Questions about this topic? Sign up to ask in the talk tab.

IDS evasion

From NetSec
Jump to: navigation, search

Introduction

Intrusion Detection System evasion is the process of evading a host or network layer intrusion detection system by various means. 'IDS' is a broad term, and refers to intrusion detection systems across many systems - from web applications to intrusion detection systems on a computer - a commonly known example of an IDS is a Firewall or anti-virus system. Any system that has any kind of connection to the outside world can be protected with an IDS, but as most intrustion detection systems are based on evading known methods of intrusion, they can often be thwarted by a skilled professional.

Filter Evasion

Main article: Filter bypass

Many intrusion detection systems use string replacement in order to filter "dangerous" strings. For example, in the context of a web application, the '../' string may be filtered from the URL in order to prevent directory traversal. However, if the filter is badly implemented it is possible to redirect it by fooling it into altering a string so that what is left behind contains the real payload. For example, if '../' is being filtered out an attacker could inject '....//' - in this case, the '../' would be removed from the string, causing '....//' to be replaced by '../'.

It is also possible, similarly, to bypass improper sanitizing of other forms during SQL injection and other types of web exploitation.

Some intrusion detection systems attempt to thwart this by performing multiple checks for unsafe strings - however, this method is not reliable, as an attacker can simply add more dummy strings until they achieve the desired result. The proper way to handle this kind of injection is to perform a loop-based or recursive check that continually checks the string until no unsafe checks are found.

Session Splicing

Many intrusion detection systems implement signature recognition in order to catch attacker payloads. This is similar to string replacement, but is put into place on a larger scale. It is often employed by antivirus applications in order to recognise known malware, as well as by many standard intrusion detection systems in order to recognise patterns characteristic of an attack.

Session splicing seeks to evade this kind of signature recognition by splitting a payload into many small parts, which are delivered in such a way that they are ignored by the signature recognition algorithm but still form a payload on the 'other end'.


This article contains too little information, it should be expanded or updated.
Things you can do to help:
  • add more content.
  • update current content.