IDS - Evasion Techniques

Several techniques exist for evading an IDS. Not all of them are stealthy, but they usually have the desired effect on the target system.

Denial of Service
One way of dealing with the presence of an IDS is to attack the IDS itself: overwhelm it with a DoS or DDoS attack, or use an exploit or weakness in the system to make it temporarily or permanently unavailable. Consuming vital resources degrades the sensor until it is less able, or completely unable, to keep up with legitimate traffic. The goal is to make the IDS unable to function properly, or to make it drop so many packets that it can no longer protect the network; after a successful DoS attack the IDS may function erratically or not at all. Such a system needs a lot of resources to analyze traffic, not only because inspecting every single packet takes time, but also because it may receive traffic destined for many hosts or even a busy subnet. If the attacker can trick the IDS into spending its resources on events other than the ones it is supposed to watch, the overall behavior of the system changes and the actual attack can be masked.

Obfuscation
If an IDS analyzes traffic based on signatures, an attacker may be able to evade it by obfuscating the payload so that it no longer matches anything in the signature database. The attacker manipulates the data so that the IDS cannot make sense of it but the target host can. Older systems could be evaded by sending a payload, such as an HTTP request or response, in Unicode or another alternate encoding that the IDS did not recognize but that was perfectly legitimate to the target host. The defense is for the IDS to normalize the traffic the same way the target does before matching it.
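The point above, as an added example that is not part of the original post: a naive signature check on the raw bytes beside a hardened check that first applies the decodings the target host applies. The signature, the decoding rules (percent-encoding, IIS-style %uXXXX and overlong UTF-8) and the sample requests are all constructed here for illustration; no real IDS rule set is referenced.

```python
"""Signature matching on raw bytes vs. matching after normalisation.

Added example, not code from the original post. The signature, the
decoding rules and the sample requests are constructed for illustration.
"""
import re

# Constructed signature: a traversal attempt that reads /etc/passwd.
SIGNATURE = b"/etc/passwd"


def naive_match(request: bytes) -> bool:
    """Older-style check: substring search on the raw wire bytes."""
    return SIGNATURE in request


def _decode_overlong_utf8(data: bytes) -> bytes:
    """Decode two-byte UTF-8 the way a lenient server did, including
    overlong forms such as C0 AF for '/'. Python's own decoder rejects
    overlong sequences (correctly), so the target's behaviour is modelled
    by hand here. Only code points below 0x80 are folded; others are kept."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:              # overlong encoding of an ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalise(request: bytes) -> bytes:
    """Apply the decodings the target host applies, in the same order,
    before the signature is matched."""
    def _u(m):                          # IIS-style %uXXXX encoding
        cp = int(m.group(1), 16)
        return bytes([cp]) if cp < 0x100 else m.group(0)

    text = re.sub(rb"%u([0-9a-fA-F]{4})", _u, request)
    # Standard percent-encoding: %2f -> '/'
    text = re.sub(rb"%([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text)
    # Overlong UTF-8 left behind by the previous step: C0 AF -> '/'
    return _decode_overlong_utf8(text)


def normalised_match(request: bytes) -> bool:
    """Hardened check: match the bytes the target will actually interpret."""
    return SIGNATURE in normalise(request)


# Constructed sample requests: one plain, three obfuscated.
SAMPLES = {
    "plain":    b"GET /../../etc/passwd HTTP/1.0\r\n",
    "percent":  b"GET /../../etc%2fpasswd HTTP/1.0\r\n",
    "unicode":  b"GET /../../etc%u002fpasswd HTTP/1.0\r\n",
    "overlong": b"GET /../../etc%c0%afpasswd HTTP/1.0\r\n",
}


def evaluate() -> dict:
    """Per sample: (naive_match result, normalised_match result)."""
    return {name: (naive_match(r), normalised_match(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, norm) in evaluate().items():
        print(f"{name:9s} naive={naive!s:5s} normalised={norm}")
```

The naive matcher fires only on the plain request; the three encoded variants decode to the same path on the target and are caught only once the IDS decodes them the same way. The order of the decoding steps matters: the normaliser has to mirror the target's order, otherwise double-encoded payloads still slip through.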

Crying Wolf
This attack relies on the attacker carrying out several real but fairly harmless attacks, each causing the IDS to react and raise an alarm. Done repeatedly, the logs say an attack is happening while no other evidence supports it. Eventually the system owner may come to regard the IDS alarms as false positives and ignore them, even though they are not. The attacker then attempts to penetrate the network and may do so in plain sight, because the owner dismisses the resulting alarms as more false positives.

Session Splicing
This technique exploits the fact that some IDSs do not always reassemble sessions before analyzing traffic. It may be possible to fragment packets, or to split a request across many small TCP segments, so that no single packet matches a signature while the target host still reassembles the complete attack. An IDS can only hold fragments for so long before it must give up on them (or, if inline, pass them on), so introducing a long delay between fragments forces the IDS to let the packets through without inspecting the whole. Depending on the attack, another approach is to craft fragments that overlap when reassembled; if the IDS resolves the overlap differently than the target host does, it reconstructs a different stream than the one the host actually processes and may still pass the packets to their destination.

Bogus RST
A reset (RST) flag in a TCP packet is one of several ways to terminate a session between two endpoints. Every TCP segment also carries a checksum that protects the integrity of the segment, so that what the destination receives is what was sent; a receiving host discards a segment whose checksum does not match. An attacker can benefit from this by sending an RST with a deliberately bad checksum: the target host drops it and the connection stays open, but an IDS that does not validate checksums sees the RST, stops tracking the session, and no longer inspects the traffic that follows. On some IDS devices a packet whose checksum does not match may also simply be forwarded unimpeded without raising an alert.

The Urgency Flag
The TCP urgent (URG) flag marks data in transit as urgent, with the urgent pointer indicating where that data ends. The flag says nothing about what the payload is, but some IDS devices let traffic with the URG flag set pass unimpeded, and because some TCP stacks remove the urgent byte from the data stream while the IDS keeps it, the IDS and the host may not even see the same payload. Either way a potential attack may pass without triggering an alarm.

Encryption
Not all IDS devices can process encrypted traffic and therefore have to let it pass without analyzing it. This is by far the most effective way of evading an IDS. Inspecting encrypted traffic is possible, but depends heavily on what kind of encryption the organization has in place and whether the IDS can be given the keys or placed behind a proxy that terminates the encryption. It is also important to consider that decrypting traffic requires a lot of resources, and the gain may not be worth the cost.

Note that both IDS and IPS systems may be deployed either inline or out of line (passively), and this affects how an attack plays out. An inline device receives packets and forwards them to their destination, so it can delay or drop traffic; a passive device sits off to the side, often connected to a Switched Port Analyzer (SPAN) port used for monitoring, and can only observe and alert.
    Certified Security Geek