Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

IDS Evasion Techniques

Since their introduction, intrusion detection systems have become very popular amongst network administrators because they provide a way to detect whether any attacks have taken place. In those days (the 1990s) these systems were very simple devices that monitored network traffic, matched it against a database of signatures and, if there was a match, produced an alert that informed the administrator of the event (Bruneau, 2001, History and Evolution of Intrusion Detection, p. 3). Throughout the years attackers, security professionals, researchers and developers have always played a cat and mouse game: every time developers, security professionals and researchers find or develop new ways to counteract attacks, attackers seem to develop new ways to attack security devices such as IDSs, or even to bypass them altogether. This is because of the complexities in capturing, analysing and understanding network traffic (Timm, 2002, IDS Evasion Techniques and Tactics, p. 1). These complexities mean that many techniques exist that take advantage of the weaknesses in IDSs. The early methods were very simple, such as exploiting pattern matching, denial of service (DoS) and false positives. However, over time more advanced techniques such as fragmentation, session splicing and polymorphic shellcode began to appear.

Roberts (2010) reports that Stonesoft’s disclosure of a new way to evade IDSs and IPSs (IDPSs) raised some doubts about the effectiveness of many security products already used by organisations worldwide. However, Stonesoft’s discovery was not new; anyone with an interest in information security knows that these techniques have been around for a very long time and were first described in 1998 by (Newsham, 1998).

As quoted by Roberts (2010):

“Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.”

He further quotes:

“‘In the process of doing so, we basically discovered that it’s possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,’ he said.”

However, I respectfully disagree with what Mr. Matt McKinley said, because these techniques, as will be discussed in the following sections, have been around for a very long time and are all based on the techniques described in (Newsham, 1998).

In this section the author presents an overview of some of these techniques, dividing them into two categories: basic techniques and complex techniques.

Basic evasion techniques

Pattern-matching Weaknesses

As described in (iDefense Security Team, 2006, p. 3), most IDSs employ a pattern-based detection approach, and many of the evasion methods used by attackers exploit the pattern-matching mechanism and take advantage of its weaknesses. As described in “Appendix A”, the pattern-based (signature-based) approach compares network traffic against known vulnerabilities or strings commonly used inside exploits in order to detect attacks. However, not all inputs have to be identical to trigger a particular vulnerability, which means that a small change in the string can bypass the IDS. The example below explains this further.

Take a simple HTTP request as an example:

GET /cgi-bin/phf?

If this string is sent and seen by the IDS it causes an alert; however, if the string is obfuscated as shown below it still triggers the attack but no alert is produced:

GET /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f?

Both of the strings above produce the same result; however, the second one bypasses detection because, when it is compared with the signatures available in the IDS, there is no match: no signature contains a string that matches this one, so the attack reaches its destination undetected. When the target receives this string it URL-decodes it to /phf. This is because in a URL the % character is used to escape special characters: %25 decodes to %, %2f decodes to / and %68 decodes to h, which results in /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%/phf?. This causes the path to move up a directory, because the %/ escapes the “/” and the “..” moves up a directory, which strips out the multiple “a” characters and leaves the string looking like /cgi-bin/phf?, the same as the original string.
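The usual defence is to canonicalise the request before matching it, rather than matching the raw bytes. The following Python is an added example written for this page (it is not code from the iDefense paper, from the author of this series or from any IDS): it percent-decodes the path repeatedly, resolves “..” segments and only then compares against the signature, while also recording the encoding anomalies it saw, which are worth an alert on their own. The hex-decoding rules are standard; the choice to drop a stray “%” that is not followed by two hex digits is this example’s own assumption, and it is what makes the “..%” segment of the string above collapse to “..”.

```python
from urllib.parse import unquote

# Literal the naive pattern matcher in the text looks for.
SIGNATURE = "/cgi-bin/phf"


def canonicalize(target: str, max_passes: int = 3):
    """Return (canonical_path, anomalies) for an HTTP request target.

    1. drop the query string;
    2. percent-decode until the string stops changing (catches %25xx
       double encoding);
    3. remove any stray '%' that is still not a valid escape (assumption:
       a lenient server would ignore it; a sensor should flag it);
    4. resolve '.' and '..' path segments.
    """
    anomalies = []
    path = target.split("?", 1)[0]

    passes = 0
    while passes < max_passes:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        passes += 1
    if passes > 1:
        anomalies.append("double-encoding")

    # unquote() leaves malformed escapes such as '%/p' untouched.
    if "%" in path:
        anomalies.append("malformed-percent")
        path = path.replace("%", "")   # example's own leniency assumption

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if "traversal" not in anomalies:
                anomalies.append("traversal")
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments), anomalies


def inspect(request_line: str) -> dict:
    """Compare raw-byte matching with canonicalised matching for one request line."""
    _method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0]           # strip a trailing HTTP/1.x if present
    canonical, anomalies = canonicalize(target)
    return {
        "naive_match": SIGNATURE in target,
        "canonical_match": SIGNATURE in canonical,
        "canonical": canonical,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    # Constructed request lines: the plain one, the obfuscated one from the
    # text, and a double-encoded variant.
    for line in ("GET /cgi-bin/phf?",
                 "GET /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f?",
                 "GET /cgi-bin/%2570hf"):
        print(line, "->", inspect(line))
```

The raw match fails on the obfuscated line while the canonical match succeeds, and the anomaly list (malformed escape plus traversal) is itself a strong signal: legitimate clients rarely send either. The double-encoded variant goes beyond the page’s single example to show why decoding must be repeated until it stabilises.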

Unicode Evasion techniques

According to the same document, Unicode is a way of representing the characters of every language by giving each one a unique identifier, so that the computer representation of each language is uniform. Although Unicode is a very useful standard that made a big difference to the way computers have advanced, it also provided attackers with another way to evade detection.

Because in Unicode it is possible to represent a single character in multiple ways, it poses a big problem for IDSs. For example, a character such as “\” can be represented as 5C, C19C or E0819C, which makes creating signatures very challenging. Although the current Unicode standard makes such multiple representations illegal, some applications still use the old standard.

A good example of how Unicode affects IDSs, as presented in the iDefense document, is the Microsoft IIS 4.0/5.0 directory traversal vulnerability, which was released in October 2000 by Rain Forest Puppy.
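To make the “multiple representations” point concrete, here is an added Python example, written for this page and not taken from the iDefense paper or from any product: it decodes UTF-8 the permissive way an old parser might, accepting the overlong forms C19C and E0819C of “\” quoted above, and reports every overlong sequence it accepted; Python’s own strict decoder is shown beside it rejecting the same bytes. Both functions are this example’s own code; the byte values are the ones from the text.

```python
from typing import List, Tuple


def lenient_utf8_decode(data: bytes) -> Tuple[str, List[str]]:
    """Decode UTF-8 without enforcing shortest-form encoding.

    This mimics the permissive behaviour the text describes: an overlong
    sequence such as C1 9C is accepted and yields '\\'. The function returns
    the decoded text together with the hex of every overlong sequence it
    accepted, so a sensor can alert on them rather than just normalise.
    """
    out = []
    overlong = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            length, cp = 1, lead
        elif 0xC0 <= lead < 0xE0:
            length, cp = 2, lead & 0x1F
        elif 0xE0 <= lead < 0xF0:
            length, cp = 3, lead & 0x0F
        elif 0xF0 <= lead < 0xF8:
            length, cp = 4, lead & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + length > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for cont in data[i + 1:i + length]:
            if cont & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte 0x{cont:02x}")
            cp = (cp << 6) | (cont & 0x3F)
        if cp > 0x10FFFF:
            raise ValueError("code point out of range")
        # Shortest legal encoding for this code point.
        shortest = 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4
        if length > shortest:
            overlong.append(data[i:i + length].hex())
        out.append(chr(cp))
        i += length
    return "".join(out), overlong


def strict_utf8_ok(data: bytes) -> bool:
    """True only if the bytes are valid shortest-form UTF-8, which is what a
    current decoder (here Python's) accepts."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed samples: the three encodings of '\' quoted in the text,
    # embedded between two dot-dot segments.
    for sample in (b"..\x5c..", b"..\xc1\x9c..", b"..\xe0\x81\x9c.."):
        text, bad = lenient_utf8_decode(sample)
        print(sample.hex(), "->", repr(text), "overlong:", bad,
              "strict ok:", strict_utf8_ok(sample))
```

All three samples decode to the same text under the lenient decoder, which is exactly why a signature written for 5C misses the other two; a sensor that either normalises like the target does, or simply alerts on any overlong sequence (they have no legitimate use), closes the gap.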

Denial of service (DoS)

Another way attackers evade detection is a DoS attack, which can be classed as an indirect way of evading IDSs. In an enterprise, alert data is stored centrally so that it can be viewed from one location; in other words, the alert logs for the entire enterprise network, which may contain many IDS sensors, can be viewed centrally instead of on a system-by-system basis. This is very useful for security analysts, but if attackers know the IP address of the central logging server they can direct their attack towards it in order to slow it down, or even launch a DoS attack to crash it. When this happens attackers can launch further attacks knowing that they will not generate any alerts, because the logging server is down. Another method, discussed below, which serves the attacker when the logging server’s IP address is not known, is to generate false positives in order to fill the logging server’s memory so that it can no longer log any alerts.

False Positive technique

This method is very similar to the DoS method. As mentioned at the end of the previous section, the aim of this technique is to generate large numbers of packets known to trigger an alert. This forces the IDS to produce large numbers of alerts that must be logged, which gives the attacker two advantages: first, the logging server’s memory fills up so that no further alerts can be logged; second, the attacker can hide the real attack within the huge volume of alerts, knowing that security analysts will have great difficulty distinguishing the real attack from the false alerts when looking at the log data.

Attackers also know that many IDSs have the same or similar signatures for a particular attack, which increases the success rate of this technique: the more signatures IDSs have in common, the more false positives attackers are able to generate and the faster they can launch their attacks.
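From the analyst’s side, the flood described above has a recognisable shape: a burst of alerts far above the normal rate, dominated by one signature, with the interesting events being the rare signatures inside the burst. The Python below is an added example written for this page (not from any IDS or from the sources cited): it buckets constructed alert records into fixed time windows, flags windows above a threshold and lists the low-frequency signatures inside them for review. The log format, IP addresses and signature ids are all made up for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

Alert = Tuple[int, str, int, str]   # (epoch_seconds, source_ip, signature_id, message)


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line: '<epoch> <src_ip> <sig_id> <message>'."""
    ts, src, sig, msg = line.split(" ", 3)
    return int(ts), src, int(sig), msg


def triage(lines: List[str], window: int = 10, threshold: int = 100,
           rare_max: int = 3) -> Dict[int, dict]:
    """Flag time windows whose alert count exceeds `threshold`.

    For each flooded window report the total count, the dominant signature
    (the probable decoy) and the signatures seen at most `rare_max` times,
    which are the candidates for a real attack hidden inside the noise.
    """
    buckets: Dict[int, List[Alert]] = {}
    for line in lines:
        alert = parse_alert(line)
        buckets.setdefault(alert[0] // window, []).append(alert)

    report = {}
    for bucket, alerts in sorted(buckets.items()):
        if len(alerts) <= threshold:
            continue
        sigs = Counter(a[2] for a in alerts)
        report[bucket * window] = {
            "count": len(alerts),
            "dominant_sig": sigs.most_common(1)[0][0],
            "rare_sigs": sorted(s for s, n in sigs.items() if n <= rare_max),
        }
    return report


def build_sample() -> List[str]:
    """Constructed alert log: a quiet baseline, then 150 decoy alerts in ten
    seconds from one source, with a single different alert from another
    source buried in the middle of the burst."""
    lines = ["500 192.0.2.10 1000003 baseline: policy violation"]
    for i in range(150):
        lines.append(f"{1000 + i % 10} 203.0.113.5 1000001 decoy: noisy signature")
    lines.append("1004 198.51.100.7 2000002 suspicious: traversal attempt")
    return lines


if __name__ == "__main__":
    for start, info in triage(build_sample()).items():
        print(f"window {start}-{start + 9}: {info}")
```

The point of separating the dominant signature from the rare ones is that the flood is what the analyst sees first, while the one alert that does not fit the pattern is what deserves the attention; the same bucketing also gives the operator a rate figure to compare against the logging server’s capacity.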

Session splicing

Because of the processing power required to reconstruct a full session, some IDSs only reassemble parts of it, and some perform pattern matching on the data before reassembling the session. A technique emerged to take advantage of these weaknesses: the attacker splits the data into several packets so that no single packet matches any of the IDS’s signatures. Many IDSs stop reconstructing a stream of packets after a certain period of time, so if intruders know which IDS is in use they can add a delay between packets to skip the reassembly check. Likewise, if the application being attacked keeps a session open for longer than the time the IDS allows for reassembling packets, the IDS stops reassembling that session, which gives attackers the ability to send malicious data that goes undetected.

This type of attack is known as session splicing; it is very old and most if not all modern IDSs have found ways to prevent it (iDefense Security Team, 2006).
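The behaviour described above can be shown with a small simulation. The Python below is an added example written for this page (not code from any IDS or from the sources cited): a constructed HTTP request is split into two-byte TCP payloads, a per-packet matcher never sees the whole signature, and a toy stream reassembler with an inactivity timeout either does or does not recover it depending on the gap between segments. The reassembler assumes in-order delivery and a single stream, and the query value in the request is a placeholder; real sensors also have to handle sequence numbers, overlaps and memory limits.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Literal a signature-based sensor looks for (from the text).
SIGNATURE = b"/cgi-bin/phf"

# Constructed request; the query value is a placeholder.
REQUEST = b"GET /cgi-bin/phf?name=test HTTP/1.0\r\n\r\n"


@dataclass
class Segment:
    ts: float       # arrival time in seconds (constructed)
    payload: bytes  # TCP payload, assumed to arrive in order


@dataclass
class StreamReassembler:
    """Toy reassembler: buffers payloads of one stream, but if the gap since
    the previous segment exceeds `timeout` seconds it gives up and starts
    again, discarding what it had, as the text describes for IDSs that stop
    reconstructing a stream after a period of inactivity."""
    timeout: float
    buffer: bytearray = field(default_factory=bytearray)
    last_ts: Optional[float] = None

    def feed(self, seg: Segment) -> None:
        if self.last_ts is not None and seg.ts - self.last_ts > self.timeout:
            self.buffer = bytearray()          # stream state expired
        self.buffer += seg.payload
        self.last_ts = seg.ts


def splice(data: bytes, chunk: int, gap: float) -> List[Segment]:
    """Split `data` into `chunk`-byte segments spaced `gap` seconds apart."""
    return [Segment(ts=idx * gap, payload=data[off:off + chunk])
            for idx, off in enumerate(range(0, len(data), chunk))]


def per_packet_match(segments: List[Segment]) -> bool:
    """Matching each packet on its own, without reassembly."""
    return any(SIGNATURE in seg.payload for seg in segments)


def stream_match(segments: List[Segment], timeout: float) -> bool:
    """Matching on the reassembled stream with the given inactivity timeout."""
    reassembler = StreamReassembler(timeout)
    for seg in segments:
        reassembler.feed(seg)
        if SIGNATURE in reassembler.buffer:
            return True
    return False


if __name__ == "__main__":
    fast = splice(REQUEST, chunk=2, gap=0.1)
    slow = splice(REQUEST, chunk=2, gap=5.0)
    print("per-packet, spliced:       ", per_packet_match(fast))
    print("reassembled, 1 s timeout:  ", stream_match(fast, timeout=1.0))
    print("slow splice, 1 s timeout:  ", stream_match(slow, timeout=1.0))
    print("slow splice, 60 s timeout: ", stream_match(slow, timeout=60.0))
```

The last two lines are the practical lesson: with a one-second reassembly timeout the slowly spliced request is never seen whole, while a timeout at least as long as the web server’s own idle timeout recovers it. The cost of the longer timeout is memory per tracked stream, which is the trade-off the text alludes to.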

References and Bibliography

  1. AIR MAGNET INC (2004). AirMagnet Technical White Paper. [online]. Last accessed 15 July 2011.
  2. ARTAN, N. Sertac (2007). High-Speed Network Intrusion Detection and Prevention. PhD thesis.
  3. BARBER, Brian (2010). Linux+ Exam XK0-003 Certification Study Guide. CompTIA.
  4. BEAVER, Kevin (2007). Hacking for Dummies. 2nd ed., Wiley Publishing.
  5. BEAVER, Kevin, David Maynor and K. K. Mookhey (2007). Metasploit Toolkit for Penetration Testing. Syngress.
  6. BEJTLICH, Richard (2004). The Tao of Network Security Monitoring. Addison-Wesley.
  7. BRUNEAU, Guy (2001). History and Evolution of Intrusion Detection. [online]. Last accessed 23 April 2011.
  8. BURNS, Bryan, Jennifer Stisa Granick and Steve Manzuik (2007). Security Power Tools. O’Reilly.
  9. COHEN, Fred (undated). 50 Ways to Defeat Your Intrusion Detection System. [online]. Last accessed 23 July 2011.
  10. CONKLIN, Wm. Arthur and Greg White (2009). All-in-One CompTIA Security+ Study Guide.
  11. CORTEZ, Giovanni (1999). Bypassing Secure Web Transactions via DNS Corruption. [online]. Last accessed 23 July 2011.
  12. CORTEZ, Giovanni (2000). Passive Mapping: An Offensive Use of IDS. [online]. Last accessed 7 June 2011.
  13. DEL CARLO, Corbin (2003). IDS Evasion: How Attackers Get Past the Burglar Alarm. SANS Reading Room. [online]. Last accessed 6 June 2011.
  14. EXPERIMENT RESOURCES (2009). Comparing Quantitative and Qualitative Research. [online]. Last accessed 20 June 2011.
  15. FOGLA, Prahlad and Wenke Lee (2006). Evading Network Anomaly Detection Systems: Formal Reasoning and Practical Techniques. [online]. Last accessed 7 June 2011.
  16. GORDON, Mike (undated). IDS Tutorials – IDS Limitations. [online]. Last accessed 22 Aug 2011.
  17. GORTON, A. Samuel and Terrence G. Champion (undated). Combining Evasion Techniques to Avoid Network Intrusion Detection Systems. Skaion Corporation.
  18. GRAZIANO, Almerindo (2011). Ethical Ninja 1: Hacking Techniques Course Module Material. Sheffield Hallam University. Unpublished.
  19. GRAZIANO, Almerindo (2011). IDS Module Course Material. Sheffield Hallam University. Unpublished.
  20. GREENWOOD, Brandon (2007). Tuning an IDS/IPS from the Ground Up. GCIA Gold Certification, SANS Reading Room. [online]. Last accessed 1 Oct 2011.
  21. GREGG, Michael, Brandon Franklin and George Mays (2006). Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network. Syngress Publishing.
  22. GREGG, Michael (2008). Build Your Own Security Lab: A Field Guide for Network Testing. Wiley Publishing.
  23. HARRIS, Shon, Chris Eagle and Jonathan Ness (2008). Gray Hat Hacking: The Ethical Hacker’s Handbook. 2nd ed., McGraw-Hill.
  24. HORIZON (1998). Defeating Sniffers and Intrusion Detection Systems. Phrack Magazine. [online]. Last accessed 1 Jun 2011.
  25. HULME, George V. (2003). Gartner: Intrusion Detection on the Way Out. [online]. Last accessed 18 Sep 2011.
  26. IDEFENSE SECURITY TEAM (2006). Intrusion Detection Systems (IDS) Evasion. [online]. Last accessed 10 Sep 2011.
  27. KALETON INTERNET (2003). Combining Misuse and Anomaly Based IDS. [online]. Last accessed 10 Sep 2011.
  28. KANNAN, Ratna Deepika (2011). An Experimental Study of Detecting and Correlating Different Intrusions. SANS Reading Room. [online]. Last accessed 1 Oct 2011.
  29. KARWASKI, Michael (2009). Efficiently Deducing IDS False Positives Using System Profiling. GCIA Gold Certification. [online]. Last accessed 12 Aug 2011.
  30. KVARNSTROM, Hakan (1999). A Survey of Commercial Tools for Intrusion Detection. [online]. Last accessed 5 June 2011.
  31. LEVOMAKI, Antti, Christian Jalio and Olli-Pekka Niemi (2009). Advanced Network Based IPS Evasion Techniques. Stonesoft. [online]. Last accessed 1 Nov 2011.
  32. MA, Minhua, David J. Day and Zheng Xuzhao (2010). Detecting Return-to-libc Buffer Overflow Attacks Using IDSs. PhD, IEEE Computer Society.
  33. McCLURE, Stuart, Joel Scambray and George Kurtz (2009). Hacking Exposed: Network Security Secrets and Solutions. 6th ed., McGraw-Hill.
  34. MELL, Peter, Richard Lippmann and Marc Zissman (undated). An Overview of Issues in Testing IDSs. NIST-7007-IDS. [online]. www.nist.gov. Last accessed 25 May 2011.
  35. MEYER, Russell (2008). Challenges of Managing an IDS in the Enterprise. GCIA Gold Certification, SANS Reading Room. [online]. Last accessed 6 July 2011.
  36. NEGUS, Christopher (2006). Linux Bible. Wiley Publishing.
  37. NEWSHAM, Timothy H. and Thomas H. Ptacek (1998). Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection. [online]. Last accessed 7 Aug 2011.
  38. O’CONNOR, TJ (2010). Detecting and Responding to Data Link Layer Attacks. GIAC Gold Certification, SANS Reading Room. [online]. Last accessed 6 June 2011.
  39. PAPPAS, Nicholas (2008). Network IDS & IPS Deployment Strategies. GSEC Gold Certification, SANS Reading Room. [online]. Last accessed 3 Sep 2011.
  40. PARZIALE, Lydia, Chuck Davis and Nicolas Rosselot (2006). TCP/IP Tutorial and Technical Overview. IBM International Technical Support Organization. [online]. Last accessed 15 July 2011.
  41. RAIN FOREST PUPPY (1999). A Look at Whisker’s Anti-IDS Tactics. [online]. Last accessed 1 Nov 2011.
  42. ROBERTS, Paul (2010). Warning About IDS Evasion. [online]. Last accessed 8 Jan 2012.
  43. RUVALCABA, Cristian (2009). Smart IDS – Hybrid LaBrea Tarpit. SANS Reading Room. [online]. Last accessed 20 May 2011.
  44. SANS INTERNET STORM CENTER (ISC) (2003). ISC. [online]. Last accessed 9 Jul 2011.
  45. SCARFONE, Karen and Peter Mell (2007). Guide to Intrusion Detection and Prevention Systems (IDPS): Recommendations of the National Institute of Standards and Technology. NIST Computer Security Division, IT Labs. [online]. Last accessed 5 Aug 2011.
  46. SHEFFIELD HALLAM UNIVERSITY (2011). Research Principles and Practice Course Module.
  47. SHEMA, Mike, Chris Davis and David Cowen (2006). Anti-Hacker Tool Kit. McGraw-Hill/Osborne.
  48. SNORT PROJECT TEAM (2011). Snort Manual. [online]. Last accessed 6 June 2011.
  49. STALLINGS, William (2000). Network Security Essentials: Applications and Standards. Prentice Hall.
  50. STONESOFT CORPORATION (undated). Advanced Evasion Techniques: New Methods and Combinatorics for Bypassing IPS Technologies. Stonesoft Corporation.
  51. STUTTARD, Dafydd and Marcus Pinto (2008). The Web Application Hacker’s Handbook. Wiley Publishing.
  52. TIMM, Kevin (2002). IDS Evasion Techniques and Tactics. [online]. Last accessed 23 July 2011.
  53. WALDER, Bob (2010). Advanced Evasion Techniques: Weapon of Mass Destruction or Absolute Dud? Stonesoft. [online]. Last accessed 26 Jul 2011.
  54. WIPPICH, Brian (2007). Detecting and Preventing Unauthorized Outbound Traffic. GCIH Gold Certification, SANS Reading Room. [online]. Last accessed 6 June 2011.
