16.3 Evading IDS (important) (exam must-know)

Insertion Attack (?)

  1. An IDS accepts a packet that the end system rejects (for example, one with a bad TCP checksum or a TTL too low to reach the host).
  2. An attacker exploits this to insert data into the IDS's view of the stream that the target host never processes.
  3. The attack works when the NIDS is less strict than the end host in validating packets.
  4. The inserted bytes break up the attack string in the IDS's reassembled stream, so the IDS concludes the traffic is harmless.
  5. Hence, the IDS sees more packets (and more bytes) than the destination does.

Session Splicing (重要)(?)

  • A technique used to bypass an IDS in which the attacker splits the attack traffic into many small packets such that no single packet matches a signature.
  • It is effective against IDSs that do not reassemble the stream before checking it against intrusion signatures.
  • If attackers know the IDS's reassembly timeout, they can add delays between packet transmissions that exceed it.
  • Many IDSs stop reassembling a session if they do not receive the next packet within a certain time.
  • The IDS then abandons the session, while the target host, whose TCP timeouts are far longer, keeps it open and reassembles the complete request.
  • Any attack carried in the spliced session is therefore not matched against signatures and not logged by the IDS.

Attackers can use different tools such as Nessus and Whisker for session-splicing attacks.
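The following is an added example, not part of the original notes, that models both evasion techniques described above (the insertion attack and session splicing) against two toy IDS implementations: one that matches signatures per packet and one that reassembles the stream but abandons a session after a timeout. The signature string, the HTTP request, the timeout values and every function name are constructed for this illustration; the code simulates the detection side rather than crafting real packets.

```python
from dataclasses import dataclass

# Constructed signature and attack request used only for this example.
SIGNATURE = b"GET /cgi-bin/phf"
ATTACK = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"


@dataclass
class Segment:
    """One TCP segment in a toy model (no real headers)."""
    seq: int                  # offset of the first payload byte in the stream
    payload: bytes
    t: float                  # arrival time in seconds
    checksum_ok: bool = True  # False models a segment the host's stack drops


def host_reassemble(segments):
    """End host: drops segments its TCP stack rejects, orders the rest by seq."""
    accepted = sorted((s for s in segments if s.checksum_ok), key=lambda s: s.seq)
    return b"".join(s.payload for s in accepted)


def naive_ids(segments):
    """IDS that matches signatures per packet and never reassembles the stream."""
    return any(SIGNATURE in s.payload for s in segments)


def reassembling_ids(segments, timeout, verify_checksum=True):
    """IDS that reassembles in arrival order but gives up on a session when the
    gap between consecutive segments exceeds `timeout` seconds. With
    verify_checksum=False it accepts segments the host would reject, which is
    the precondition for an insertion attack. (Toy: overlapping sequence
    numbers are not resolved; bytes are appended as they arrive.)"""
    buf = b""
    last_t = None
    for s in sorted(segments, key=lambda s: s.t):
        if verify_checksum and not s.checksum_ok:
            continue
        if last_t is not None and s.t - last_t > timeout:
            buf = b""  # reassembly timed out: earlier bytes are forgotten
        buf += s.payload
        last_t = s.t
        if SIGNATURE in buf:
            return True
    return False


def splice(payload, delay):
    """Session splicing: one byte per segment, `delay` seconds apart."""
    return [Segment(seq=i, payload=bytes([b]), t=i * delay)
            for i, b in enumerate(payload)]


def insert_junk(segments, junk=b"X", offset=0.05):
    """Insertion attack: after every real segment, send a junk byte with a bad
    checksum. The host drops it; an IDS that skips checksum validation keeps it."""
    out = []
    for s in segments:
        out.append(s)
        out.append(Segment(seq=s.seq, payload=junk, t=s.t + offset, checksum_ok=False))
    return out


def demo(timeout=1.0):
    """Run each scenario; returns {case: (host_received_attack, ids_alerted)}."""
    whole = [Segment(seq=0, payload=ATTACK, t=0.0)]
    fast = splice(ATTACK, delay=0.1)   # gaps well under the IDS timeout
    slow = splice(ATTACK, delay=2.0)   # gaps longer than the IDS timeout
    inserted = insert_junk(fast)
    return {
        "whole/naive": (host_reassemble(whole) == ATTACK, naive_ids(whole)),
        "spliced/naive": (host_reassemble(fast) == ATTACK, naive_ids(fast)),
        "spliced/reassembling": (host_reassemble(fast) == ATTACK,
                                 reassembling_ids(fast, timeout)),
        "slow-spliced/reassembling": (host_reassemble(slow) == ATTACK,
                                      reassembling_ids(slow, timeout)),
        "inserted/lax-checksum": (host_reassemble(inserted) == ATTACK,
                                  reassembling_ids(inserted, timeout, verify_checksum=False)),
        "inserted/strict-checksum": (host_reassemble(inserted) == ATTACK,
                                     reassembling_ids(inserted, timeout, verify_checksum=True)),
    }


if __name__ == "__main__":
    for case, (host_got_it, alerted) in demo().items():
        print(f"{case:28s} host received attack={host_got_it!s:5s} IDS alerted={alerted}")
```

In every case the host reconstructs the full request, while the IDS alerts only when it both reassembles within its timeout and validates packets as strictly as the host; the two evasions exploit the two ways that condition fails.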

Other Types of Evasion

  • Encryption: An encrypted session already established with the victim gives the most effective evasion, because the IDS cannot inspect the payload at all.
    • If an attacker establishes an encrypted session with the target host over a secure shell (SSH), secure sockets layer (SSL/TLS), or a virtual private network (VPN) tunnel, a network IDS without access to the session keys sees only ciphertext and does not analyze the contents of those packets.
    • The attacker can send malicious traffic over this secure channel and thereby evade the IDS.
  • Flooding: The attacker sends a large volume of unnecessary traffic to produce noise; if the IDS cannot keep up with or properly analyze the noise traffic, the true attack traffic may go undetected or be lost among the resulting alerts.
