16.3 Evading IDS (important)(exam topic)
Insertion Attack (?)
- An IDS blindly believes and accepts a packet that the end system rejects (for example, one with a bad checksum or a TTL too low to reach the host).
- The attacker exploits this difference to insert data into the IDS's view of the stream that the destination never sees.
- The attack works when the NIDS is less strict than the end host in validating packets.
- The inserted data breaks up the attack string in the IDS's reassembled copy, so the IDS concludes the traffic is harmless.
- Hence the IDS processes more packets than the destination does.
Session Splicing (important)(?)
- A technique used to bypass an IDS: the attacker splits the attack traffic into many small packets so that no single packet triggers a signature.
- It is effective against IDSs that do not reassemble the stream before checking it against intrusion signatures.
- If attackers know the reassembly timeout at the IDS, they can add delays between packet transmissions that exceed it, so the IDS never holds the whole attack at once.
- Many IDSs stop reassembling if they do not receive the next packet within a certain time.
- Reassembly at the IDS fails when the target host keeps the session open for longer than the IDS reassembly timeout: the host still accepts the late segments, but the IDS has already discarded its partial state.
- A successfully spliced attack is never matched as a whole against the signatures, so the IDS does not alert on it or log it.
Attackers can use tools such as Nessus and Whisker for session-splicing attacks. An IDS that reassembles streams with a timeout at least as long as the host's defeats simple splicing.
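As an added example (not code from the original notes), the Python model below feeds the same constructed packets to a lax NIDS reassembler, a per-packet sensor and the end host, and covers both the insertion attack and session splicing described above. The signature, the request, the "bad checksum" flag, the timeouts and the timestamps are all constructed for illustration.

```python
"""Toy model of a signature-matching NIDS versus the end host it protects,
used to show two evasions: insertion and session splicing.
Added example, not code from the original notes; the signature, request,
timeouts and timings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SIGNATURE = b"/../../etc/passwd"                   # constructed: what the sensor alerts on
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n"    # constructed attack request


@dataclass
class Packet:
    seq: int                    # byte offset of this segment in the stream
    data: bytes
    ts: float                   # send time in seconds (constructed clock)
    bad_checksum: bool = False  # end host drops these; a lax IDS accepts them


@dataclass
class Reassembler:
    """Stream reassembler with a first-received-wins overlap policy and an
    idle timeout after which partial state is discarded."""
    name: str
    timeout: float              # seconds of silence before state is dropped
    strict_checksum: bool       # True models the end host, False a lax NIDS
    bytes_at: Dict[int, int] = field(default_factory=dict)
    last_ts: Optional[float] = None
    resets: int = 0

    def feed(self, pkt: Packet) -> None:
        if self.strict_checksum and pkt.bad_checksum:
            return                               # host rejects what the lax IDS accepts
        if self.last_ts is not None and pkt.ts - self.last_ts > self.timeout:
            self.bytes_at = {}                   # partial reassembly aged out
            self.resets += 1
        self.last_ts = pkt.ts
        for i, b in enumerate(pkt.data):
            self.bytes_at.setdefault(pkt.seq + i, b)   # keep the first copy seen

    def stream(self) -> bytes:
        """Contiguous data from offset 0, as the application would read it."""
        out = bytearray()
        while len(out) in self.bytes_at:
            out.append(self.bytes_at[len(out)])
        return bytes(out)

    def matches(self) -> bool:
        return SIGNATURE in self.stream()


def per_packet_alerts(packets: List[Packet]) -> int:
    """A sensor that inspects each packet on its own, with no reassembly."""
    return sum(1 for p in packets if SIGNATURE in p.data)


def replay(packets: List[Packet], *sensors: Reassembler) -> None:
    for p in sorted(packets, key=lambda p: p.ts):
        for s in sensors:
            s.feed(p)


def insertion_demo() -> dict:
    """Insertion: a bad-checksum byte at offset 4 (the leading '/') is
    accepted by the lax IDS and breaks its copy of the signature; the host
    discards that byte and sees the real request."""
    packets = [
        Packet(seq=4, data=b"?", ts=0.0, bad_checksum=True),
        Packet(seq=0, data=REQUEST, ts=0.1),
    ]
    ids = Reassembler("ids", timeout=30.0, strict_checksum=False)
    host = Reassembler("host", timeout=300.0, strict_checksum=True)
    replay(packets, ids, host)
    return {"ids_stream": ids.stream(), "ids_match": ids.matches(),
            "host_match": host.matches()}


def splicing_demo(gap: float, chunk: int = 3) -> dict:
    """Session splicing: the request goes out in `chunk`-byte segments `gap`
    seconds apart.  No single packet carries the signature; a reassembling
    IDS still catches it unless `gap` exceeds its reassembly timeout."""
    packets = [Packet(seq=i, data=REQUEST[i:i + chunk], ts=i // chunk * gap)
               for i in range(0, len(REQUEST), chunk)]
    ids = Reassembler("ids", timeout=1.0, strict_checksum=False)
    host = Reassembler("host", timeout=300.0, strict_checksum=True)
    replay(packets, ids, host)
    return {"per_packet_alerts": per_packet_alerts(packets),
            "ids_match": ids.matches(), "ids_resets": ids.resets,
            "host_match": host.matches()}


if __name__ == "__main__":
    print("insertion:", insertion_demo())
    print("splicing, fast:", splicing_demo(gap=0.1))
    print("splicing, slow:", splicing_demo(gap=2.0))
```

Running it shows the three cases: the inserted byte leaves the IDS with "GET ?../../etc/passwd ..." and no match while the host matches; 3-byte splicing at 0.1 s spacing raises zero per-packet alerts but is still caught by the reassembling sensor; the same splicing at 2 s spacing (longer than the sensor's 1 s timeout, shorter than the host's) resets the sensor before every segment, so only the host ever sees the whole request.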
Other Types of Evasion
- Encryption: the most effective evasion. Once the attacker has established an encrypted session with the victim, a network IDS that does not hold the keys cannot inspect the payload.
- If the attacker establishes an encrypted session with the target host over Secure Shell (SSH), SSL/TLS, or a VPN tunnel, the IDS does not analyze the packets carried inside it (unless it terminates or intercepts the session, or a host-based IDS inspects the decrypted data).
- The attacker can then send the malicious traffic over this secure channel, evading IDS inspection.
- Flooding: the attacker sends large volumes of unnecessary traffic to produce noise; if the IDS cannot keep up, it drops packets or buries the real alerts, and the true attack traffic may go undetected.