Evading Network IDS, Revisited

by Sumit Siddharth
Sept. 15, 2017, www.symantec.com

In this article we look at some of the most popular IDS evasion techniques. We start with attacks based on fragmentation, including those that exploit the different fragment reassembly timeouts of different operating systems. We then go a step further and look at how various operating systems reassemble overlapping fragments differently, and how an attacker can use those differences to evade an IDS; these are known as overlapping-fragment attacks. The remainder of the article covers attacks based on the TTL field. Finally, we turn to the widely used Snort NIDS, describe how Snort handles each of these attacks, and explain which configuration parameters are involved in stopping such evasions.

Steven Ulm 8 months ago

I really admire the work of Symantec in Cyber Security. I am sure this won't represent a challenge for them! :)