Getting Past an IDS

To get attack data past an IDS without being detected, an attacker needs to study how IDSs work and identify the weaknesses of each IDS component. Every IDS relies on a sniffer and a signature analysis engine. The easiest way to bypass them is to send encrypted data, which is decrypted only at the attack endpoint. What more can a Web attacker ask for than SSL! Sending Web attacks over SSL renders almost all network IDSs useless.

The other way of fooling the IDS packet sniffer is to send data in out-of-sequence fragments. If fragments arrive out of sequence, the IDS has to spend time reassembling the entire sequence before it can pass the data to the signature analysis engine. Programs such as fragrouter (http://packetstormsecurity.org/UNIX/IDS/fragrouter-1.6.tar.gz) can be used to fragment attack data and send them out of sequence to the target system. Most IDSs now perform fragment reassembly and avoid this problem quite effectively.

The final, and at times most effective, way of defeating an IDS is to generate attack strings that confuse the signature analysis engine. A few buffer overflow exploits are written in polymorphic shellcode so that no two shellcode strings are the same. Polymorphic shellcode may seem like rocket science, but in the Web hacking universe the signature analysis engine can be fooled far more easily. The technique lies in the attacker's ability to rewrite URLs and HTTP requests so that they end up looking different but do the same thing. We cover these techniques in detail as we go along.
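As an added example, not taken from the book, the following Python shows why a signature engine has to canonicalize a request before matching: one traversal request rewritten in several equivalent forms slips past literal substring matching but is caught once percent-decoding, case folding and slash normalization are applied. The signatures and sample paths are constructed for illustration.

```python
"""Signature matching on raw versus canonicalized HTTP request paths."""
import re
from urllib.parse import unquote

# Constructed sample signatures a simple IDS might carry, matched as plain substrings.
SIGNATURES = ("../", "/etc/passwd", "<script")


def canonicalize_path(path: str, max_rounds: int = 5) -> str:
    """Reduce a request path to the form a typical web server would act on.

    Steps: repeated percent-decoding (catches double encoding such as %252e),
    backslash to slash, case folding, and collapsing '//' and '/./'.
    Dot-dot segments are deliberately left in place so traversal signatures fire.
    """
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/").lower()
    decoded = re.sub(r"/+", "/", decoded)              # '//'  -> '/'
    decoded = re.sub(r"(?:/\.)+(?=/)", "", decoded)    # '/./' -> '/'
    return decoded


def raw_matches(path: str) -> list:
    """What a naive engine sees: literal substring search on the wire form."""
    return [s for s in SIGNATURES if s in path]


def canonical_matches(path: str) -> list:
    """The same signatures applied after canonicalization."""
    canon = canonicalize_path(path)
    return [s for s in SIGNATURES if s in canon]


# Constructed request paths; each is a rewriting of the same traversal attempt.
SAMPLE_PATHS = [
    "/cgi-bin/../../etc/passwd",                        # plain form
    "/cgi-bin/..%2f..%2fetc/passwd",                    # slashes percent-encoded
    "/cgi-bin/%252e%252e%252f%252e%252e%252fetc/passwd",  # double-encoded
    "/cgi-bin/..\\..\\ETC\\Passwd",                     # backslashes, mixed case
    "/cgi-bin/./.%2e/./.%2e/etc//passwd",               # '/./' and '//' padding
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r}\n  raw: {raw_matches(p)}\n  canonical: {canonical_matches(p)}")
```

Only the first sample matches in raw form; every sample matches both traversal signatures after canonicalization.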

Source: Web Hacking: Attacks and Defense (ISBN 0201761769), Year: 2005, Pages: 156