To help you plan your security strategy, this section shows how attackers exploit weaknesses in IDSs.
Fragmentation, or packet splitting, is the most common attack against IDSs. By splitting packets into pieces small enough that no single fragment contains a complete signature, attackers can often fool an IDS that inspects packets one at a time. A stateful IDS can reassemble fragmented packets before analysis, but as throughput increases, reassembly consumes more resources and becomes less accurate. Reassembly is also only as good as its fidelity to the target: when fragments overlap, the IDS must resolve the overlap the same way the destination host does, or it will inspect a different stream from the one the host actually receives.
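The two failure modes above, as an added example that is not part of the original text: a per-packet matcher misses a signature split across fragments, a reassembling matcher recovers it, and two fragments that overlap with different bytes produce different streams depending on which overlap policy the reassembler follows. The fragments are constructed inline as (offset, data) pairs, with IP header handling omitted; the signature string and request are assumptions for the example.

```python
"""Fragment-evasion demo (added example, not from the original text).

Fragments are modelled as (offset, payload) pairs; real IP headers are
omitted.  The request and signature are constructed for illustration.
"""

SIGNATURE = b"/cgi-bin/phf"


def match_per_fragment(fragments):
    """Naive IDS: inspect each fragment's payload on its own."""
    return any(SIGNATURE in data for _offset, data in fragments)


def reassemble(fragments, policy="first"):
    """Rebuild the datagram payload from (offset, data) fragments.

    policy="first": bytes from the earlier fragment win on overlap.
    policy="last":  a later fragment overwrites earlier bytes.
    Different TCP/IP stacks make different choices, so an IDS has to use
    the policy of the host it protects or it inspects the wrong stream.
    """
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    written = bytearray(total)          # 1 where a byte has already been set
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = b
                written[pos] = 1
    return bytes(buf)


def match_reassembled(fragments, policy="first"):
    """Stateful IDS: reassemble first, then match."""
    return SIGNATURE in reassemble(fragments, policy)


# Constructed request used for both attacks below.
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"
_phf = REQUEST.index(b"phf")

# Attack 1: cut the request inside "phf" so neither fragment holds the
# whole signature.
split_at = _phf + 1
SPLIT_FRAGMENTS = [(0, REQUEST[:split_at]), (split_at, REQUEST[split_at:])]

# Attack 2 (insertion/overlap): fragment B overlaps fragment A's tail and
# rewrites "phf" as "xyz".  Whether the target runs phf depends on which
# fragment its stack prefers, so an IDS using the other policy is blind.
frag_a = (0, REQUEST[:_phf + 3])                    # ends with ".../phf"
frag_b = (_phf, b"xyz" + REQUEST[_phf + 3:])        # starts at "phf"
OVERLAP_FRAGMENTS = [frag_a, frag_b]


if __name__ == "__main__":
    print("per-fragment match on split request:", match_per_fragment(SPLIT_FRAGMENTS))
    print("reassembled match on split request:", match_reassembled(SPLIT_FRAGMENTS))
    for pol in ("first", "last"):
        print(f"overlap, policy={pol}:", match_reassembled(OVERLAP_FRAGMENTS, pol))
```

The overlap case is the important one for a practitioner: whichever policy the IDS picks, an attacker who knows the target's stack can choose the other, so the IDS needs per-host (or at least per-OS) reassembly profiles rather than one global rule.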
In addition to fragmenting data, it is also possible to spoof the TCP sequence number that the IDS sees. For example, by sending a SYN packet with a forged sequence number after the connection is already established, an attacker can desynchronize the IDS from the host. The host drops the unexpected SYN, because a SYN on an established connection is invalid, whereas a naive IDS might reset its tracking to the new sequence number. The IDS then ignores the true data stream, because it is waiting for sequence numbers that will never arrive. Sending a RST packet whose addresses and sequence number correspond to the forged SYN can then close this bogus connection in the IDS's state table while the real connection carries on. The check a practitioner wants is that the IDS change state only on a SYN the host actually answers, and honor a RST only when it falls inside the window of the connection it is tracking.
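The desynchronization above, as an added toy model that is not part of the original text: three observers (the host, a naive IDS, and a careful IDS) watch the same segments, which are constructed inline as plain tuples with no real sockets. The initial sequence number and the forged values are assumptions chosen for the example; the careful IDS follows the rule of ignoring a SYN that arrives on an established connection.

```python
"""Post-connection SYN desync (added example, not from the original text).

Segments are (flags, seq, data) tuples; there is no real TCP stack.
The Host models a peer that drops a SYN on an established connection and
honours a RST only at the sequence number it expects.
"""

from collections import namedtuple

Segment = namedtuple("Segment", "flags seq data")   # flags is a set of str


class Host:
    """Accepts only in-order data on an established connection."""

    def __init__(self, isn):
        self.expected = isn + 1      # next byte the peer should send
        self.received = b""
        self.closed = False

    def handle(self, seg):
        if self.closed:
            return "closed"
        if "SYN" in seg.flags:
            return "dropped"         # SYN after establishment is invalid
        if "RST" in seg.flags:
            if seg.seq == self.expected:     # only an in-window RST counts
                self.closed = True
                return "closed"
            return "dropped"
        if seg.seq != self.expected:
            return "out-of-order"
        self.received += seg.data
        self.expected += len(seg.data)
        return "accepted"


class NaiveIDS(Host):
    """Same tracking as the host, but re-homes on any SYN it sees."""

    def handle(self, seg):
        if "SYN" in seg.flags:
            self.expected = seg.seq + 1      # the mistake: trusts the SYN
            return "resynced"
        return super().handle(seg)


class CarefulIDS(Host):
    """Ignores a SYN on an established connection, as the host does."""

    def handle(self, seg):
        if "SYN" in seg.flags:
            return "ignored"
        return super().handle(seg)


def run_attack(isn=1000, forged_seq=999_999):
    """Replay the forged SYN, a matching forged RST, then the real data.

    Returns what each observer believes the client sent.
    """
    host, naive, careful = Host(isn), NaiveIDS(isn), CarefulIDS(isn)
    stream = [
        Segment({"SYN"}, forged_seq, b""),                 # forged SYN
        Segment({"RST"}, forged_seq + 1, b""),             # forged RST
        Segment({"PSH"}, isn + 1, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
    ]
    for seg in stream:
        for observer in (host, naive, careful):
            observer.handle(seg)
    return {"host": host.received, "naive": naive.received,
            "careful": careful.received}


if __name__ == "__main__":
    for who, data in run_attack().items():
        print(f"{who:8s} saw: {data!r}")
```

The naive IDS ends up with an empty stream (and, after the forged RST, no connection at all) while the host and the careful IDS both see the phf request.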
Whisker (available from http://www.wiretrip.net) is a tool for attacking Web servers that sneaks carefully deformed HTTP requests past the IDS. For example, a typical cgi-bin request has the following standard HTTP format:
GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse Web traffic. If an IDS scans for the classic phf exploit by looking for the literal string /cgi-bin/phf, you can often fool it by adding extra data to the request that the server discards but the IDS does not. For example, you can issue a request of this form:
GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0
In this case, you request a subdirectory and then use /../ to move back up to the parent directory, so the server still executes the target script while the request no longer contains the literal string the IDS is matching on. This sneaking in the back door is referred to as directory traversal, one of the most well-known exploits of all time; note that here the /../ never leaves the document root, it merely changes the spelling of the path. The defense is for the IDS to normalize the URL the way the server will (decode percent-escapes, collapse repeated slashes and ./ segments, resolve /../) before applying its signatures.
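As an added example that is not part of the original text or of whisker's code: a literal-string rule next to one that normalizes the request path before matching, run over constructed requests that use the obfuscations described above plus percent-encoding and doubled slashes. A second function separates this evasion from a real document-root escape. The target string, the sample requests, and the assumption that the target server is case-insensitive are all choices made for the example.

```python
"""Literal vs normalized HTTP signature matching (added example).

The requests below are constructed; the target string is an assumption.
"""

import posixpath
import re
from urllib.parse import unquote

TARGET = "/cgi-bin/phf"


def request_line_path(request_line):
    """Extract the path from 'METHOD /path?query HTTP/x.y'."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def naive_match(request_line):
    """What a literal-string rule sees: the raw request line."""
    return TARGET in request_line


def normalise_path(path):
    """Canonicalize the path the way a document-root lookup would.

    Two unquote passes catch double encoding (%252e -> %2e -> .), repeated
    slashes are collapsed before normpath (which would keep a leading //),
    and the result is lower-cased on the assumption that the protected
    server is case-insensitive (this over-matches on a case-sensitive one).
    """
    decoded = unquote(unquote(path))
    collapsed = re.sub(r"/+", "/", decoded)
    normalised = posixpath.normpath(collapsed)
    if not normalised.startswith("/"):
        normalised = "/" + normalised
    return normalised.lower()


def normalised_match(request_line):
    """Rule applied after normalization."""
    return normalise_path(request_line_path(request_line)) == TARGET


def escapes_document_root(path):
    """True when /../ climbs above the root (a genuine traversal attack),
    False for reverse traversal that stays inside it."""
    depth = 0
    for comp in re.sub(r"/+", "/", unquote(unquote(path))).split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


# Constructed obfuscated requests: every one reaches /cgi-bin/phf.
OBFUSCATED = [
    "GET /cgi-bin/subdirectory/../phf HTTP/1.0",   # reverse traversal
    "GET /cgi-bin/./phf HTTP/1.0",                 # self-reference
    "GET //cgi-bin//phf HTTP/1.0",                 # doubled slashes
    "GET /cgi-bin/%70hf HTTP/1.0",                 # percent-encoding
    "GET /cgi-bin/x/%252e%252e/phf HTTP/1.0",      # double encoding
    "GET /CGI-BIN/PHF HTTP/1.0",                   # case (see assumption)
]


if __name__ == "__main__":
    for line in OBFUSCATED:
        print(f"{line:45s} naive={naive_match(line)!s:5s} "
              f"normalised={normalised_match(line)}")
```

Every request in the list evades the literal rule and is caught after normalization; the same normalizer is what lets the IDS tell a harmless /cgi-bin/subdirectory/../phf apart from a /cgi-bin/../../etc/passwd that actually leaves the document root.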
Whisker automates a variety of such anti-IDS attacks, which is why it is known as an anti-IDS (AIDS) tool. The project has since split in two: whisker, the scanner, and libwhisker, the Perl module on which whisker is built; both have been updated regularly.