Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are vital components of network security. These systems monitor network traffic for suspicious activities, issuing alerts or automatically taking action to prevent breaches. However, attackers have devised various techniques to evade these security measures. In this blog, we will explore ten common techniques used to bypass IDS/IPS systems, complete with detailed explanations and practical examples.

1. Packet Fragmentation

Packet fragmentation splits the IP datagram carrying a probe into several fragments so that the TCP or UDP header itself is spread across them. A sensor that inspects fragments one at a time never sees a complete header (an 8-byte first fragment ends inside the sequence number, before the flags) and cannot match port rules or signatures against it. Modern IDS/IPS engines reassemble fragments before inspection, so fragmentation on its own rarely evades them; what remains exploitable are differences between how the sensor and the target reassemble (overlapping fragments, timeouts, fragment limits), which let an attacker make the two see different data.

SYN Scan Using IP Fragments

Nmap's -f option fragments the raw packets of a scan so that 8 bytes of the transport header travel in each fragment; -ff raises that to 16 bytes, and --mtu sets any other multiple of 8. Only raw-packet scans such as the SYN scan (-sS) support this; a connect scan (-sT) does not, and fragmenting requires root or raw-socket privileges. Here is a fragmented SYN scan with Nmap:

nmap -sS -f 192.168.1.100

This sends each 20-byte TCP SYN to 192.168.1.100 as three IP fragments (8, 8 and 4 bytes of TCP header), so a sensor that does not defragment never sees the SYN flag or a complete port pair. Some operating systems and drivers silently reassemble or refuse to send fragments, so check with a packet capture that fragments actually left the interface.
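What a sensor sees with and without defragmentation, as an added Python example (it is not part of the original post and not Nmap's code): it hand-builds a TCP SYN for a constructed 10.0.0.5 to 192.168.1.100 flow, splits it into 8-byte fragments the way nmap -f does, and runs an IDS-style reassembler over them. The addresses, ports and IP ID are assumptions chosen for the example; nothing is transmitted.

```python
import struct

SRC, DST = "10.0.0.5", "192.168.1.100"   # constructed addresses; nothing is transmitted

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_tcp_syn(sport=40000, dport=22, seq=0x1000):
    """Minimal 20-byte TCP header with only SYN set (flags byte 0x02). The checksum
    field is left 0 because these bytes never go on the wire."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 1024, 0, 0)

def build_ipv4(payload, ident, frag_offset=0, more_fragments=False, src=SRC, dst=DST, proto=6):
    """20-byte IPv4 header in front of `payload`. The fragment offset is stored in 8-byte
    units; MF is bit 13 of the flags/offset word. The IP checksum is left 0 as well."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload

def fragment(ident, transport, frag_size=8):
    """Split the transport header+data into IP fragments carrying `frag_size` bytes each.
    8 is what nmap -f does; -ff uses 16 and --mtu any other multiple of 8."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(transport), frag_size):
        chunk = transport[off:off + frag_size]
        frags.append(build_ipv4(chunk, ident, frag_offset=off,
                                more_fragments=off + frag_size < len(transport)))
    return frags

def tcp_flags_no_reassembly(packet):
    """What a sensor that inspects each fragment on its own sees. The TCP flags byte sits at
    transport offset 13, so an 8-byte first fragment (ports + sequence number) lacks it."""
    ihl = (packet[0] & 0x0F) * 4
    transport = packet[ihl:]
    return transport[13] if len(transport) > 13 else None

def reassemble(fragments):
    """IDS-style defragmentation: group by (src, dst, id, proto), order by offset, and return
    the transport payload of each chain that is contiguous and ends with MF clear."""
    chains = {}
    for pkt in fragments:
        ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        offset, mf = (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000)
        chains.setdefault((src, dst, ident, proto), []).append((offset, mf, pkt[ihl:total_len]))
    results = {}
    for key, parts in chains.items():
        buf, expect, complete = b"", 0, False
        for offset, mf, data in sorted(parts):
            if offset != expect:      # gap or overlap: a real engine would hold or time it out
                complete = False
                break
            buf += data
            expect += len(data)
            complete = not mf
        if complete:
            results[key] = buf
    return results

def tcp_flags_after_reassembly(fragments):
    """The same question, answered by a sensor that defragments first."""
    return [payload[13] for payload in reassemble(fragments).values()]

if __name__ == "__main__":
    frags = fragment(0xBEEF, build_tcp_syn())
    print("fragment sizes:", [len(f) for f in frags])                         # [28, 28, 24]
    print("flags seen without reassembly:", tcp_flags_no_reassembly(frags[0]))  # None
    print("flags seen after reassembly:", tcp_flags_after_reassembly(frags))    # [2] == SYN
```

The reassembler deliberately refuses gaps and overlaps; the real weakness in fielded sensors is not the absence of reassembly but a reassembly policy (which overlapping bytes win, how long to wait) that differs from the target's, which is what fragment-overlap evasions exploit.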

2. Source Routing

Source routing lets the sender dictate, through the loose (LSRR) or strict (SSRR) source route IP options, which routers a packet passes through. An attacker who knows the topology can steer packets along a path that avoids the sensor or crosses a less restrictive filter. In practice this is mostly of historical and lab interest: routers and hosts drop source-routed packets by default (Linux: net.ipv4.conf.all.accept_source_route = 0; Cisco IOS: no ip source-route), and a packet carrying an LSRR or SSRR option is itself an anomaly that IDS decoders flag.

Source Routing with IP Options

The route is embedded as an IP option: type byte (0x83 for LSRR, 0x89 for SSRR), length byte, pointer byte, then the 4-byte hop addresses, at most nine of them. Nmap adds it with --ip-options, using L for loose and S for strict source routing:

nmap -sS --ip-options "L 10.0.0.1 10.0.0.2 10.0.0.3" 192.168.1.100

This asks that the probes to 192.168.1.100 visit 10.0.0.1, 10.0.0.2 and 10.0.0.3 on the way. hping3 exposes the same options as --lsrr and --ssrr (it has no --source-route option); check hping3 --help for the hop-list syntax of your version. Verify with a capture on the target side whether the option survives the path, since the first router that ignores source routing will typically drop the packet.
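How the loose source route is actually encoded, and the decoder check a sensor applies to it, as an added Python example (not from the post and not Nmap's or hping3's code): it builds an IPv4 header carrying an LSRR option for the hop list above and parses the option list back out the way an IDS decoder would before alerting. The addresses are the constructed ones from this section and the IP ID is arbitrary; nothing is sent.

```python
import struct

IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89   # copied flag set, class 0, option numbers 3 and 9

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def source_route_option(hops, strict=False):
    """RFC 791 source route option: type, length, pointer (starts at 4, i.e. the first hop),
    then the 4-byte hop entries. Padded with zero (EOL) bytes to a 32-bit boundary."""
    body = b"".join(ip_to_bytes(h) for h in hops)
    opt = struct.pack("!BBB", IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4) + body
    return opt + b"\x00" * (-len(opt) % 4)

def build_ipv4_with_options(src, dst, options, payload=b"", proto=6):
    """20-byte IPv4 header plus `options`; IHL grows by one 32-bit word per 4 option bytes.
    Checksum left 0 because nothing is transmitted."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, 0,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + options + payload

def source_route_hops(packet):
    """Decoder-style check: walk the option list and return ("LSRR"|"SSRR", [hops]) for a
    source route option, or None. A sensor would raise an alert on any hit."""
    ihl = (packet[0] & 0x0F) * 4
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                    # End of Option List
            break
        if t == 1:                    # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            route = opts[i + 3:i + length]
            usable = len(route) - len(route) % 4
            return ("LSRR" if t == IPOPT_LSRR else "SSRR",
                    [bytes_to_ip(route[j:j + 4]) for j in range(0, usable, 4)])
        i += length
    return None

if __name__ == "__main__":
    pkt = build_ipv4_with_options("10.0.0.5", "192.168.1.100",
                                  source_route_option(["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
    print(source_route_hops(pkt))     # ('LSRR', ['10.0.0.1', '10.0.0.2', '10.0.0.3'])
```

The length and bounds checks are not decoration: malformed option lengths are a classic way to crash or desynchronise a naive decoder, and a sensor must reject them rather than skip the packet.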

3. Source Port Manipulation

Source port manipulation sets the source port of the probes to one that stateless packet filters commonly allow through, such as 53 (DNS) or 80 (HTTP): a rule written as "allow anything from UDP source port 53" will pass a scan that uses that source port. This is a firewall evasion rather than an IDS one, and it only beats stateless filters; a stateful firewall tracks connections and does not care what the source port is.

NMAP Source Port Manipulation

NMAP sets the source port with -g or --source-port. Only raw-packet scans (-sS, -sU, -sA and similar) honour it; a connect scan (-sT) and the version-detection and NSE phases use the operating system's socket stack, which picks its own ephemeral port.

nmap -g 80 192.168.1.100

This sends the SYN probes from source port 80. The classic DNS variant is nmap -sU -g 53 192.168.1.100. Confirm in a capture that the port was actually applied, and expect no effect against stateful devices.

4. IP Address Decoy

An IP decoy scan sends each probe not only from the attacker's address but also, spoofed, from a set of decoy addresses, so the target and its IDS log many apparent sources and cannot tell which one is real. The decoys should be live hosts, otherwise the target sees what looks like a SYN flood from unreachable addresses, and decoys only work with raw-packet scans (not with connect scans or version detection).

Example: NMAP Decoy Scan

NMAP's -D option takes a comma-separated list of decoys; RND:n picks n random ones, and ME marks where the real address goes in the order (placing ME sixth or later hides it from detectors that only record the first few sources):

nmap -D RND:10 192.168.1.100

This scans 192.168.1.100 from 10 random decoy addresses plus the real one, so the sensor sees eleven sources for every probe. The real address is still among them, an upstream network that records outbound traffic can tell which one actually belongs to the scanner, and eleven hosts probing identical ports at the same instant is a distinctive enough pattern that decoy scans often trigger their own alert.

5. IP Address Spoofing

IP address spoofing forges the source address so that packets appear to come from another host, typically one the target trusts or one whose traffic is not scrutinised. Because replies go to the forged address, the attacker is blind unless they can observe that host (the idle scan, nmap -sI, is the classic way to turn this into a usable scan). Spoofing also requires raw sockets and an upstream network that does not apply egress filtering (BCP 38).

Hping3 IP Address Spoofing

Hping3 sets the source address with -a (--spoof); -S sends TCP SYNs:

hping3 -a 192.168.1.50 -S 192.168.1.100

This sends SYNs to 192.168.1.100 with the forged source 192.168.1.50. Any SYN/ACK goes to 192.168.1.50, which will answer with an RST because it never sent a SYN, so hping3's own output shows nothing useful; capture on the target or on 192.168.1.50 to observe the effect. Source-based allow-lists are bypassed, but a sensor that knows the real MAC address or typical TTL of 192.168.1.50 can still spot the forgery.

6. Customizing Packets

Attackers can craft packets field by field, or append payloads to Nmap's probes, to sidestep signatures that expect a particular packet shape (an empty SYN, a default window size, a known probe payload).

6.1: Creating Custom Packets with Packet Crafting Tools

Tools like Colasoft Packet Builder let you compose a packet byte by byte (addresses, TTL, TCP flags, window, options, payload) and send it. The aim is a probe that matches no stock Nmap or hping3 fingerprint, for example a SYN with a non-default window and an appended payload. With Colasoft:

  • Open Colasoft Packet Builder.
  • Create a new packet with the desired TCP flags and payload.
  • Send the packet to the target 192.168.1.100 and capture the reply with a packet sniffer.

6.2: Appending Custom Binary Data

NMAP's --data option takes a hexadecimal string and appends it as payload to the probes it sends (it is mutually exclusive with --data-string and --data-length):

nmap --data 0xdeadbeef 192.168.1.100

This appends the four bytes de ad be ef to each probe sent to 192.168.1.100. A payload on a SYN probe evades signatures keyed on empty probes, but it is itself unusual and can be flagged by a stream engine that checks for data on SYN.

6.3: Appending Custom Strings

NMAP allows appending custom strings as payloads:

nmap --data-string "Scan by SecurityOps" 192.168.1.100

This command adds the string "Scan by SecurityOps" to the packet payload.

6.4: Appending Random Data

Random data can be appended to packets using NMAP:

nmap --data-length 100 192.168.1.100

This appends 100 random bytes to most of the probes sent to 192.168.1.100. The content matches nothing, but the size does: Nmap's default probes are header-only, which makes them easy to fingerprint, and padding changes that.

7. Randomizing the Order of Host Scans

Nmap already probes ports in random order; --randomize-hosts additionally shuffles the order in which target hosts are scanned (in groups of up to 16384), so a sensor looking for one source walking sequentially through a range sees no pattern. It does nothing against threshold detectors that simply count how many distinct hosts or ports one source touched within a time window; against those, what matters is timing (-T, --scan-delay, --max-rate) and spreading the scan over more time than the sensor's window.

NMAP Randomizing Hosts

NMAP can randomize the order of host scans:

nmap --randomize-hosts 192.168.1.0/24

This command shuffles the order of hosts in the 192.168.1.0/24 subnet, making the scan less predictable.
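Why randomisation alone is not enough, as an added Python example (not from the post): two toy detectors run over constructed flow records for a sweep of 192.168.1.0/24, one keyed on ascending address runs and one counting distinct hosts per source in a sliding window. The permutation used as a stand-in for --randomize-hosts is a fixed stride so the run is reproducible, the 60-second window and 20-host threshold are illustrative, and the scanner address 10.0.0.5 is assumed.

```python
from collections import defaultdict, deque

SCANNER = "10.0.0.5"   # constructed scanner address

def make_sweep(n_hosts=50, interval=0.1, permute=False, prefix="192.168.1"):
    """Constructed flow records (time_s, src, dst) for a sweep of the first n_hosts of a /24.
    permute=True visits hosts with a fixed stride of 17 instead of ascending order: a
    deterministic stand-in for --randomize-hosts that never yields an ascending run."""
    order = [(i * 17) % n_hosts + 1 for i in range(n_hosts)] if permute else range(1, n_hosts + 1)
    return [(i * interval, SCANNER, f"{prefix}.{h}") for i, h in enumerate(order)]

def sequential_sweep_alerts(records, run_length=5):
    """Order-sensitive detector: alerts on a source that probes run_length consecutive
    addresses in ascending order. --randomize-hosts defeats exactly this heuristic."""
    last, run, alerts = {}, defaultdict(int), set()
    for _, src, dst in sorted(records):
        host = int(dst.rsplit(".", 1)[1])
        run[src] = run[src] + 1 if last.get(src) == host - 1 else 1
        last[src] = host
        if run[src] >= run_length:
            alerts.add(src)
    return alerts

def windowed_sweep_alerts(records, window=60.0, threshold=20):
    """Order-insensitive threshold detector: alerts when one source has touched at least
    `threshold` distinct destination hosts within any `window` seconds."""
    recent, alerts = defaultdict(deque), set()
    for t, src, dst in sorted(records):
        q = recent[src]
        q.append((t, dst))
        while q[0][0] < t - window:       # drop records that fell out of the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            alerts.add(src)
    return alerts

def evaluate():
    """Both detectors over three constructed sweeps: (sequential fired, windowed fired)."""
    cases = {
        "fast, ascending": make_sweep(interval=0.1, permute=False),
        "fast, permuted":  make_sweep(interval=0.1, permute=True),
        "slow, permuted":  make_sweep(interval=5.0, permute=True),   # like --scan-delay 5s
    }
    return {name: (SCANNER in sequential_sweep_alerts(recs), SCANNER in windowed_sweep_alerts(recs))
            for name, recs in cases.items()}

if __name__ == "__main__":
    for name, (seq_hit, win_hit) in evaluate().items():
        print(f"{name:16} sequential={seq_hit!s:5} windowed={win_hit}")
```

The permuted fast sweep slips past the order-based detector but not the windowed count; only stretching the interval until fewer than 20 hosts fall inside any 60-second window (the slow case: 13 at most) evades the count, which is the trade-off --scan-delay buys and why sensor windows should be longer than an attacker is willing to wait.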

8. Sending Bad Checksums

Every TCP and UDP segment carries a checksum, and every real host stack drops segments whose checksum is wrong. A sensor that skips checksum validation therefore inspects, alerts on, or adds to its stream reassembly data that the end host never processed. This is the basis of insertion attacks: an attacker interleaves bad-checksum segments carrying junk or decoy content with real ones so that the sensor's view of the stream diverges from the target's.

NMAP's --badsum sends probes with bogus TCP/UDP/SCTP checksums:

nmap --badsum 192.168.1.100

Since a proper host stack drops these probes, any response is coming from something else in the path, typically a firewall or IPS that answers on the host's behalf without validating checksums. Compare the result with a normal scan: a device that responds to bad-checksum probes is one you can feed data the real host will never see.
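A single example covering sections 6 and 8 together, added here (it is not the post's own code and not how Nmap implements these options): it builds a SYN with an appended payload as --data, --data-string and --data-length do, computes the TCP checksum over the pseudo-header, produces the --badsum variant, and then shows the end-host check that drops it next to a sensor that does or does not validate before matching a signature. The addresses, ports and the "Scan by SecurityOps" signature are constructed; nothing is transmitted.

```python
import os
import struct

SRC, DST = "10.0.0.5", "192.168.1.100"   # constructed addresses; nothing is transmitted

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def internet_checksum(data):
    """RFC 1071 ones'-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src, dst, segment):
    """TCP checksum: pseudo-header (src, dst, zero, protocol 6, TCP length) plus the segment."""
    pseudo = struct.pack("!4s4sBBH", ip_to_bytes(src), ip_to_bytes(dst), 0, 6, len(segment))
    return internet_checksum(pseudo + segment)

def build_syn(src, dst, sport, dport, payload=b"", bad_checksum=False):
    """20-byte TCP SYN with an optional payload appended, as --data / --data-string /
    --data-length do. bad_checksum=True corrupts the checksum field, as --badsum does."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, (5 << 12) | 0x02, 1024, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF           # any value other than the correct one
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload   # checksum is bytes 16-17

def host_accepts(src, dst, segment):
    """End-host check: summing the segment with its checksum field in place yields 0 when
    the checksum is correct. Anything else is dropped before the payload is ever read."""
    return tcp_checksum(src, dst, segment) == 0

def sensor_verdict(src, dst, segment, validate_checksums, signature=b"Scan by SecurityOps"):
    """Toy sensor: with validation it mirrors the host and discards bad segments; without it,
    it matches the signature against bytes the host will never process (an insertion)."""
    if validate_checksums and not host_accepts(src, dst, segment):
        return "drop"
    return "alert" if signature in segment else "pass"

if __name__ == "__main__":
    good = build_syn(SRC, DST, 40000, 80, b"Scan by SecurityOps")                 # --data-string
    bad = build_syn(SRC, DST, 40000, 80, b"Scan by SecurityOps", bad_checksum=True)  # --badsum
    hex_payload = build_syn(SRC, DST, 40000, 80, bytes.fromhex("deadbeef"))        # --data 0xdeadbeef
    padded = build_syn(SRC, DST, 40000, 80, os.urandom(100))                       # --data-length 100
    print("host accepts good/bad:", host_accepts(SRC, DST, good), host_accepts(SRC, DST, bad))
    for validate in (True, False):
        print(f"sensor validating={validate}, bad-checksum segment:", sensor_verdict(SRC, DST, bad, validate))
```

The non-validating sensor raises an alert on a segment the host dropped; the same blind spot lets an attacker push bad-checksum bytes into the sensor's stream reassembly so that its reconstructed session no longer matches what the target saw. Checksum validation is cheap and should be on in any sensor that reassembles streams.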

9. Proxy Servers

Proxy servers act as intermediaries: the target and its sensor see the proxy's address, not the attacker's. A proxy hides attribution but does not change what the IDS sees on the wire, and it only carries the protocols the proxy speaks (a SOCKS proxy forwards TCP connections, not raw SYN probes, UDP or ICMP).

Using a Proxy Server

Tor exposes a SOCKS proxy on 127.0.0.1:9050 by default, and NMAP has a --proxies option:

  • Start the Tor service on your machine.
  • Point NMAP at the Tor proxy:
nmap --proxies socks4://127.0.0.1:9050 192.168.1.100

This does less than it appears to. --proxies is implemented in the library Nmap uses for version detection and NSE scripts, so only that traffic goes through Tor; host discovery, the port scan itself and OS detection ignore the proxy and leave directly from the real address. To scan through a SOCKS proxy, run a connect scan under proxychains, which intercepts the connect() calls, and disable host discovery because ICMP and UDP pings cannot traverse Tor:

proxychains nmap -sT -Pn -p 22,80,443 203.0.113.10

Tor exit relays also do not route to private addresses, so 192.168.1.100 is unreachable through it; 203.0.113.10 above is a documentation address standing in for an Internet-facing target. Confirm with a capture on the physical interface that nothing but the proxy connection leaves it.

10. Anonymizers

Anonymizers such as commercial VPN services do the same job as a proxy for all of a host's traffic: the target sees the VPN exit address. Like proxies they protect attribution, not detection; the IDS still sees every probe, just from the VPN's address, and many rule sets tag traffic from known VPN exit ranges.

A VPN client such as CyberGhost is used as follows:

  1. Connect to a VPN server with the client (on Linux the command-line client is invoked as cyberghostvpn).

  2. Run your scans while the tunnel is up, so that the real IP address is never the packet source.

Check for leaks before scanning: confirm that the default route and DNS resolution go through the tunnel, for example by capturing on the physical interface while sending a test probe. An IDS that sees the real address even once has the attribution the VPN was meant to hide.

Evasion techniques keep evolving, and most of the ones above double as tests of how a sensor is deployed: whether it defragments, reassembles streams and validates checksums, whether it alerts on IP options and decoy bursts, and whether its scan thresholds cover slow scans. Understanding the techniques is what lets defenders configure and verify those controls rather than assume them.