CEH

(Jeff_L) #1

384 Chapter 16 ■ Evading IDSs, Firewalls, and Honeypots


IDS. By using enumeration and system hacking methods it is possible for an attacker to identify which resources are under load or are vital to the proper functioning of the IDS. Once those resources are identified, the attacker can clog up or consume the resources to make the IDS not function properly or become occupied by useless traffic.

Obfuscating

Because an IDS can rely on being able to observe or read information, the process of obscuring or obfuscating code can be an effective evasion technique. This technique relies on manipulating information in such a way that the IDS cannot comprehend or understand it but the target can. This can be accomplished via manual manipulation of code or through the use of an obfuscator. One example that has been successful against older IDSs is the use of Unicode. By changing standard code such as HTTP requests and responses to their Unicode equivalents, you can produce code that the web server understands but the IDS may not.

Crying Wolf

Remember the story from your childhood of the boy who cried wolf? The shepherd boy in the story cried wolf so many times as a joke that when the wolf was actually attacking his flock no one believed him and his flock got eaten. The moral of the story is that liars are rewarded with disbelief from others even when they tell the truth. How does this apply to our IDS discussion? Essentially the same way as the boy in the story: An attacker can target the IDS with an actual attack, causing it to react to the activity and alert the system owner. If done repeatedly, the owner of the system will see log files full of information that says an attack is happening, but no other evidence suggests the same. Eventually the system owner may start to ignore these warnings, or what they perceive to be false positives, and become lax in their observations. Thus an attacker can strike at their actual target in plain sight.

Session Splicing

The type of evasion technique known as session splicing is an IDS evasion technique that exploits how some types of IDSs don’t reassemble or rebuild sessions before analyzing traffic. Additionally, it is possible to fool some systems by fragmenting packets or tampering with the transmission of packets in such a way that the IDS cannot analyze them and instead forwards them to the target host.

Tampering with the fragmentation of a packet can be a tremendously effective way of evading an IDS. For example, adjusting the fragmentation so that it takes longer to reassemble the fragments than the IDS will wait can cause the fragments to be forwarded to a host. A second example would be to adjust the fragments such that when they are reassembled they overlap, causing problems for the IDS, which again may result in the fragments being forwarded on to the intended target.
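The overlapping-fragment case above comes down to a reassembly-policy mismatch: if the sensor resolves an overlap differently from the destination host, the two see different streams. The following is an added example (not from the CEH text or any IDS product) with constructed fragments and a constructed signature; it reassembles under two simplified policies and reports conflicting overlaps so a sensor can alert on the ambiguity instead of trusting one view.

```python
# Added example (not from the CEH text): overlap-aware fragment reassembly.
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the reassembled stream
    data: bytes

def reassemble(frags, policy):
    """Rebuild in arrival order. 'first' keeps bytes that arrived first for an
    overlap; 'last' lets later fragments overwrite. None if the stream has a gap."""
    buf = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos not in buf or policy == "last":
                buf[pos] = b
    if not buf:
        return b""
    if len(buf) != max(buf) + 1:      # some offset never arrived
        return None
    return bytes(buf[p] for p in range(max(buf) + 1))

def find_overlaps(frags):
    """[start, end) ranges where two fragments supplied different bytes for the
    same offset. Identical duplicate data is harmless and is not reported."""
    seen = {}
    for f in frags:
        for i, b in enumerate(f.data):
            seen.setdefault(f.offset + i, set()).add(b)
    ranges = []
    for pos in sorted(p for p, vals in seen.items() if len(vals) > 1):
        if ranges and ranges[-1][1] == pos:
            ranges[-1][1] = pos + 1
        else:
            ranges.append([pos, pos + 1])
    return [tuple(r) for r in ranges]

def inspect(frags, signature):
    """Match under both policies and note conflicts; alert if any value is True."""
    verdict = {}
    for policy in ("first", "last"):
        stream = reassemble(frags, policy)
        verdict[policy] = stream is not None and signature in stream
    verdict["conflicting_overlap"] = bool(find_overlaps(frags))
    return verdict

# Constructed sample: the later fragment overwrites offsets 5-8 on a 'last' host.
SAMPLE = [Fragment(0, b"GET /SAFE HTTP/1.0\r\n"), Fragment(5, b"EVIL")]
```

A sensor that only reassembles with the "first" policy never matches the signature here even though a "last" host executes it; the conflicting-overlap flag catches the evasion regardless of which policy the host uses.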