Hack Proofing Your Network, Second Edition

One of the laws of security is that all signature-based detection mechanisms can be bypassed. This is as true for intrusion detection system (IDS) signatures as it is for virus signatures. IDS systems, which have all the problems of a virus scanner, plus the job of modeling network state, must operate at several layers simultaneously, and they can be fooled at each of those layers.
This chapter covers techniques for evading IDSs, which include playing games at the packet level and at the application level, and morphing the machine code. Each of these techniques can be used individually, or in combination, to evade detection by an IDS.
In this chapter, we present several examples of how an attack might evade detection.
An IDS is quite simply the high-tech equivalent of a burglar alarm: a burglar alarm configured to monitor access points, hostile activities, and known intruders. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert will take place and will be logged for future reference. It is the makeup of this signature database that is the Achilles' heel of these systems.
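To make the signature-matching loop concrete, here is an added example (not code from the book) of a minimal signature-based detector for HTTP request lines. The signature database, the sample request lines, and the `normalize_path` helper are all constructed for this illustration. It shows the application-level point from the chapter introduction from the defender's side: the same signature applied to the raw request misses a request that is merely encoded or written differently, while applying it after a normalization step (percent-decoding until stable, collapsing repeated slashes, dropping `./` segments) recovers the match.

```python
import re
from urllib.parse import unquote

# Constructed, hypothetical signature database: (name, pattern applied to the request path).
# Real IDS rule sets are far larger; these entries exist only to drive the matching loop.
SIGNATURES = [
    ("cgi-bin test-cgi probe", re.compile(r"/cgi-bin/test-cgi", re.IGNORECASE)),
    ("htpasswd read attempt", re.compile(r"/\.htpasswd$", re.IGNORECASE)),
]


def request_path(request_line: str) -> str:
    """Extract the path from a 'METHOD PATH HTTP/x.y' request line; '' if malformed."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def normalize_path(path: str) -> str:
    """Canonicalize a request path before signature matching (hypothetical helper)."""
    prev = None
    while prev != path:            # decode until stable so double-encoding is resolved too
        prev = path
        path = unquote(path)
    path = re.sub(r"/+", "/", path)  # collapse repeated slashes
    while "/./" in path:             # drop self-referencing './' segments
        path = path.replace("/./", "/")
    return path


def match(path: str, normalize: bool) -> list:
    """Return the names of all signatures that fire on the path.

    normalize=False is the naive matcher that compares signatures against the raw bytes;
    normalize=True canonicalizes first, which is what a production IDS must do.
    """
    subject = normalize_path(path) if normalize else path
    return [name for name, pattern in SIGNATURES if pattern.search(subject)]


def detect(request_line: str, normalize: bool = True) -> list:
    """Run the signature database over one request line."""
    return match(request_path(request_line), normalize)


# Constructed sample traffic: one benign request, one plain probe, and the same probe
# written three different ways that a raw-byte signature does not recognise.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/test-cgi HTTP/1.0",
    "GET /cgi%2dbin/test-cgi HTTP/1.0",     # percent-encoded hyphen
    "GET /%2563gi-bin/test-cgi HTTP/1.0",   # double-encoded 'c'
    "GET /cgi-bin/./test-cgi HTTP/1.0",     # redundant './' segment
]


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request line to (naive_hits, normalized_hits) to show where the naive matcher misses."""
    return {r: (detect(r, normalize=False), detect(r, normalize=True)) for r in requests}


if __name__ == "__main__":
    for req, (naive, normalized) in compare().items():
        print(f"{req:40} naive={naive} normalized={normalized}")
```

Running the script lists, for each sample request, which signatures fire with and without normalization; only the plainly written probe is caught by the naive matcher, whereas the normalizing matcher flags all four variants and leaves the benign request alone. The design point is the one the chapter makes: a signature is only as good as the view of the data stream it is matched against, so the detector has to reconstruct the same canonical form the target application will act on.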
Attack signatures consist of several components used to uniquely describe an attack. An ideal signature would be one that is specific to the attack while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks,...