Most intrusion detection systems work on a signature basis. It's quite possible for the attacker to create a custom packet payload that won't match any of the signatures in the predefined database of the IDS. This way, the attacker can bypass the IDS and possibly compromise the remote system without creating any noisy alerts.
Following are some of the techniques used to evade and bypass an IDS.
Insertion attack :-
In an insertion attack, the attacker tries to confuse the IDS by sending invalid packets. The attacker crafts a malformed packet in such a way that the end system interprets the attack payload correctly but the IDS is unable to recognize the attack.
Denial of service :-
Many IDS systems use a centralized logging server to log all events and alerts. If the attackers know the IP address of this centralized logging server, they can launch a denial-of-service attack on that server so that the IDS won’t be able to log any more events.
Obfuscating and encoding :-
Obfuscating means converting normal readable text or code into something that is hard to read and interpret. This is often used for security and privacy reasons. Encoding is a similar way of converting plain text into a special format and is mainly used for web transmissions.
For example, if an attacker requests the URL http://example.com/php?id=<script>alert("XSS")</script>, the IDS might raise an alert since the request carries a Cross Site Scripting payload.
However, an attacker might choose to encode it using BASE64 format and convert it to aHR0cDovL2V4YW1wbGUuY29tL3BocD9pZD08c2NyaXB0PmFsZXJ0KCJYU1MiKTwvc2NyaXB0Pg== . Now the IDS might treat this as normal text and forward it ahead without raising an alarm.
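The defensive counterpart to the encoding trick above is normalisation before matching: the inspector peels URL-encoding and base64 off each parameter value (to a bounded depth) and runs the signatures over every layer. The following is an added example written for this page, not code from any IDS product; the signature patterns, the `GET` request lines and the parameter parsing are constructed for illustration, and the only page-supplied value is the base64 string, which the block recomputes from the example URL.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed signature set: the kind of patterns a reflected-XSS rule carries.
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"<script\b", r"javascript:", r"\bon\w+\s*=")]


def match_signatures(text):
    """Return the patterns that fire on a piece of text, in signature order."""
    return [s.pattern for s in SIGNATURES if s.search(text)]


def try_urldecode(value):
    decoded = unquote(value)
    return decoded if decoded != value else None


def try_base64(value):
    # Only attempt strings that look like one complete base64 token, and decode strictly,
    # so ordinary text is not mangled into garbage that a pattern could accidentally hit.
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_layers(value, max_depth=3):
    """Return the value plus every distinct decoding reachable by peeling up to
    max_depth layers of URL- or base64-encoding. The bound matters: without it a
    hostile input could keep the inspector busy decoding nested layers."""
    seen = {value}
    frontier = [value]
    for _ in range(max_depth):
        nxt = []
        for v in frontier:
            for cand in (try_urldecode(v), try_base64(v)):
                if cand is not None and cand not in seen:
                    seen.add(cand)
                    nxt.append(cand)
        frontier = nxt
    return seen


def query_values(request_line):
    """Extract the parameter values from a constructed 'GET <target> HTTP/1.1' line."""
    target = request_line.split(" ", 2)[1]
    query = target.partition("?")[2]
    return [pair.partition("=")[2] for pair in query.split("&") if pair]


def naive_inspect(request_line):
    """Signature match on the raw request only: the behaviour the evasion relies on."""
    return match_signatures(request_line)


def normalized_inspect(request_line):
    """Signature match on the raw request and on every decoded layer of every value."""
    hits = list(match_signatures(request_line))
    for value in query_values(request_line):
        for layer in decode_layers(value):
            for h in match_signatures(layer):
                if h not in hits:
                    hits.append(h)
    return hits


# Constructed sample requests (not captured traffic). The base64 token is recomputed
# from the page's example URL rather than pasted, so the two can be checked against each other.
PLAIN_URL = 'http://example.com/php?id=<script>alert("XSS")</script>'
B64 = base64.b64encode(PLAIN_URL.encode()).decode()
PLAIN_REQ = 'GET /php?id=<script>alert("XSS")</script> HTTP/1.1'
B64_REQ = f"GET /php?id={B64} HTTP/1.1"
URLENC_REQ = "GET /php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"

if __name__ == "__main__":
    for req in (PLAIN_REQ, B64_REQ, URLENC_REQ):
        print(f"{req[:48]:<50} raw={naive_inspect(req)} normalized={normalized_inspect(req)}")
```

The raw matcher fires only on the plain request; the normalising matcher also fires on the base64 and percent-encoded variants because it decodes each parameter value before matching. Production engines apply the same idea in their protocol decoders (for instance, Snort's HTTP preprocessor URL-decodes request URIs before rules are evaluated), which is why rule authors should match on the normalised buffer rather than on raw packet bytes.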
Session splicing and fragmentation :-
Session splicing and fragmentation involve breaking, slicing, and splitting packets into multiple pieces such that no single packet causes the IDS to trigger an alert. Many IDS systems skip reassembly and match each packet on its own against the signature database, so a signature that spans two pieces is never seen whole.
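The fix on the detection side, for both the session-splicing technique just described and the insertion attack discussed earlier, is to reassemble the TCP stream the way the protected host will before matching it. The following is an added example written for this page (not code from any IDS): a small per-flow reassembler that orders segments by sequence number, drops retransmitted bytes it has already accepted, and stops at a gap, compared against a per-packet matcher. The flow key, sequence numbers, payloads and the single XSS signature are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed signature: one pattern from a reflected-XSS rule.
SIGNATURE = re.compile(rb"<script\b", re.IGNORECASE)


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow (flow key, sequence number, payload); constructed, not captured."""
    flow: str
    seq: int
    payload: bytes


def per_packet_alerts(segments):
    """Match each segment's payload on its own, as an IDS that skips reassembly does.
    Returns the sequence numbers of the segments that fired."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments):
    """Rebuild the contiguous byte stream of one flow from its segments.

    Segments are ordered by sequence number, so out-of-order delivery is tolerated.
    Bytes overlapping data already accepted are dropped (first copy wins), and
    reassembly stops at the first gap rather than matching across a hole.
    Assumption: the protected host resolves overlaps the same way. If the host
    favours the retransmitted copy instead, the IDS must do the same, otherwise the
    two see different streams, which is exactly the ambiguity insertion attacks exploit."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    expected = ordered[0].seq
    stream = bytearray()
    for seg in ordered:
        if seg.seq > expected:
            break                      # gap: wait for the missing bytes
        skip = expected - seg.seq
        if skip >= len(seg.payload):
            continue                   # pure retransmission, nothing new
        stream += seg.payload[skip:]
        expected += len(seg.payload) - skip
    return bytes(stream)


def stream_alerts(segments):
    """Group segments by flow, reassemble each flow, and match the whole stream.
    Returns the flow keys that fired."""
    flows = {}
    for s in segments:
        flows.setdefault(s.flow, []).append(s)
    return [flow for flow, segs in flows.items() if SIGNATURE.search(reassemble(segs))]


FLOW = "10.0.0.5:51000->192.0.2.10:80"   # constructed flow key
# The same request as one segment, and spliced into pieces that are delivered out of
# order and include one retransmission; no single piece contains "<script".
WHOLE = b"GET /php?id=<script>alert(1)</script> HTTP/1.1\r\n"
SPLICED = [
    Segment(FLOW, 1016, b"ipt>alert(1)</script> HTTP/1.1\r\n"),
    Segment(FLOW, 1000, b"GET /php?id=<scr"),
    Segment(FLOW, 1010, b"d=<scr"),   # retransmission of bytes 1010..1015
]

if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(SPLICED))
    print("reassembled:", reassemble(SPLICED))
    print("stream alerts:", stream_alerts(SPLICED))
```

Per-packet inspection sees nothing in the spliced flow, while the reassembled stream matches. Note the two policy decisions the reassembler makes (which copy of overlapping bytes to keep, and what to do at a gap): each must mirror the target host's TCP stack, otherwise an attacker can craft overlaps so that the IDS and the host reconstruct different data.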
Invalid packets :-
Sending invalid TCP packets is another way of evading an IDS. An attacker can manipulate one of the six TCP flags or the packet checksum in order to pass it through the IDS.
Polymorphic shellcodes :-
Most IDS systems have a standard default set of intrusion signatures. Attackers can modify the attack payload so that it doesn’t match the default IDS signature and gets through it.