IPS Evasion Techniques
Traffic Fragmentation
One of the early network IPS evasion techniques used fragmentation of traffic to attempt to bypass the network IPS sensor. Fragmentation-based evasion refers to any evasion attempts where the attacker fragments the malicious traffic, hoping to avoid detection or filtering in the following ways:
- Bypassing the network IPS sensor if the IPS sensor does not perform any fragment reassembly
- Reordering the fragments, hoping the network IPS sensor does not correctly reorder the fragments
Classic examples of fragmentation-based evasion include the following:
IP fragmentation takes place at the IP layer. In its most basic form, the attacker simply fragments all IP traffic, which succeeds if the network IPS does not perform fragment reassembly. Because most IPS sensors do perform fragment reassembly, the attacker's next step could be to fragment IP traffic in a manner that is not uniquely interpreted, so that the IPS sensor interprets it one way while the target interprets it another, and the target's interpretation is the one that compromises it.
TCP streams are broken into units called segments for transport across networks, and TCP segments are encapsulated in IP packets. When the segments are received by the remote host in a TCP conversation, they are reassembled into a stream and passed to the controlling application. By manipulating how a TCP stream is segmented, it is possible to evade detection by some IPS sensors: an attacker could overwrite a portion of a previous TCP segment in the stream with new data in a subsequent TCP segment. This method could allow the attacker to hide or obfuscate the attack on the network.
In addition to the class of fragmentation attacks that have been discussed, there is also a class of attacks involving overlapping fragments. In this class of attack, the offset values in the IP header do not match up as they should; therefore, one fragment overlaps another. Different operating systems manage this situation differently, and the IPS sensor may not know how the target system will reassemble these packets.
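The overlap problem in the two preceding paragraphs comes down to a reassembly policy the sensor cannot know in advance. The following Python is an added example, not code from the original text: it reassembles the same overlapping segments under a "first byte wins" and a "last byte wins" policy to show that they yield different streams, and it implements the check a sensor can apply without guessing, namely flagging any position where two segments carry different bytes. The segments, sequence numbers and payloads are constructed for illustration.

```python
"""Added example (not from the original text): TCP stream reassembly under two
overlap policies, plus a detector for conflicting overlaps.

Segments are modelled as (relative sequence number, payload) tuples; the
sample segments below are constructed for illustration."""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly overlapping segments.

    policy="first": bytes already received keep their value
    policy="last":  a later segment overwrites earlier bytes (the behaviour the
                    overwrite technique in the text relies on)
    Gaps between received bytes are rendered as b"?" so they remain visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = b
    if not stream:
        return b""
    return bytes(stream.get(pos, ord("?")) for pos in range(min(stream), max(stream) + 1))


def conflicting_overlaps(segments: List[Segment]) -> List[int]:
    """Return stream positions where two segments carry *different* bytes.

    Retransmissions that repeat identical bytes are normal and are not reported;
    an overlap that changes bytes is what a sensor should alert on, because it
    cannot know which version the target will keep.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)


# Constructed segments: the second overlaps the first and rewrites
# "safe" to "evil" at stream offsets 5..8.
SEGMENTS: List[Segment] = [
    (0, b"GET /safe HTTP/1.0\r\n"),
    (5, b"evil"),
]

if __name__ == "__main__":
    print("first-wins:", reassemble(SEGMENTS, "first"))
    print("last-wins: ", reassemble(SEGMENTS, "last"))
    print("conflicts: ", conflicting_overlaps(SEGMENTS))
```

A sensor that picks one policy and silently applies it will be wrong for some targets; reporting the conflict itself sidesteps the question of which reassembly the target performs.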
Traffic Substitution and Insertion
Other classes of evasion attacks are traffic substitution and insertion. With traffic substitution, the attacker attempts to evade detection by substituting the payload data with other data in a different format but with the same meaning. If the IPS sensor does not recognize the true meaning of data, and only looks for data in a particular format, the IPS sensor may miss such malicious payloads. Examples of substitution attacks include the following:
- Substitution of spaces with tabs, and vice versa—for example, inside HTTP requests
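The usual defence against substitution is to normalize the traffic into a canonical form before matching signatures against it. The following Python is an added example rather than code from the original text: it canonicalizes the whitespace of an HTTP request line (tabs to spaces, runs collapsed) and contrasts a sensor that matches raw bytes with one that matches the canonical form. The signature and the request lines are constructed for illustration.

```python
"""Added example (not from the original text): whitespace normalization of an
HTTP request line before signature matching. Signature and requests are
constructed for illustration."""
import re
from typing import Iterable, List

# Constructed signature: the canonical form of a request line the sensor watches for.
SIGNATURE = "GET /cgi-bin/badscript"

_WS = re.compile(r"[ \t]+")


def normalize_request_line(line: bytes) -> str:
    """Canonical form: CRLF stripped, tabs turned into spaces, whitespace runs collapsed."""
    text = line.decode("latin-1").rstrip("\r\n")
    return _WS.sub(" ", text).strip()


def naive_match(line: bytes) -> bool:
    """A sensor that matches the signature against the raw bytes."""
    return SIGNATURE.encode("latin-1") in line


def normalized_match(line: bytes) -> bool:
    """A sensor that matches the signature against the canonical form."""
    return SIGNATURE in normalize_request_line(line)


def scan(lines: Iterable[bytes]) -> List[dict]:
    """Run both sensors over a set of request lines and report the verdicts."""
    return [
        {"line": line, "naive": naive_match(line), "normalized": normalized_match(line)}
        for line in lines
    ]


# Constructed requests: the second substitutes a tab for the space after the
# method, the third pads with extra spaces; a server that tolerates such
# whitespace treats all three as the same request.
REQUESTS = [
    b"GET /cgi-bin/badscript HTTP/1.0\r\n",
    b"GET\t/cgi-bin/badscript HTTP/1.0\r\n",
    b"GET   /cgi-bin/badscript HTTP/1.0\r\n",
]

if __name__ == "__main__":
    for verdict in scan(REQUESTS):
        print(verdict)
```

The normalization has to mirror what the protected server actually accepts: if the server rejects tabs in the request line, collapsing them in the sensor only produces false positives, and if it accepts other equivalent encodings the canonical form must cover those too.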
Insertion attacks are similar. For example, the attacker sends a malicious sequence byte-by-byte and inserts extra bytes of data within the malicious sequence. The IPS sensor would accept all the bytes (including the extra bytes of data) and recognize the complete sequence as non-malicious. If the victim host only accepts bytes that belong to the malicious sequence, then the insertion evasion is successful.
Encryption and Tunneling
Another common method of evasion that is used by attackers is to encrypt their traffic.
Attackers can also try to avoid detection by tunneling their traffic over a protocol that is normally permitted and may not be inspected, for example, tunneling the attack traffic inside DNS or HTTP.
Attackers can also combine encryption and tunneling, for example by using HTTPS to tunnel their attack traffic, where the HTTP traffic is encrypted using TLS or SSL.
Protocol-Level Misinterpretation
The attacker can also evade detection by causing the IPS sensor to misinterpret the end-to-end meaning of network protocols and see traffic differently from the target. Therefore, the IPS sensor will either ignore traffic that should not be ignored or vice versa.
For example, the attacker intentionally corrupts the TCP checksum of specific packets to confuse the IPS sensor that does not validate the TCP checksums. The IPS sensor will accept and process the packets with the bad TCP checksum, but most hosts will not. Therefore, the IPS sensor will see more data than what the end host will see.
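The fix for the checksum case is for the sensor to validate TCP checksums exactly as the end host does and discard what the host would discard. The following Python is an added example, not code from the original text: it implements the TCP checksum over the IPv4 pseudo-header, builds a small constructed capture in which the middle segment carries a deliberately corrupted checksum, and shows that an observer that skips validation accepts more payload than the host. Addresses, ports and payloads are constructed.

```python
"""Added example (not from the original text): validating TCP checksums the way
an end host does, so that a sensor does not process segments the host will
discard. Addresses, ports and payloads below are constructed for illustration."""
import struct
from typing import List


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum, as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, tcp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_length)


def tcp_checksum(src: bytes, dst: bytes, segment_with_zero_checksum: bytes) -> int:
    data = pseudo_header(src, dst, len(segment_with_zero_checksum)) + segment_with_zero_checksum
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """A segment that carries its correct checksum sums to 0xFFFF with the pseudo-header."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_segment(src: bytes, dst: bytes, seq: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (sport 40000, dport 80, PSH|ACK) plus payload."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def corrupt_checksum(segment: bytes) -> bytes:
    """Add one to the checksum field; the result never verifies."""
    (c,) = struct.unpack("!H", segment[16:18])
    return segment[:16] + struct.pack("!H", (c + 1) & 0xFFFF) + segment[18:]


def accepted_payloads(src: bytes, dst: bytes, segments: List[bytes], validate: bool) -> List[bytes]:
    """Payloads an observer accepts, in arrival order.

    validate=True models the end host (and a sensor that checks checksums);
    validate=False models a sensor that skips the check and so sees more data.
    """
    return [s[20:] for s in segments if not validate or checksum_ok(src, dst, s)]


SRC = bytes([192, 0, 2, 10])        # constructed TEST-NET-1 addresses
DST = bytes([198, 51, 100, 20])

# Constructed capture: the middle segment carries a deliberately bad checksum.
CAPTURE = [
    build_segment(SRC, DST, 0, b"GET /"),
    corrupt_checksum(build_segment(SRC, DST, 5, b"index.html")),
    build_segment(SRC, DST, 5, b"admin.cgi"),
]

if __name__ == "__main__":
    print("host sees:  ", accepted_payloads(SRC, DST, CAPTURE, validate=True))
    print("sensor sees:", accepted_payloads(SRC, DST, CAPTURE, validate=False))
```

Validation must use the real IP addresses from the packet for the pseudo-header; a sensor that reassembles before it has those addresses, or that trusts checksum offload flags from its own capture interface, ends up in the non-validating column.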
Another technique is to manipulate the endian format of data in the packet in an attempt to make the IPS sensor misinterpret the meaning of the data. On Intel-based processor machines, data is stored in little endian format, which stores the low-order byte at the lowest address and the highest-order byte in the highest address. Big endian will store the low-order byte at the highest address and the high-order byte at the lowest address. The figure below demonstrates the relationship between big and little endian format.
In remote procedure call applications and other distributed computing environments, protocol headers allow the endian format to be specified. Attackers have used big endian to format data payloads in packets to exploit this capability and fool IPS sensors, which misinterpret the payload as safe data.
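The defensive point of the two preceding paragraphs is that a sensor must decode integers in whatever byte order the message header declares, not in its own native order. The following Python is an added example, not code from the original text or from any real protocol: it uses a constructed 5-byte header (a byte-order flag followed by a 4-byte body length) and compares a decoder that honors the flag with one that assumes little endian. The flag value and the message body are assumptions made for illustration.

```python
"""Added example (not from the original text): decoding a length-prefixed body
according to the byte-order flag in its header versus assuming the host's
native order. The 5-byte header layout is a constructed hypothetical."""
import struct
from typing import Optional

LITTLE_ENDIAN_FLAG = 0x10   # constructed: bit set means integers are little endian


def encode_message(body: bytes, little_endian: bool) -> bytes:
    """Flag byte, 4-byte body length in the flagged byte order, then the body."""
    flag = LITTLE_ENDIAN_FLAG if little_endian else 0x00
    fmt = "<I" if little_endian else ">I"
    return bytes([flag]) + struct.pack(fmt, len(body)) + body


def declared_length(msg: bytes, honor_flag: bool) -> int:
    """Length field as read by a decoder that does or does not honor the flag."""
    if honor_flag and not (msg[0] & LITTLE_ENDIAN_FLAG):
        fmt = ">I"
    else:
        fmt = "<I"          # assumes Intel byte order regardless of the flag
    return struct.unpack_from(fmt, msg, 1)[0]


def extract_body(msg: bytes, honor_flag: bool) -> Optional[bytes]:
    """Return the body, or None when the declared length exceeds the bytes received.

    A sensor in the None case keeps buffering for data that never arrives and
    never inspects the body, which is how the big endian payload slips past it.
    """
    length = declared_length(msg, honor_flag)
    body = msg[5:]
    if length > len(body):
        return None
    return body[:length]


BODY = b"cmd=inspect-me"                        # constructed, 14 bytes
MSG_BIG = encode_message(BODY, little_endian=False)
MSG_LITTLE = encode_message(BODY, little_endian=True)

if __name__ == "__main__":
    for name, msg in (("big", MSG_BIG), ("little", MSG_LITTLE)):
        print(name, "honoring flag:", extract_body(msg, True),
              "assuming little:", extract_body(msg, False))
```

For the big endian message the naive decoder reads the length 0x0000000E as 0x0E000000 and waits for roughly 235 MB of body that will never come, so its signature engine never runs over the 14 bytes that actually arrived.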
Resource Exhaustion
A less subtle method of evading detection is through extreme resource consumption. The attacker sends lots of fake traffic to produce noise. If the IPS sensor is too busy to analyze the noise traffic, the true attack traffic may go undetected. For example, attack tools can be used to create a tremendous number of false IPS alerts that consume the resources of the IPS sensor and prevent attacks from being detected.
Timing Attacks
Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows that the signatures use to correlate different packets together.
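A correlation signature of this kind is a per-source counter over a sliding time window. The following Python is an added example rather than code from the original text: it implements such a rule, runs it over constructed event timestamps from a fast source and a slow one, and shows that the slow source stays under a 60-second window but is caught when the window is widened. Thresholds, addresses and timestamps are assumptions made for illustration.

```python
"""Added example (not from the original text): a sliding-window threshold rule
and the effect of the window size on a slow actor. All events are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Event = Tuple[float, str]   # (seconds since capture start, source address)


def alerts_for_threshold(events: List[Event], threshold: int, window_s: float) -> List[Event]:
    """Fire once when `threshold` events from one source fall within `window_s` seconds."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Event] = []
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()                 # drop events that aged out of the window
        if len(q) >= threshold:
            alerts.append((ts, src))
            q.clear()                   # one alert per burst
    return alerts


def totals_by_source(events: List[Event]) -> Dict[str, int]:
    """Cumulative count per source, independent of any window."""
    totals: Dict[str, int] = defaultdict(int)
    for _, src in events:
        totals[src] += 1
    return dict(totals)


# Constructed events: one source probes five times in five seconds, the other
# spaces the same five probes 61 seconds apart, just outside a 60-second window.
EVENTS: List[Event] = (
    [(float(t), "192.0.2.1") for t in range(5)]
    + [(float(61 * i), "192.0.2.2") for i in range(5)]
)

if __name__ == "__main__":
    print("5 in 60s: ", alerts_for_threshold(EVENTS, 5, 60))
    print("5 in 600s:", alerts_for_threshold(EVENTS, 5, 600))
    print("totals:   ", totals_by_source(EVENTS))
```

Widening the window or keeping cumulative per-source counts catches the slower actor, at the cost of more state on the sensor and more false positives from legitimate hosts that repeat an action occasionally; the window a signature uses is therefore a tuning decision, not a fixed property of the attack.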