Evasion (network security)

In network security, evasion is bypassing an information security device in order to deliver an exploit, attack, or other form of malware to a target network or system, without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to by-pass firewalls. A further target of evasions can be to crash a network security device, rendering it in-effective to subsequent targeted attacks.

Description

Evasions can be particularly nasty because a well-planned and implemented evasion can enable full sessions to be carried forth in packets that evade an IDS. Attacks carried in such sessions will happen right under the nose of the network and service administrators.

The security systems are rendered ineffective against well-designed evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems.

A good analogy to evasions is a system designed to recognize keywords in speech patterns on a phone system, such as “break into system X”. A simple evasion would be to use a language other than English, but which both parties can still understand, and wishfully a language that as few people as possible can talk.

Evasion attacks

Various advanced and targeted evasion attacks have been known since the mid-1990s:

A seminal text describing the attacks against IDS systems appeared in 1997.^[1]
One of the first comprehensive description of attacks was reported by Ptacek and Newsham in a technical report in 1998.^[2]
In 1998, also an article in the Phrack Magazine describes ways to by-pass network intrusion detection.^[3]

Reports

The 1997 article ^[1] mostly discusses various shell-scripting and character-based tricks to fool an IDS. The Phrack Magazine article ^[3] and the technical report from Ptacek et al.^[2] discusses TCP/IP protocol exploits, evasions and others. More recent discussions on evasions include the report by Kevin Timm.^[4]

Protecting against evasions

The challenge in protecting servers from evasions is to model the end-host operation at the network security device, i.e., the device should be able to know how the target host would interpret the traffic, and if it would be harmful, or not. A key solution in protecting against evasions is traffic normalization at the IDS/IPS device.^[5]

Lately there has been discussions on putting more effort on research in evasion techniques. A presentation at Hack.lu discussed some potentially new evasion techniques and how to apply multiple evasion techniques to by-pass network security devices.^[6]

References

1 2 50 Ways to Defeat Your Intrusion Detection System
1 2 Ptacek, Newsham: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Technical report, 1998.
1 2 Defeating Sniffers and Intrusion Detection Systems
↑ IDS Evasion Techniques and Tactics
↑ M. Handley, V. Paxson, C. Kreibich, Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics, Usenix Security Symposium, 2001.
↑ Advanced Network Based IPS Evasion Techniques