Evasion (network security) explained

In network security, evasion is bypassing an information security defense in order to deliver an exploit, attack, or other form of malware to a target network or system, without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to by-pass firewalls and defeat malware analysis. A further target of evasions can be to crash a network security defense, rendering it in-effective to subsequent targeted attacks.

Description

Evasions can be particularly nasty because a well-planned and implemented evasion can enable full sessions to be carried forth in packets that evade an IDS. Attacks carried in such sessions will happen right under the nose of the network and service administrators.

The security systems are rendered ineffective against well-designed evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems.

A good analogy to evasions is a system designed to recognize keywords in speech patterns on a phone system, such as “break into system X”. A simple evasion would be to use a language other than English, but which both parties can still understand, and wishfully a language that as few people as possible can talk.

Evasion attacks

Various advanced and targeted evasion attacks have been known since the mid-1990s:

Reports

The 1997 article[1] mostly discusses various shell-scripting and character-based tricks to fool an IDS. The Phrack Magazine article[3] and the technical report from Ptacek et al.[2] discusses TCP/IP protocol exploits, evasions and others. More recent discussions on evasions include the report by Kevin Timm.[4]

Protecting against evasions

The challenge in protecting servers from evasions is to model the end-host operation at the network security device, i.e., the device should be able to know how the target host would interpret the traffic, and if it would be harmful, or not. A key solution in protecting against evasions is traffic normalization at the IDS/IPS device. The other way separation internet access can be implemented based on how endpoint user can be safe accessing the internet segment.[5]

Lately there has been discussions on putting more effort on research in evasion techniques. A presentation at Hack.lu discussed some potentially new evasion techniques and how to apply multiple evasion techniques to by-pass network security devices.[6]

See also

References

Notes and References

  1. http://all.net/Analyst/netsec/1997-12.html 50 Ways to Defeat Your Intrusion Detection System
  2. Ptacek, Newsham: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Technical report, 1998.
  3. http://www.phrack.com/issues.html?issue=54&id=10 Defeating Sniffers and Intrusion Detection Systems
  4. https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ba77971f-f0c5-46f0-87bd-d9b1399a06be&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments IDS Evasion Techniques and Tactics
  5. M. Handley, V. Paxson, C. Kreibich, Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics, Usenix Security Symposium, 2001.
  6. Web site: Advanced Network Based IPS Evasion Techniques . 2010-10-11 . https://web.archive.org/web/20110722154851/http://2009.hack.lu/index.php/Workshops#Advanced_Network_Based_IPS_Evasion_Techniques . 2011-07-22 . dead .