In network security, evasion is bypassing an information security defense in order to deliver an exploit, attack, or other form of malware to a target network or system, without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to by-pass firewalls and defeat malware analysis. A further target of evasions can be to crash a network security defense, rendering it in-effective to subsequent targeted attacks.
Evasions can be particularly nasty because a well-planned and implemented evasion can enable full sessions to be carried forth in packets that evade an IDS. Attacks carried in such sessions will happen right under the nose of the network and service administrators.
The security systems are rendered ineffective against well-designed evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems.
A good analogy to evasions is a system designed to recognize keywords in speech patterns on a phone system, such as “break into system X”. A simple evasion would be to use a language other than English, but which both parties can still understand, and wishfully a language that as few people as possible can talk.
Various advanced and targeted evasion attacks have been known since the mid-1990s:
The 1997 article[1] mostly discusses various shell-scripting and character-based tricks to fool an IDS. The Phrack Magazine article[3] and the technical report from Ptacek et al.[2] discusses TCP/IP protocol exploits, evasions and others. More recent discussions on evasions include the report by Kevin Timm.[4]
The challenge in protecting servers from evasions is to model the end-host operation at the network security device, i.e., the device should be able to know how the target host would interpret the traffic, and if it would be harmful, or not. A key solution in protecting against evasions is traffic normalization at the IDS/IPS device. The other way separation internet access can be implemented based on how endpoint user can be safe accessing the internet segment.[5]
Lately there has been discussions on putting more effort on research in evasion techniques. A presentation at Hack.lu discussed some potentially new evasion techniques and how to apply multiple evasion techniques to by-pass network security devices.[6]