Network Security Focus-IDS

RE: Foolin an IDS ?

Subject: RE: Foolin an IDS ?
Date: Tue, 30 Nov 2004 10:37:19 -0600
There is a pretty well known paper written by Ptacek and Newsham "Intrusion
Detection System Insertion, Evasion, and Denial of Service" that outlines
multiple techniques for eluding IDS':
http://secinf.net/info/ids/idspaper/idspaper.html

A tool was created based on the techniques outlined in this paper called
Fragroute by Dug Song which illegally fragments your outbound packets to a
destination host based on how you tell it to fragment the traffic.
"fragroute intercepts, modifies, and rewrites egress traffic destined for a
specified host, implementing most of the attacks described in the Secure
Networks "Insertion, Evasion, and Denial of Service: Eluding Network
Intrusion Detection" paper of January 1998. It features a simple ruleset
language to delay, duplicate, drop, fragment, overlap, print, reorder,
segment, source-route, or otherwise monkey with all outbound packets
destined for a target host, with minimal support for randomized or
probabilistic behaviour. "
http://monkey.org/~dugsong/fragroute/ 

I'd also recommend reading about and researching payload encryptors like
ADMmutate written by ADM. "In a nutshell, this API can mask buffer overflow
exploit signatures from Network IDS systems so that they are more difficult
to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.

------------------------------------------------------------------------

1134 N. Main St.                     Tel: (877) 262-7593 x327
Algonquin, IL                        Fax: (877) 262-7593
60102                                Mobile: (847) 456-6785
http://www.appliedwatch.com          Email: eric.hines@appliedwatch.com
------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"
------------------------------------------------------------------------



-----Original Message-----
From: Sec Traq [mailto:sectraq@gmail.com] 
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids@securityfocus.com
Subject: Foolin an IDS ?



Hi,

I have read a couple of papers on how to fool an IDS. One of them from
phrack. I find the subject really interesting and am considering it as an
MSc. project, but I need more advanced and technical papers. If any1 could
advise, ur help would be appreciated.

Thnx

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
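
Added example, not part of the original thread and not code from fragroute or the Ptacek and Newsham paper: a sensor-side check for the overlapping-fragment ambiguity mentioned above, which flags a datagram when overlapping fragments carry different bytes, since a "first wins" and a "last wins" reassembler would then see different payloads. The fragment tuples, byte (not 8-byte-unit) offsets, and function names are assumptions made for illustration, and the sample data is constructed.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the datagram, payload), in arrival order


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the payload; where fragments overlap keep the 'first' or 'last' arrival."""
    buf: Dict[int, int] = {}
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


def conflicting_overlaps(frags: List[Fragment]) -> List[Tuple[int, int, int]]:
    """Return (position, first-seen byte, later byte) where overlapping data disagrees.

    An exact retransmission overlaps but agrees byte for byte, so it is not reported.
    """
    seen: Dict[int, int] = {}
    conflicts = []
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))
            seen.setdefault(pos, byte)
    return conflicts


def is_ambiguous(frags: List[Fragment]) -> bool:
    """True when the two overlap policies yield different payloads: alert on this."""
    return reassemble(frags, "first") != reassemble(frags, "last")


# Constructed sample: the third fragment overlaps the second with different bytes.
SAMPLE = [(0, b"GET /ind"), (8, b"ex.html "), (8, b"ex.php  "), (16, b"HTTP/1.0")]
CLEAN = [(0, b"GET /ind"), (8, b"ex.html "), (16, b"HTTP/1.0")]

if __name__ == "__main__":
    for name, frags in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, "ambiguous:", is_ambiguous(frags), conflicting_overlaps(frags))
        print("  first-wins:", reassemble(frags, "first"))
        print("  last-wins: ", reassemble(frags, "last"))
```
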


