Attackers can bypass intrusion detection systems (IDS) through denial

Attackers
can bypass intrusion detection systems (IDS) through denial of service. The
attacker overloads the network IDS (NIDS) by flooding it with attacks from
spoofed IP addresses, which generates countless alarms and makes it hard for
security personnel to find the real attacker among them. This method depends on
the security staff not pulling the plug in response to the flood of events. To
counter this attack, the security team should be aware of this common technique
and ensure that the NIDS is patched against it, so that it cannot be exhausted
by the flood.

Another way to prevent this situation is to differentiate between minor and
major attacks, so that a flood of low-priority alarms cannot drown out a
high-priority one. 17
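As an added example (not part of the original essay or any real sensor), the following Python triages a batch of NIDS alerts the way the previous paragraph recommends: high-severity alerts are reported individually, while low-severity alerts are collapsed into one summary per signature and flagged as a likely alarm flood when many distinct (probably spoofed) sources fire the same signature. The alert tuples, signature names and the flood threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts (source IP, signature, severity); not taken from a
# real sensor. Two floods of low-severity scan alerts from spoofed sources
# surround a single high-severity alert from the real attacker.
SAMPLE_ALERTS = (
    [(f"10.0.0.{i}", "ICMP PING NMAP", "low") for i in range(1, 201)]
    + [("198.51.100.7", "WEB-ATTACKS /etc/passwd access", "high")]
    + [(f"10.0.1.{i}", "SCAN SYN FIN", "low") for i in range(1, 151)]
)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def triage(alerts, flood_threshold=50):
    """Separate major alerts from minor ones so a flood cannot hide them.

    High-severity alerts are returned individually. Lower-severity alerts are
    collapsed into one summary per signature; a signature whose count exceeds
    flood_threshold (a hypothetical tuning value) is marked as a likely alarm
    flood. Returns (major, minor_summary)."""
    major = []
    per_sig = defaultdict(list)
    for src, sig, sev in alerts:
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK["high"]:
            major.append((src, sig, sev))
        else:
            per_sig[sig].append(src)
    minor_summary = {
        sig: {
            "count": len(sources),
            "distinct_sources": len(set(sources)),
            "likely_flood": len(sources) > flood_threshold,
        }
        for sig, sources in per_sig.items()
    }
    return major, minor_summary


if __name__ == "__main__":
    major, minor = triage(SAMPLE_ALERTS)
    for src, sig, sev in major:
        print(f"MAJOR  {sev:5} {src:15} {sig}")
    for sig, info in minor.items():
        flag = " (likely alarm flood)" if info["likely_flood"] else ""
        print(f"minor  {info['count']:5}x {sig} from "
              f"{info['distinct_sources']} sources{flag}")
```

Run as a script, the one high-severity alert is printed on its own line while the 350 scan alerts become two summary lines, each marked as a likely flood; an analyst reading the output sees the real attacker's address first instead of scrolling through hundreds of spoofed ones.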


The
second method is fragmentation, where the attack is broken into multiple
packets. Fragmentation occurs normally on IP networks, and hosts are equipped
to receive data in multiple pieces that may arrive out of order. The receiving
host reassembles the fragments and orders them into the correct sequence using
the identification field and fragment offset carried in each fragment's IP
header. Because no single fragment contains the attack, a NIDS that inspects
packets one at a time does not alert; for this reason some NIDS reassemble
fragments themselves to defeat fragmentation attacks. An attacker can bypass
such reassembly in two ways. The first is to send large amounts of unwanted
fragmented packets simultaneously: while the IDS attempts to reassemble all of
them, the real fragmented attack may go unnoticed. If the attacker does not
have enough resources to flood the NIDS, the second way is to exploit the
NIDS's reassembly timeout, which is typically shorter than the host's. The
NIDS receives the first few fragments but not the entire attack signature;
because the remaining fragments do not arrive within its time interval, it
discards the earlier ones before the rest reach the IDS and the host. The
host, with its longer timeout, still reassembles all the fragments, and the
attack succeeds without the NIDS alerting. 17 This can be mitigated, depending
on the type and severity of the attack, by inspecting incoming packets for
violations of fragmentation rules, for example at a router or a secured proxy
that normalizes traffic before it reaches the host. 18

 

Another
way attackers can bypass intrusion detection systems is through encryption.

To be effective, a NIDS needs to examine the payload of every single packet
that crosses its path. This is disadvantageous in several ways, the main one
being encrypted network traffic. When IPsec, SSL/TLS or SSH encrypted tunnels
are established, they prevent the NIDS from interpreting the packet's actual
payload. As a result, attackers are able to turn a target's own security
against it. The impact is worst when a web server serves the same document root
over both encrypted (HTTPS) and unencrypted (HTTP) connections: an attack that
the NIDS would detect over HTTP can be delivered over HTTPS without inspection.
To counter this, future NIDS should alert on any outbound encrypted sessions
from hosts that do not usually conduct encrypted sessions, and on any large
number of inbound session initiations of the kind typical of a brute-force
password-guessing attack over an SSL VPN or SSH. 19
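The two alerts suggested above can be implemented without decrypting anything, because they rely only on who talks to whom, on which port, and how often. The following Python is an added example (not from the essay or from any NIDS product) that runs both checks over constructed flow records: a baseline set of internal hosts known to initiate outbound TLS/SSH sessions, and a fixed-window count of inbound SSH/TLS session initiations per source. The IP addresses, the baseline set, the port-to-service table and the thresholds are all assumptions made for the illustration.

```python
from collections import Counter

# Ports treated as encrypted services for these checks (assumed for the example).
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}

# Hypothetical baseline: internal hosts that are known, from earlier normal
# traffic, to initiate outbound encrypted sessions.
BASELINE_OUTBOUND = {"10.0.0.5", "10.0.0.9"}

# Constructed flow records (src_ip, dst_ip, dst_port, direction, t_seconds);
# not captured from a real network. "out" = initiated by an internal host,
# "in" = initiated from outside toward an internal host.
SAMPLE_FLOWS = (
    [("10.0.0.5", "203.0.113.10", 443, "out", 1),
     ("10.0.0.9", "203.0.113.11", 22, "out", 2),
     ("10.0.0.42", "203.0.113.77", 443, "out", 3)]   # host with no TLS history
    # 80 inbound SSH session initiations from one source within 40 seconds
    + [("198.51.100.7", "10.0.0.5", 22, "in", 120 + i // 2) for i in range(80)]
    + [("203.0.113.50", "10.0.0.5", 443, "in", 300)]  # one ordinary HTTPS visitor
)


def new_encrypted_sources(flows, baseline):
    """Internal hosts that opened an outbound encrypted session although they
    are not in the baseline of hosts that normally do so."""
    return sorted({src for src, _, port, direction, _ in flows
                   if direction == "out"
                   and port in ENCRYPTED_PORTS
                   and src not in baseline})


def inbound_initiation_bursts(flows, window=60, threshold=30):
    """(src, dst, service) tuples whose inbound session initiations in any
    fixed window of `window` seconds exceed `threshold`; this shape of
    traffic is typical of password guessing over SSH or an SSL VPN.
    Returns a dict mapping the tuple to the largest per-window count seen."""
    counts = Counter()
    for src, dst, port, direction, t in flows:
        if direction == "in" and port in ENCRYPTED_PORTS:
            counts[(src, dst, ENCRYPTED_PORTS[port], t // window)] += 1
    bursts = {}
    for (src, dst, svc, _), n in counts.items():
        if n > threshold:
            bursts[(src, dst, svc)] = max(n, bursts.get((src, dst, svc), 0))
    return bursts


if __name__ == "__main__":
    for host in new_encrypted_sources(SAMPLE_FLOWS, BASELINE_OUTBOUND):
        print(f"ALERT new outbound encrypted session from {host}")
    for (src, dst, svc), n in inbound_initiation_bursts(SAMPLE_FLOWS).items():
        print(f"ALERT {n} inbound {svc} initiations from {src} to {dst} in one window")
```

The baseline check is deliberately simple: a real deployment would learn the baseline over days rather than hard-code it, and would also key on destination, since a host that normally talks TLS to an internal service suddenly talking TLS to an unknown external address is equally interesting. Neither check sees the payload, so a legitimate burst (a backup job over SSH, for instance) will also trigger and needs an allow-list.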

 

Lastly,
session splicing is another way attackers can bypass a NIDS. A simple NIDS
attempts to match a string within a single packet, without regard for the
session or for the possibility that the attack is delivered across multiple
packets. Session splicing divides the string across several packets,
delivering the data a few bytes at a time and evading the per-packet string
match. To counter this, the IDS can track the session and match against the
reassembled stream, or detect the attack's technique through other indicators,
e.g. low TTL values. 20
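Session splicing and the fragmentation timeout evasion described earlier rest on the same reassembly problem, so one added example (not code from the essay or from any IDS) serves both. The Python below splits a constructed attack string into three-byte pieces, holds the last piece back, and then compares three detectors: a naive per-packet string match, a stream-aware match whose reassembler uses a short timeout (the sensor), and the same reassembler with a long timeout (the host). The payload, the signature, the piece size and both timeouts are assumptions chosen for the illustration.

```python
# Constructed attack payload and signature (not from any real rule set).
PAYLOAD = b"GET /cgi-bin/phf HTTP/1.0\r\n"
SIGNATURE = b"/cgi-bin/phf"


def splice(payload, piece_size, gap, last_delay):
    """Split payload into (offset, data, arrival_time) pieces of piece_size
    bytes arriving `gap` seconds apart; the final piece is held back an extra
    `last_delay` seconds, the timeout evasion described in the text."""
    pieces = [(off, payload[off:off + piece_size], i * gap)
              for i, off in enumerate(range(0, len(payload), piece_size))]
    off, data, t = pieces[-1]
    pieces[-1] = (off, data, t + last_delay)
    return pieces


def per_packet_match(pieces, signature):
    """Naive NIDS: looks for the signature inside each piece on its own."""
    return any(signature in data for _, data, _ in pieces)


def reassemble(pieces, timeout):
    """Reassemble pieces by offset as a host or a stream-aware NIDS would.
    A buffered piece older than `timeout` seconds (relative to the newest
    arrival) is discarded, modelling a finite reassembly buffer."""
    buffered = {}
    for off, data, t in sorted(pieces, key=lambda p: p[2]):
        buffered = {o: (d, ta) for o, (d, ta) in buffered.items()
                    if t - ta <= timeout}
        buffered[off] = (data, t)
    out = b""
    for off in sorted(buffered):
        if off != len(out):      # hole left by an expired piece: stop here
            break
        out += buffered[off][0]
    return out


def stream_match(pieces, signature, timeout):
    """Stream-aware NIDS: match against what its reassembler could rebuild."""
    return signature in reassemble(pieces, timeout)


# Attack string in 3-byte pieces 0.1 s apart, with the last piece 20 s late.
ATTACK_PIECES = splice(PAYLOAD, piece_size=3, gap=0.1, last_delay=20.0)
HOST_TIMEOUT = 60.0   # hypothetical host reassembly timeout
NIDS_TIMEOUT = 10.0   # hypothetical, shorter sensor timeout

if __name__ == "__main__":
    print("per-packet match      :", per_packet_match(ATTACK_PIECES, SIGNATURE))
    print("stream match, sensor  :", stream_match(ATTACK_PIECES, SIGNATURE, NIDS_TIMEOUT))
    print("stream match, host    :", stream_match(ATTACK_PIECES, SIGNATURE, HOST_TIMEOUT))
```

The per-packet matcher never sees more than three bytes at once and misses the twelve-byte signature entirely, which is the session-splicing evasion. The stream-aware sensor catches the same pieces when they arrive promptly, but with the last piece delayed beyond its ten-second timeout it has already discarded the earlier ones, rebuilds nothing, and misses the attack, while the host with its sixty-second timeout still receives the complete request. Closing that gap means either giving the sensor a reassembly timeout at least as long as the hosts it protects, or normalizing traffic in front of the host so that both see the same stream.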