Re: IPS Vendor Evasion

All IDS and IPS are vulnerable.

Moore et al. listed dozens of different known IDS/IPS evasion attacks, at different OSI layers and network protocols. These attacks can be mounted in many different ways to evade different solutions. Some of the attacks they discuss in the presentation (insertion, fragmentation) are almost a decade old and still work (with the caveat that some attacks may require knowledge of the OS and configuration of the IPS and target host to guarantee successful evasion).

For example, most IDS / IPS have a choice of reassembling packets and decoding packet payload in one or a few ways, but cannot inspect using every possible way. The Moore presentation gives at least five different ways overlapping packet fragments can be reassembled by different OSes. Mount the attack in one way to evade some IDS/IPSes, or mount it in another way to evade most of the others.

Moore also reminds us that most solutions don't detect attacks within traffic encrypted by SSL / SSH, etc. All IPS solutions can be fooled by a flood of spoofed attacks that fill up the logs with attacks, hiding the real attack. And most all solutions have hardware limitations such as memory and CPU limits that both put them at risk of a flood-type attack and prevent them from being able to inspect all traffic in all possible ways.

An IPS that tried to inspect packets with all possible methods, in order to have a decreased chance of missing attacks, would then be at increased risk of a denial of service attack, at which point an IDS would miss attacks or an IPS would cause degraded network performance. No IDS vendor wants their product to cause network latency. So most all IDS / IPS solutions strike a trade-off between risk of false negatives and risk of IDS denial of service. Just what kind of balance you actually get depends only somewhat on whose product you buy... depending as much or more on how you configure your IDS / IPS once you get it.

Like almost every other security countermeasure out there, IDS and IPS are best effort solutions that MANAGE and REDUCE risk, not eliminate it. If you're looking for information to help you choose the most secure IPS, know that all of them are vulnerable to evasion. There is no one single magic bullet you can buy that is universally the "best" solution for everyone. I think success with IDS and IPS involves being aware of this and managing expectations.

I don't know if they verbally described some new vendor-specific evasion technique that I didn't see in the posted presentation, but I don't see how that could matter very much for your purposes, given how successful all of the old evasion techniques continue to be.

The good news for you is that most attacks still don't bother all that much with evasion techniques, because in so many cases, attacks can go on unconcealed and not be noticed for a long time. Besides, IDS can still be helpful in detecting evasion and the resulting compromises, via signatures to detect fragmentation, anomaly-based detection to notice changes in activity, host-based IDS that monitor logged activity, etc. Many of these attacks listed by Moore can be detected by security software on the host, because at some point the attack must be decoded and normalized to be executed by the host software.

kind regards,
Karl Levinson
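Added example (editorial, not part of Karl Levinson's post or the Moore presentation): a small reassembler that resolves overlapping fragments under several policies, so you can see how one set of fragments becomes a different byte stream depending on which rule the reassembling stack uses. The policy names "first", "last", "bsd" and "linux" and the rules behind them follow the commonly cited summaries of how those stacks favour original versus subsequent fragments; treat the per-OS rules as an assumption to verify against your own hosts, not as a definitive OS fingerprint. The fragment set, the signature string and all function names are constructed for the example.

```python
"""Overlapping-fragment reassembly under different overlap policies.

Added example, not code from the original post. Shows that the same
fragments reassemble differently per policy, so an IDS that normalizes
one way can miss what the target host actually sees.
"""
from typing import Callable, Dict, List, Tuple

# A fragment is (offset, payload). Offsets are plain byte offsets here;
# real IP fragment offsets are in 8-byte units, but the logic is identical.
Fragment = Tuple[int, bytes]

# Overlap policies (assumption: simplified from commonly cited summaries).
# Each rule gets the offset of the fragment that already owns a byte and
# the offset of the newly arrived fragment, and returns True if the new
# fragment's byte should replace the old one.
POLICIES: Dict[str, Callable[[int, int], bool]] = {
    "first": lambda old_off, new_off: False,               # original always wins
    "last":  lambda old_off, new_off: True,                # newest always wins
    "bsd":   lambda old_off, new_off: new_off < old_off,   # original wins unless new starts earlier
    "linux": lambda old_off, new_off: new_off <= old_off,  # original wins only if it started earlier
}


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under the named overlap policy."""
    rule = POLICIES[policy]
    owner: Dict[int, Tuple[int, int]] = {}  # byte position -> (fragment offset, byte value)
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if pos in owner and not rule(owner[pos][0], off):
                continue  # existing byte kept under this policy
            owner[pos] = (off, b)
    if not owner:
        return b""
    end = max(owner) + 1
    missing = [p for p in range(end) if p not in owner]
    if missing:
        # A real stack would hold the partial datagram until timeout; we fail loudly.
        raise ValueError(f"incomplete datagram, missing byte(s) at {missing[:5]}")
    return bytes(owner[p][1] for p in range(end))


# Constructed signature and attacker fragments (sample data, not a capture).
# The chaff fragment arrives first and covers exactly the bytes the real
# request will occupy, so the outcome depends purely on overlap policy.
SIGNATURE = b"/etc/passwd"
ATTACK: List[Fragment] = [
    (4, b"/index.html"),   # chaff, arrives first (11 bytes)
    (0, b"GET "),
    (4, b"/etc/passwd"),   # real request, arrives last, same offset and length
]


def ids_alert(fragments: List[Fragment], policy: str) -> bool:
    """True if a signature-based sensor reassembling under `policy` would fire."""
    return SIGNATURE in reassemble(fragments, policy)


def evasion_matrix(fragments: List[Fragment] = ATTACK) -> Dict[str, bytes]:
    """What each policy reconstructs from the same fragment set."""
    return {name: reassemble(fragments, name) for name in POLICIES}


if __name__ == "__main__":
    for name, stream in evasion_matrix().items():
        print(f"{name:6s} -> {stream!r}  alert={SIGNATURE in stream}")
```

Running it shows "first" and "bsd" producing `GET /index.html` while "last" and "linux" produce `GET /etc/passwd`: a sensor that favours the original fragment sees nothing suspicious, while a host that favours the later fragment executes the real request. That is the whole point of a reassembly-policy mismatch, and it is why the post says evasion reliability depends on knowing the target host's stack.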
