Top 10 Firewall / IDS Evasion Techniques

Anmol Singh Yadav
9 min read · Aug 12, 2021


This article covers the techniques and tools hackers use to get probes past firewalls and intrusion detection systems.

Introduction

An Intrusion Detection System (IDS) is a tool or set of systems that monitors and analyzes network traffic for suspicious activity and raises an alert when such activity is observed. A network IDS is usually passive: it watches a copy of the traffic and reports, but does not itself block anything. Blocking is the job of a firewall or of an inline intrusion prevention system (IPS).

A firewall, by contrast, is a network security control that manages inbound and outbound traffic, permitting or blocking each packet according to a set of security rules.

Figure: a firewall preventing the attacker from accessing the network. Hacker vs Firewall (Source: GIPHY)

Although a firewall can block malicious packets at the perimeter and an IDS can alert on them, an attacker can craft packets so that the filter or sensor either never sees the complete probe or interprets it differently from the target host. Several such evasion techniques exist.

PS: There is no magic bullet for detecting or bypassing firewalls and IDS; it takes skill, experience and, above all, knowledge of how the specific product in front of you parses traffic.

Following are the Top 10 Techniques to evade the Firewall or an Intrusion Detection System:

1. Packet Fragmentation

As the name suggests, packet fragmentation is the method where an attacker splits probe packets into several smaller IP fragments before sending them to the target network. When the fragments reach the target, an IDS or firewall has to queue them until every fragment has arrived, reassemble them and only then inspect the result. Holding fragments costs CPU and memory, so some packet filters and older IDS deployments do not reassemble at all and inspect each fragment on its own, and those that do reassemble may do so differently from the target operating system. Both cases are exactly what this evasion relies on.

An attacker may therefore use tools such as Nmap (-f, or --mtu with a multiple of 8) or fragroute to split probe packets into fragments so small that a filter without reassembly cannot match its rules against any single one of them. Once the fragments reach the destination, the host's IP stack reassembles them into the original packet and processes it normally.

SYN/FIN Scanning using IP Fragments

SYN/FIN scanning using IP fragments is not a new scanning method but a modification of the ordinary SYN and FIN scans: the TCP header is split across several IP fragments so that a packet filter never sees the whole header in one packet, which is the goal here.

The SYN/FIN Scanning

Every TCP header begins with the source and destination ports, so the first fragment (the first 8 bytes of the header) carries only the ports and the start of the sequence number; the TCP flags, which sit at byte 13 of the header, only arrive in the second fragment. A filter that judges the first fragment on its own therefore sees a packet it cannot classify as SYN or FIN, while the remote host's IP module reassembles all fragments and hands the complete segment, flags included, to TCP.

Example of SYN/FIN scanning through Nmap (screenshot of the Nmap command for SYN/FIN scanning)
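The following Python script is an added illustration of why the split works; it is not code from the article. It builds a SYN probe in memory, cuts it into 8-byte IP fragments the way `nmap -sS -f <target>` does (`-ff` uses 16-byte fragments, `--mtu <multiple of 8>` any other size, and `nmap -sF -f` does the same with a FIN probe), and applies three filters to the result: one that judges each fragment alone, one implementing the RFC 1858 tiny-fragment rules, and one that reassembles first. Addresses, ports and the "drop SYN/FIN" rule are made up for the example, and checksums are left at zero because only the header layout matters here.

```python
import struct

IP_PROTO_TCP = 6
FLAG_FIN, FLAG_SYN = 0x01, 0x02
IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header; checksum stays 0 because only the header layout matters here."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


def ipv4_packet(src: str, dst: str, payload: bytes, offset: int = 0, more: bool = False) -> bytes:
    """Minimal IPv4 header (no options, checksum 0) carrying `payload` at fragment `offset`."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                       64, IP_PROTO_TCP, 0, ip_bytes(src), ip_bytes(dst)) + payload


def fragment(src: str, dst: str, transport: bytes, size: int = 8) -> list:
    """Cut a transport segment into IP fragments of `size` bytes, the way nmap -f does (8)."""
    assert size % 8 == 0, "fragment offsets are counted in 8-byte units"
    return [ipv4_packet(src, dst, transport[off:off + size], off, off + size < len(transport))
            for off in range(0, len(transport), size)]


def parse_ipv4(packet: bytes) -> dict:
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"proto": fields[6], "more": bool(fields[4] & IP_MF),
            "offset": (fields[4] & 0x1FFF) * 8, "payload": packet[(fields[0] & 0x0F) * 4:]}


def stateless_filter(packet: bytes) -> str:
    """Rule 'drop TCP segments with SYN or FIN set', applied to one IP packet in isolation."""
    ip = parse_ipv4(packet)
    if ip["proto"] != IP_PROTO_TCP or ip["offset"] != 0 or len(ip["payload"]) < 14:
        return "pass"  # the flags byte (TCP header offset 13) is simply not in this packet
    return "drop" if ip["payload"][13] & (FLAG_SYN | FLAG_FIN) else "pass"


def rfc1858_filter(packet: bytes) -> str:
    """Tiny-fragment defence from RFC 1858: drop an initial TCP fragment too short to carry
    the flags, and any fragment at offset 8, which could overwrite them on reassembly."""
    ip = parse_ipv4(packet)
    too_short = ip["offset"] == 0 and ip["more"] and len(ip["payload"]) < 16
    if ip["proto"] == IP_PROTO_TCP and (too_short or ip["offset"] == 8):
        return "drop"
    return stateless_filter(packet)


def reassembling_filter(fragments: list) -> str:
    """What the target host (or an IDS with a reassembler) sees: the whole segment, flags included."""
    ordered = sorted((parse_ipv4(f) for f in fragments), key=lambda ip: ip["offset"])
    segment = b"".join(ip["payload"] for ip in ordered)
    return "drop" if segment[13] & (FLAG_SYN | FLAG_FIN) else "pass"


def demo(flags: int = FLAG_SYN) -> dict:
    probe = tcp_header(40000, 22, flags)          # nmap -sS (SYN) or -sF (FIN) probe to port 22
    whole = ipv4_packet("10.0.0.5", "10.0.0.9", probe)
    frags = fragment("10.0.0.5", "10.0.0.9", probe, 8)   # nmap -f: 8 bytes per fragment
    return {"unfragmented": stateless_filter(whole),
            "per_fragment_stateless": [stateless_filter(f) for f in frags],
            "per_fragment_rfc1858": [rfc1858_filter(f) for f in frags],
            "after_reassembly": reassembling_filter(frags)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
```

The unfragmented probe is dropped, all three fragments sail through the per-fragment filter, the RFC 1858 rules drop the first two fragments (so the host can never reassemble the probe), and a reassembling inspector drops the probe just like the unfragmented one. That is the whole story of -f: it only helps against inspection that does not reassemble and does not apply the tiny-fragment rules.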

2. Source Routing

An IP datagram can carry, in its options field, source routing information: a list of IP addresses through which the packet must travel on its way to the destination. Normally, as a packet travels through the network, each router looks only at the destination IP address and chooses the next hop itself; with loose (LSRR) or strict (SSRR) source routing the sender dictates the path instead.

Now comes the question, "How can this help in firewall/IDS evasion?". This is how source routing is used for it:

When an attacker sends maliciously crafted packets to a target, they usually pass through several routers and gateways, and in many networks that path includes a firewall or IDS that would block or flag them. With source routing the attacker dictates the path so that the packet reaches the destination through hops on which no firewall or IDS sits, evading both. The caveat a practitioner should know: modern hosts and routers typically reject source-routed packets (on Linux this is governed by the net.ipv4.conf.*.accept_source_route sysctls, and Cisco IOS has "no ip source-route"), so this is largely a legacy technique that mainly works against unhardened devices. The whole scenario can be understood as shown in the following figure:

Figure: source routing used to evade the firewall and IDS (how source routing works)
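As an added example (Python, not from the article), here is what a loose source route looks like in the IPv4 options area and the check a border device should apply to it. Nmap can set such an option with `--ip-options "L <hop> <hop>"` (`S` for strict). The hop addresses are documentation ranges picked for the example, and the IP checksum is left at zero since only the options area is inspected.

```python
import struct
from ipaddress import IPv4Address

OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137
SOURCE_ROUTE_OPTIONS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def source_route_option(kind: int, hops: list) -> bytes:
    """Build an LSRR/SSRR option: type, length, pointer (4 = first address), then the hop list."""
    route = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(route), 4]) + route


def ipv4_with_options(src: str, dst: str, options: bytes, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left 0) with an options field padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + options + payload


def parse_options(packet: bytes) -> list:
    """Walk the IPv4 options area and return (type, data) pairs; malformed lengths raise."""
    ihl = (packet[0] & 0x0F) * 4
    area, i, found = packet[20:ihl], 0, []
    while i < len(area):
        kind = area[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2 or i + area[i + 1] > len(area):
            raise ValueError("malformed IP option")
        length = area[i + 1]
        found.append((kind, area[i + 2:i + length]))
        i += length
    return found


def source_route(packet: bytes):
    """Return (name, pointer, hops) if the packet carries a loose or strict source route."""
    for kind, data in parse_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            hops = [str(IPv4Address(data[j:j + 4])) for j in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], data[0], hops
    return None


def perimeter_verdict(packet: bytes) -> str:
    """The rule a border device should enforce: drop source-routed or malformed-option packets."""
    try:
        return "drop" if source_route(packet) else "pass"
    except ValueError:
        return "drop"


def demo():
    routed = ipv4_with_options("10.0.0.5", "10.0.0.9",
                               source_route_option(OPT_LSRR, ["192.0.2.1", "198.51.100.7"]))
    plain = ipv4_with_options("10.0.0.5", "10.0.0.9", b"")
    return source_route(routed), perimeter_verdict(routed), perimeter_verdict(plain)


if __name__ == "__main__":
    print(demo())
```

Dropping anything that carries option 131 or 137 is cheap and has no legitimate cost on a modern network; the parser also rejects options with bogus lengths, since a malformed options area is itself a classic way to confuse an inspection engine.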

3. Source Port Manipulation

Source port manipulation is a technique for bypassing firewalls and IDS where the attacker sets the source port of the probes to a well-known service port so that they match a rule allowing traffic from that port. It works against stateless filters (and badly written stateful ones) that allow, say, any packet with source port 53 or 20 on the assumption that it must be a DNS reply or an FTP data connection. In other words, the rule trusts the port number instead of the connection state, and the attacker masquerades a blocked port behind one the rule set allows.

That is why source port numbers should never be trusted on their own; a rule such as "allow anything from source port 53" is a misconfiguration. Commonly it is the responses of HTTP, DNS or FTP (source ports 80, 53 and 20) that are let in this way. The following figure shows the firewall allowing the manipulated source port 80 through to the victim.

Source port manipulation: the manipulated source port 80 is allowed by the firewall.

In Nmap, the -g <port> or --source-port <port> option sets the source port of the probes. An example command for source port manipulation is shown below:

Nmap: source port manipulation for firewall evasion
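The weak rule, its fix, and a detection. A rule like `iptables -A INPUT -p tcp --sport 53 -j ACCEPT` (or the same for `--sport 20`) is exactly what `-g 53` exploits; the stateful form, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, lets replies in because a matching outbound connection exists, not because of the port number. A scan hiding behind a service port also looks odd in firewall logs: one source opening new TCP connections (SYN without ACK) from the same privileged source port to many destination ports. The Python below is an added example, with constructed iptables-style log lines rather than anything from the article; it flags that pattern and leaves a genuine DNS reply and a genuine SYN/ACK alone.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not from the article): a scanner hiding behind
# source port 53, a genuine UDP DNS reply, and a genuine TCP handshake reply from port 443.
SAMPLE_LOG = """\
Aug 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=53 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=10.0.0.9 PROTO=UDP SPT=53 DPT=41235 LEN=120
Aug 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.80 DST=10.0.0.9 PROTO=TCP SPT=443 DPT=50123 WINDOW=65535 RES=0x00 ACK SYN URGP=0
""".splitlines()

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
                    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$")

# Source ports that sloppy "allow replies" rules tend to trust wholesale.
TRUSTED_SERVICE_PORTS = {20, 53, 67, 80, 88, 443}


def parse(line: str):
    """Pull the fields we need out of one netfilter log line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m["rest"]
    # A bare SYN opens a connection; "ACK SYN" is the second step of a handshake we started.
    new_connection = bool(re.search(r"\bSYN\b", rest)) and not re.search(r"\bACK\b", rest)
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]), "syn": new_connection}


def find_source_port_scans(lines, min_ports: int = 5) -> dict:
    """Flag (src, dst, spt) triples that open new TCP connections from one trusted
    service port to at least `min_ports` distinct destination ports."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == "TCP" and rec["syn"] and rec["spt"] in TRUSTED_SERVICE_PORTS:
            seen[(rec["src"], rec["dst"], rec["spt"])].add(rec["dpt"])
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst, spt), ports in find_source_port_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst} scanned {len(ports)} ports from source port {spt}: {ports}")
```

The UDP reply is ignored because it is not TCP, and the port-443 line is ignored because it carries ACK; only the six bare SYNs from port 53 to six different ports trip the threshold.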

4. IP Address Decoy

This technique generates, or lets you specify, the IP addresses of decoys to evade IDS/firewalls. To the target it appears that the decoys as well as the real host are scanning the network, which makes it much harder for whoever reads the IDS/firewall logs to determine which address is actually scanning and which ones are decoys.

Nmap has a built-in decoy scan, the -D option. With -D RND:<number> it generates that many random decoy addresses, so the real source is just one entry among many in the target's logs. The Nmap decoy scan can be run as follows:

IP Address Decoy

We can also specify the decoy IP addresses manually, separated by commas, with the target at the end; the keyword ME marks where our real address goes in the list (if it is omitted, Nmap puts it at a random position). Two caveats: the decoys should be hosts that are actually up, otherwise the target may end up SYN-flooded, and the real address still appears in the logs, it is merely no longer distinguishable from the decoys.

IPs are separated by a comma and the Target is specified in the end.

5. Spoofing the IP Address

IP address spoofing is a technique where the attacker forges the source IP address in the packet headers and sends the request packets to the target pretending to be a legitimate host. The packets appear to come from that host but are in fact sent from the attacker's machine.

Many firewalls filter packets based on the source IP address: they examine it to decide whether the packet comes from a trusted source. If a rule trusts an address, a packet spoofed with that address gets through. The catch is that the target replies to the spoofed address, not to the attacker, so a spoofed TCP connection can never be completed; spoofing is useful for blind probes, floods and techniques such as decoy or idle scans, not for an interactive scan. Egress filtering by providers (BCP 38) also often drops spoofed packets before they leave the attacker's network.

IP Spoofing using hping3
We can use hping3 to perform IP address spoofing; its -a (--spoof) <address> option sets the source address of the packets it sends. The following example shows how:

Hping3 — IP Address Spoofing
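What a firewall that "examines the source address" should actually do is the anti-spoofing check from BCP 38 / RFC 3704, shown here as an added Python example that is not part of the article: a two-interface border with a constructed route table, a bogon list, and strict unicast reverse-path forwarding. A packet from `hping3 -a 10.0.0.5 -S -p 80 <target>` sent from the Internet claims an inside address and is rejected on the outside interface, while the same address is accepted when it really arrives from inside.

```python
from ipaddress import ip_address, ip_network

# Constructed interface/route table for a border firewall with two interfaces
# (an assumption for this example, not taken from the article).
ROUTES = [
    (ip_network("10.0.0.0/8"), "inside"),
    (ip_network("0.0.0.0/0"), "outside"),
]
# Addresses that must never arrive from the Internet (RFC 1918, loopback, link-local, multicast).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def egress_interface(addr) -> str:
    """Longest-prefix match: the interface the firewall would use to reach addr."""
    candidates = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(candidates)[1]


def strict_urpf(src: str, ingress: str) -> bool:
    """Strict unicast reverse-path forwarding (RFC 3704): a packet is plausible only if
    the reply to its source would leave through the interface it arrived on."""
    return egress_interface(ip_address(src)) == ingress


def ingress_verdict(src: str, ingress: str) -> str:
    """Source-address policy applied to a packet arriving on `ingress`."""
    addr = ip_address(src)
    if ingress == "outside" and any(addr in net for net in BOGONS):
        return "drop: bogon source on external interface"
    if not strict_urpf(src, ingress):
        return "drop: reverse path for source is not via " + ingress
    return "pass"


def demo() -> dict:
    # hping3 -a 10.0.0.5 -S -p 80 10.0.0.9 launched from the Internet: forged inside address.
    return {
        "spoofed_inside_from_outside": ingress_verdict("10.0.0.5", "outside"),
        "loopback_from_outside": ingress_verdict("127.0.0.1", "outside"),
        "internet_host_from_outside": ingress_verdict("203.0.113.10", "outside"),
        "internet_host_from_inside": ingress_verdict("203.0.113.10", "inside"),
        "inside_host_from_inside": ingress_verdict("10.0.0.5", "inside"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>30}: {verdict}")
```

The bogon list catches forged addresses the route table would otherwise send to the default route (127.0.0.1 would pass strict uRPF on its own), and the uRPF check catches an internal host forging an Internet address on the way out, which is the BCP 38 side of the same problem.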

6. Customizing Packets

An attacker can create and send custom packets to scan the intended target behind the firewall or IDS. This can be done in several ways; a few of them are explained below:

6.1 Creating Custom Packets by using Packet Crafting Tools
An attacker creates custom TCP packets to scan the target while evading the firewall. Packet crafting tools such as Colasoft Packet Builder or NetScanTools Pro can build such packets and send them past the defenses. The point of a packet crafting tool is to craft and send packet streams using different protocols at different rates, with every header field under the attacker's control.

Source: https://www.colasoft.com/help/6.6/tools_pktbuilder.html

6.2 Creating Custom Packets by Appending Custom Binary Data
This method sends binary data as payload in the probe packets to the machine behind the target's defenses. Nmap can do this with --data <hex string>, which appends the given bytes (for example 0xdeadbeef) to the packets it sends. Note that the bytes are appended exactly as given, with no byte-order conversion, so when the payload has to match what the receiving service expects, it must be written in the byte order the receiver expects. This is how you can use Nmap in this case:

Appending binary data in Nmap

6.3 Creating Custom Packets by Appending Custom Strings
Crafting packets is not limited to binary data; an attacker can send regular strings as the payload of the probes as well, using --data-string <string>.
Example: --data-string "Scan conducted by Security Ops, extension 7192"

Appending a custom string in Nmap

6.4 Creating Custom Packets by Appending Random Data
An attacker can also append random data to most of the packets sent, without using any protocol-specific payload. Nmap provides --data-length <number> for this. By default Nmap sends minimal packets containing only headers (a TCP probe is generally 40 bytes), so padding them changes a size that signatures and some filters key on.

Appending random data in Nmap

7. Randomizing the order of Host

The attacker scans the hosts of the target network in a random order, so that the sweep towards the intended target behind the firewall does not stand out as a sequential walk through the address range. Our favorite tool Nmap provides an option for this as well: --randomize-hosts.

This option tells Nmap to shuffle each group of up to 16384 hosts before scanning them; combined with slow timing options it makes the scan less noticeable to network monitoring systems and firewalls. The randomization only affects the order within a group, so a large sweep is still visible as a whole, it simply no longer looks like a 1-2-3 walk. An example of using Nmap to randomize the host order is shown below:

Randomizing hosts in Nmap

8. Sending the Bad Checksums

The defenses can be probed by sending packets with bad (deliberately wrong) TCP/UDP checksums to the intended target. Checksums protect data integrity, and a correctly implemented TCP/IP stack silently drops a segment whose checksum does not match. A packet with a bad checksum therefore never provokes a reply from the real target host; if anything does answer, it is a device that acted on the packet without verifying the checksum, which tells the attacker something about what sits in front of the host.

So a response most probably comes from an IDS, firewall or other middlebox that did not verify the checksum, while no response means the packet was dropped as the standards require and the path is, in this respect at least, correctly configured. Nmap does this with the --badsum option; the example below shows the scan.

Nmap scanning with bad checksums
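The mechanics behind `nmap --badsum <target>`, as an added Python example that is not from the article: the TCP checksum is computed over the pseudo-header and segment, deliberately corrupted the way the option does, and then handed to a model of a conforming host stack and of two middleboxes, one that verifies checksums and one that does not. Addresses, ports and the middlebox's blocked-port list are constructed for the example.

```python
import struct

BLOCKED_PORTS = {80}  # the middlebox's rule set (constructed for the example)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, segment: bytes) -> bytes:
    # zero byte, protocol 6 (TCP), TCP length
    return src + dst + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header plus segment, with the checksum field (bytes 16-17) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF ^ ones_complement_sum(pseudo_header(src, dst, zeroed) + zeroed)


def verify_checksum(src: bytes, dst: bytes, segment: bytes) -> bool:
    """An intact segment sums to 0xFFFF once its own checksum field is included."""
    return ones_complement_sum(pseudo_header(src, dst, segment) + segment) == 0xFFFF


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, badsum: bool = False) -> bytes:
    segment = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 1024, 0, 0)
    checksum = tcp_checksum(src, dst, segment)
    if badsum:                      # what nmap --badsum does: an invalid checksum on purpose
        checksum ^= 0x5A5A
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def host_stack(src: bytes, dst: bytes, segment: bytes) -> str:
    """A conforming TCP/IP stack drops a bad segment without any reply."""
    return "SYN/ACK" if verify_checksum(src, dst, segment) else "no reply"


def middlebox(src: bytes, dst: bytes, segment: bytes, verifies: bool) -> str:
    """Firewall/IDS in front of the host: one that checks checksums stays silent on a bad
    segment, one that does not acts on the port and gives itself away."""
    if verifies and not verify_checksum(src, dst, segment):
        return "no reply"
    dport = struct.unpack("!H", segment[2:4])[0]
    return "RST" if dport in BLOCKED_PORTS else "forwarded to host"


def demo() -> dict:
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    good = build_syn(src, dst, 40000, 80)
    bad = build_syn(src, dst, 40000, 80, badsum=True)
    return {"good_verifies": verify_checksum(src, dst, good),
            "bad_verifies": verify_checksum(src, dst, bad),
            "host_on_bad": host_stack(src, dst, bad),
            "careful_middlebox_on_bad": middlebox(src, dst, bad, verifies=True),
            "sloppy_middlebox_on_bad": middlebox(src, dst, bad, verifies=False)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>26}: {result}")
```

Only the middlebox that skips verification answers the bad-checksum probe, which is exactly the signal --badsum is after: any reply at all maps a device in front of the host, and a reply that differs from the host's own behaviour (here an RST on port 80) even hints at its rule set.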

9. Proxy Servers

A proxy server is an application that acts as an intermediary between a client and other computers. Attackers use proxies for firewall/IDS evasion, for hiding the original source, for reaching intranets remotely, and so on. The following image explains how a proxy server works.

Source: https://whatismyipaddress.com/proxy-server

Proxy chaining, routing through several proxies one after another, also helps an attacker stay anonymous on the Internet. Some examples of proxy tools are Proxy Switcher, CyberGhost VPN, Tor, CCProxy, Hotspot Shield, etc.

10. Anonymizers

This is the last technique in this article. An anonymizer is an intermediate server placed between the attacker and a website; it accesses the website on the attacker's behalf so that browsing and other activity cannot be traced back. Most anonymizers cover web browsing, file transfer protocols and similar services.

Attackers use anonymizers to get around IDS and firewall rules that key on their address, to protect their privacy, and to reach content that is restricted or not publicly available. There are several types of anonymizers, such as networked anonymizers, which pass the traffic through a chain of servers rather than a single one.

Conclusion

These were some common tools and techniques a hacker can use to bypass the firewalls or intrusion detection systems configured on a network: packet fragmentation, source routing, source port manipulation, IP address decoys, IP address spoofing, customizing packets, randomizing the order of hosts, sending bad checksums, proxy servers and anonymizers. Several of them (source routing, bad checksums, tiny fragments) are well understood and handled by correctly configured modern defenses, so the attacker's first job is to find out which product is in front of the target, and the defender's is to make sure fragments are reassembled, source-routed packets are dropped, and rules key on connection state rather than on port numbers.


Anmol Singh Yadav

Platform Security Engineer | Cyber-Security Researcher | Sharing basics of Cyber Security & Pentesting | Bug Hunting | Twitter: @IamLucif3r_