This article covers the techniques and tools used by hackers to bypass firewalls and intrusion detection systems.

Introduction

An Intrusion Detection System (IDS) is a set of tools or systems that monitors and analyzes network traffic for suspicious activity and issues alerts when such activity is observed.

Similarly, a firewall is a network security framework that manages inbound and outbound network traffic by permitting or blocking packets according to a set of security rules.


Hacker vs Firewall (Source: GIPHY)

Although firewalls and IDS can prevent malicious packets from entering a network, an attacker can send manipulated packets to the target so that they evade the IDS or firewall. There are several such evasion techniques.

PS: There is no magic bullet for detecting and bypassing firewalls or IDS systems; all it requires is skill and experience.

Following are the top 10 techniques to evade a firewall or an intrusion detection system:

1. Packet Fragmentation

As the name itself suggests, packet fragmentation is a method where an attacker splits the probe packets into several smaller fragments before sending them to the target network. As soon as the fragments reach the target system, the IDS or firewall queues them and processes each of them one by one. However, the large number of packets produced by fragmentation requires greater CPU and network resource consumption. Let me tell you, most intrusion detection systems are configured to skip fragmented packets during scanning.

Therefore, an attacker may use tools such as NMAP or fragroute to split the probing packets into smaller fragments so that they slip past the port-scan detection employed by the IDS. Once these fragments reach their destination, they are reassembled into a single packet.

SYN/FIN Scanning using IP Fragments

SYN/FIN scanning using IP fragments is not a new scanning method but a modification of earlier ones: the TCP header is split across several packets so that it evades the packet filter, which is the ultimate goal here.


The SYN/FIN Scanning

For a transmission, every TCP header must carry the source and destination ports, and in this technique they are sent in the initial fragment. The flags are sent in the next fragment, and the remote host's IP module reassembles the fragments once they are received, so the flags are only visible to the receiver after reassembly.
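The following Python is an added, defender-side example and is not code from the original article: it builds a TCP SYN that is split exactly as described above (ports in the first fragment, flags in the second), shows that inspecting only the first fragment cannot reveal the flags, and applies the two checks a filter needs: flag a "tiny" first fragment, and reassemble before reading the TCP flags. All addresses, IDs and the SYN segment are constructed sample values, and the function names are my own.

```python
import struct

# Constructed IPv4 fragment (no options). Addresses, ID and TTL are sample values.
def ipv4_fragment(ident, offset_words, more_fragments, payload, proto=6):
    flags_frag = (0x2000 if more_fragments else 0) | (offset_words & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def parse_fragment(pkt):
    """Pull out what a fragment check needs: protocol, MF flag, byte offset, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"id": ident, "proto": proto, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

TCP_FLAGS_END = 14   # the TCP flags byte sits at offset 13 of the TCP header

def is_tiny_first_fragment(frag):
    """First fragment of a TCP datagram too short to carry the flags byte."""
    return (frag["proto"] == 6 and frag["offset"] == 0 and frag["more"]
            and len(frag["payload"]) < TCP_FLAGS_END)

def reassemble(frags):
    """Rebuild the transport segment the way the receiving host's IP layer will."""
    end = max(f["offset"] + len(f["payload"]) for f in frags)
    buf = bytearray(end)
    for f in frags:
        buf[f["offset"]:f["offset"] + len(f["payload"])] = f["payload"]
    return bytes(buf)

def tcp_flags(segment):
    # None means "flags not present in this data", which is what a first-fragment-only
    # filter sees when the header has been split.
    return segment[13] if len(segment) >= TCP_FLAGS_END else None

def inspect_fragments(pkts):
    """Defender-side check: alert on tiny first fragments, then read flags after reassembly."""
    frags = [parse_fragment(p) for p in pkts]
    alerts = [f"tiny first fragment id=0x{f['id']:x} ({len(f['payload'])} bytes)"
              for f in frags if is_tiny_first_fragment(f)]
    return alerts, tcp_flags(reassemble(frags))

# Constructed 20-byte SYN segment, split so the flags land in the second fragment.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
SAMPLE = [ipv4_fragment(0xBEEF, 0, True, TCP_SYN[:8]),    # ports + seq only
          ipv4_fragment(0xBEEF, 1, False, TCP_SYN[8:])]   # offset 8 bytes: rest of header

if __name__ == "__main__":
    print(inspect_fragments(SAMPLE))   # (['tiny first fragment id=0xbeef (8 bytes)'], 2)
```

A filter that only looks at the first fragment gets `None` for the flags; holding the datagram until reassembly, or dropping tiny first fragments outright, is what closes the gap.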

Example of SYN/FIN scanning through NMAP