If the attacker can guess the detection threshold of its target, he can reduce the chances of detection to a minimum or even to no detection at all, as long as he doesn’t include a signature with his packet that alerts the intrusion detection system in another way.

3.2.3 Fragmentation Scanning

All IP packets that carry data can be fragmented. If we need to send information using TCP and to fragment our data, normally the destination port and source port along with the flags field will be “traveling” in the first packet sent. RFC 791 [17] defines the minimum and maximum sizes of fragments. In the case of TCP, the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment [18].

Some filtering devices and intrusion detection systems may incorrectly reassemble or completely miss portions of the scan. They may assume that this was just another segment of traffic that has already passed through their access list. Filtering devices that queue all IP fragments can handle this method. Linux is a good example with the CONFIG_IP_ALWAYS_DEFRAG kernel option. Some networks cannot afford the performance hit this causes and disable this feature [19]. This kind of scan has been fixed in most vendors’ products.

3.2.4 Decoy

Some network scanners include options for decoys or spoofed addresses in their attacks. It would appear to the attacked network / host that the host(s) specified as decoys are scanning them as well. This will drive intrusion detection systems into thinking that the target network is being port scanned by all the hosts, and determining who the real attacker is will be nearly impossible. One way that helped intrusion detection systems detect the decoy hosts in the past was the TTL (Time to Live) field value in the scanned packets. If all the incoming packets’ TTL values are the same, it is likely that they were generated in the same “factory”. If the attacker is using nmap, intrusion detection systems cannot use this method, since nmap generates random TTL fields between 51-65. Another way of detecting the real scan among the decoys is to try to traceroute the source IP. If the attacker used non-routable IPs, or the IPs belong to a host that is not up, something is suspicious. This can also result in a denial of service. Attackers solved this by using spoofed IPs of hosts that were up. Another aspect of detection is the use of IPs rather than names, which is a really smart move on the attacker’s part, because the decoys’ network will not see the attacker’s IP in its name server’s log [20].

[17] http://www.ietf.org/rfc/rfc0791.txt
[18] RFC 1858, http://www.ietf.org/rfc/rfc1858.txt
[19] nmap network security scanner man page, http://insecure.org/nmap/nmap_manpage.html
[20] Ron Gula, How to Handle and Identify Network Probes, Network Defense Consulting.
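As an added illustration of the fragmentation scanning in 3.2.3 (this is example code written for this page, not from the paper or from nmap), the following builds a constructed SYN split into an 8-octet first fragment plus the remainder, shows that a filter inspecting only the first fragment cannot see the TCP flags, and shows that queuing and reassembling all fragments, as the paper says CONFIG_IP_ALWAYS_DEFRAG does, recovers them. Addresses, IP identification and the 13-byte threshold (the TCP flags byte sits at offset 13 of the TCP header) are assumptions of the example.

```python
import struct

TCP = 6
TCP_FLAGS_OFFSET = 13  # byte index of the flags field within the TCP header

def ipv4_fragment(src, dst, ident, offset8, more, payload):
    """Build one IPv4 fragment (checksum left zero; constructed test input only)."""
    flags_frag = (0x2000 if more else 0) | offset8          # MF bit | offset in 8-octet units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, TCP, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def parse_ipv4(raw):
    """Return (datagram key, offset in bytes, more-fragments flag, payload)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", raw[2:8])
    key = (raw[12:16], raw[16:20], ident, raw[9])            # src, dst, id, protocol
    return key, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), raw[ihl:total_len]

def first_fragment_hides_flags(raw):
    """True when a first TCP fragment is too short to carry the flags byte (RFC 1858 tiny fragment)."""
    key, offset, more, payload = parse_ipv4(raw)
    return key[3] == TCP and offset == 0 and more and len(payload) <= TCP_FLAGS_OFFSET

def reassemble(fragments):
    """Queue every fragment of one datagram; return the transport payload once complete, else None."""
    parsed = [parse_ipv4(f) for f in fragments]
    if len({p[0] for p in parsed}) != 1:                      # empty or mixed datagrams
        return None
    data, expected, more = b"", 0, True
    for _, offset, more, payload in sorted(parsed, key=lambda p: p[1]):
        if offset != expected:                                # gap or overlap: do not guess
            return None
        data += payload
        expected += len(payload)
    return None if more else data                             # last fragment must clear MF

def tcp_flags(tcp_header):
    """Flags byte of a (reassembled) TCP header; 0x02 is SYN."""
    return tcp_header[TCP_FLAGS_OFFSET]

# Constructed sample: a SYN to port 80, split so only ports and sequence number are in fragment 1.
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 1024, 0, 0)
FRAGS = [ipv4_fragment("10.0.0.9", "10.0.0.1", 7, 0, True, SYN[:8]),
         ipv4_fragment("10.0.0.9", "10.0.0.1", 7, 1, False, SYN[8:])]

if __name__ == "__main__":
    print("first fragment hides TCP flags:", first_fragment_hides_flags(FRAGS[0]))
    print("SYN visible after reassembly:", bool(tcp_flags(reassemble(FRAGS)) & 0x02))
```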