Evading network-based intrusion detection systems

Presented at DEF CON 8 (2000), July 29, 2000, 11 a.m. (50 minutes)

You've just spent $10,000 on a network IDS from a trustworthy company (obviously trustworthy because the vendor spends beaucoup $$$ on marketing). You are satisfied with the purchase because you're catching all these script-kiddies who think they are putting one over on you with their "stealth" scans. But then something bad happens: your servers get hacked through your firewall, and that expensive IDS never utters a peep. How did this happen? The root of the problem is that most commercial IDSs are little more than anti-script-kiddy tools and cannot detect ueberhackers. This talk will show how to evade these IDSs using popular tools like whisker and fragrouter. It will also reveal for the first time additional secret techniques used by ueberhackers.


Presenters:

  • Robert Graham - CTO, Network ICE
    Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS, written more than 10 years ago, was designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field and of well-regarded security-related documents (http://www.robertgraham.com/pubs), and is a frequent speaker at conferences. IRL, he is the co-founder, CTO, and chief architect at Network ICE.

Links: