IDS/IPS systems serve as a critical line of defense in many network security architectures. As pentesters, we need to be aware of how these systems operate, and crucially, how we can evade them when netrunning.
We will explore the purposes of IDS/IPS systems, how they work, and how we can evade them when conducting penetration tests. As you might already know, performing network reconnaissance with port scanning tools like nmap can generate a lot of “noise” on the target network. It is this very noise which can, for example, trigger an alert in an Intrusion Detection System (IDS). Generate enough noise and you might even get yourself blacklisted on the network by an Intrusion Prevention System (IPS).
As Offensive Security Engineers, we need to be able to perform our reconnaissance without being detected. After all,
The quieter you are, the more you can hear.
The best way to exploit a system is to understand how it works. So what exactly are these systems?
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) are software designed to monitor network traffic for suspicious activity, resembling a digital burglary alarm. They tend to come in two main flavors: signature-based detection and anomaly-based detection.
- Signature-based detection (SBD) relies on comparing network traffic to a set of known attack signatures (think: antivirus software). The difference is that antivirus inspects the signature of a single file, while an IDS matches network traffic against predefined malicious patterns, e.g., specific byte sequences (traffic patterns), known malicious command strings, etc. This provides high accuracy for known threats, but is less effective against anomalous or zero-day attacks.
✅ Effective against: known threats
❌ Ineffective against: unknown threats
🛡️ Low false-positive rate
- Anomaly-based detection (ABD) works by establishing a baseline of normal network behavior and then flagging any deviation from that baseline as potentially malicious. This method is much more effective at detecting unknown threats and catching subtle, evolving attacks. However, it suffers from a high false-positive rate; that is, unusual yet legitimate behavior may be flagged as malicious. These types of systems often utilize machine learning (ML) algorithms.
✅ Effective against: unknown threats
❌ High false-positive rate
🧠 Requires training and tuning
Intrusion Prevention Systems (IPS)
While IDS is passive (alerting only), an Intrusion Prevention System is active—it not only detects suspicious behavior but also blocks it. Think of it as a bouncer with a direct line to the alarm system. IPS is typically placed in-line with traffic flow, meaning it can drop packets, reset connections, or quarantine hosts in real time.
This makes IPS especially important to evade—get flagged, and your session might be cut off before it even starts.
Evading IDS/IPS with Nmap
Stealth/Timing
The -T option allows you to set the timing template for your scan. The templates are as follows:
- -T0: Paranoid (serial, very slow scan, very useful for IDS evasion)
- -T1: Sneaky (slow scan, useful for IDS evasion)
- -T2: Polite (slightly slower than normal, useful for IDS evasion)
- -T3: Normal (default scan, normal speed)
- -T4: Aggressive (faster than normal, noisy, not stealthy)
- -T5: Insane (very fast, very noisy, not stealthy)
nmap <target> -T0 -sS
This runs a SYN stealth scan with the paranoid timing template. -sS performs only a TCP SYN scan, i.e., it never completes the TCP handshake.
Decoy Scans
The nmap -D option allows you to use decoy scans to hide your true IP among a set of decoy IPs,
“which makes it appear to the remote host that the [decoys] are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys”.
Because of this, decoy scans are a great way to evade Intrusion Prevention Systems (IPS), because
nmap <target> -D RND:5
We use -D to specify the decoy IPs. We can generate random decoys with RND:x, where x is the number of decoys. We can also specify a list of decoys with -D <decoy1>,<decoy2>,....
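To see what the timing and decoy techniques above look like from the defender's side, here is an added example (not part of the original post) that runs two detections over a constructed, firewall-style connection log: a sliding-window port-scan counter, which shows why a -T0 scan slips past a short alert window but not a long one, and a grouping of sources that hit the identical port set at the same moment, which is the footprint a -D scan leaves and why the IDS cannot tell the real scanner from its decoys. The log format, addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed firewall-style log (one inbound SYN per line; not real traffic). Three sources
# hit the same ports within a second, the shape of an nmap -D scan as seen from the target;
# 10.0.0.9 probes one port every five minutes, the pace of a -T0 scan.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.7 DST=10.0.0.100 DPT=22
2024-05-01T10:00:00 SRC=198.51.100.4 DST=10.0.0.100 DPT=22
2024-05-01T10:00:00 SRC=192.0.2.33 DST=10.0.0.100 DPT=22
2024-05-01T10:00:01 SRC=203.0.113.7 DST=10.0.0.100 DPT=80
2024-05-01T10:00:01 SRC=198.51.100.4 DST=10.0.0.100 DPT=80
2024-05-01T10:00:01 SRC=192.0.2.33 DST=10.0.0.100 DPT=80
2024-05-01T10:00:00 SRC=10.0.0.9 DST=10.0.0.100 DPT=21
2024-05-01T10:05:00 SRC=10.0.0.9 DST=10.0.0.100 DPT=22
"""
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def parse(log):
    """Return (timestamp, src, dst, port) tuples sorted by time."""
    rows = (LINE_RE.match(line) for line in log.splitlines())
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])) for m in rows if m)

def scanners(events, window_s, min_ports):
    """Sources that touch >= min_ports distinct ports on one host inside any
    window_s-second window. A 60 s window misses the -T0 scan; an hour does not."""
    probes = defaultdict(list)
    for ts, src, dst, port in events:
        probes[(src, dst)].append((ts, port))
    return {src for (src, dst), hits in probes.items()
            if any(len({p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}) >= min_ports
                   for i, (t0, _) in enumerate(hits))}

def decoy_clusters(events, window_s=2):
    """Groups of sources that probed the identical port set on one host within window_s
    seconds of each other: the footprint of nmap -D, indistinguishable by timing or ports."""
    first, ports = {}, defaultdict(set)
    for ts, src, dst, port in events:
        first.setdefault((src, dst), ts)
        ports[(src, dst)].add(port)
    groups = defaultdict(list)
    for (src, dst), pset in ports.items():
        groups[(dst, frozenset(pset))].append((first[(src, dst)], src))
    clusters = []
    for members in groups.values():
        t0 = min(members)[0]
        srcs = {s for t, s in members if (t - t0).total_seconds() <= window_s}
        if len(srcs) > 1:
            clusters.append(srcs)
    return clusters
```

Widening the alert window (or keeping per-source state across it) is what catches the slow scan; for the decoy cluster the useful output is the whole group, since any one member is as likely to be the real scanner as the others.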