Evading NIDS, revisited


The paper "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection" by Thomas H. Ptacek and Timothy N. Newsham [ref 1] triggered research in the field of eluding NIDS, and ever since it was published people have been busy finding new techniques for doing so. Most intrusion detection systems (IDS) have support for TCP reassembly and can monitor sessions. Some DoS attacks focus on overflowing the IDS's stream-buffer cache so that the stream being monitored is disrupted. An insertion attack sends packets that the end-system (victim) will reject but that the IDS will accept as valid, so the IDS and the target host see different streams. An evasion attack is the reverse: it sends packets that the IDS rejects but the target host accepts, again giving the IDS and the target different streams. To carry out these attacks, attackers also use packet fragmentation, breaking the attack stream into smaller pieces. We will now describe some of these evasion techniques.
http://www.securityfocus.com/infocus/1852
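The core of the insertion/evasion problem described above is that the IDS and the end host may reassemble the same TCP segments differently. The added example below (not from the article or the paper) simulates that with two illustrative overlap policies, "first" and "last", which are assumptions for the demonstration rather than the behaviour of any named stack, and shows the check a defender wants: flag segments whose overlapping bytes disagree, since that ambiguity is what makes the two views diverge.

```python
# Added example: how overlapping TCP segments can yield different streams for an
# IDS and a host, plus a detection helper for the conflicting overlap itself.
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence offset, payload)

# Constructed sample stream: bytes 8..15 are sent twice with different data.
SEGMENTS: List[Segment] = [
    (0, b"GET /ind"),
    (8, b"ex.html "),      # first copy of offsets 8..15
    (8, b"EX.HTML "),      # overlapping retransmission with different bytes
    (16, b"HTTP/1.0\r\n"),
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream under an assumed overlap policy.

    'first': keep the data that arrived first for an offset.
    'last' : let later segments overwrite earlier data.
    Real stacks vary (and differ from an IDS's own choice), which is exactly
    why a NIDS must reassemble as the monitored host would, or alert.
    """
    buf: Dict[int, int] = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "first" and pos in buf:
                continue  # earlier data wins; ignore the overlap
            buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


def conflicting_overlaps(segments: List[Segment]) -> List[int]:
    """Defender check: offsets where two segments carry different bytes.

    A non-empty result means the stream is ambiguous and the IDS should
    alert (or normalise) instead of silently picking one interpretation.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", conflicting_overlaps(SEGMENTS))
```

Run as written, the two policies produce `GET /index.html ...` and `GET /indEX.HTML ...` from the same packets, and the check reports the six offsets whose bytes disagree.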
