Intrusion detection system
== Evasion techniques ==
{{main|Intrusion detection system evasion techniques}}
Attackers use a number of techniques to evade an IDS; the following are considered 'simple' measures:
* Fragmentation: by splitting the attack across several fragmented packets, the attacker spreads the attack signature over multiple fragments, so that an IDS which inspects each fragment in isolation (or which reassembles fragments differently from the target host) never sees the complete signature and cannot match it.
* Avoiding defaults: the TCP port utilised by a protocol does not always indicate which protocol is being transported. For example, an IDS may expect to detect a [[Trojan horse (computing)|trojan]] on port 12345; if an attacker has reconfigured it to use a different port, the IDS may be unable to detect the presence of the trojan.
* Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or agents), and allocating different ports or hosts to different attackers, makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
* Address [[Spoofing attack|spoofing]]/proxying: attackers can make it harder for a security administrator to determine the source of an attack by bouncing it through poorly secured or incorrectly configured proxy servers. If the source address is spoofed and the traffic is relayed by a server, it becomes very difficult for the IDS to identify the origin of the attack.
* Pattern change evasion: an IDS generally relies on 'pattern matching' to detect an attack, so slightly changing the data used in the attack may be enough to evade detection. For example, an {{nobr|[[Internet Message Access Protocol]]}} (IMAP) server may be vulnerable to a buffer overflow, and an IDS may carry signatures for the attack as sent by 10 common attack tools. By modifying the payload a tool sends so that it no longer resembles the bytes the IDS expects, the attacker may evade detection, even though the server remains just as vulnerable.
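The following is an added example, not code from the Wikipedia article or from any IDS product: a toy signature matcher run over constructed traffic, illustrating two of the techniques above. It shows why a per-packet exact-bytes signature is defeated by fragmentation (and how stream reassembly closes that gap), and why the same signature is defeated by a pattern change (and how a structural rule on the IMAP LOGIN username length survives it). The IMAP command format, the 64-byte filler, the 16-byte segment size and the 48-byte threshold are all assumptions chosen for the demonstration.

```python
"""Added example, not from the Wikipedia article: a toy signature IDS on
constructed traffic, demonstrating fragmentation evasion and pattern-change
evasion, each beside the detection approach that survives it.
Protocol details are simplified; nothing here is real attack tooling."""
import re
from dataclasses import dataclass

# Constructed signature modelled on the article's IMAP example: the exact
# byte pattern for the oversized LOGIN username one hypothetical tool sends.
EXACT_SIGNATURE = b"LOGIN " + b"A" * 64

# Structural rule for the same weakness: an IMAP LOGIN whose username
# exceeds a threshold (threshold is an assumption for this example).
LOGIN_RE = re.compile(rb"LOGIN\s+(\S+)")
MAX_USERNAME = 48


@dataclass
class Segment:
    """One TCP segment of the client-to-server stream (constructed)."""
    seq: int      # offset of the first payload byte within the stream
    data: bytes


def per_packet_exact(segments: list[Segment]) -> bool:
    """Naive IDS: looks for the exact signature in each segment on its own."""
    return any(EXACT_SIGNATURE in s.data for s in segments)


def reassemble(segments: list[Segment]) -> bytes:
    """Order segments by sequence number and rebuild the byte stream."""
    return b"".join(s.data for s in sorted(segments, key=lambda s: s.seq))


def stream_exact(segments: list[Segment]) -> bool:
    """Stream-aware IDS using the same exact-bytes signature."""
    return EXACT_SIGNATURE in reassemble(segments)


def stream_structural(segments: list[Segment]) -> bool:
    """Stream-aware IDS using a length rule instead of fixed filler bytes."""
    return any(len(m) > MAX_USERNAME for m in LOGIN_RE.findall(reassemble(segments)))


def fragment(payload: bytes, size: int) -> list[Segment]:
    """Attacker side: split the payload into segments of at most `size` bytes."""
    return [Segment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def imap_login(username: bytes) -> bytes:
    """Build a constructed IMAP LOGIN command line."""
    return b"a001 LOGIN " + username + b" secret\r\n"


def run_demo() -> dict[str, bool]:
    """Return which detector fires on which constructed traffic."""
    tool_attack = imap_login(b"A" * 64)      # what the known tool sends
    varied_attack = imap_login(b"B" * 64)    # same overflow, filler changed
    split = fragment(tool_attack, 16)        # signature spans several segments
    return {
        "whole_per_packet": per_packet_exact([Segment(0, tool_attack)]),
        "split_per_packet": per_packet_exact(split),
        "split_reordered_stream": stream_exact(list(reversed(split))),
        "varied_stream_exact": stream_exact([Segment(0, varied_attack)]),
        "varied_stream_structural": stream_structural([Segment(0, varied_attack)]),
        "benign_stream_structural": stream_structural([Segment(0, imap_login(b"alice"))]),
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:26s} {'ALERT' if hit else 'missed'}")
```

Running the block shows the exact signature firing on the unsplit command, missing the same command once it is cut into 16-byte segments, and firing again once the segments are reassembled in sequence order (even when delivered out of order). It then shows the exact signature missing the attack when only the filler byte changes, while the length rule catches both variants and stays quiet on a normal login. The caveat a practitioner should keep in mind is that the structural rule is only as good as the threshold chosen: set it too low and legitimate long usernames generate false positives.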