Monday, August 02, 2010

IDS Evasion by TCP Checksum

A good post at Packetstan about a potential evasion when an IPS fails to validate TCP checksums.

Summary:

  • If the IDS has TCP checksum validation turned off, packet evasion is possible.
  • First, establish the three-way handshake.
  • Then, fool the IDS by sending a RST packet with a bad TCP checksum.
  • Then continue sending the EVIL packets.
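
A sensor-side check for the condition summarized above, as an added example that is not from the Packetstan post: it validates the TCP checksum before a RST is allowed to change flow state, since the receiving host discards a segment whose checksum is wrong. The function names, addresses and packets are constructed for illustration and assume IPv4 with no TCP options.

```python
import socket
import struct

RST = 0x04  # TCP flag bit in byte 13 of the header

def ones_sum(data):
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, length):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def checksum_ok(src, dst, segment):
    # Pseudo-header plus segment (checksum field included) sums to 0xFFFF when valid.
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(src, dst, sport, dport, seq, flags, payload=b"", corrupt=False):
    """Constructed test data: 20-byte TCP header plus payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    csum = 0xFFFF - ones_sum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    if corrupt:
        csum ^= 0x5555  # guaranteed to invalidate the checksum
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def track(packets):
    """Return (closed_flows, alerts); a RST closes a flow only if its checksum is valid."""
    closed, alerts = set(), []
    for src, dst, seg in packets:
        if len(seg) < 20:
            continue  # too short to be a TCP header
        sport, dport = struct.unpack("!HH", seg[:4])
        flow = (src, sport, dst, dport)
        if not checksum_ok(src, dst, seg):
            if seg[13] & RST:
                alerts.append(("bad-checksum RST ignored", flow))
            continue  # the endpoint drops this segment, so the sensor must too
        if seg[13] & RST:
            closed.add(flow)
    return closed, alerts

# Constructed sample: data, a RST with a bad checksum, then more data on the same flow.
A, B = "192.0.2.10", "198.51.100.20"
SAMPLE = [(A, B, build_segment(A, B, 40000, 80, 1, 0x18, b"data")),
          (A, B, build_segment(A, B, 40000, 80, 5, RST, corrupt=True)),
          (A, B, build_segment(A, B, 40000, 80, 5, 0x18, b"more"))]
```

Running `track(SAMPLE)` leaves the flow open and raises one alert, so the traffic after the bogus RST is still inspected.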