Which fragmentation evasion techniques are commonly used against IDS/IPS?

Enhance your skills with the GCIA Traffic Analysis Test. Prepare with insightful questions and detailed explanations. Excel in your exam!

Multiple Choice

Which fragmentation evasion techniques are commonly used against IDS/IPS?

Explanation:

Fragmentation evasion against IDS/IPS relies on how those systems reassemble fragmented IP packets to inspect the payload. Attackers exploit weaknesses in reassembly to slip malicious content past detection.

Overlapping fragments create ambiguity in what the final reassembled data should be. When two fragments contain overlapping data, different reassembly implementations might choose different bytes to keep, or the overlap might be resolved in inconsistent ways. This can leave portions of the payload unchecked or cause the IDS to misinterpret the data, allowing evasion.

Delayed fragments are another tactic. By spacing fragments out in time or sending them out of order so that the IDS’s reassembly window expires before all pieces arrive, the IDS may see only incomplete data or miss the full payload entirely. The target host may still reassemble the fragments correctly, but the IDS never inspects the complete message.

Large payloads and IP spoofing aren’t fragmentation techniques themselves, and disabling fragment reassembly on a device isn’t a standard, reliable evasion method that attackers rely on. The first two techniques specifically exploit how fragmentation is handled by reassembly logic, which is why they’re the commonly observed methods.
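To make the two mechanisms concrete from the analyst's side, here is a small reassembly model. It is an added illustration, not code from the quiz page: the fragments, arrival times, timeout values and the 8-byte "signature" are all constructed, and the two overlap policies are simplified to "first fragment wins" and "last fragment wins" rather than the exact rules of any real stack. It shows why an IDS that reassembles with a different overlap policy, or a shorter reassembly timeout, than the destination host ends up inspecting a different datagram than the host receives.

```python
"""Constructed model of IP fragment reassembly: overlap policy and timeout.

Added illustration, not code from the original quiz page. Every input below
(fragments, arrival times, windows, signature) is made up for the demo.
"""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int           # byte offset of this piece within the original datagram
    data: bytes           # payload bytes carried by the fragment
    arrival: float = 0.0  # constructed arrival time in seconds


def reassemble(fragments, policy="first"):
    """Rebuild the datagram, processing fragments in arrival order.

    policy "first": bytes from the earliest fragment covering a position win.
    policy "last":  a later fragment overwrites earlier bytes at that position.
    Hosts and IDS engines differ in exactly this choice, which is the
    ambiguity that overlapping fragments exploit.
    """
    ordered = sorted(fragments, key=lambda f: f.arrival)
    total = max(f.offset + len(f.data) for f in ordered)
    buf = bytearray(total)          # zero-filled; any uncovered hole stays 0x00
    filled = [False] * total
    for frag in ordered:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    return bytes(buf)


def detect(payload, signature):
    """Toy content match standing in for an IDS signature rule."""
    return signature in payload


def held_by_ids(fragments, window):
    """Fragments an engine with a `window`-second reassembly timeout still
    holds when the final fragment arrives; older state has been evicted."""
    latest = max(f.arrival for f in fragments)
    return [f for f in fragments if latest - f.arrival <= window]


def is_complete(fragments, total_len):
    """True when the held fragments cover every byte of a total_len datagram."""
    covered = [False] * total_len
    for frag in fragments:
        for i in range(len(frag.data)):
            if frag.offset + i < total_len:
                covered[frag.offset + i] = True
    return all(covered)


# Constructed inputs. OVERLAP: the two fragments collide on bytes 4..7.
OVERLAP = [Fragment(0, b"AAAAAAAA", 0.0), Fragment(4, b"BBBBBBBB", 0.1)]
SIGNATURE = b"AAAAAAAA"   # pretend this 8-byte run is the rule's content match

# DELAYED: second piece arrives 45 s after the first; 16 bytes in total.
DELAYED = [Fragment(0, b"AAAAAAAA", 0.0), Fragment(8, b"BBBBBBBB", 45.0)]
IDS_WINDOW, HOST_WINDOW = 30.0, 60.0


def overlap_mismatch(ids_policy, host_policy):
    """(ids_hit, host_hit): does the signature fire on what each side rebuilt?"""
    return (detect(reassemble(OVERLAP, ids_policy), SIGNATURE),
            detect(reassemble(OVERLAP, host_policy), SIGNATURE))


def timeout_mismatch():
    """(ids_complete, host_complete) for the DELAYED fragment train."""
    return (is_complete(held_by_ids(DELAYED, IDS_WINDOW), 16),
            is_complete(held_by_ids(DELAYED, HOST_WINDOW), 16))


if __name__ == "__main__":
    print("first policy:", reassemble(OVERLAP, "first"))
    print("last policy: ", reassemble(OVERLAP, "last"))
    print("overlap, IDS=last host=first (ids_hit, host_hit):",
          overlap_mismatch("last", "first"))
    print("delayed (ids_complete, host_complete):", timeout_mismatch())
```

With the IDS favoring "last" and the host favoring "first", the host assembles the signature bytes while the sensor never sees them; with matching policies both sides agree. The delayed train shows the timeout half of the problem: a 30-second sensor window evicts the first fragment before the second arrives, so the sensor holds an incomplete datagram while a host with a longer window completes it. The defensive takeaway is target-based reassembly: configure the engine's per-host overlap policy (Snort's frag3 preprocessor and Suricata's defrag `host-os-policy` both expose this) to match the operating systems it protects, and keep the sensor's fragment timeout at least as long as those hosts'.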
