An example of evading intrusion detection system (IDS) signature detection is packet fragmentation (Option A).
Packet fragmentation is a technique used by attackers to split a large data packet into smaller pieces before sending them to the target system. This can allow the attacker to bypass signature-based IDS detection, as the signature may be distributed across multiple packets or may not be recognizable in the smaller fragments. The attacker can then reassemble the fragmented packets on the target system and execute the attack without triggering the IDS signature.
Likely A. Packet fragmentation manipulates how the payload is transmitted at the network layer. Encoding manipulates the representation of the payload's content itself.
My intuition led me to D, but it seems they both can be used to an extent.
Encoding involves altering the representation of malicious payloads (e.g., using Unicode, Base64, or hexadecimal) to bypass signature-based detection. Signature-based IDS (SIDS) rely on predefined patterns of known attacks. By encoding the payload, attackers transform it into a format the target system can decode but the IDS cannot recognize, thus evading signature matches.
Direct Signature Evasion: Encoding fundamentally alters the attack’s signature itself, making it inherently undetectable unless the IDS decodes the payload.
Applicability: Encoding works even against IDS that properly reassemble fragmented packets.
Standard Evasion Tactic: Encoding is explicitly designed to bypass signature checks, while fragmentation relies on IDS implementation flaws (e.g., poor packet reassembly).
Most (IPS/)IDSes do not reassemble fragmented packets and simply discard them. This also aligns with secure defaults, improves performance and makes it more resilient against DoS attacks. This question may date back to 2005 though :D
So the BEST way to evade, would be, IMHO, encoding.
Agree with A. This technique involves breaking down a malicious payload into smaller packets that are transmitted separately. IDS systems that inspect packet contents often do so by reassembling the packets before analyzing them. If the fragmentation is done in such a way that the IDS either fails to reassemble the packets correctly or overlooks the malicious content, the attack can evade detection. This is a common method for evading IDS signature-based detection, as it can obscure the malicious payload from the system.
A. Packet fragmentation
Packet fragmentation is a technique used to evade intrusion detection system (IDS) signature detection. In this method, an attacker splits an attack payload into smaller packets, taking advantage of the fact that many IDS systems may only inspect the initial fragment of a packet. By doing so, the attacker can try to avoid detection by spreading the attack payload across multiple packets, making it more difficult for the IDS to detect the malicious content. This technique is often used to bypass signature-based detection mechanisms.
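A defender-side illustration of the two evasion paths the thread argues about, added here as example code that is not from the original posts: a naive matcher that inspects each fragment on its own, beside a hardened matcher that reassembles fragments by offset and percent-decodes (the hexadecimal encoding mentioned above) before applying the signature. The signature, the request fragments, the overlap policy and the decode-round limit are all constructed for the demo.

```python
from urllib.parse import unquote_to_bytes

# Constructed demo signature, standing in for a real IDS rule's content match.
SIGNATURE = b"/etc/passwd"

# Constructed sample traffic as (offset, payload) fragments.
# Fragmented: the signature is split across two fragments, listed out of order.
FRAG_A = b"GET /files?name=/etc/pa"
FRAG_B = b"sswd HTTP/1.0\r\n"
FRAGMENTED_REQUEST = [(len(FRAG_A), FRAG_B), (0, FRAG_A)]
# Encoded: a single fragment whose content is percent (hex) encoded.
ENCODED_REQUEST = [(0, b"GET /files?name=%2fetc%2fpasswd HTTP/1.0\r\n")]
# Benign: a single fragment with nothing to match.
BENIGN_REQUEST = [(0, b"GET /files?name=report.txt HTTP/1.0\r\n")]


def naive_match(fragments, signature=SIGNATURE):
    """Per-fragment matching: no reassembly, no decoding."""
    return any(signature in payload for _, payload in fragments)


def reassemble(fragments):
    """Place fragments into a buffer by offset, as a stateful IDS would.
    Policy (constructed for the demo): later offsets overwrite overlaps,
    and gaps from missing fragments are zero-filled."""
    buf = bytearray()
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            buf.extend(b"\x00" * (offset - len(buf)))
        buf[offset:offset + len(payload)] = payload
    return bytes(buf)


def normalize(payload, max_rounds=3):
    """Percent-decode until stable so double encoding (%252f) is also
    unwrapped; the round limit bounds work done per stream."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(payload)
        if decoded == payload:
            break
        payload = decoded
    return payload


def hardened_match(fragments, signature=SIGNATURE):
    """Reassemble, then decode, then match: closes both evasion paths."""
    return signature in normalize(reassemble(fragments))
```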