Lesson 9: Evasion Techniques

Learn stealth methods to bypass firewalls and intrusion detection

Firewall and IDS Evasion Fundamentals

Modern networks employ firewalls and intrusion detection systems to monitor and block scanning activities. Understanding evasion techniques helps penetration testers bypass these defenses for legitimate security assessments.

Legal and Ethical Notice

These techniques should only be used on networks you own or have explicit written permission to test. Unauthorized scanning may violate laws and regulations in your jurisdiction.

Common Network Defenses

Stateful Firewalls:
  • Track connection states
  • Block unsolicited packets
  • Rate limit connections
  • Log suspicious activity
  • Apply access control lists
IDS/IPS Systems:
  • Signature-based detection
  • Behavioral analysis
  • Anomaly detection
  • Real-time blocking
  • Alert generation
Application Firewalls:
  • Deep packet inspection
  • Protocol validation
  • Content filtering
  • Session tracking
  • Application-level controls

Detection Signatures and Patterns

What Triggers Detection:
  • High packet rates
  • Sequential port scanning patterns
  • Unusual packet flags (FIN, NULL, Xmas)
  • Multiple connection attempts
  • Specific Nmap fingerprints
  • Predictable scan timing
Common Scan Signatures:
    Alert: Port scan detected
    Source: 192.168.1.10
    Pattern: Sequential TCP SYN
    Ports: 1-1000
    Rate: 100 pps
Basic vs Evasive Scanning Comparison:
Detectable Scan:
    nmap -sS -T4 target.com
  • Fast, obvious scan pattern
  • Easily detected and blocked
Evasive Scan:
    nmap -sS -T1 -f -D RND:5 target.com
  • Slow, fragmented, with decoys
  • Harder to detect and attribute
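
Seen from the defender's side, the triggers listed under What Triggers Detection and the fast/slow comparison above can be checked per source as follows. This is an added example, not part of the original lesson: the function names, thresholds and all addresses except 192.168.1.10 are constructed assumptions. It shows that a rate threshold alone misses a slow, shuffled scan, while a distinct-port count over a long window still flags it.

```python
from collections import defaultdict

ODD_FLAGS = {"": "NULL", "F": "FIN", "FPU": "Xmas"}  # sorted flag letters -> probe type

def detect_scans(events, rate_pps=50, seq_run=20, port_threshold=100, long_window=86400):
    """events: (ts_s, src_ip, dst_port, flags) -> {src_ip: reasons}; thresholds are assumptions."""
    by_src = defaultdict(list)
    for ts, src, port, flags in events:
        by_src[src].append((ts, port, flags))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        # Unusual flag combinations (FIN, NULL, Xmas)
        reasons = {ODD_FLAGS[k] + " probe" for _, _, f in evs
                   if (k := "".join(sorted(f))) in ODD_FLAGS}
        # High packet rate: rate_pps or more packets inside any one-second window
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > 1.0:
                lo += 1
            if hi - lo + 1 >= rate_pps:
                reasons.add("high packet rate")
                break
        # Sequential pattern: a long run of ports each one above the previous
        ports = [p for _, p, _ in evs]
        run = best = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= seq_run:
            reasons.add("sequential ports")
        # Port spread over a long window: independent of speed and ordering
        if len({p for ts, p, _ in evs if evs[-1][0] - ts <= long_window}) >= port_threshold:
            reasons.add("many distinct ports")
        if reasons:
            findings[src] = reasons
    return findings

def sample_events():
    """Constructed traffic: fast sequential scan, slow shuffled scan, web client, one Xmas probe."""
    fast = [(i * 0.01, "192.168.1.10", p, "S") for i, p in enumerate(range(1, 1001))]
    slow = [(i * 15.0, "198.51.100.7", (i * 37) % 1009 + 1, "S") for i in range(200)]
    web = [(i * 2.0, "10.0.0.5", 443, "S") for i in range(30)]
    xmas = [(5.0, "203.0.113.9", 80, "FPU")]
    return fast + slow + web + xmas

if __name__ == "__main__":
    for src, why in sorted(detect_scans(sample_events()).items()):
        print(src, sorted(why))
```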