• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2015, Vol. 37 ›› Issue (02): 213-218.

• Articles •

Design and implementation of an anti-IP-fragmentation-evasion technique

LIU Baochao,ZHANG Yi,ZHANG Bofeng   

  1. (College of Computer, National University of Defense Technology, Changsha 410073, China)
  • Received: 2014-09-12 Revised: 2014-11-16 Online: 2015-02-25 Published: 2015-02-25

Abstract:

By analyzing the detection techniques of current NIDS and the mechanisms by which IP fragments are formed and reassembled, we find that conventional NIDS detection methods cannot reliably detect attack signatures carried in IP fragments, because different systems handle fragments with different strategies. Moreover, the reassembly result on an end host cannot be deduced from the result on the NIDS, so traffic that the NIDS and the end host process inconsistently, which may carry attack signatures in its IP fragments, can easily evade NIDS detection. We therefore propose an anti-IP-fragmentation-evasion method that places a Traffic Preprocess Engine (TPE), with preset rules for IP fragmentation, in series in front of the NIDS. Experimental results show that our method effectively resists IP fragmentation attacks, by about 90%.

Key words: NIDS; IP fragmentation reassembly; IP fragmentation; evasion; Traffic Preprocess Engine
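
The inconsistency the abstract describes, as an added example that is not code from the paper: two reassemblers that resolve overlapping fragments differently produce different payloads from the same traffic, and a preprocessing step in front of them removes the ambiguity. The "first"/"last" overlap policies, the byte-granular offsets and the drop rule in `normalize` are assumptions chosen for illustration, not the TPE's actual rules.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset in the datagram payload, data)

def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Rebuild the payload from fragments given in arrival order.
    On overlap, 'first' keeps the earliest byte seen, 'last' the latest."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            if policy == "last" or offset + i not in buf:
                buf[offset + i] = byte
    if sorted(buf) != list(range(len(buf))):
        raise ValueError("datagram has a hole; cannot reassemble")
    return bytes(buf[i] for i in range(len(buf)))

def normalize(fragments: List[Fragment]) -> Tuple[List[Fragment], List[Fragment]]:
    """Assumed preprocessing rule: drop any fragment that would rewrite
    already-seen bytes with different content. Returns (kept, dropped)."""
    seen: Dict[int, int] = {}
    kept: List[Fragment] = []
    dropped: List[Fragment] = []
    for offset, data in fragments:
        if any(seen.get(offset + i, byte) != byte for i, byte in enumerate(data)):
            dropped.append((offset, data))
            continue
        seen.update((offset + i, byte) for i, byte in enumerate(data))
        kept.append((offset, data))
    return kept, dropped

# Constructed sample: the third fragment overlaps the second with different bytes.
SAMPLE: List[Fragment] = [(0, b"AAAAAAAA"), (8, b"BBBBBBBB"), (8, b"CCCCCCCC"), (16, b"DDDD")]

if __name__ == "__main__":
    print("first :", reassemble(SAMPLE, "first"))
    print("last  :", reassemble(SAMPLE, "last"))
    kept, dropped = normalize(SAMPLE)
    print("dropped:", dropped)
    print("after normalization:", reassemble(kept, "first"), reassemble(kept, "last"))
```

After normalization both policies yield the same payload, so what the NIDS inspects matches what the end host reassembles.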