{
	"id": "e9a521c7-9374-4eb2-9d51-0f03a2027808",
	"created_at": "2026-04-06T00:16:12.137076Z",
	"updated_at": "2026-04-10T03:20:42.128014Z",
	"deleted_at": null,
	"sha1_hash": "6d553f2e58b69846ec1b80cb53e682cb3cf426d7",
	"title": "Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64378,
	"plain_text": "Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems\r\nArchived: 2026-04-05 16:10:02 UTC\r\nNmap Network Scanning\r\nTable of Contents\r\nIntroduction\r\nWhy Would Ethical Professionals (White-hats) Ever Do This?\r\nDetermining Firewall Rules\r\nStandard SYN Scan\r\nSneaky firewalls that return RST\r\nACK Scan\r\nIP ID Tricks\r\nUDP Version Scanning\r\nBypassing Firewall Rules\r\nExotic Scan Flags\r\nSource Port Manipulation\r\nIPv6 Attacks\r\nIP ID Idle Scanning\r\nMultiple Ping Probes\r\nFragmentation\r\nProxies\r\nMAC Address Spoofing\r\nSource Routing\r\nFTP Bounce Scan\r\nTake an Alternative Path\r\nA Practical Real-life Example of Firewall Subversion\r\nSubverting Intrusion Detection Systems\r\nIntrusion Detection System Detection\r\nReverse probes\r\nSudden firewall changes and suspicious packets\r\nNaming conventions\r\nUnexplained TTL jumps\r\nAvoiding Intrusion Detection Systems\r\nSlow down\r\nScatter probes across networks rather than scanning hosts consecutively\r\nFragment packets\r\nEvade specific rules\r\nAvoid easily detected Nmap features\r\nMisleading Intrusion Detection Systems\r\nDecoys\r\nPort scan spoofing\r\nIdle scan\r\nDNS proxying\r\nDoS Attacks Against Reactive Systems\r\nExploiting Intrusion Detection Systems\r\nIgnoring Intrusion Detection Systems\r\nDetecting Packet Forgery by Firewall and Intrusion Detection Systems\r\nLook for TTL Consistency\r\nLook for IP ID and Sequence Number Consistency\r\nThe Bogus TCP Checksum Trick\r\nRound Trip Times\r\nClose Analysis of Packet Headers and Contents\r\nUnusual Network Uniformity\r\nIntroduction\r\nMany Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any two nodes. This allows hosts to act as true peers, serving and retrieving information from each other. People could access all of their home systems from work, changing the climate control settings or unlocking the doors for early guests. This vision of universal connectivity has been stifled by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls for the express purpose of reducing connectivity. Huge networks were cordoned off from the unfiltered Internet by application proxies, network address translation devices, and packet filters. The unrestricted flow of information gave way to tight regulation of approved communication channels and the content that passes over them.\r\nNetwork obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mind-set of an attacker and deploy techniques from this chapter against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies.\r\nIn addition to restricting network activity, companies are increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Many of these products have morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help of certain Nmap options can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positive results where innocent activity is misdiagnosed and alerted on or blocked.\r\nSource: https://nmap.org/book/firewalls.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://nmap.org/book/firewalls.html"
	],
	"report_names": [
		"firewalls.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d553f2e58b69846ec1b80cb53e682cb3cf426d7.pdf",
		"text": "https://archive.orkl.eu/6d553f2e58b69846ec1b80cb53e682cb3cf426d7.txt",
		"img": "https://archive.orkl.eu/6d553f2e58b69846ec1b80cb53e682cb3cf426d7.jpg"
	}
}