Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems Archived: 2026-04-05 16:10:02 UTC Download Reference Guide Book Docs Zenmap GUI In the Movies Nmap Network Scanning Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems Table of Contents Introduction Why Would Ethical Professionals (White-hats) Ever Do This? Determining Firewall Rules Standard SYN Scan Sneaky firewalls that return RST ACK Scan IP ID Tricks UDP Version Scanning Bypassing Firewall Rules Exotic Scan Flags Source Port Manipulation IPv6 Attacks IP ID Idle Scanning Multiple Ping Probes Fragmentation Proxies MAC Address Spoofing Source Routing FTP Bounce Scan Take an Alternative Path A Practical Real-life Example of Firewall Subversion Subverting Intrusion Detection Systems Intrusion Detection System Detection Reverse probes Sudden firewall changes and suspicious packets Naming conventions Unexplained TTL jumps Avoiding Intrusion Detection Systems Slow down https://nmap.org/book/firewalls.html Page 1 of 3 Scatter probes across networks rather than scanning hosts consecutively Fragment packets Evade specific rules Avoid easily detected Nmap features Misleading Intrusion Detection Systems Decoys Port scan spoofing Idle scan DNS proxying DoS Attacks Against Reactive Systems Exploiting Intrusion Detection Systems Ignoring Intrusion Detection Systems Detecting Packet Forgery by Firewall and Intrusion Detection Systems Look for TTL Consistency Look for IP ID and Sequence Number Consistency The Bogus TCP Checksum Trick Round Trip Times Close Analysis of Packet Headers and Contents Unusual Network Uniformity Introduction Many Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any two nodes. This allows hosts to act as true peers, serving and retrieving information from each other. People could access all of their home systems from work, changing the climate control settings or unlocking the doors for early guests. This vision of universal connectivity has been stifled by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls for the express purpose of reducing connectivity. Huge networks were cordoned off from the unfiltered Internet by application proxies, network address translation devices, and packet filters. The unrestricted flow of information gave way to tight regulation of approved communication channels and the content that passes over them. Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mind-set of an attacker and deploy techniques from this chapter against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies. In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Many of these products have morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably detecting bad https://nmap.org/book/firewalls.html Page 2 of 3 intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help of certain Nmap options can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positive results where innocent activity is misdiagnosed and alerted on or blocked. Source: https://nmap.org/book/firewalls.html https://nmap.org/book/firewalls.html Page 3 of 3