January, 1998 | Thomas H. Ptacek, Timothy N. Newsham
This paper examines the limitations and vulnerabilities of network intrusion detection systems (IDS), in particular those built on passive protocol analysis: a sensor that sniffs traffic off the wire and tries to reconstruct what the end hosts will do with it. The authors identify two fundamental problems with this approach. First, there is not enough information on the wire for a passive observer to reconstruct network activity accurately, because the sensor cannot know how each end host will interpret ambiguous or malformed packets. Second, these systems are inherently "fail-open": if the IDS crashes, is overloaded or is otherwise subverted, the network it watches keeps operating normally, so an attacker who disables the sensor can proceed unobserved.

They define three classes of attack that exploit these problems. In an insertion attack the IDS accepts a packet that the end host rejects, so the sensor's view of the stream contains data the target never sees. In an evasion attack the end host accepts a packet that the IDS rejects, so the sensor misses data the target actually processes. A denial-of-service attack exhausts the sensor's resources (CPU, memory, disk, or its capacity to log and react to events) or crashes it outright. The paper shows how to apply each class to IP and TCP protocol analysis, and presents tests demonstrating that popular IDS products of the time are vulnerable to these attacks, concluding that network ID systems need to be fundamentally redesigned to be reliable and secure.

The authors also discuss why reliable intrusion detection matters, the need for countermeasures, and the likelihood that IDS systems will themselves be targeted by attackers. They detail weaknesses in each component of a sensor: event generation, analysis, storage, and countermeasures, with examples of how each can be exploited. The paper closes with specific problems at the IP and TCP layers, such as inconsistent handling of header fields (for example, a sensor that does not verify checksums or account for TTL), IP fragment reassembly (overlapping fragments and reassembly timeouts), and TCP connection monitoring (connection state tracking, sequence numbers, and overlapping segments), and shows how an attacker can leverage each of these to evade detection.
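As an added illustration, not part of the paper or of the summary above, the following Python model shows the insertion and evasion cases in miniature. It reassembles the same constructed sequence of TCP segments once with an end-host policy and once with a sensor policy and compares what each sees. The policies (whether bad checksums are discarded, and whether the first or the most recent byte wins when segments overlap), the segment data and the "phf" request signature are all assumptions constructed for the example; real TCP/IP stacks and real sensors differ in exactly these choices, which is what the paper exploits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as observed on the wire (constructed, not a real capture)."""
    seq: int
    payload: bytes
    checksum_ok: bool = True


def reassemble(segments, verify_checksum, favor):
    """Rebuild the byte stream from segments given in arrival order.

    verify_checksum: drop segments whose checksum is bad (as an end host does).
    favor: "first" keeps the byte that arrived first for an overlapping
           sequence number, "last" keeps the most recent one. Different
           stacks make different choices here, so a passive observer that
           guesses wrong diverges from the host.
    """
    assert favor in ("first", "last")
    buf = {}
    for seg in segments:
        if verify_checksum and not seg.checksum_ok:
            continue
        for i, byte in enumerate(seg.payload):
            pos = seg.seq + i
            if favor == "last" or pos not in buf:
                buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


# Constructed signature standing in for a pattern the sensor is looking for.
SIGNATURE = b"GET /cgi-bin/phf"


def detect(stream):
    """Naive pattern match over the reassembled stream."""
    return SIGNATURE in stream


def insertion_scenario():
    """Insertion: the sensor accepts a bad-checksum segment the host discards.

    The attacker sends a chaff byte 'X' with a bad checksum at the position
    where the real 'h' belongs, and sends the good 'h' afterwards. The host
    drops 'X'; a sensor that skips checksum verification keeps it.
    """
    wire = [
        Segment(0, b"GET /cgi-bin/p"),
        Segment(14, b"X", checksum_ok=False),  # host drops, naive sensor keeps
        Segment(14, b"h"),                      # byte the host actually uses
        Segment(15, b"f HTTP/1.0\r\n"),
    ]
    host = reassemble(wire, verify_checksum=True, favor="first")
    sensor = reassemble(wire, verify_checksum=False, favor="first")
    return host, sensor


def evasion_scenario():
    """Evasion: the host accepts data the sensor rejects.

    Both overlapping bytes have valid checksums. The (assumed) host stack
    favours the newer byte 'h'; the sensor favours the older byte 'X', so
    the sensor never sees the data the host processes.
    """
    wire = [
        Segment(0, b"GET /cgi-bin/p"),
        Segment(14, b"X"),  # arrives first
        Segment(14, b"h"),  # overlaps the same sequence number
        Segment(15, b"f HTTP/1.0\r\n"),
    ]
    host = reassemble(wire, verify_checksum=True, favor="last")
    sensor = reassemble(wire, verify_checksum=True, favor="first")
    return host, sensor


if __name__ == "__main__":
    for name, scenario in (("insertion", insertion_scenario),
                           ("evasion", evasion_scenario)):
        host, sensor = scenario()
        print(f"{name}: host sees {host!r} -> attack={detect(host)}; "
              f"sensor sees {sensor!r} -> attack={detect(sensor)}")
```

In both scenarios the host reconstructs the attack request while the sensor reconstructs a harmless-looking string, even though the two saw identical packets. The divergence comes entirely from the sensor not knowing, or not replicating, the end host's handling of the ambiguous data, which is the paper's first fundamental problem.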