Please do not disable NTP.
If I am not wrong, this is what you are looking for, and the IDS is unable to drop the packet.
The IDS doesn't fire an alarm because the IDS simply didn't get the packet. The most obvious example of this sort of attack is the leverage of IP Fragmentation and Overlapping TCP Segments. A few years ago, this method was highly effective against network IDS systems. Even today, these old school techniques can be effective.
Now stop and think for a minute - the stranger the packets that we send, the more an IDS system has to work to reconstruct them. For every exception - the 'perfect' IDS has to make the assumption that a packet could have been dropped by the target. The IDS must maintain two states for every packet - accepted and dropped. For every packet, this doubles the number of states that the IDS must follow. For every duplicate or replay packet, the IDS must account for 1/2 again the current load. For an IDS of this nature to even watch for a 10 character signature would require a great deal of memory. Assuming single byte packets, the IDS would need 10K of memory just to watch this one session. If my signature is 11 bytes long, the figure doubles to 20K - exponentially increasing in size for each byte thereafter! This is compounded by the fact that the smaller the packets are, the more possible permutations of state. As we halve the size of each packet, we double the required size of the IDS buffers. Clearly this is impossible, considering both that the signatures are most likely larger than 10 characters, and that there are close to 80 web hits a second going over our network. What's the point? There is no such thing as a 'perfect' IDS.
https://www-secure.symantec.com/connect/articles/multiple-levels-de-synchronization-and-other-concerns-testing-ids-system
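
The accepted/dropped bookkeeping described in the quoted passage, as an added example that is not part of the original post or the linked article. It models a sensor that must consider every packet it cannot classify as either accepted or dropped by the target; the `ambiguous` flag, the session builder and the signature string are assumptions constructed for illustration.

```python
from itertools import product

def candidate_streams(packets):
    """packets: list of (payload, ambiguous). Yield every byte stream the
    target may have reassembled, one per accepted/dropped hypothesis."""
    ambiguous_idx = [i for i, (_, amb) in enumerate(packets) if amb]
    for choice in product((True, False), repeat=len(ambiguous_idx)):
        accepted = dict(zip(ambiguous_idx, choice))
        # Unambiguous packets are always part of the stream.
        yield b"".join(p for i, (p, _) in enumerate(packets)
                       if accepted.get(i, True))

def analyse(packets, signature):
    """Compare a sensor that assumes every packet was accepted with one
    that tracks all hypotheses, and report how many it has to hold."""
    streams = list(candidate_streams(packets))
    naive = b"".join(p for p, _ in packets)
    return {
        "hypotheses": len(streams),
        "naive_match": signature in naive,
        "exhaustive_match": any(signature in s for s in streams),
    }

def build_session(signature, junk=b"x"):
    """Constructed sample: single-byte packets carrying the signature, with
    one packet of uncertain fate between each pair of signature bytes."""
    packets = []
    for i, byte in enumerate(signature):
        packets.append((bytes([byte]), False))
        if i < len(signature) - 1:
            packets.append((junk, True))
    return packets

if __name__ == "__main__":
    for sig in (b"EVILSTRING", b"EVILSTRINGS"):  # 10 and 11 bytes, constructed
        print(len(sig), analyse(build_session(sig), sig))
```

Each additional uncertain packet doubles the number of hypotheses the sensor must hold, which is the growth the quoted passage describes when the signature goes from 10 to 11 bytes.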