
Improvement of TCP Packet Reassembly in Libnids. Advisor: Shyh-In Hwang. Presenter: Chun-Hui Hwang. 2009.07.01.




1/28 Improvement of TCP Packet Reassembly in Libnids. Advisor: Shyh-In Hwang. Presenter: Chun-Hui Hwang.

2/28 Outline
- Motivation
- Goals
- Libnids introduction
- System architecture
- Approaches
- Implementation
- Experiment result
- Conclusion
- Future work

3/28 Motivation
- Network security monitoring is important.
- API libraries make building monitors convenient.
- Libnids is often used by network monitoring systems.
- Libnids drawbacks:
  - when a packet is lost, it cannot reassemble the packets that follow it
  - it consumes a lot of memory holding those packets while it waits

4/28 Goals
- Modify libnids: add a packet dispatch mechanism
- Let libnids analyze and reassemble the packets it has already received
- Let memory be released normally
- Deliver packet header information to the application (AP) layer

5/28 Libnids Introduction (1/2)
- Library Network Intrusion Detection System
- Emulates the IP stack of Linux 2.0.x
- Libnids capabilities:
  - IP defragmentation
  - TCP stream reassembly
  - TCP port scan detection

6/28 Libnids Introduction (2/2)
- Libnids applications:
  - Network protocol analysis
  - Sniffer
  - Network intrusion detection system
  - Other
- SNMP traffic analysis (May 2007): data reassembly
- Combined with dsniff (Nov. 2006 and 2007): check connection state and session data
- Network tracing system (April 2009): IP defragmentation, TCP stream reassembly

7/28 System architecture (figure)

8/28 Libnids process (figure)

9/28 Approaches (figure)

10/28 Packet dispatch and packet header information
- Packet dispatch mechanism: buffered packets are dispatched when
  - a FIN or RESET packet has been received
  - a packet sequence number falls outside the current sliding window
  - a user-defined timeout period for the packets has expired
- Packet header information: delivered as an additional option

11/28 Implementation
- Use a sniffer program to read offline packets
- Packets proceed to IP defragmentation
- Packets proceed to TCP stream reassembly:
  - check packet header: length, IP address
  - check packet header flags
  - TCP packet or not
  - check timestamp
  - check TCP connection
  - check data length: add packet flag FIN; data length greater than 0
- Packets go into the TCP queue

12/28 Implementation (figure)

13/28 (figure)

14/28 Packet dispatch mechanism: a FIN or RESET packet has been received (figure)

15/28 Packet dispatch mechanism: the packet sequence number falls outside the current sliding window (figure; ACK)

16/28 Packet dispatch mechanism: user-defined timeout period for packets. A lost packet may be retransmitted after 60 s plus the user-defined waiting time (figure).

17/28 Packet header information
- Selected by an option:
  - payload only
  - packet header information with payload
- Header information delivered: source/destination IP, source/destination port, data length, all packets, byte data offset
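The three dispatch triggers of slides 10 and 14 to 16, together with the header context of slide 17 handed up with each chunk, modelled as an added Python example. This is not libnids code and the slides give no libnids internals, so the reassembler below is an independent toy of the idea: out-of-order segments are buffered, in-order bytes go straight to the application, and buffered bytes are released (and the buffer freed) on FIN/RST, on a sequence number beyond the window, or after the user-defined waiting time. The window size, the 60 s default, the `Delivered` record and the scenario data in `demo()` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIN = 0x01   # TCP header flag bits
RST = 0x04


@dataclass
class Delivered:
    """One chunk handed to the application layer, with header context."""
    seq: int          # sequence number of the first byte in `data`
    data: bytes
    gap_before: bool  # True if bytes in front of this chunk were never received
    reason: str       # "in_order", "timeout", "out_of_window" or "fin_rst"


@dataclass
class StreamReassembler:
    """Toy one-direction TCP reassembler with the three dispatch triggers."""
    isn: int                 # sequence number of the first payload byte
    window: int = 65535      # sliding window size (assumed value)
    timeout: float = 60.0    # user-defined waiting time in seconds (assumed)
    expected: int = field(init=False)
    # buffered out-of-order segments: seq -> (payload, arrival time)
    pending: Dict[int, Tuple[bytes, float]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.expected = self.isn

    def add_segment(self, seq: int, data: bytes, flags: int = 0,
                    now: float = 0.0) -> List[Delivered]:
        out: List[Delivered] = []
        # Trigger: a buffered segment has waited longer than the timeout.
        if self.pending:
            oldest = min(t for _, t in self.pending.values())
            if now - oldest >= self.timeout:
                out += self._flush("timeout")
        if data:
            end = seq + len(data)
            if seq == self.expected:
                out.append(Delivered(seq, data, False, "in_order"))
                self.expected = end
                out += self._drain_contiguous()
            elif seq > self.expected:
                if seq - self.expected > self.window:
                    # Trigger: sequence number outside the window; give up on
                    # the gap, hand up what we hold and continue from here.
                    out += self._flush("out_of_window")
                    out.append(Delivered(seq, data, True, "out_of_window"))
                    self.expected = end
                else:
                    self.pending[seq] = (data, now)  # wait for the hole to fill
            elif end > self.expected:
                # retransmission overlapping bytes already delivered: trim it
                out.append(Delivered(self.expected, data[self.expected - seq:],
                                     False, "in_order"))
                self.expected = end
                out += self._drain_contiguous()
            # else: pure duplicate, dropped
        # Trigger: FIN or RST ends the stream; release everything buffered.
        if flags & (FIN | RST):
            out += self._flush("fin_rst")
        return out

    def _drain_contiguous(self) -> List[Delivered]:
        """Deliver buffered segments that now join the in-order stream."""
        out: List[Delivered] = []
        while True:
            ready = [s for s in self.pending if s <= self.expected]
            if not ready:
                return out
            seq = min(ready)
            data = self.pending.pop(seq)[0][self.expected - seq:]
            if data:
                out.append(Delivered(self.expected, data, False, "in_order"))
                self.expected += len(data)

    def _flush(self, reason: str) -> List[Delivered]:
        """Dispatch every buffered segment, marking holes, and free the buffer."""
        out: List[Delivered] = []
        for seq in sorted(self.pending):
            data, _ = self.pending.pop(seq)
            out.append(Delivered(seq, data, seq != self.expected, reason))
            self.expected = seq + len(data)
        return out


def as_tuples(chunks: List[Delivered]) -> List[tuple]:
    return [(c.seq, c.data, c.gap_before, c.reason) for c in chunks]


def demo() -> Dict[str, List[tuple]]:
    """Constructed scenarios: one packet lost, one late, one timed out, one far ahead."""
    runs = {
        "lost_then_fin":  [(1000, b"AAAA", 0, 0.0), (1008, b"CCCC", 0, 1.0), (1012, b"", FIN, 2.0)],
        "late_packet":    [(1000, b"AAAA", 0, 0.0), (1008, b"CCCC", 0, 1.0), (1004, b"BBBB", 0, 2.0)],
        "timeout":        [(1000, b"AAAA", 0, 0.0), (1008, b"CCCC", 0, 1.0),
                           (1016, b"EEEE", 0, 70.0), (1012, b"DDDD", 0, 71.0)],
        "out_of_window":  [(1000, b"AAAA", 0, 0.0), (1100, b"ZZ", 0, 1.0)],
    }
    results = {}
    for name, segments in runs.items():
        r = StreamReassembler(isn=1000, window=16, timeout=60.0)
        delivered: List[Delivered] = []
        for seq, data, flags, now in segments:
            delivered += r.add_segment(seq, data, flags, now)
        assert not r.pending, "buffer must be empty once the stream is dispatched"
        results[name] = as_tuples(delivered)
    return results


if __name__ == "__main__":
    for name, chunks in demo().items():
        print(name, chunks)
```

In the "lost_then_fin" run the bytes at 1004..1007 never arrive; original libnids would hold `CCCC` until the connection is torn down, whereas here the FIN releases it with `gap_before=True` so the application knows a hole precedes it. The "timeout" run shows the same chunk released by the waiting time instead, after which the late bytes at 1012 and the already-buffered 1016 chunk are delivered in order.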

18/28 Experiment analysis (figure)

19/28 Experiment analysis (figure)

20/28 Experiment analysis (figure)

21/28 Experiment analysis: application layer (figure)

22/28 Experiment result: packet lost
(values lost in extraction are left blank; the improved-libnids success counts equal the packet counts at 100%)

Packet lost | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis
1 | 6 | 3 | 50% | 6 | 100%
  | 13 |   |  % | 13 | 100%
  | 20 |   |  % | 20 | 100%
  | 21 |   |  % | 21 | 100%
  | 60 |   |  % | 60 | 100%

23/28 Experiment result (figure)

24/28 Experiment analysis (figure)

25/28 Experiment result: packet late
(values lost in extraction are left blank)

Packet late | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis
  |   |   |  % | 13 | 93%
  |   |   |  % | 22 | 96%
  |   |   |  % | 60 | 98%
  |   |   |  % | 24 | 96%
  |   |   |  % | 84 | 98%

26/28 Experiment result (figure)

27/28 Conclusion
- A packet dispatch mechanism was added to libnids
- Libnids can now reassemble packets that were held up behind a gap
- It no longer consumes a lot of memory holding them
- Packet header information is delivered to the AP layer

28/28 Thank you

