Active Mapping: Resisting NIDS Evasion Without Altering Traffic Authors: Umesh Shankar (UC – Berkeley) & Vern Paxson (ICSI) Network Intrusion Detection:

Active Mapping: Resisting NIDS Evasion Without Altering Traffic
Authors: Umesh Shankar (UC Berkeley) & Vern Paxson (ICSI)
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Authors: Mark Handley and Vern Paxson (International Computer Science Institute) & Christian Kreibich (Technische Universität München)
Presented by: Jamie Margaret Huenefeld

Introduction
An Ambiguous Problem
–A NIDS passively monitors network traffic to detect suspicious activity
–Correct detection requires knowing how the receiving host will interpret that traffic
–Result: the host's interpretation and the NIDS's interpretation can differ
–Limited to network- and transport-layer interpretation

Presentation Outline
Normalization
Active Mapping
Comparison of Normalization and Active Mapping
Experimental Results using Active Mapping
Conclusions

Normalization
Tool that directly filters network traffic to eliminate ambiguities before it reaches the NIDS
–Removes some evasive opportunities ("bump in the wire")
–Authors attempt to identify all potential normalizations
–Example with picture (page 3 of the paper)

Why Normalization?
The alternatives are not comprehensive enough
–Host-based IDS: difficult deployment; a counter-NIDS solution
–Understanding details of the intranet: cumbersome for large networks
–Bifurcating analysis: can result in exponential analysis

Normalization Tradeoffs
As the degree of normalization increases, performance decreases and the impact on semantics grows
–Normalization vs. Protection
–End-to-End Semantics
–Stateholding
–Inbound vs. Outbound traffic

Two Major Considerations
"Cold Start"
–Analyzer lacks knowledge of previously-established connections
Attacking the Normalizer
–Stateholding attacks: incorrect headers force the normalizer to hold state
–CPU overload

Header Walking – A Systematic Approach
Consider value ranges, semantics and methods of exploitation within each header element
–Uses IPv4
–Image from paper
–We can just drop these packets without semantic consequences:
Header length > packet length, or < 20 bytes
Packet length > link-layer length
Clear the (reserved) bit between IP Ident and DF
DF set with non-zero fragmentation offset
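The four semantics-free header-walking rules above, written out as an added example (not code from either paper or the authors' normalizer): the drops are enforced as listed, the reserved bit is cleared in place with the header checksum recomputed, and `build_ipv4` constructs test datagrams (addresses and IP ID are made-up values).

```python
import struct
from typing import Optional, Tuple

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when the
    header already carries a correct checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def normalize_ipv4(packet: bytes) -> Tuple[str, str, Optional[bytes]]:
    """Apply the slide's semantics-free rules. `packet` is the datagram as
    handed up by the link layer, so len(packet) is the link-layer length.
    Returns (verdict, reason, packet_to_forward)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop", "truncated or not IPv4", None
    hlen = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    if hlen < 20 or hlen > total_len:
        return "drop", "header length > packet length or < 20", None
    if total_len > len(packet):
        return "drop", "IP length > link-layer length", None
    if flags_frag & 0x4000 and flags_frag & 0x1FFF:
        return "drop", "DF set with non-zero fragment offset", None
    if flags_frag & 0x8000:  # reserved bit between Ident and DF: clear it
        hdr = bytearray(packet[:hlen])
        struct.pack_into("!H", hdr, 6, flags_frag & 0x7FFF)
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        return "pass", "cleared reserved bit", bytes(hdr) + packet[hlen:]
    return "pass", "ok", packet

def build_ipv4(payload: bytes, flags: int = 0, frag_off: int = 0,
               ihl: int = 5, total_len: Optional[int] = None) -> bytes:
    """Constructed test datagram (not captured traffic). flags: bit2 =
    reserved, bit1 = DF, bit0 = MF; ihl in 32-bit words, options zero-filled."""
    if total_len is None:
        total_len = max(ihl, 5) * 4 + len(payload)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                                0x1234, (flags << 13) | frag_off, 64, 6, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr += b"\x00" * (max(ihl, 5) * 4 - 20)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```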

Header Walking with Semantic Consequences
Image from paper
Manipulation of TTL
–Establish a minimum TTL in the normalizer and propagate it to packets with lower values
–Effect on semantics: infinite loops; breaks traceroute; expanding-ring search performance impaired

Header Walking with Semantic Consequences
Image from paper
Invalid source IP address, e.g. ,
–Drop it!
–Effect on semantics: can cause packet drops for internal machines
Source routing

Incompleteness of Normalization
Restricted to internetwork and transport layers
Difficult to remove all ambiguities
Similar to a firewall, but does more work
Must be extremely reliable, even during attacks
Changes semantics
Can Active Mapping replace some normalizations?

Active Mapping
Acquiring network knowledge to determine:
–Packet arrival
–Interpretation
Maintained in a profile database
Combined with some techniques used in Normalization

NIDS + Active Mapping = Disambiguation
Resolves ambiguities without intercepting or modifying the stream
Operational and semantic advantages
–Eliminates confusion

Base Network Assumptions
Stable network topology
Attacker is outside the network
Firewall used for simple packet filtering
Consistent behavior in host TCP/IP stacks

Design Goals
Comparable runtime performance
Mapping should be lightweight
Avoid harming the hosts

Architecture
Mapping tool runs on a network topologically equivalent to the monitored network

Protocol Details and Limitations
Use of header-walking is a good place to start
Firewall filters
Selected mappings
Difficult/intractable cases
Practical considerations

Firewall Filters
Firewall should reject packets that could not be part of legitimate traffic
–Handled by stateless packet filtering
–Example: verifying the IP header

Selected Mappings
Hop count – number of hops to an end host
PMTU – packets discarded when larger than the PMTU and DF is set
TCP RST acceptance – noncompliant TCP can create connection discrepancies
Overlapping/inconsistent IP segments – resolves segments to contain "new" data
–First policy

Difficult/Intractable Cases
Application-level parameters
New semantics
Nondeterministic packet drops

Dealing with Timeouts and Packet Drops
Can't notify about every router or host packet drop
Send packets to receive packets

Practical Considerations
Active Mapping does not require a complete profile to be useful
Can be deployed incrementally while handling hurdles:
–NAT
–DHCP
–TCP Wrappers
–Attacks on the active mapper

Prototype Implementation
Implemented in Perl and ported to Linux and FreeBSD
ICMP and TCP
–Sent directly with raw sockets
–User-level, similar to Tbit
Tests conducted in parallel with respect to machine and task

Mapping Tools
Nmap/Queso – determine the O/S of a host
–Neither utility is precise
–O/S knowledge reduces false positives and can serve as a proxy for mapping characteristics
Ntop NIDS
Tbit – learns the TCP (congestion control) behavior of web servers

Experiments and Results
Observed Active Mapping profiles
–Obtained significant data for over 4,800 hosts
–Diversity
–Few inconsistent results

Stability of Results
Tests to determine the number of IP addresses and to check profile consistency.

Mapping Time
Test results depend on the host and the host's policies
Inefficiencies and limited parallelism

Mapping Traffic
Bidirectional network traffic

NIDS Integration Tests
Correct data interpretation
–Synthetic test with ambiguous traffic generated by fragroute
–Reasonably correct
No additional runtime costs
–Comparison on real-world traffic revealed accurate results

Conclusions and Recommendations
Mapping can be performed frequently
–Remap large sites weekly (off-peak hours)
Inconsistencies between stored and observed policies can trigger a remap
On-the-fly mapping is improbable
Runtime performance not affected by Active Mapping
–Success depends on correct host/policy information!

Summary
Ambiguity is a difficult problem to solve
Elimination of network- and transport-layer ambiguities is proposed in this paper
–Active Mapping infers host policies by sending and receiving packets
–Efficient in terms of time, speed, bandwidth and output

Summary
Future directions?
–Passive monitoring to determine appropriate remapping
–More mapping implementations
–Application-layer implementations

Works Cited
[0] Mark Handley, Christian Kreibich and Vern Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," Proc. 10th USENIX Security Symposium.
[1] Umesh Shankar and Vern Paxson, "Active Mapping: Resisting NIDS Evasion Without Altering Traffic."