Detecting Evasion Attack at High Speed without Reassembly

Detecting Evasion Attack at High Speed without Reassembly. Presented by C.W. Hon, K.K. To, 26/Mar/2007

External attack (network diagram: Internet, DMZ zone, enterprise switch, internal servers DNS/WEB/MAIL, clients)

Internal attack (same network diagram)

IDS/IPS integration (same network diagram)

IDS/IPS
- IDS – Reactive approach
- IPS – Proactive approach
IPS differs from IDS in that it takes a proactive approach to attacks – e.g. blocking the packets concerned – rather than a reactive approach – e.g. triggering human intervention.

IDS/IPS An IPS can be described as a subset of IDS in which a subset of the rules is enabled with the corresponding action to drop any packet that matches the rule. False positives must be kept to a minimum.

Signature-based IDS/IPS An IDS/IPS consists of a database of rules. Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action.

Reassembly Both IDS and IPS are required to reassemble TCP flows and IP fragments. This ensures that a content string in a rule that is fragmented across packets can still be detected.

Normalization An IPS is required to normalize TCP flows. Normalization seeks to make the data sent in a flow unambiguous, removing inconsistencies that can be exploited by an attacker.

What is Normalization (diagram: IPv4 header)

IP Normalizations
 #  IP Field       Normalization Performed
 1  Version        Non-IPv4 packets dropped.
 2  Header Len     Drop if hdr_len too small.
 3  Header Len     Drop if hdr_len too large.
 4  Diffserv       Clear field.
 5  ECN
 6  Total Len      Drop if tot_len > link layer len.
 7  Total Len      Trim if tot_len < link layer len.
 8  IP Identifier  Encrypt ID.
 9  Protocol       Enforce specific protocols; pass packet to TCP, UDP, ICMP handlers.
10  Frag offset    Reassemble fragmented packets.
11  Frag offset    Drop if offset + len > 64KB.
13  DF             Drop if DF set and offset > 0.
14  Zero flag      Clear.
15  Src addr       Drop if class D or E.
16  Src addr       Drop if MSByte=127 or 0.
17  Src addr       Drop if 255.255.255.255.
18  Dst addr       Drop if class E.
19
20
21  TTL            Raise TTL to configured value.
22  Checksum       Verify, drop if incorrect.
23  IP options     Remove IP options.
24  IP options     Zero padding bytes.

Bottlenecks in high speed IPS
- Searching for content strings / regular expressions
- Reassembling and normalizing the packets
- 1 million concurrent connections
- Avoiding early timeout of late fragments

IPS As speeds get higher, reassembly and normalization in the network require an increasing amount of resources in terms of memory, memory bandwidth and processing.

Argument
- Folk theorem: Reassembly and normalization are sufficient to detect all evasions.
- Challenge: Are packet reassembly and normalization necessary to deal with evasions by attackers?

Evasion Attack Attackers exploit ambiguities between how the IPS and the end hosts handle packets. (diagram: the string ATTACK SIGNATURE split across segments as ATTA | CK | SIGN | ATURE)

IP Fragments
- Problem: Not all IP fragments contain a TCP header.
- Good news: IP fragments are rare in practice.
- Solution: All IP fragments are redirected to the slow path.

Types of Evasion Attack
- Misordered Fragments
- Interspersed Chaff
- Overlapping Fragments
- Combined with IP fragmentation

Example – Misordered Fragments. Arrival sequence: SEQ=13, Data=“ACK”; SEQ=10, Data=“ATT”. Characteristics: out-of-order segments; segments contain portions of the signature.

Example – Interspersed Chaff. Arrival sequence: SEQ=10, TTL=10, Data=“ATT”; SEQ=13, TTL=1, Data=“JKL”; … SEQ=13, TTL=10, Data=“ACK”. Characteristics: “noise” or “chaff” segments; some segments with a small TTL.

Example – Overlapping Fragments. Arrival sequence: SEQ=10, Data=“ATTJKL”; SEQ=13, Data=“ACK”. Characteristics: similar to the case of interspersed chaff; the signature is embedded in arbitrarily large packets.

Basic Idea On a high speed link, e.g. 20 Gbps, not all traffic is attack traffic; however, the classic IPS scans all traffic passing through it. Filter out the attack traffic by identifying its characteristics and let good traffic pass through – path diversion.

Classic IPS

Path Diversion

Proposed Solution – Assumptions
- A small modification to TCP receivers to check for inconsistent transmission – Weak Atomicity.
- A change in the definition of signature detection to allow the start and end of a signature to be missed – Split-Detect.
- A restriction to exact signatures.
Refer to the paper, page 328, section 1.3, paragraph 3.

Weak Atomicity Definition: None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered. Refer to the paper, page 331. Delivered: not merely delivered to the end host, but delivered to the application. Inconsistent: inconsistent with respect to NES, i.e. differing bytes at the same position in the sequence number space.

Weak Atomicity Implementation
- Maintain a buffer – the Overlap Detect Buffer – storing the last MSS bytes of the stream.
- Compare the bytes of each new in-order packet with the bytes in the buffer; deliver it if there is no inconsistency, reset the connection if an inconsistency is found.
- Cost: more space (1 MSS) and more processing (the comparison).
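One way to realise the Overlap Detect Buffer at a TCP receiver, as an added example that is not the paper's or the presenters' code; the tiny MSS, the (seq, data) arrival sequences, the holding of out-of-order segments and the reset policy are constructed assumptions:

```python
MSS = 8  # constructed: a tiny MSS keeps the example readable (a real one is about 1460)

class WeakAtomicityReceiver:
    """Receiver that keeps the last MSS delivered bytes in an Overlap Detect Buffer
    and resets the connection when an arriving segment overlaps already delivered
    bytes with different content (the inconsistency weak atomicity forbids)."""

    def __init__(self, isn):
        self.nes = isn            # next expected sequence number
        self.buf = b""            # Overlap Detect Buffer: sequence numbers nes-len(buf) .. nes-1
        self.app = bytearray()    # bytes handed to the application
        self.pending = {}         # out-of-order segments waiting for the gap to close
        self.reset = False

    def receive(self, seq, data):
        """Return 'reset', 'held' (out of order) or 'delivered'."""
        if self.reset:
            return "reset"
        if seq > self.nes:        # gap before this segment: hold it, deliver later
            self.pending[seq] = data
            return "held"
        return self._deliver(seq, data)

    def _deliver(self, seq, data):
        win_start = self.nes - len(self.buf)          # oldest sequence number still checkable
        lo, hi = max(seq, win_start), min(self.nes, seq + len(data))
        if lo < hi and self.buf[lo - win_start:hi - win_start] != data[lo - seq:hi - seq]:
            self.reset = True                         # overlapping bytes disagree: reset
            self.pending.clear()
            return "reset"
        fresh = data[self.nes - seq:]                 # bytes beyond NES (empty for a pure retransmit)
        if fresh:
            self.app += fresh
            self.nes += len(fresh)
            self.buf = (self.buf + fresh)[-MSS:]
        while True:                                   # replay held segments that are now in order
            ready = [s for s in self.pending if s <= self.nes]
            if not ready:
                return "delivered"
            if self._deliver(min(ready), self.pending.pop(min(ready))) == "reset":
                return "reset"

def feed(isn, segments):
    """Run a constructed (seq, data) arrival sequence; return (final status, app bytes)."""
    rx = WeakAtomicityReceiver(isn)
    status = "delivered"
    for seq, data in segments:
        status = rx.receive(seq, data)
    return status, bytes(rx.app)
```

Run against the slides' overlapping-fragment case (SEQ=10 “ATTJKL”, SEQ=13 “ACK”) the receiver resets, while a consistent retransmission or mere reordering is delivered normally.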

Weak Atomicity Advantages
- Prevents bad behavior (interspersed chaff, whether intended to intrude into the system or unintended).
- No need to implement a complete IPS at the end nodes.
- Fairly simple to implement.
- Allows the current IPS to scale.

Weak Atomicity Disadvantages Introduces a new DoS attack: by injecting inconsistent data, an attacker can cause the connection to be reset.

Weak Atomicity What still remains? The attackers can still:
- Break up an attack signature.
- Send out-of-order fragments.
- Send small-TTL packets, which will never reach the end nodes.
From this point onward, we consider only the case of misordered small fragments.

Split-Detect Basic Idea
- Split the signature into K equal pieces.
- Detect any piece in the incoming packets on the fast path.
- Divert a flow to the slow path if the fast path detects any piece, or if it detects small packets or out-of-order behavior.
Why do small packets need to be detected? If the incoming packets are small enough, they may not contain any signature piece exactly. The attack packets cannot be large, because large packets are detected easily and the flow is then diverted to the slow path for full reassembly and normalization. So the attack packets must be small enough to evade detection in order to intrude into the system.

Small Packets Small packets are defined by the maximum payload size of a packet that contains a portion of the signature but does not contain any complete signature piece. (diagrams: a signature; the signature pieces versus the attacker's split) payloadSize < 2 × PieceSize - 1

Fast Path Implementation Fast Path as a State Machine. State variables:
- NES (Next Expected Sequence Number, 32 bits)
- OOO (Out Of Order since last small packet, Boolean)
- length (Length in bytes since last small packet, 7 bits)
- count (Count of anomalies, 4 bits)
- LUT (Last Update Time, 3 bits)
State is kept from the first small packet onward.

Fast Path Implementation State update mechanism (NES, OOO, length, count, LUT). Update of count: initialized to 1 when the flow is first placed in the flow table. On receiving a small packet, increment if the packet’s sequence number is not equal to NES, or OOO is true, or length ≤ SignatureLength. Purpose: counting anomalies.

Fast Path Implementation State update mechanism (NES, OOO, length, count, LUT). Update of length: if the current packet is large, increment by the payload length; if the current packet is small, reset to 0. Measures the length received for this flow since the last small packet. Examples: 1. In-sequence small segments 2. OOO small segments.

Fast Path Implementation State update mechanism (NES, OOO, length, count, LUT). Update of OOO: if the current packet is large and its sequence number is not equal to NES, set to true; if the current packet is small, reset to false. A flag that detects out-of-order reception between small packets.

Fast Path Implementation State update mechanism (NES, OOO, length, count, LUT). Update of NES: set to s + l, where s = current packet sequence number and l = current packet payload length. Reflects the sequence number of the next expected in-order TCP segment.

Fast Path Implementation State update mechanism (NES, OOO, length, count, LUT). Update of LUT: every packet updates it to the current time.

Fast Path Implementation Slow Path diversion. After the state update, the entire flow is diverted to the slow path if the packet contains a piece of the signature, or if the anomaly count is equal to K-1. If the flow is not diverted, the packet is forwarded normally, and a copy is sent to the slow path iff the packet is small.
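The fast-path state machine of the preceding slides, as an added example that is not the authors' code, run over the misordered-fragment and small-packet cases; the signature, K = 3, the flow ids, the skipping of empty payloads and the treatment of the first small packet (its anomaly is what the initial count of 1 records) are assumptions:

```python
from dataclasses import dataclass
# Constructed parameters: the slides' signature "ATTACK" split into K = 3 pieces.
SIGNATURE = b"ATTACK"
K = 3
PIECE_SIZE = len(SIGNATURE) // K                                   # 2 bytes per piece
PIECES = [SIGNATURE[i * PIECE_SIZE:(i + 1) * PIECE_SIZE] for i in range(K)]
SMALL_LIMIT = 2 * PIECE_SIZE - 1                                   # payload < this is "small"

@dataclass
class FlowState:                  # the per-flow fast-path state from the slides
    nes: int                      # next expected sequence number
    ooo: bool = False             # out-of-order seen since the last small packet
    length: int = 0               # bytes seen since the last small packet
    count: int = 1                # anomaly count, initialised to 1
    lut: int = 0                  # last update time

class FastPath:
    def __init__(self):
        self.flows = {}           # flow id -> FlowState, created on the first small packet
        self.diverted = set()     # flows already handed to the slow path

    def process(self, flow, seq, payload, now):
        """Return 'divert', 'forward' or 'forward+copy' (copy also goes to the slow path)."""
        if flow in self.diverted:
            return "divert"
        if not payload:           # assumption: pure ACKs carry no data and are ignored here
            return "forward"
        small = len(payload) < SMALL_LIMIT
        st = self.flows.get(flow)
        if st is None and small:  # state keeping starts with the first small packet;
            st = self.flows[flow] = FlowState(nes=seq + len(payload), lut=now)  # count=1 covers it
        elif st is not None:
            if small:             # anomaly if out of sequence, reordering seen, or too little data
                if seq != st.nes or st.ooo or st.length <= len(SIGNATURE):
                    st.count += 1
                st.length, st.ooo = 0, False
            else:
                if seq != st.nes:
                    st.ooo = True
                st.length += len(payload)
            st.nes, st.lut = seq + len(payload), now
        has_piece = any(p in payload for p in PIECES)
        if has_piece or (st is not None and st.count >= K - 1):
            self.diverted.add(flow)
            return "divert"
        return "forward+copy" if small else "forward"
def decisions(segments):
    """Run one flow's (seq, payload) arrival sequence and return the fast-path decisions."""
    fp = FastPath()
    return [fp.process("flow", seq, data, t) for t, (seq, data) in enumerate(segments)]
```

A flow that sends the signature in 1- and 2-byte segments (none holding a whole piece) is diverted on its second small packet, a large segment containing a piece is diverted at once, and benign traffic with an occasional small segment keeps flowing with only copies sent to the slow path.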

Slow Path Implementation Each packet arriving at the slow path carries additional information indicating whether it is a copy of a forwarded packet or a diverted packet. If a flow is a diverted flow, the slow path is responsible for deciding whether to forward the packet on to the receiver. For every flow, it maintains a single version of the reassembled TCP stream and drops the flow if there is an inconsistency. If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream. Dropping the flow on inconsistency resembles data normalization; compare the two.

Theorems Theorem 1: Fast Path Diversion A TCP connection containing string S in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path. Further, if prior to diversion, the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.

Theorems Theorem 2: Slow Path Blocking A TCP connection containing string S in some reassembled stream will have its critical packet dropped in the slow path (Safety). Conversely, a TCP connection that does not contain Almost(S) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).

Results

Advantages Speedup: 10 times. Memory compression: 25-fold (?)

Disadvantages
- Need to change the TCP implementation at the end hosts.
- Compares only Almost(S), not S.
- Restriction to exact signatures.

~ END ~