Analyzing Network Traffic in the Presence of Adversaries Vern Paxson International Computer Science Institute / Lawrence Berkeley National Laboratory

Presentation transcript:

Analyzing Network Traffic in the Presence of Adversaries Vern Paxson International Computer Science Institute / Lawrence Berkeley National Laboratory / October 18, 2004

Roadmap
In today’s Internet, attacks are the norm
–Adversaries can create fundamental problems for network traffic analysis
#1 problem: evasion by ambiguity
–“Active mapping” to resolve ambiguities
–“Normalization” to eliminate ambiguities
#2: flooding directed at network devices
–How to design robust analysis hardware

[Figure slides: Internet growth trends. Data courtesy of Rick Adams: 80% growth/year; 60% growth/year; 596% growth/year. Figure courtesy Mark Dedlow.]

In Today’s Internet Attacks are the Norm
Great interest in watching network traffic and analyzing what it’s doing
–Watching: monitor traffic at chokepoints, capture a copy or perhaps intercept
–Analyzing: reconstruct protocol layers as seen by endpoints, interpret semantics
How hard can it be?
Attackers are adversaries: they don’t want to be caught and they want to make it painful for us to operate

The Problem of Evasion
Evasion raises fundamental problems
–Network traffic seen from within a network is inherently ambiguous.
–Analyzing network traffic at a high semantic level requires extensive state …
–… which an adversary can target.
Consider a network intrusion detection system (IDS; “Bro”) detecting occurrences of the string “root” inside a network connection
(Let’s disregard the wholly separate issue of false positives: whether this is a good “signature”)

Detecting “root”: Attempt #1
Method: scan each packet for ‘r’, ‘o’, ‘o’, ‘t’
–Perhaps using Boyer-Moore, Aho-Corasick, Bloom filters …
  Packet 1: …….….root………..…………
But: TCP protocol doesn’t preserve text boundaries
  Packet 1: …….….ro   Packet 2: ot………..…………

Detecting “root”: Attempt #2
Method: remember match from end of previous packet
  Packet 1: …….….ro   Packet 2: ot………..…………   (+)
But: TCP protocol doesn’t guarantee in-order arrival
  Packet 1: …….….ro   Packet 2: ot………..…………   (?)
–Now we’re managing state

Detecting “root”: Attempt #3
Method: reassemble entire byte stream
–Keep track of full TCP connection state
–So much for “simple”
–What happens if we run out of memory?
And:
–Still evadable …

Evading Detection Via Ambiguous TCP Retransmission
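The three detection attempts above, plus the ambiguous-retransmission evasion, as an added Python example (constructed for this page, not code from the talk or from Bro). The Segment type, the "first"/"last" reassembly policies and the sample packets are assumptions made for the example; the point is that per-packet scanning misses a split pattern, carried state breaks on out-of-order arrival, and even full reassembly gives a different answer depending on which copy of inconsistently retransmitted bytes the monitor honours versus the end host.

```python
"""Detecting "root" across TCP segments: per-packet scan, carried state,
full reassembly, and the ambiguity created by inconsistent retransmission.
Added example; Segment, the policies and the sample traffic are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # stream offset of payload[0]
    payload: bytes


PATTERN = b"root"


def scan_per_packet(segments):
    """Attempt #1: look for the pattern inside each packet on its own.
    Misses a pattern that straddles a segment boundary."""
    return any(PATTERN in s.payload for s in segments)


def scan_with_carry(segments):
    """Attempt #2: carry the last len(PATTERN)-1 bytes of the previous
    packet into the next scan. Handles the split, but assumes segments
    arrive in order."""
    carry = b""
    for s in segments:
        if PATTERN in carry + s.payload:
            return True
        carry = (carry + s.payload)[-(len(PATTERN) - 1):]
    return False


def reassemble(segments, policy="first"):
    """Attempt #3: rebuild the byte stream from sequence numbers.
    policy decides which copy wins when retransmitted bytes differ:
    'first' keeps the copy seen first, 'last' lets the retransmission
    overwrite it. Reassembly stops at the first hole, like a receiver."""
    stream = {}                       # offset -> byte value
    for s in segments:
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def scan_reassembled(segments, policy="first"):
    return PATTERN in reassemble(segments, policy)


# Constructed sample traffic (not from the talk).
SPLIT = [Segment(0, b"...ro"), Segment(5, b"ot...")]
OUT_OF_ORDER = [Segment(5, b"ot..."), Segment(0, b"...ro")]
# Inconsistent retransmission: offsets 3..4 first carry "rX", then a
# retransmission carries "ro". A monitor that honours the first copy sees
# "...rXot...", one that honours the retransmission sees "...root...".
AMBIGUOUS = [Segment(0, b"...rX"), Segment(5, b"ot..."), Segment(3, b"ro")]

if __name__ == "__main__":
    print("per-packet, split:     ", scan_per_packet(SPLIT))
    print("carry, split:          ", scan_with_carry(SPLIT))
    print("carry, out of order:   ", scan_with_carry(OUT_OF_ORDER))
    print("reassembled, o-o-o:    ", scan_reassembled(OUT_OF_ORDER))
    print("reassembled, first copy:", scan_reassembled(AMBIGUOUS, "first"))
    print("reassembled, last copy: ", scan_reassembled(AMBIGUOUS, "last"))
```

The last two lines of the demo are the ambiguity the slide refers to: if the monitor and the end host pick different copies, the host can be sent "root" while the monitor reassembles "rXot", and neither reassembler is wrong by the TCP specification.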

It’s Not Just TTL Expiration
Systematic study (w/ M. Handley & C. Kreibich) to analyze ambiguous protocol fields:
–73 exploitable ambiguities in IP/TCP/UDP/ICMP
–E.g.: control flags, flow control window, “don’t fragment”, old timestamps, service class, redundant length field, filtering on unused bits
–Internet protocols not designed for analysis
–Attacker toolkits already exist for exploiting these
Answer: alert upon seeing ambiguous traffic?

The Problem of “Crud”
Unfortunately, ambiguities occur in benign traffic, too:
–Legitimate tiny fragments, overlapping fragments
–Receivers that acknowledge data they did not receive
–Senders that retransmit different data than originally
In a diverse traffic stream, you will see these:
–What is the intent?
Loss of alert precision: “Maybe there’s an attack”

Countering Evasion-by-Ambiguity: Active Mapping
Idea (w/ Umesh Shankar, UCB): Probe end-host in advance to resolve vantage-point ambiguities
–E.g., how many hops to it?
–E.g., how does it resolve ambiguous retransmissions?
–Gray-box testing

Mapping Setup

Grey-box Inference of Reassembly Policy

A Plethora of Inferred Policies

Issues for Active Mapping
Probing for most ambiguities requires eliciting a response
–Some hosts won’t respond when not actively engaged
–For some responses, need to trick host into echoing back what it saw
Have to take churn into account
–At a large site, something’s always changing
–Lack of identity due to NAT, DHCP
–Our implementation takes ≈ 5 sec/host

Countering Evasion-by-Ambiguity: Normalization
Idea (w/ Mark Handley, Christian Kreibich): Introduce a network element to rewrite traffic passing through it to eliminate ambiguities
–E.g., regenerate low TTLs (dicey!)
–E.g., regularize flags, unused fields
–E.g., trim out-of-window data
–E.g., reassemble streams & remove inconsistent retransmissions

Issues for Normalization
Effect on end-to-end semantics?
–Some normalizations harmless (e.g., inconsistent streams)
–Some actually improve protocol (e.g., reliable RSTs)
–Some degrade performance in the presence of cold start (e.g., stripping TCP window scaling)
Performance: element is in-line
–Prototype (1.1 GHz): 400 Mbps
–Would like to use custom hardware …
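Two of the normalizations listed above ("trim out-of-window data" and "remove inconsistent retransmissions"), as an added Python example that is not code from the talk or from the normalizer prototype it describes. The Segment type, the first-copy-wins rule, the advertised-window parameter and the sample traffic are assumptions of this example; a real in-line normalizer would also have to cope with the cold-start problem the slide mentions, since it has no record of bytes forwarded before it started.

```python
"""Minimal TCP payload normalizer: forwards each stream offset at most once
with one byte value, so a downstream receiver's reassembly policy cannot
change the stream the monitor saw. Added example with constructed input."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # stream offset of payload[0]
    payload: bytes


def normalize(segments, window_end):
    """Rewrite a segment sequence. Bytes at or beyond window_end (the
    receiver's advertised window, assumed known here) are trimmed; bytes the
    normalizer has already forwarded are dropped, and if the retransmitted
    value differs the inconsistent retransmission is logged. First copy wins
    (a design choice of this example). Returns (forwarded, notes)."""
    committed = {}          # offset -> byte already sent downstream
    forwarded, notes = [], []
    for s in segments:
        runs = []           # contiguous runs of new bytes: [offset, bytearray]
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if off >= window_end:
                notes.append(f"trimmed offset {off}: beyond window")
                continue
            if off in committed:
                if committed[off] != b:
                    notes.append(f"dropped inconsistent retransmission at offset {off}")
                continue                      # identical copy: already forwarded
            committed[off] = b
            if runs and runs[-1][0] + len(runs[-1][1]) == off:
                runs[-1][1].append(b)
            else:
                runs.append([off, bytearray([b])])
        forwarded.extend(Segment(off, bytes(buf)) for off, buf in runs)
    return forwarded, notes


def is_unambiguous(segments):
    """True if no stream offset is covered by two segments, i.e. no receiver
    reassembly policy (first copy, last copy, ...) can change the stream."""
    covered = set()
    for s in segments:
        span = set(range(s.seq, s.seq + len(s.payload)))
        if covered & span:
            return False
        covered |= span
    return True


# Constructed traffic: an inconsistent retransmission of offsets 3..4
# ("rX" first, "ro" later) and a segment that overruns a 100-byte window.
AMBIGUOUS = [Segment(0, b"...rX"), Segment(5, b"ot..."), Segment(3, b"ro")]
OVERRUN = [Segment(95, b"abcdefgh")]

if __name__ == "__main__":
    out, log = normalize(AMBIGUOUS + OVERRUN, window_end=100)
    print("input unambiguous:", is_unambiguous(AMBIGUOUS + OVERRUN))
    print("output unambiguous:", is_unambiguous(out))
    for seg in out:
        print("forward", seg)
    for line in log:
        print("log", line)
```

Keeping the first copy is what makes the element's view authoritative: whatever the end host's own policy, it only ever receives the bytes the monitor committed to, which removes exactly the ambiguity shown in the retransmission example earlier.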

Robust Hardware for Analyzing Traffic in the Presence of Adversaries
Ongoing work w/ Sarang Dharmapurikar (WUSTL)
Basic building-block for boosting network analysis: in-line TCP stream reassembly
–If data arrives in-sequence, hand it to analyzer module
–If data arrives out-of-sequence, it creates a “hole”: buffer for later delivery
How hard can it be?

How Much Buffer for Holes Do We Need?
Most previous work says: “Zero”
–Skip out-of-sequence packets
Commercial work says: “Yes”
–Claim out-of-sequence packets buffered, but with no details
Answer for sound operation depends critically on whether we consider adversaries …

Measured Buffer Required Per-Hole

Measured Duration of Holes

Instantaneous Aggregate Hole Buffer

How Much Buffer for Holes Do We Need?, con’t
Trace analysis says: a few hundred KB suffices even for a large site’s access link …
… But: an adversary can maliciously create holes, overflowing the buffer.
On overflow, we can either:
–Stop analyzing evicted connection, allowing adversary to evade
–Kill unanalyzable connection, allowing adversary to inflict collateral damage

Adversary-Resistant Stream Reassembly
Trace analysis also says:
–Very few connections have concurrent holes: can limit adversary to one hole per connection
–No hosts have concurrent connections w/ holes: can limit adversary to one hole per zombie
Consider randomized eviction:
–If buffer size >> requirements of legit connections, then most evictions evict the attacker’s own holes
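A simulation of the hole buffer under the two defences on this slide (a per-connection cap on buffered data and randomized eviction), added here as an example and not code from the talk or from the hardware design it describes. The page size of 4096 bytes, the 64 MB buffer, the 1460-byte legitimate holes, the choice of a random page (so a connection's eviction probability is proportional to the memory it holds) and the use of a byte cap per connection in place of the slide's one-hole-per-connection rule are all assumptions of this example; the 10 KB per-connection allowance follows the later "Zombie Implications" slide. Legitimate holes are treated as long-lived here, which overstates their exposure; in the traces they are short.

```python
"""Hole-buffer simulation: per-connection cap plus randomized eviction.
Added example with assumed parameters; not the talk's own model."""
import random

PAGE = 4096                     # hole-buffer granularity g (assumed)


class HoleBuffer:
    """Fixed-size buffer for out-of-sequence data behind TCP holes. Memory is
    allocated in pages; each connection may hold at most per_conn_bytes; when
    the buffer is full, a page is chosen uniformly at random and the
    connection owning it is evicted (all of its pages are released)."""

    def __init__(self, capacity_bytes, per_conn_bytes, rng):
        self.pages = [None] * (capacity_bytes // PAGE)   # page index -> conn id
        self.free = list(range(len(self.pages)))
        self.per_conn_pages = -(-per_conn_bytes // PAGE)  # ceil division
        self.owned = {}                                   # conn id -> [page indices]
        self.kind = {}                                    # conn id -> "legit" | "zombie"
        self.evictions = {"legit": 0, "zombie": 0}
        self.rng = rng

    def buffer(self, conn, kind, nbytes):
        """Data arrived past a hole. Returns False if the per-connection cap
        would be exceeded (data dropped, nothing evicted), else buffers it,
        evicting random victims until enough pages are free."""
        need = -(-nbytes // PAGE)
        if len(self.owned.get(conn, [])) + need > self.per_conn_pages:
            return False
        while len(self.free) < need:
            self._evict_random()
        pages = [self.free.pop() for _ in range(need)]
        for p in pages:
            self.pages[p] = conn
        self.owned.setdefault(conn, []).extend(pages)
        self.kind[conn] = kind
        return True

    def _evict_random(self):
        while True:                          # buffer is full, so this terminates
            p = self.rng.randrange(len(self.pages))
            if self.pages[p] is not None:
                break
        self.release(self.pages[p], evicted=True)

    def release(self, conn, evicted=False):
        """Hole filled (or connection evicted): give its pages back."""
        for p in self.owned.pop(conn, []):
            self.pages[p] = None
            self.free.append(p)
        kind = self.kind.pop(conn, None)
        if evicted and kind is not None:
            self.evictions[kind] += 1


def simulate(capacity=64 * 2**20, per_conn=10_000, n_legit=100,
             n_zombie=10_000, seed=7):
    """A few hundred KB of legitimate holes (n_legit x one 1460-byte segment)
    compete with zombies that each open one connection, fill their allowance,
    then try to grow past it. Returns eviction counts and the share of
    evictions that landed on the attacker's own holes."""
    rng = random.Random(seed)
    buf = HoleBuffer(capacity, per_conn, rng)
    for i in range(n_legit):
        buf.buffer(f"legit-{i}", "legit", 1460)
    refused = 0
    for z in range(n_zombie):
        buf.buffer(f"zombie-{z}", "zombie", per_conn)
        if not buf.buffer(f"zombie-{z}", "zombie", PAGE):   # cap enforced
            refused += 1
    total = sum(buf.evictions.values())
    return {
        "evictions": dict(buf.evictions),
        "zombie_share": buf.evictions["zombie"] / total if total else None,
        "refused": refused,
    }


if __name__ == "__main__":
    print(simulate())
```

With the buffer far larger than the legitimate holes' few hundred KB, the random page almost always belongs to a zombie, which is the slide's argument for throwing memory at the problem; the per-connection cap is what forces the attacker to spend a separate connection (and zombie) on each 10 KB of buffer it wants to occupy.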

Zombie Equations
Let:
–M, P = total memory (pages) available for holes
–M_l, P_l = memory (pages) for legitimate holes
–e = tolerable eviction rate for legit. connections
–r = rate at which a zombie can transmit (bytes/sec)
–g = page size (granularity) for hole buffer
–Z = # of zombies required to achieve eviction rate
Then for attacker creating small/large holes:

Zombie Implications
If we only terminate connections with > 2 packets buffered; allow each connection 10KB of buffer; and use 512MB DRAM …
… then collateral damage rate X of legitimate connections terminated per second is:
By throwing memory at the problem, we can weather a large attack

Summary
The lay of the land has changed
–Ecosystem of endemic hostility
Adversaries can exploit ambiguity and the pressures of holding state to evade detection or inflict collateral damage
Internet protocols not designed with “wire analysis” in mind …
… But it is possible to design to address these issues if they are properly considered

Summary, con’t
Network analysis amidst adversaries is a new area:
–Did not talk about: application-level evasion, polymorphism, tunneling, compromising passive monitors
–In many ways, reminiscent of Internet measurement a decade ago: low-hanging fruit, daunting problems, fun!