Detecting Evasion Attacks at High Speeds without Reassembly

Presentation transcript (slides on the paper of that title by George Varghese, J. Andrew Fingerhut and Flavio Bonomi, SIGCOMM 2006):

IDS/IPS – An IDS alerts the administrator when a packet matching an intrusion appears; an IPS proactively drops it – Both considered here are signature-based – Both need TCP reassembly before string matching – An IPS additionally needs normalization to resolve inconsistent (overlapping) segments

Bottleneck at high speed – With 1 million concurrent connections, reassembly state must be held long enough to avoid timing out late fragments – Memory usage increases – Processing time increases

Evasion attacks – Misordered fragments – Interspersed chaff – Overlapping segments

Misordered fragments: the attacker sends the bytes of the signature out of sequence order, so a matcher that does not reassemble never sees them contiguously.

Interspersed chaff: bogus segments that the end host will discard (for example with a bad checksum, or a TTL that expires before the host) are interleaved with real ones, so the IDS's view of the stream contains bytes the receiver never sees.

Overlapping segments: segments with overlapping sequence ranges but different contents; the IDS cannot know which version the receiver will keep.

Challenge – Reassembly and normalization are sufficient to detect all evasions – The folk theorem says they are also necessary; the paper asks whether something cheaper can do the job

Basic idea: selective detection – Fast path (no reassembly) for normal streams – Slow path (full reassembly and normalization) for suspicious streams

Diagram

Three assumptions – A modification to TCP receivers (weak atomicity) – A change in the definition of signature detection (detect Almost(S), not S) – A restriction to exact signatures, or regular expressions containing a fixed-length exact string

Mechanism – IP fragments all go to the slow path (an IP fragment may not contain the TCP header) – Weak atomicity handles the overlapping-segment attack – Split-Detect handles misordered fragments and interspersed chaff

IP fragments – Only the first fragment of a datagram carries the TCP header, so later fragments cannot be classified by the fast path

IP fragments – All go to the slow path – Acceptable because fragments are rare

Weak atomicity – Overlapping-segment attack – Resolving overlapping segments inside the IPS needs a large amount of state (a copy of already-forwarded data must be kept to check later overlaps against it)

Weak atomicity – None of the bytes in a TCP segment that are delivered will be inconsistent with the bytes of another delivered TCP segment – With this guarantee the overlapping-segment attack has no effect: the IPS can keep a single version of the stream, because an inconsistent overlap resets the connection at the receiver anyway

Implementation – Maintain an additional overlap buffer: an MSS worth of the bytes last delivered to the socket buffer – Compare any overlapping bytes of an incoming segment with the overlap buffer – If there is an inconsistency, reset the connection
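The receiver-side check above, written out as a runnable model. This is an added example and not the paper's code: the class name, the deliberately tiny MSS of 8 bytes and every segment fed in below are constructed for illustration. The docstring explains why one MSS worth of delivered bytes is enough to enforce the property.

```python
# Added example, not the paper's code: a TCP receive side enforcing weak
# atomicity with the overlap buffer the slide describes. The class, the tiny
# MSS and every segment below are constructed for illustration.


class WeakAtomicityReceiver:
    """One connection's receive side with an overlap buffer of `mss` bytes.

    Only the last `mss` delivered bytes are kept. That is enough: a segment is
    at most `mss` bytes, so if it can still deliver one new byte, every old byte
    it overlaps lies inside the buffer and can be compared. A segment that lies
    entirely in the past delivers nothing, so it cannot violate the property.
    """

    def __init__(self, isn: int, mss: int = 8):
        self.mss = mss            # constructed small MSS to keep examples short
        self.next_seq = isn       # sequence number of the next byte to deliver
        self.delivered = b""      # bytes handed to the application so far
        self.overlap = b""        # overlap buffer: last `mss` delivered bytes
        self.pending = []         # out-of-order segments: (seq, data)
        self.reset = False        # True once an inconsistency forced a RST

    def receive(self, seq: int, data: bytes) -> str:
        """Feed one segment; returns 'delivered', 'no_new_data' or 'reset'."""
        if self.reset:
            return "reset"
        if len(data) > self.mss:
            raise ValueError("segment larger than MSS")
        self.pending.append((seq, data))
        return self._drain()

    def _drain(self) -> str:
        outcome = "no_new_data"
        progressed = True
        while progressed and not self.reset:
            progressed = False
            for seg in list(self.pending):
                seq, data = seg
                if seq > self.next_seq:
                    continue              # a hole precedes it: keep waiting
                self.pending.remove(seg)
                progressed = True
                if not self._consistent(seq, data):
                    self.reset = True     # inconsistent overlap: RST the connection
                    return "reset"
                new = data[self.next_seq - seq:]
                if new:
                    self.delivered += new
                    self.overlap = (self.overlap + new)[-self.mss:]
                    self.next_seq += len(new)
                    outcome = "delivered"
        return outcome

    def _consistent(self, seq: int, data: bytes) -> bool:
        """Compare the bytes of `data` that fall inside the overlap buffer."""
        buf_start = self.next_seq - len(self.overlap)
        lo, hi = max(seq, buf_start), min(seq + len(data), self.next_seq)
        return all(data[s - seq] == self.overlap[s - buf_start] for s in range(lo, hi))


def honest_retransmit():
    """Identical and consistently overlapping retransmissions are accepted."""
    r = WeakAtomicityReceiver(isn=0)
    r.receive(0, b"HELLO WO")
    r.receive(0, b"HELLO WO")        # exact duplicate
    r.receive(6, b"WORLD!!!")        # overlaps "WO" consistently, adds "RLD!!!"
    return r.delivered, r.reset      # -> (b"HELLO WORLD!!!", False)


def inconsistent_overlap():
    """The overlapping-segment evasion: same range, different bytes -> RST."""
    r = WeakAtomicityReceiver(isn=0)
    r.receive(0, b"ATTACK_S")
    status = r.receive(0, b"XXXXXXXX")
    return status, r.reset, r.delivered   # -> ("reset", True, b"ATTACK_S")


def out_of_order_delivery():
    """A later segment waits for the hole, then both pass the overlap check."""
    r = WeakAtomicityReceiver(isn=0)
    first = r.receive(8, b"IGNATURE")
    second = r.receive(0, b"ATTACK_S")
    return first, second, r.delivered   # -> ("no_new_data", "delivered", b"ATTACK_SIGNATURE")


def stale_duplicate():
    """A conflicting segment entirely behind the buffer delivers nothing."""
    r = WeakAtomicityReceiver(isn=0)
    r.receive(0, b"ATTACK_S")
    r.receive(8, b"IGNATURE")            # buffer now holds only b"IGNATURE"
    return r.receive(0, b"XXXXXXXX"), r.reset   # -> ("no_new_data", False)
```

The last case is the one that makes the MSS-sized buffer sufficient rather than a compromise: a segment whose range lies wholly behind the buffer cannot contribute a delivered byte, so it cannot make delivered bytes inconsistent, and the receiver does not need to remember anything older to uphold the property.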

Advantages – Prevents the bad behaviour at its source – Does not require a complete IPS at the end nodes – Fairly simple to implement – Allows the current IPS to scale

Disadvantage – New DoS attack: an attacker who can inject a segment with inconsistent data into another connection causes that connection to be reset

Split-Detect – Handles misordered fragments – Handles interspersed chaff

Split-Detect – Split: break a signature into K equal pieces and arm the fast path to detect any single piece – Divert: move a TCP flow to the slow path when the fast path detects any piece, or when it sees small packets or out-of-order behaviour

Split – Original signature ATTACK_SIGNATURE, split into pieces of 4 bytes: ATTA, CK_S, IGNA, TURE – Attacker's split ATTA | CK_SIGNATURE: both halves still contain a whole piece, so the fast path matches; to evade it the attacker must never send a whole piece inside one packet

Small packets – Evading piece matching: a packet with PayloadSize < 2·PieceSize − 1 can carry signature bytes without containing any whole aligned piece – Such packets are called small, and the fast path treats them as suspicious

Fast path as a state machine – State variables: NES (next expected sequence number, 32 bits), OOO (out of order since the last small packet, Boolean), length (bytes since the last small packet, 7 bits), count (count of anomalies, 4 bits), LUT (last update time, 3 bits) – A flow's state is created when its first small packet is seen

Implementation – count: counts anomalies – Initialised to 1 when the flow is first placed in the flow table – On receiving a small packet, incremented if the packet's sequence number is not equal to NES, or OOO is true, or length ≤ SignatureLength

length: bytes seen on this flow since the last small packet – If the current packet is large, incremented by its payload length – If the current packet is small, reset to 0

OOO: flag recording out-of-order reception between small packets – If the current packet is large and its sequence number is not equal to NES, set to true – If the current packet is small, reset to false

NES: next expected in-order TCP sequence number – Set to s + l, where s is the current packet's sequence number and l its payload length

Slow path diversion – After the state update, the entire flow is diverted to the slow path if the packet contains a piece of the signature, or the anomaly count equals K − 1 – If the flow is not diverted, the packet is forwarded normally, and a copy is sent to the slow path iff the packet is small

Slow path – Each packet arrives with additional information indicating whether it is a copy of a forwarded packet or a diverted packet – For a diverted flow, the slow path decides whether to forward the packet on to the receiver – For every flow it maintains a single version of the reassembled TCP stream (weak atomicity makes one version sufficient) and drops the flow if it sees an inconsistency – For a diverted flow it looks for the concatenation of pieces 2 to K − 1 in the reassembled stream (hence it detects Almost(S) rather than S)

Results – Same flow, different parameters – OC-48 trace

Results – Different flows, the same parameters

Advantages – Speedup of 10 times – State compressed 20 times

Disadvantages – Requires modifying the TCP client (receiver) – Detects Almost(S), not S – Does not support general regular expressions – Small-token problem with short signatures

Comment – A new idea against the folk theorem – But not practical: it makes up one thing but loses another