Detecting Evasion Attack at High Speed without Reassembly


1 Detecting Evasion Attack at High Speed without Reassembly
Presented by C.W. Hon K.K. To 26/Mar/2007

2 External attack (diagram: Internet, DMZONE, enterprise switch, DNS/WEB/MAIL servers, internal servers, clients)

3 Internal attack (same diagram, attacker inside the enterprise)

4 IDS/IPS integration (same diagram with the IDS/IPS placed at the enterprise switch)

5 IDS/IPS
IDS - Reactive approach
IPS - Proactive approach
IPS differs from IDS in that it takes a proactive approach to attacks - e.g. blocking the packets concerned - rather than a reactive approach - e.g. triggering human intervention.

6 IDS/IPS An IPS can be described as a subset of an IDS in which a subset of the rules is enabled with the corresponding action of dropping any packet that matches the rule. ☼ A minimum false positive rate is required.

7 Signature based IDS/IPS
An IDS/IPS consists of a database of rules. Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action.

8 Reassembly Both IDS and IPS are required to reassemble TCP flows and IP fragments. This ensures that a content string in a rule that is fragmented across packets can still be detected.

9 Normalization IPS is required to normalize TCP flows.
Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker.

10 What is Normalization (figure: IPv4 header layout)

11 IP Normalizations
#   IP Field        Normalization Performed
1   Version         Non-IPv4 packets dropped.
2   Header Len      Drop if hdr_len too small.
3   Header Len      Drop if hdr_len too large.
4   Diffserv        Clear field.
5   ECN
6   Total Len       Drop if tot_len > link layer len.
7   Total Len       Trim if tot_len < link layer len.
8   IP Identifier   Encrypt ID.
9   Protocol        Enforce specific protocols. - Pass packet to TCP, UDP, ICMP handlers.
10  Frag offset     Reassemble fragmented packets.
11  Frag offset     Drop if offset + len > 64KB.
13  DF              Drop if DF set and offset > 0.
14  Zero flag       Clear.
15  Src addr        Drop if class D or E.
16  Src addr        Drop if MSByte=127 or 0.
17  Src addr        Drop if
18  Dst addr        Drop if class E.
19  Dst addr
20  Dst addr
21  TTL             Raise TTL to configured value.
22  Checksum        Verify, drop if incorrect.
23  IP options      Remove IP options.
24  IP options      Zero padding bytes.

12 Bottlenecks in high speed IPS
Searching for content strings and regular expressions
Reassembling and normalizing the packets
1 million concurrent connections
Avoiding early timeout of late fragments

13 IPS As speed gets higher, reassembly and normalization in the network require an increasing amount of resources in terms of memory and processing: memory, bandwidth and processing.

14 Argument
Folk Theorem: Reassembly and normalization are sufficient to detect all evasions.
Challenge: Are packet reassembly and normalization necessary to deal with evasions by attackers?

15 Evasion Attack Attackers exploit the ambiguities between the IPS and the end hosts in handling packets. (figure: the string "ATTACK SIGNATURE" split into the fragments "ATTA", "CK SIGN", "ATURE")

16 IP Fragments Problem - Not all IP fragments contain a TCP header
Good news - IP fragments are rare in practice. Solution - All IP fragments are redirected to the slow path.

17 Types of Evasion Attack
Misordered Fragments
Interspersed Chaff
Overlapping Fragments
- All can be combined with IP fragmentation

18 Example – Misordered Fragments
Arrival sequence: SEQ=13, Data="ACK"; then SEQ=10, Data="ATT"
Characteristics: Out-of-order segments; each segment contains a portion of the signature.

19 Example – Interspersed Chaff
Arrival sequence: SEQ=10, TTL=10, Data="ATT"; SEQ=13, TTL=1, Data="JKL"; SEQ=13, TTL=10, Data="ACK"
Characteristics: "Noise" or "Chaff" segments; some segments have a small TTL and never reach the end host.

20 Example – Overlapping Fragments
Arrival sequence: SEQ=10, Data="ATTJKL"; SEQ=13, Data="ACK"
Characteristics: Similar to the case of Interspersed Chaff; the signature is embedded in arbitrarily large packets.

21 Basic Idea - In the case of a high speed link, e.g. 20 Gbps
Not all traffic is attack traffic; however, the classic IPS scans all traffic passing through it. Filter out the attack traffic by figuring out its characteristics and let good traffic pass through – path diversion.

22 Classic IPS

23 Path Diversion

24 Proposed Solution Assumptions
A small modification to TCP receivers to check for inconsistent transmission – Weak Atomicity. A change in the definition of signature detection to allow the start and end of a signature to be missed – Split-Detect. A restriction to exact signatures. Refer to the paper, page 328, section 1.3, paragraph 3.

25 Weak Atomicity Definition:
None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered. Refer to the paper, page 331.
Delivered: not merely delivered to the end host, but also delivered to the application.
Inconsistent: inconsistent with respect to NES, the next expected sequence number.

26 Weak Atomicity Implementation
Maintain a buffer – the Overlap Detect Buffer – that stores the last MSS bytes sent. Compare the bytes of each new in-order packet with the bytes in the buffer: deliver it if there is no inconsistency, and reset the connection if an inconsistency is found. This takes more space (1 MSS) and more processing (the comparison).
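The Overlap Detect Buffer described on this slide, as an added example that is not part of the presentation or of the paper: a toy receiver that keeps the last MSS delivered bytes, compares every in-order segment against them and resets the connection on the first inconsistency. The MSS value and the segment contents are constructed to match the evasion examples on the earlier slides.

```python
MSS = 8   # constructed: a tiny MSS keeps the example readable (a real MSS is ~1460 bytes)


class WeakAtomicityReceiver:
    """Toy TCP receiver with an Overlap Detect Buffer (added illustration, not the
    paper's code). It keeps the last MSS delivered bytes and refuses to deliver any
    segment whose bytes disagree with bytes already delivered at the same sequence
    numbers; an inconsistency resets the connection."""

    def __init__(self, isn):
        self.nes = isn          # next expected sequence number
        self.buf = b""          # Overlap Detect Buffer: last MSS bytes delivered
        self.pending = {}       # out-of-order segments keyed by sequence number
        self.delivered = b""    # bytes handed to the application
        self.reset = False

    def _consistent(self, seq, data):
        # Compare the part of `data` that overlaps already-delivered bytes with the buffer.
        buf_start = self.nes - len(self.buf)
        lo, hi = max(seq, buf_start), min(seq + len(data), self.nes)
        if lo >= hi:
            return True         # no overlap with the buffered history
        return data[lo - seq:hi - seq] == self.buf[lo - buf_start:hi - buf_start]

    def _deliver(self, new):
        self.delivered += new
        self.nes += len(new)
        self.buf = (self.buf + new)[-MSS:]   # keep only the last MSS bytes

    def receive(self, seq, data):
        """Process one segment; returns 'delivered', 'queued', 'dup' or 'reset'."""
        if self.reset:
            return "reset"
        if not self._consistent(seq, data):
            self.reset = True   # inconsistent retransmission: tear the connection down
            return "reset"
        if seq > self.nes:
            self.pending[seq] = data
            return "queued"
        new = data[self.nes - seq:]          # strip the already-delivered prefix
        if not new:
            return "dup"                     # consistent retransmission, nothing new
        self._deliver(new)
        while self.nes in self.pending:      # drain segments that are now in order
            self._deliver(self.pending.pop(self.nes))
        return "delivered"
```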

27 Weak Atomicity Advantages
Prevents bad behavior.
No need to implement a complete IPS at the end nodes.
Fairly simple to implement.
Allows the current IPS to scale.
Bad behavior: interspersed chaff, whether intended to intrude into the system or unintended.

28 Weak Atomicity Disadvantages
Introduces a new DoS attack: injecting inconsistent data causes the connection to be reset.

29 Weak Atomicity What still remains? The attackers can still:
Break up an attack signature.
Send out-of-order fragments.
Send small-TTL packets, which will never reach the end nodes.
From this point onward, we consider only the case of misordered small fragments.

30 Split-Detect Basic Idea Split the signature into K equal pieces.
Detect any piece in the incoming packets on the fast path. Divert a flow to the slow path if the fast path detects any piece, or if the fast path detects small packets or out-of-order behavior. Small packets: why do they need to be detected? If the incoming packets are small enough, they may not contain any signature piece in full. The attack packets cannot be large, because a large packet carrying a piece is detected easily and the flow is diverted to the slow path for full reassembly and normalization. So the attack packets must be small enough to evade detection in order to intrude into the system.

31 Small Packets A small packet is defined by the maximum payload size of a packet that contains a portion of the signature but does not contain any whole signature piece.

32-35 Small Packets (figures: a signature, its signature pieces, and the attacker's split of the signature across packets)
payloadSize < 2 * PieceSize - 1

36 Fast Path Implementation Fast Path as a State Machine. State variables:
NES (Next Expected Sequence Number, 32 bits)
OOO (Out Of Order since last small packet, Boolean)
length (Length in bytes since last small packet, 7 bits)
count (Count of anomalies, 4 bits)
LUT (Last Update Time, 3 bits)
State is kept from the moment the first small packet is sent.

37 Fast Path Implementation
State update mechanism (NES, OOO, length, count, LUT). Update of count: initialized to 1 when the flow is first placed in the flow table. On receiving a small packet, increment if the packet's sequence number is not equal to NES, or OOO is true, or length ≤ SignatureLength. This counts anomalies.

38 Fast Path Implementation
State update mechanism (NES, OOO, length, count, LUT). Update of length: if the current packet is large, increment by the payload length. If the current packet is small, reset to 0. This measures the length received on this flow since the last small packet. Examples: 1. In-sequence small segments. 2. OOO small segments.

39 Fast Path Implementation
State update mechanism (NES, OOO, length, count, LUT). Update of OOO: if the current packet is large and its sequence number is not equal to NES, set to true. If the current packet is small, reset to false. A flag that detects out-of-order reception between small packets.

40 Fast Path Implementation
State update mechanism (NES, OOO, length, count, LUT). Update of NES: set to s + l, where s = current packet sequence number and l = current packet payload length. Reflects the sequence number of the next expected in-order TCP segment.

41 Fast Path Implementation
State update mechanism (NES, OOO, length, count, LUT). Update of LUT: every packet causes it to be updated to the current time.

42 Fast Path Implementation Slow Path diversion
After the state update, the entire flow is diverted to the slow path if the packet contains a piece of the signature, or if the anomaly count is equal to K-1. If the flow is not diverted, the packet is forwarded normally, and a copy is sent to the slow path iff the packet is small.
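The fast-path state machine of slides 30 to 42, as an added example that is not the paper's or the presenters' code: the signature, K and the packet sequences are constructed, the LUT timer is omitted, and pieces are matched only within a single packet, as the fast path does. It also covers the small-packet threshold of slides 31-35; the sequences tried in the test are the misordered small fragments case, benign traffic, and a large packet carrying a whole piece.

```python
from dataclasses import dataclass

SIG = "ATTACKSIGNATURE"      # constructed sample signature S, split into K equal pieces
K = 3
PIECE = len(SIG) // K
PIECES = [SIG[i * PIECE:(i + 1) * PIECE] for i in range(K)]   # ATTAC, KSIGN, ATURE
SMALL_MAX = 2 * PIECE - 2    # "small" packet: payloadSize < 2 * PieceSize - 1


@dataclass
class FlowState:             # NES, OOO, length, count; LUT (timer) omitted here
    nes: int
    ooo: bool = False
    length: int = 0
    count: int = 1           # initialised to 1 when the flow enters the flow table


def fast_path(packets):
    """packets: list of (seq, payload) in arrival order for one TCP flow.
    Returns (index of the packet that diverted the flow or None, per-packet decisions):
    'forward', 'forward+copy' (small packet also copied to the slow path) or 'divert'."""
    state, decisions = None, []
    for i, (seq, data) in enumerate(packets):
        small = len(data) <= SMALL_MAX
        if state is not None:
            # count: anomaly if a small packet is misordered, follows OOO large packets,
            # or arrives within one signature length of the previous small packet
            if small and (seq != state.nes or state.ooo or state.length <= len(SIG)):
                state.count += 1
            if small:                        # length and OOO restart at each small packet
                state.length, state.ooo = 0, False
            else:
                state.length += len(data)
                if seq != state.nes:
                    state.ooo = True
            state.nes = seq + len(data)      # next expected sequence number
        elif small:
            state = FlowState(nes=seq + len(data))   # state kept from the first small packet
        has_piece = any(p in data for p in PIECES)
        if has_piece or (state is not None and state.count == K - 1):
            decisions.append("divert")       # whole flow goes to the slow path from here
            return i, decisions
        decisions.append("forward+copy" if small else "forward")
    return None, decisions
```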

43 Slow Path Implementation
Each packet arriving at the slow path carries additional information indicating whether it is a copy of a forwarded packet or a diverted packet. If a flow is a diverted flow, the slow path is responsible for deciding whether to forward the packet on to the receiver. For every flow, it maintains a single version of the reassembled TCP stream, and drops the flow if there is an inconsistency. If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream. Dropping the flow on inconsistency resembles data normalization; compare the two.

44 Theorems Theorem 1: Fast Path Diversion
A TCP connection containing string S in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path. Further, if prior to diversion, the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.

45 Theorems Theorem 2: Slow Path Blocking
A TCP connection containing string S in some reassembled stream will have its critical packet dropped in the slow path (Safety). Conversely, a TCP connection that does not contain Almost(S) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).

46-55 Results (figures)

56 Advantages Speedup: 10 times. Memory compression: 25 fold (?)

57 Disadvantages
Need to change the TCP implementation at the end hosts.
Compares only Almost(S), not S.
Restriction to exact signatures.

58 ~ END ~

