Slide 1: Detecting Evasion Attacks at High Speeds without Reassembly
George Varghese, J. Andrew Fingerhut, Flavio Bonomi, in ACM SIGCOMM 2006
Presented by: Sailesh Kumar

Slide 2 (Sailesh Kumar, 4/30/2015): Overview
- IDP/IPS
  » Introduction to Evasion Attacks
- Evasion by Fragmentation/Out-of-order
- Complications: Overlapping segments
- Solution: Split-Detect
- Analysis and Results

Slide 3: IDS/IPS
- Signature based IDS (Intrusion Detection Systems)
  » Matches a set of rules
  » Rules contain
    – Packet header types
    – Content strings
    – Alerts
  » Multi-billion dollar business
- IPS (Intrusion Prevention Systems)
  » For some rules: Alert = Action = Drop packets
  » Pick only rules with a small false-positive rate

Slide 4: IDS/IPS
- IPS integrated in a switch
  » ASICs for content inspection
  » Memory for TCP states
    – 5-tuple
    – RTT worth of data
  » > 1 Gb
- Alternative model
  » Fast path: common case
  » Slow path: exception packets
  » If we divert few packets to the slow path => speedup
  » Fast path: On-chip memory

Slide 5: Art of Evasion
- Use TCP/IP fragmentation
  » Fragment the signature and send the fragments out of order
  » Solution: Reassemble each TCP data stream
- Another attack: Use chaff between packets
  » IPS does not know whether the data is “ATTJNK” or “ATTACK”
  » Solution: Normalize TCP streams
    – Pick a canonical ordering; overwrite a fully overlapping segment
- Overlapping segments
  » Fragment + chaff => large packets
[Slide figures: packet sequences as labelled on the slide]
  Out-of-order fragments: SEQ=13, DATA=“ACK”; SEQ=10, DATA=“ATT”
  Chaff with a low TTL: SEQ=10, TTL=10, “ATT”; SEQ=13, TTL=1, “JNK”; SEQ=13, TTL=10, “ACK”
  Overlapping segments: SEQ=10, DATA=“ATTJNK”; SEQ=13, DATA=“ACK”

Slide 6: Art of Evasion
- More difficult attack
  » Chaff can lead to an exponential number of reorderings
  » Extremely compute intensive to find the ordering that creates the attack signature
- Solution: Weak Atomicity
  » None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered.
  » If inconsistent data => reset connection
    – Thus in the case below, the end host will reset the connection
[Slide figure: SEQ=10, TTL=10, “ATT”; SEQ=11, TTL=1, “JNK”; SEQ=13, TTL=10, “ACK”]
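The weak-atomicity rule on this slide can be checked mechanically. The following is an added example, not code from the slides or from the Varghese/Fingerhut/Bonomi paper: a receiver-side model that remembers the first byte delivered for every sequence number and treats any later segment that disagrees on an already-delivered byte as inconsistent, i.e. grounds for a reset. TTLs are ignored (assumption: every listed segment reaches the checker), so the input is just (seq, payload) pairs; the sample segments mirror the packet diagrams on slides 5 and 6.

```python
"""Weak-atomicity check on overlapping TCP segments (added example)."""
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, bytes]  # (sequence number, payload)


class WeakAtomicityChecker:
    """Keeps every delivered byte by sequence number and flags conflicts."""

    def __init__(self) -> None:
        self.bytes_at: Dict[int, int] = {}  # sequence number -> delivered byte
        self.reset = False
        self.conflict_seq: Optional[int] = None

    def deliver(self, seq: int, payload: bytes) -> bool:
        """Accept one segment; return False (and mark the reset) on a conflicting byte."""
        if self.reset:
            return False
        for off, b in enumerate(payload):
            pos = seq + off
            prev = self.bytes_at.get(pos)
            if prev is not None and prev != b:
                # A byte already delivered for this sequence number differs:
                # the segments are inconsistent, so weak atomicity says reset.
                self.reset = True
                self.conflict_seq = pos
                return False
            self.bytes_at[pos] = b
        return True

    def reassemble(self, start: int) -> bytes:
        """Contiguous delivered bytes from `start`, stopping at the first hole."""
        out = bytearray()
        pos = start
        while pos in self.bytes_at:
            out.append(self.bytes_at[pos])
            pos += 1
        return bytes(out)


def check_stream(segments: List[Segment], start: int) -> Tuple[bool, Optional[int], bytes]:
    """Feed segments in arrival order; return (reset, conflicting seq, reassembled data)."""
    checker = WeakAtomicityChecker()
    for seq, payload in segments:
        if not checker.deliver(seq, payload):
            break
    return checker.reset, checker.conflict_seq, checker.reassemble(start)


# Constructed inputs mirroring the slides' packet diagrams.
OUT_OF_ORDER = [(13, b"ACK"), (10, b"ATT")]                   # slide 5: reordering only
CONSISTENT_RETX = [(10, b"ATT"), (13, b"ACK"), (10, b"ATT")]  # duplicate with identical bytes
PARTIAL_CHAFF = [(10, b"ATT"), (11, b"JNK"), (13, b"ACK")]    # slide 6: "JNK" overlaps "TT"

if __name__ == "__main__":
    for name, segs in [("out-of-order", OUT_OF_ORDER),
                       ("retransmit", CONSISTENT_RETX),
                       ("chaff", PARTIAL_CHAFF)]:
        print(name, check_stream(segs, 10))
```

Reordering and a byte-identical retransmission both reassemble to “ATTACK” without a reset; the slide-6 chaff is caught at sequence number 11, where the delivered “T” and the chaff's “J” disagree, and reassembly stops with only “ATT” delivered.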

Slide 7: Art of Evasion
- Even with weak atomicity, the attacker can still
  » Break up an attack signature
  » Send out-of-order fragments
  » Send chaff with low TTLs
- Objective is to devise a solution that
  » Does not require full normalization or reassembly
  » And is still able to detect evasion attacks

Slide 8: Approach
- Fast path + slow path
- Fast path
  » Detects evasion attempts
  » Diverts such connections to the slow path
- Slow path
  » Performs full TCP reassembly and normalization
- Objective
  » Small fast path memory requirement
  » Small number of flows diverted to the slow path

Slide 9: Fast Path Algorithm
- Use Split-Detect
- Split: Break a signature into K pieces
  » Fast path detects each of the K pieces
- Detect: Divert connection to slow path if
  » Fast path detects any piece
  » Fast path detects small packets or out-of-order behavior
- Attacker has to use small packets to evade detection

Slide 10: Fast Path Algorithm
- If a packet contains a piece, it will be detected
- Hence all K pieces must be split across packets
- All but the first and last segments are small packets
  » Payload size < 2*piece_size – 1
- One may detect an evasion attempt by looking for consecutive small packets
  » Unfortunately the attacker may still use out-of-order delivery and “chaff”

Slide 11: Fast Path State Machine
- Build a state machine to detect
  » K-1 small packets in order
  » Or K-1 out-of-order small packets
- Terminology
  » Consecutive small packets: Two small packets with no small packet in between
- Look for K-1 anomalous events. An anomalous event is:
  » Closely spaced small packets: Consecutive small packets whose sequence numbers differ by < the signature length
    – Connections which send small packets spaced apart will not be diverted
  » Out-of-order: Two consecutive small packets, between which there is 1+ out-of-order transition
    – Connections which send very few out-of-order small packets will not be diverted

Slide 12: Fast Path State Machine
- State Instantiation: The fast path keeps state for a flow only after it sends its first small packet
- State Variables: Keeps the following variables (indexed by the TCP connection 5-tuple, using say a CAM):
  » NES (Next Expected Sequence Number, 32 bits)
  » OOO (Out Of Order since last small packet, Boolean)
  » length (Length in bytes since last small packet; 7 bits can support signatures 127 bytes or shorter)
  » count (count of anomalies; 4 bits can support values of K up to 16, K − 1 strikes and the flow is out)
  » Total 48 bits + 96 bits

Slide 13: Fast Path State Machine
- Operation:
- count is initialized to 1 when the flow is first placed in the flow table.
- count is subsequently incremented on receiving a small packet for a flow if:
  » the packet’s sequence number is not equal to NES, or
  » OOO is true (i.e., some out-of-order since last small packet), or
  » length ≤ SignatureLength

Slide 14: Fast Path State Machine
- Flow is diverted to the slow path if
  » The packet is found to contain a piece of some signature, or
  » The anomaly count is equal to K − 1 (one less than the number of pieces)
- If the flow is not diverted, the packet is forwarded normally but, in addition, a copy of the packet is sent to the slow path if and only if the packet is small.
  » packet contains plausible evidence (i.e., packet is small or contains a piece)
  » These copies are needed when a flow is diverted to the slow path
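Slides 9 through 14 describe one procedure, the Split-Detect fast path, and the following is an added example of it, not code from the slides or from the Varghese/Fingerhut/Bonomi paper. It models one IPS fast path for one signature: the signature is split into K equal pieces (assumption: the signature length is divisible by K and K is at least 3), a packet is “small” when its payload is < 2*piece_size – 1 bytes (slide 10), per-flow state (NES, OOO, length, count) is kept only from the first small packet on, and the count/divert/copy rules follow slides 12 to 14. NES is advanced to seq + payload length after every packet (assumption), so any non-contiguous sequence number counts as out of order. The flow ids, sequence numbers and payloads are constructed; the “evasive” flow carries the middle of the signature in packets too small to hold a whole piece, which is exactly the pattern the state machine is built to divert.

```python
"""Split-Detect fast path model (added example)."""
from dataclasses import dataclass
from typing import Dict, Hashable, List, Set, Tuple


@dataclass
class FlowState:
    nes: int           # next expected sequence number (32 bits in hardware)
    ooo: bool = False  # out-of-order seen since the last small packet
    length: int = 0    # payload bytes seen since the last small packet
    count: int = 1     # anomaly count; a flow enters the table with count = 1


class SplitDetectFastPath:
    def __init__(self, signature: bytes, k: int) -> None:
        # Assumptions of this model: K >= 3 and len(signature) divisible by K.
        if k < 3 or len(signature) % k:
            raise ValueError("model assumes K >= 3 and signature length divisible by K")
        self.k = k
        self.sig_len = len(signature)
        p = len(signature) // k
        self.pieces: List[bytes] = [signature[i:i + p] for i in range(0, len(signature), p)]
        self.small_limit = 2 * p - 2                  # payload <= 2p-2 bytes is "small"
        self.flows: Dict[Hashable, FlowState] = {}    # state only for flows that sent a small packet
        self.diverted: Set[Hashable] = set()
        self.copies: List[Tuple[Hashable, int, bytes]] = []  # copies handed to the slow path

    def is_small(self, payload: bytes) -> bool:
        return len(payload) <= self.small_limit

    def process(self, flow: Hashable, seq: int, payload: bytes) -> str:
        """Return 'divert', 'copy' (forwarded plus a copy to the slow path) or 'forward'."""
        if flow in self.diverted:
            return "divert"
        # Slide 14, rule 1: a packet carrying any whole piece diverts the flow at once.
        if any(piece in payload for piece in self.pieces):
            self.diverted.add(flow)
            return "divert"
        st = self.flows.get(flow)
        if not self.is_small(payload):
            if st is not None:            # large packet on a tracked flow: update OOO/length
                if seq != st.nes:
                    st.ooo = True
                st.length += len(payload)
                st.nes = seq + len(payload)
            return "forward"
        # Small packet: instantiate state on the first one (slide 12), otherwise score it.
        if st is None:
            self.flows[flow] = FlowState(nes=seq + len(payload))
            self.copies.append((flow, seq, payload))
            return "copy"
        # Slide 13: anomaly if not contiguous, or OOO since last small packet,
        # or too few bytes since the last small packet (closely spaced).
        if seq != st.nes or st.ooo or st.length <= self.sig_len:
            st.count += 1
        if st.count >= self.k - 1:        # slide 14, rule 2: K-1 strikes and the flow is out
            self.diverted.add(flow)
            return "divert"
        st.ooo, st.length, st.nes = False, 0, seq + len(payload)
        self.copies.append((flow, seq, payload))
        return "copy"


def run(fp: SplitDetectFastPath, packets) -> List[str]:
    """Apply the fast path to (flow, seq, payload) tuples in arrival order."""
    return [fp.process(flow, seq, payload) for flow, seq, payload in packets]


# Constructed traffic for signature "ATTACK" with K=3, pieces AT | TA | CK.
# "Small" means payload <= 2 bytes, so the middle of the signature has to
# travel in 2-byte packets to avoid carrying a whole piece.
EVASIVE = [("e", 100, b"xxxA"), ("e", 104, b"TT"), ("e", 106, b"AC"), ("e", 108, b"Kyyy")]
SPACED = [("b", 1, b"GET / HTTP/1.0\r\n"), ("b", 17, b"\r\n"), ("b", 19, b"X" * 200), ("b", 219, b"\r\n")]
REORDERED = [("o", 50, b"AC"), ("o", 300, b"Q" * 40), ("o", 340, b"TT")]
WHOLE_PIECE = [("w", 7, b"..CK..")]

if __name__ == "__main__":
    for name, pkts in [("evasive", EVASIVE), ("spaced", SPACED),
                       ("reordered", REORDERED), ("piece", WHOLE_PIECE)]:
        print(name, run(SplitDetectFastPath(b"ATTACK", 3), pkts))
```

The evasive flow is diverted on its second small packet (two closely spaced small packets reach count = K − 1 = 2); the benign flow whose small packets are 200 bytes apart is never diverted, only copied, which is the slide-11 property that spaced-out small packets cost nothing; the reordered flow is diverted because OOO was set between its two small packets; and a packet carrying the whole piece “CK” is diverted immediately without any flow state.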

Slide 15: Slow Path
- Copies of fragments are stored in a buffer
- If a flow is diverted:
  » Add the fragment to the previous fragment copies
    – If a “near match” is found, reset the connection
  » Perform reassembly, normalization and detection
- This approach only detects Almost(S), where S is the actual signature
  » Almost(S) contains pieces 2 through K-1 (the first and last pieces can be in large packets)

Slide 16: Results
- In summary, the IPS fast path maintains a flow table for every active TCP flow that has ever sent a small packet, where each flow entry contains a small amount of state (NES, OOO, length, count, LUT) for a total of 48 bits of state per flow that is kept track of (plus 96 bits for IPv4 source and destination address, and TCP source and destination port).
- Max flows is the maximum number of flows in the fast path’s flow table at any time during the simulation over the packet trace.

Slide 17: Discussion?
- Splitting signatures can increase false positives!
  » Characters are not uniformly distributed in the data stream
- How about general regex rules?
  » Who cares about exact match?
- Is it practical to ask for weak atomicity?
  » Against the rules we discussed in CSE 570
- DoS attack (send lots of small or out-of-order packets)