Presentation is loading. Please wait.

Presentation is loading. Please wait.

Active Mapping: Resisting NIDS Evasion Without Altering Traffic writen by Umesh Shankar University of California at Berkeley presented.

Published byEdgar Payne Modified over 9 years ago

Similar presentations

Presentation on theme: "Active Mapping: Resisting NIDS Evasion Without Altering Traffic writen by Umesh Shankar University of California at Berkeley presented."— Presentation transcript:

1 Active Mapping: Resisting NIDS Evasion Without Altering Traffic writen by Umesh Shankar ushankar@cs.berkeley.edu University of California at Berkeley presented by Pei Pei Yan Guo University of South Carolina

2 Outline Network Intrusion Detection System (NIDS) Active Mapping NIDS Implementation Active Mapping Limitation Test results Conclusion

3 What is NIDS? NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers A NIDS is essentially a glorified packet sniffer that matches traffic patterns to pre-defined signatures

4 IDS IDS are now standard equipment for large networks second only to firewall HIDS $50~$1000 per host NIDS $10,000~$30,000 It is estimated to be $443.5 million revenue for 2002, compare to $350 million in 2001

5 IDS classification Figure from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html

6 Typical NIDS Cisco Secure IDS (formerly NetRanger) Hogwash Dragon E-Trust IDS

7 NIDS Pros and Cons Pros – Monitor a large amount of network traffic – Versatile: detects DoS, “ping of death”, all the traffics to a target host – Dropping packet will not affect network connection Cons – Higher amount of traffic will force the NIDS drop the traffic – False Negative, False Positive – Can’t detect attack by back doors of the network – Unable to look at encrypted packets (VPN, SSH)

8 Detection False False Positive False Negative

9 Ambiguity of NIDS NIDS needs to simulate exactly what the network will react to the traffic Without local network construction information, there exits ambiguity Example: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by T. H. Ptacek and T. N. Newsham

10 Attacks by Ambiguity 20 Hops

11 Attempts to Eliminate Ambiguity Traffic normalizer Drawbacks: 1. performance 2. reliability issue with resource exhaustion 3. changing the semantics of the stream (e.g. traceroute, path MTU discovery)

12 Aim of Active Mapping Aim: 1. to tell which packet will reach recipient 2. to predict the interpretation of the packet by the recipient Active Mapping makes NIDS context- sensitive

13 Active Mapping Design Goals Comparable with runtime performance Mapping should be lightweight Avoid harming the hosts

14 Active Mapping Mechanism

15 What Active Mapping Checks Hop count MTU (Maximum Transmission Unit) TCP RST Acceptance Overlapping and Inconsistent IP Fragments (different by policies)

16 “Hop Count” Definition 1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: Hop count may be used to determine the Time-To-Live for some packets. 2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.

17 “MTU” Definition The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB). http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html

18 TCP RST Acceptance Receiver’s Window Packets

19 Overlapping and Inconsistent Fragments BSD, BSD-right, Linux, First, Last/RFC791, etc. Eg. BSD left-trim and first come occupy the digit

20 Limitation and Weakness Active Mapping assumes that all hosts behave in consistent and predictable way There are at least 3 sources of non- determinisms can be difficult to simulate in NIDS precisely ----- Application Level Parameters ----- New Semantics ----- Nondeterministic Packet Drops

21 Application Level Parameters User can change certain parameters that affect TCP/IP stack. The data of parameters could be delivered as signal or inline --- Example: TCP “Urgent” pointer, which marks part of the sequences as important and processed without delay

22 New Semantics NIDS must understand the semantic of a stream in order to interpret correctly Unknown TCP options can be ignored The best NIDS can do is to update regularly

23 Nondeterministic Packet Drops Two Ways Packet Drop can happen ---- When routers get saturated or hosts are under heavy traffic ---- Quality of Service guarantees

24 Timeout The NIDS must know when a host will timeout an IP fragment or TCP segment. Attacker can later retransmit the fragment or segment with different data NIDS will not know which is accepted, even it knows which will be accepted It is difficult to obtain precise timeout value with active mapping

25 Dealing with packet drops Partial reconstruction of host state --- If acknowledgement of TCP Segment of response to UPD or ICMP request --- then the request is accepted using only packets preceded the response --- if no response, then packets are dropped

26 Continued If NIDS can send “keep alive” packet(out of sequence) in real time, it can elicit an ACK that show current sequence number NIDS can get timeouts information from ICMP message. Not all hosts send this. And this may leak information to attackers, need to be only seen by NIDS. (Mapping?)

27 Practical Consideration Those concerns are not implemented in the prototype NAT DHCP TCP Wrapper Attacks on the Active Mapper

28 NAT-Network Address Translator Problems: NIDS can’t see private addresses, if NAT is running inside the monitored site. It is also difficult to detect if NAT is being used Solution: Could map each port as though it belonged to a separate machine

29 DHCP Problems: DHCP server leases out addresses when clients request them, and leases expire periodically. If Integration with DHCP server is not possible, determining MAC is nontrivial Solution: The Mapper could be triggered upon seeing DHCP requests

30 TCP Wrappers Problems: Some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an Access Control List Solution: Mapper Must have access

31 Attacks on the Active Mapper Problems: Attacker may try to attack mapping machine. There is greater concern for direct internal attacks Solution: Deny all outside request to the mapper, limit only the administrative machines to have access

32 Prototype Implementation Implemented in about 2,000 lines of Perl. Ported to Unix and FreeBSD It requires TCP/IP firewall capability. Modify the Bro NIDS to use Active Mapping profile. A few hundred lines of C++ were needed

33 Testing and Results Observed Active Mapping Profiles Out of 4,800+ hosts, 173 were giving out inconsistent result. All of 29 of them are printers, routers. Most of the 29 are unknown operating systems, 36 of the 173 hosts have incomplete trials. Only 10 machines yield conflicting results

34 Stability of Results This test is to see if the profile stayed consistent 5 month later In first mapping 4882 hosts provided nontrivial, consistent results In second mapping, 4733 hosts did. 1122 were in first set, but not second, of those 880 were in DHCP blocks 973 were in second set but on in the first, 669 where in DHCP blocks

35

36 Mapping Time Mapping a single host requires 37 sec Mapping 16 hosts took 10.1 seconds/host Mapping 64 hosts took 5.7 seconds/host Mapping 101 hosts took 5.3 seconds/host 5 seconds/host for large scale mapping 7 hours for a subnet with 4800 hosts

37 Mapping Traffic

38 NIDS Integration Tests This is to test that AM will indeed produced correct interpretation First, a synthetic test with ambiguous traffic. Second, a comparison of the original and AM modified NIDS on real-world traces

39 Synthetic Tests HTTP attack traffic were generated to 8 hosts with evasion measures added using ‘fragroute’

40 NIDS’ Performance Two trace of 500 connections were used to the 8 hosts In first, no connection was modified by fragroute In second, connections to 2 of the machines were modified by fragroute. And AM was enabled. NIDS was actually 15% faster, since it can discard data

41 Real World Tests Two tests were performed First one was of a non-HTTP traffic gathered during 1 hour at a busy site(100.2M data, 1.2M packets, 273K connections Second was a 2 hour HTTP traffic. (137MB, 197k packets, 6379 connections) Both tests yield same result. Execution time are same, memory usage was 200k higher with AM

42 When To Scan? Daily scan – a full class C subnet can be scanned in about 20min. What happens with large network? Remapping can be triggered by any inconsistency between the stored policy and an observed one On-the-fly mapping is not possible, since many tests take seconds

43 Conclusion Active Mapping can reduce the ambiguity of NIDS interpretation It is better than Normalization there are still many limitations and consideration, it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity free NIDS

Download ppt "Active Mapping: Resisting NIDS Evasion Without Altering Traffic writen by Umesh Shankar University of California at Berkeley presented."

Similar presentations

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004.

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection Aaron Beach Spring 2004.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis

Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Examining IP Header Fields

Examining IP Header Fields
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.

Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.

Similar presentations

Ads by Google