Detecting Evasion Attacks at High Speeds without Reassembly • George Varghese, J. Andrew Fingerhut, Flavio Bonomi • in ACM SIGCOMM 2006 • Presented by: Sailesh Kumar
Overview • IDP/IPS • Introduction to Evasion Attacks • Evasion by Fragmentation/Out-of-order • Complications: Overlapping segments • Solution: Split-Detect • Analysis and Results
IDS/IPS • Signature-based IDS (Intrusion Detection Systems) • Matches a set of rules • Rules contain • Packet header fields • Content strings • Alerts • Multi-billion dollar business • IPS (Intrusion Prevention Systems) • For some rules: Alert = Action = Drop packets • Pick only rules with a small false positive rate
IDS/IPS • IPS integrated in a switch • ASICs for content inspection • Memory for TCP state • Indexed by the 5-tuple • An RTT's worth of data per flow • > 1 Gb in total • Alternative model • Fast path: common case • Slow path: exception packets • If only a few packets are diverted to the slow path => speedup • Fast path: on-chip memory
Art of Evasion • Use TCP/IP fragmentation • Fragment the signature and send the pieces out of order, e.g. SEQ=10, DATA="ATT" and SEQ=13, DATA="ACK" • Solution: Reassemble each TCP data stream • Another attack: Use chaff between packets • Chaff is a segment whose TTL expires before the end host, e.g. SEQ=10, TTL=10, "ATT"; SEQ=13, TTL=1, "JNK"; SEQ=13, TTL=10, "ACK" • IPS does not know whether the end host sees "ATTJNK" or "ATTACK" • Solution: Normalize TCP streams • Pick a canonical ordering, overwrite fully overlapping segments • Overlapping segments: SEQ=10, DATA="ATTJNK" followed by SEQ=13, DATA="ACK"; whether the host prefers old or new data decides which string it sees • Fragmentation + chaff via overlaps can be done with large packets, so packet size alone is not a tell
Art of Evasion • More difficult attack • Chaff can lead to an exponential number of possible reorderings • Extremely compute intensive to find the ordering that produces the attack signature • Solution: Weak atomicity • None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered • If inconsistent data => reset the connection • Example: SEQ=10, TTL=10, "ATT"; SEQ=11, TTL=1, "JNK"; SEQ=13, TTL=10, "ACK": the chaff at SEQ=11 overlaps bytes 11–12 of "ATT" with different data, so under weak atomicity the connection is reset
Art of Evasion • Even with weak atomicity, the attacker can still • Break up an attack signature • Send out-of-order fragments • Send chaff with low TTLs • Objective is to devise a solution that • Does not require full normalization or reassembly • And is still able to detect evasion attacks
Approach • Fast path + slow path • Fast path • Detects evasion attempts • Diverts such connections to the slow path • Slow path • Performs full TCP reassembly and normalization • Objectives • Small fast path memory requirement • Small number of flows diverted to the slow path
Fast Path Algorithm • Use Split-Detect • Split: Break a signature into K pieces • Fast path detects each of the K pieces • Detect: Divert connection to slow path if • Fast path detects any piece • Fast path detects small packets or out-of-order behavior • Attacker has to use small packets to evade detection
Fast Path Algorithm • If a packet contains a whole piece, it will be detected • Hence the attacker must split every one of the K pieces across packets • All packets but the first and last are then small: payload size < 2*piece_size − 1 (any longer run of signature bytes contains a whole piece) • One may detect an evasion attempt by looking for consecutive small packets • Unfortunately the attacker may still use out-of-order delivery and chaff
Fast Path State Machine • Build a state machine to detect • K-1 small packets in order • Or K-1 out-of-order small packets • Terminology • Consecutive small packets: Two small packets with no small packet in between • Look for K-1 anomalous events. An anomalous event is: • Closely spaced small packets: Consecutive small packets whose sequence numbers differ by less than the signature length • Connections that send small packets spaced far apart will not be diverted • Out-of-order: Two consecutive small packets between which there is at least one out-of-order transition • Connections that send very few out-of-order small packets will not be diverted
Fast Path State Machine • State Instantiation: The fast path keeps state for a flow only after it sends its first small packet • State Variables: Keeps the following variables (indexed by the TCP connection 5-tuple, using say a CAM): • NES (Next Expected Sequence Number, 32 bits) • OOO (Out Of Order since last small packet, Boolean) • length (Length in bytes since last small packet; 7 bits support signatures of 127 bytes or shorter) • count (count of anomalies; 4 bits support values of K up to 16: K − 1 strikes and the flow is out) • Total: 48 bits of state + 96 bits of lookup key
Fast Path State Machine • Operation: • count is initialized to 1 when the flow is first placed in the flow table. • count is subsequently incremented on receiving a small packet for a flow if: • the packet’s sequence number is not equal to NES, or • OOO is true (i.e., some out-of-order since last small packet), or • length ≤ SignatureLength
Fast Path State Machine • Flow is diverted to the slow path if • The packet is found to contain a piece of some signature, or • The anomaly count reaches K − 1 (one less than the number of pieces) • If the flow is not diverted, the packet is forwarded normally; in addition, a copy of the packet is sent to the slow path if and only if the packet contains plausible evidence (i.e., it is small or contains a piece) • These copies are needed if the flow is later diverted to the slow path
Slow Path • Copies of fragments are stored in a buffer • If a flow is diverted: • Add the new fragment to the previously stored copies • Perform reassembly, normalization and detection • If a "near match" is found, reset the connection • This approach only detects Almost(S), where S is the actual signature • Almost(S) consists of pieces 2 through K−1 (the first and last pieces may arrive in large packets that were never copied)
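The Split step, the fast path state machine (NES, OOO, length, count) and the slow path's Almost(S) check from the slides above, as an added simulation that is not the paper's code. The signature, the traces, the class and function names, and the choice to key flows by a string instead of a 5-tuple are all constructed for illustration; the NES update on out-of-order packets (leave NES unchanged, set OOO) is an assumption the slides do not spell out.

```python
"""Split-Detect fast path simulation (added example; assumptions noted inline)."""
from dataclasses import dataclass

SIGNATURE = b"ATTACKSIG"   # constructed signature, not from the paper
K = 3                      # number of pieces


def split_signature(sig: bytes, k: int) -> list[bytes]:
    """Split: cut the signature into K equal pieces (this model needs k | len)."""
    if len(sig) % k:
        raise ValueError("this model assumes len(signature) is a multiple of K")
    p = len(sig) // k
    return [sig[i:i + p] for i in range(0, len(sig), p)]


PIECES = split_signature(SIGNATURE, K)
PIECE_LEN = len(PIECES[0])
# Any run of 2*PIECE_LEN-1 signature bytes contains a whole piece, so an
# evader's middle packets must be shorter than that: those are "small".
SMALL_LIMIT = 2 * PIECE_LEN - 1


def contains_piece(payload: bytes) -> bool:
    return any(piece in payload for piece in PIECES)


def is_small(payload: bytes) -> bool:
    return len(payload) < SMALL_LIMIT


@dataclass
class FlowState:
    nes: int             # next expected sequence number
    ooo: bool = False    # out-of-order seen since last small packet
    length: int = 0      # bytes seen since last small packet
    count: int = 1       # anomaly count, starts at 1 on instantiation


class FastPath:
    def __init__(self) -> None:
        self.flows: dict[str, FlowState] = {}     # only flows that sent a small packet
        self.diverted: set[str] = set()
        self.copies: dict[str, list[tuple[int, bytes]]] = {}  # evidence for slow path

    def _copy(self, flow: str, seq: int, payload: bytes) -> None:
        self.copies.setdefault(flow, []).append((seq, payload))

    def process(self, flow: str, seq: int, payload: bytes) -> str:
        """Return 'divert', 'forward+copy' or 'forward' for one packet."""
        if flow in self.diverted:
            self._copy(flow, seq, payload)
            return "divert"
        small = is_small(payload)
        if contains_piece(payload):           # Detect: a whole piece is evidence by itself
            self._copy(flow, seq, payload)
            self.diverted.add(flow)
            return "divert"
        st = self.flows.get(flow)
        if st is None:
            if not small:
                return "forward"               # no state until the first small packet
            st = FlowState(nes=seq + len(payload))
            self.flows[flow] = st
        else:
            in_order = seq == st.nes
            if small:
                # the three anomaly conditions from the operation rule
                if not in_order or st.ooo or st.length <= len(SIGNATURE):
                    st.count += 1
                st.ooo, st.length = False, 0
            else:
                st.length += len(payload)
                if not in_order:
                    st.ooo = True              # assumption: NES stays put on OOO data
            if in_order:
                st.nes = seq + len(payload)
        if small:
            self._copy(flow, seq, payload)     # plausible evidence, keep a copy
        if st.count >= K - 1:                  # K-1 strikes and the flow is out
            self.diverted.add(flow)
            return "divert"
        return "forward+copy" if small else "forward"


def almost_signature() -> bytes:
    """Almost(S): pieces 2..K-1 (first/last may ride in uncopied large packets)."""
    return b"".join(PIECES[1:-1]) or SIGNATURE   # K < 3 has no middle pieces


def slow_path_check(copies: list[tuple[int, bytes]]) -> bool:
    """Reassemble copied packets by sequence number (first data wins on overlap)
    and look for Almost(S); normalisation is deliberately minimal here."""
    if not copies:
        return False
    base = min(seq for seq, _ in copies)
    end = max(seq + len(p) for seq, p in copies)
    buf, filled = bytearray(end - base), bytearray(end - base)
    for seq, payload in sorted(copies):
        for i, b in enumerate(payload):
            if not filled[seq - base + i]:
                buf[seq - base + i], filled[seq - base + i] = b, 1
    return almost_signature() in bytes(buf)


def run_trace(packets: list[tuple[str, int, bytes]]) -> tuple[list[str], FastPath]:
    fp = FastPath()
    return [fp.process(*pkt) for pkt in packets], fp


# Constructed traces: signature split so that no packet holds a whole piece,
# a benign flow with widely spaced small packets, and an out-of-order flow.
EVASION_TRACE = [("evil", 0, b"XXXXAT"), ("evil", 6, b"TA"),
                 ("evil", 8, b"CKS"), ("evil", 11, b"IGYYYYY")]
BENIGN_TRACE = [("ok", 0, b"HELLO WORLD!!"), ("ok", 13, b"OK"),
                ("ok", 15, b"A" * 20), ("ok", 35, b"HI")]
OOO_TRACE = [("ooo", 0, b"AB"), ("ooo", 50, b"Q" * 10), ("ooo", 2, b"CD")]
```

Running `run_trace(EVASION_TRACE)` diverts the flow on the second small packet (count reaches K−1 = 2), and `slow_path_check` on the copied packets finds Almost(S) = "ACK" in the reassembled "TACKSIG…", while the benign flow's two small packets are 20 bytes apart and never raise the count.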
Results • In summary, the IPS fast path maintains a flow table entry for every active TCP flow that has ever sent a small packet; each entry holds a small amount of state (NES, OOO, length, count, LUT), 48 bits per flow, plus 96 bits of key (IPv4 source and destination address, TCP source and destination port) • Max flows is the maximum number of flows in the fast path's flow table at any time during the simulation over the packet trace
Discussion? • Splitting signatures can increase false positives! • Characters are not uniformly distributed in data streams • How about general regex rules? • Who cares about exact match? • Is it practical to ask for weak atomicity? • Against the rules we discussed in CSE 570 • DoS attack (send lots of small or out-of-order packets to force diversion)