
Detecting Evasion Attacks at High Speeds without Reassembly. George Varghese, J. Andrew Fingerhut, Flavio Bonomi, in ACM SIGCOMM 2006. Presented by Sailesh Kumar.


Presentation Transcript


  1. Detecting Evasion Attacks at High Speeds without Reassembly. George Varghese, J. Andrew Fingerhut, Flavio Bonomi, in ACM SIGCOMM 2006. Presented by: Sailesh Kumar

  2. Overview • IDS/IPS • Introduction to Evasion Attacks • Evasion by Fragmentation/Out-of-order • Complications: Overlapping segments • Solution: Split-Detect • Analysis and Results

  3. IDS/IPS • Signature-based IDS (Intrusion Detection Systems) • Matches traffic against a set of rules • Rules contain • Packet header fields • Content strings • Alerts • Multi-billion dollar business • IPS (Intrusion Prevention Systems) • For some rules: Alert = Action = Drop packets • Pick only rules with a small false-positive rate

  4. IDS/IPS • IPS integrated in a switch • ASICs for content inspection • Memory for TCP state • 5-tuple per connection • An RTT's worth of data per flow for reassembly • > 1 Gb of buffering at high line rates • Alternative model • Fast path: common case • Slow path: exception packets • If only a few packets are diverted to the slow path => speedup • Fast path: on-chip memory

  5. Art of Evasion • Use TCP/IP fragmentation • Fragment the signature and send the pieces out of order • Solution: Reassemble each TCP data stream • Another attack: Use chaff between packets (segments the IPS sees but the end host never receives) • IPS does not know whether the delivered data is “ATTJNK” or “ATTACK” • Solution: Normalize TCP streams • Pick a canonical ordering; overwrite fully overlapping segments according to one fixed policy • Overlapping segments • Fragmentation + chaff => the attacker can even use large packets
  Slide figures: (a) out-of-order fragments: SEQ=10, DATA=“ATT”; SEQ=13, DATA=“ACK”. (b) TTL chaff: SEQ=10, TTL=10, “ATT”; SEQ=13, TTL=1, “JNK”; SEQ=13, TTL=10, “ACK” (the TTL=1 segment expires in transit after the IPS has seen it). (c) Overlapping segments: SEQ=10, DATA=“ATTJNK”; SEQ=13, DATA=“ACK”.

  6. Art of Evasion • More difficult attack • Chaff can create an exponential number of possible reorderings • Extremely compute intensive to find the ordering that creates the attack signature • Solution: Weak Atomicity • None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered. • If inconsistent data is delivered => reset the connection • Thus in the example below, an end host honoring weak atomicity that receives the overlapping, inconsistent segments resets the connection
  Slide figure: SEQ=13, TTL=10, “ACK”; SEQ=11, TTL=1, “JNK”; SEQ=10, TTL=10, “ATT”

  7. Art of Evasion • Even with weak atomicity, the attacker can still • Break up an attack signature • Send out-of-order fragments • Send chaff with low TTLs • The objective is to devise a solution that • Does not require full normalization or reassembly • And is still able to detect evasion attacks

  8. Approach • Fast path + slow path • Fast path • Detects evasion attempts • Diverts such connections to the slow path • Slow path • Performs full TCP reassembly and normalization • Objectives • Small fast-path memory requirement • Small number of flows diverted to the slow path

  9. Fast Path Algorithm • Use Split-Detect • Split: Break a signature into K pieces • Fast path detects each of the K pieces individually • Detect: Divert a connection to the slow path if • Fast path detects any whole piece, or • Fast path detects small packets or out-of-order behavior • The attacker therefore has to use small packets to evade detection

  10. Fast Path Algorithm • If a packet contains a whole piece, it will be detected • Hence every one of the K pieces must be split across packet boundaries • All but the first and last segments carrying the signature are then small packets • Payload size < 2*piece_size – 1 (any longer run of bytes lying inside the signature contains a whole piece) • One may detect an evasion attempt by looking for consecutive small packets • Unfortunately the attacker may still use out-of-order delivery and “chaff”

  11. Fast Path State Machine • Build a state machine to detect • K-1 small packets in order • Or K-1 out-of-order small packets • Terminology • Consecutive small packets: two small packets with no other small packet in between • Look for K-1 anomalous events. An anomalous event is: • Closely spaced small packets: consecutive small packets whose sequence numbers differ by less than the signature length • Connections that send small packets spaced far apart will not be diverted • Out-of-order: two consecutive small packets between which there is at least one out-of-order transition • Connections that send very few out-of-order small packets will not be diverted

  12. Fast Path State Machine • State instantiation: the fast path keeps state for a flow only after it sends its first small packet • State variables: keeps the following variables (indexed by the TCP connection 5-tuple, using say a CAM): • NES (Next Expected Sequence number, 32 bits) • OOO (Out Of Order since last small packet, Boolean) • length (length in bytes since last small packet; 7 bits support signatures of 127 bytes or shorter) • count (count of anomalies; 4 bits support values of K up to 16; K − 1 strikes and the flow is out) • Total: 48 bits of per-flow state (the fields above plus the LUT field listed on slide 16) + 96 bits of lookup key

  13. Fast Path State Machine • Operation: • count is initialized to 1 when the flow is first placed in the flow table (i.e. on its first small packet). • count is subsequently incremented on receiving a small packet for a flow if: • the packet’s sequence number is not equal to NES, or • OOO is true (i.e., something arrived out of order since the last small packet), or • length ≤ SignatureLength

  14. Fast Path State Machine • A flow is diverted to the slow path if • The packet is found to contain a piece of some signature, or • The anomaly count reaches K − 1 (one less than the number of pieces) • If the flow is not diverted, the packet is forwarded normally but, in addition, a copy is sent to the slow path if and only if the packet is small • i.e. the packet carries plausible evidence (it is small or contains a piece) • These copies are needed if the flow is later diverted to the slow path
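To make slides 9 through 14 concrete, an added simulation (not the authors' code) of the Split-Detect fast path in Python: the signature `ATTACKNOW`, `K = 3` and the packet sequences are constructed, the small-packet bound is slide 10's `payload < 2*piece_size - 1`, and the state fields and anomaly rules are those of slides 12 and 13. Where the slides leave the update order implicit (when `length` resets, how `NES` advances) the code makes one explicit choice and says so in its comments.

```python
"""Added example, not the authors' code: a simulation of the Split-Detect
fast path described on slides 9-14. The signature, K and the packet
sequences are constructed; the 'small packet' bound follows slide 10 and
the per-flow state and anomaly rules follow slides 11-13. Where the
slides leave an update order implicit this code makes one explicit choice."""

from dataclasses import dataclass


def split_signature(sig, k):
    """Split sig into k pieces of equal size (len(sig) assumed divisible by k)."""
    assert k >= 2 and len(sig) % k == 0
    p = len(sig) // k
    return [sig[i * p:(i + 1) * p] for i in range(k)]


def longest_payload_avoiding_pieces(sig, k):
    """Brute-force check of the slide-10 bound: the longest run of bytes
    taken from inside the signature that contains no whole piece."""
    pieces = split_signature(sig, k)
    best = 0
    for start in range(len(sig)):
        for end in range(start + 1, len(sig) + 1):
            run = sig[start:end]
            if not any(pc in run for pc in pieces):
                best = max(best, len(run))
    return best  # 2*piece_size - 2 for the signature used below


@dataclass
class FlowState:
    nes: int      # Next Expected Sequence number
    ooo: bool     # out-of-order seen since the last small packet
    length: int   # bytes seen since the last small packet
    count: int    # anomaly count, starts at 1 on the first small packet


class SplitDetectFastPath:
    def __init__(self, signature, k):
        self.sig = signature
        self.k = k
        self.pieces = split_signature(signature, k)
        self.small_max = 2 * len(self.pieces[0]) - 2  # payload < 2*piece_size - 1
        self.flows = {}        # 5-tuple -> FlowState (slide 12)
        self.diverted = set()  # flows handed to the slow path
        self.copies = []       # small-packet copies kept for the slow path

    def is_small(self, payload):
        return len(payload) <= self.small_max

    def process(self, flow, seq, payload):
        """One fast-path decision: 'divert', 'copy' (forward plus a copy to
        the slow path) or 'forward'."""
        if flow in self.diverted:
            return "divert"
        if any(pc in payload for pc in self.pieces):   # slide 14, rule 1
            self.diverted.add(flow)
            return "divert"
        small = self.is_small(payload)
        st = self.flows.get(flow)
        if st is None:
            if not small:
                return "forward"  # slide 12: no state before the first small packet
            st = FlowState(nes=seq + len(payload), ooo=False, length=0, count=1)
            self.flows[flow] = st
        elif small:
            # slide 13: anomaly if not at NES, out-of-order seen, or too close
            # to the previous small packet; then reset the per-interval fields
            if seq != st.nes or st.ooo or st.length <= len(self.sig):
                st.count += 1
            st.ooo, st.length = False, 0
            st.nes = max(st.nes, seq + len(payload))
        else:
            if seq != st.nes:  # choice: any gap or retransmit counts as OOO
                st.ooo = True
            st.length += len(payload)
            st.nes = max(st.nes, seq + len(payload))
        if small and st.count >= self.k - 1:              # slide 14, rule 2
            self.diverted.add(flow)
            return "divert"
        if small:
            self.copies.append((flow, seq, payload))
            return "copy"
        return "forward"


def run_flow(signature, k, packets, flow=("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")):
    """Feed one flow's (seq, payload) packets through a fresh fast path and
    return the per-packet decisions. The 5-tuple is a constructed value."""
    fp = SplitDetectFastPath(signature, k)
    return [fp.process(flow, seq, payload) for seq, payload in packets]


# Constructed traffic. Pieces of "ATTACKNOW" with K=3 are ATT / ACK / NOW,
# so a small packet has at most 4 payload bytes and no packet below carries
# a whole piece except in UNSPLIT_ATTACK.
UNSPLIT_ATTACK = [(0, "hello ATTACKNOW there")]
EVASION_IN_ORDER = [(100, "xxxxAT"), (106, "TA"), (108, "CKN"), (111, "OWyyyy")]
EVASION_OUT_OF_ORDER = [(100, "xxxxAT"), (108, "CKN"), (106, "TA"), (111, "OWyyyy")]
BENIGN_SPARSE_SMALL = [(0, "hi"), (2, "A" * 1000), (1002, "B" * 1000), (2002, "ok")]

if __name__ == "__main__":
    print("max payload inside signature with no whole piece:",
          longest_payload_avoiding_pieces("ATTACKNOW", 3))
    for name in ("UNSPLIT_ATTACK", "EVASION_IN_ORDER", "EVASION_OUT_OF_ORDER", "BENIGN_SPARSE_SMALL"):
        print(f"{name:21s}", run_flow("ATTACKNOW", 3, globals()[name]))
```

The brute-force check confirms the slide-10 bound for this signature (no run of 5 or more bytes inside `ATTACKNOW` avoids every piece, so 4 is the largest "small" payload). Both split attacks are diverted on their second small packet, in order because the small packets are closely spaced, out of order because the second one is not at `NES`; the benign flow with two small packets 2000 bytes apart is only copied, never diverted.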

  15. Slow Path • Copies of small packets are stored in a buffer • If a flow is diverted: • Add the new packet to the previously buffered copies • If a “near match” is found, reset the connection • Perform reassembly, normalization and detection • This approach only detects Almost(S), where S is the actual signature • Almost(S) contains pieces 2 through K-1 (the first and last pieces may arrive in large packets)

  16. Results • In summary, the IPS fast path maintains a flow table for every active TCP flow that has ever sent a small packet, where each flow entry contains a small amount of state (NES,OOO, length, count, LUT) for a total of 48 bits of state per flow that is kept track of (plus 96 bits for IPv4 source and destination address, and TCP source and destination port). • Max flows is the maximum number of flows in the fast path’s flow table at any time during the simulation over the packet trace.

  17. Discussion? • Splitting signatures can increase false positives! • Characters are not uniformly distributed in data streams • How about general regex rules? • Who cares about exact match? • Is it practical to ask for weak atomicity? • Against the rules we discussed in CSE 570 • DoS attack (send lots of small or out-of-order packets)
