Intrusion Detection Issues
Presented by Deepa Srinivasan, CSE581, Winter 2002, OGI

Papers on this topic
• Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ’98)
• Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Semantics (’01)
• IP Fragmentation and fragrouter (Dec ’00)
• An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT (’01)
Agenda
• Introduction to IDS
• Some popular IDSs
• Problems with IDSs
• Normalizer
• IP fragmentation and fragrouter
• “Squealing” in SNORT

Introduction to IDS
• Intrusion attempt or threat: the potential of a deliberate, unauthorized attempt to access or manipulate information, or to render a system unreliable or unusable.
• Types of IDS
  • Host-based
  • Network IDS
• Example IDSs
  • ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

Principles of IDSs
Common Intrusion Detection Framework
• Event generators
• Analysis engines
• Storage mechanisms
• Countermeasures
Principles of IDSs
• Passive monitoring
• Signature analysis
• Need for reliable ID
  • accuracy: false positives and false negatives
  • “fail-open”: if an attacker disables the IDS, the entire network is still accessible
  • forensic value of the information

Fundamental problems of IDSs
• Deployed on a different box
  • could be on a different network segment
• Protocol implementation ambiguities
  • different protocol stacks have different behavior
  • NIDS could see a different stream of packets than the host

Fundamental problems of IDSs
• False positives
  • incorrectly identify an intrusion when none has occurred
• False negatives
  • incorrectly fail to identify an intrusion that has actually occurred
Attacks on IDSs
• Insertion
  • IDS thinks the packets are valid; the end system rejects them
• Evasion
  • the end system accepts packets that the IDS rejects
• Denial of service
  • resource exhaustion
• Examples

Popular problems/attacks
• TCP/IP options fields
• TCB creation/teardown
• TCP stream reassembly
• IP fragmentation
  • overlapping fragments

Specific attacks
• Invalid MAC addresses?
• Invalid headers
  • permissive in receiving, frugal in sending?
  • bad IP checksum: will the packet be dropped?
• IP options
• IP TTL ambiguity
  • packet received or not?

Specific attacks
• Packet size
  • packet too large for the downstream link?
• Source-routed packets
  • will the destination reject such packets?
• Fragment or TCP handshake time-out
  • will the other parts of the fragment/TCB still be at the destination?
• Overlapping segments
  • rewrite old data or not?

Specific attacks
• Weird TCP options
  • destination might be configured to drop them
• Old TCP timestamps (PAWS)
  • destination might be configured to drop them
• TCP RSTs with weird sequence numbers
  • is the connection reset?
• Addition of interpreted characters (“^H”)
  • how does the OS interpret them?
IP Fragmentation
• Allows IP traffic over different network media with different maximum packet sizes
• IP stacks do not handle reassembly well
  • can lead to DoS (teardrop, jolt2)
• Fragrouter
  • NIDS testing tool
  • accepts IP packets routed from another system
  • fragments these packets according to various schemes

Popular problems/attacks
• Resource exhaustion
  • CPU, memory, network bandwidth
  • CPU: data-structure attack via fragments
  • Memory: space attack via fragments
  • Network: targeted DoS to disrupt TCP reassembly
• Abusing a reactive IDS
  • attack to generate false positives
  • IDS shuts down valid connections, blocks valid traffic, etc.
  • result: the IDS itself triggers a DoS
Methodology
• Black-box testing
• PHF attack
  • exploits a CGI script (phf) to gain access to web servers
• Software used
  • CASL
  • FreeBSD 2.2
  • netcat
  • tcpdump

Discussion: Questions?
Network Intrusion Detection: Traffic Normalization and End-to-End Protocol Semantics
“Transport and Application Protocol Scrubbing”

Recap of previous paper
• IDSs are vulnerable to attacks
• fundamental problems:
  • IDS sees different streams than the target host
  • protocol implementation ambiguities

Introduction
• Paper introduces the concept of a “normalizer”
• Approach and implementation
• Performance

Normalizer
• Sits directly in the path of traffic into a site
• Patches up, or normalizes, the packet stream
• Result: the NIDS and the host see the same traffic, with unambiguous behavior
• Differs from a firewall
• Other approaches
  • host-based IDS, knowledge of intranet details, bifurcating analysis

Normalization Tradeoffs
• Protection
  • not meant to be a firewall, but can act as one
• Need to preserve end-to-end semantics
• Impacts end-to-end performance
• Stateholding attack
  • create more state than the normalizer can handle
• Inbound vs. outbound traffic
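The stateholding tradeoff above (and the “space attack via fragments” from the first paper) comes down to one design rule: any table the normalizer keeps on behalf of unfinished traffic must have a hard cap and a timeout. The following is an added example, not code from the slides or from the normalizer paper, showing a fragment reassembly table that enforces both; the datagram key tuple, the cap of four entries and the 30-second timeout are assumptions chosen for the demonstration.

```python
"""Added example, not code from the slides or the normalizer paper: an IP
fragment reassembly table that bounds the state an attacker can make it hold.
The tuple used as the datagram key and the cap/timeout values are assumptions
of this example, not values from any real normalizer."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    key: tuple     # (src, dst, ip_id): identifies the original datagram
    offset: int    # byte offset of this fragment within the datagram
    more: bool     # IP "more fragments" flag
    data: bytes


class BoundedReassembler:
    """Hold at most max_pending partially reassembled datagrams, each for at
    most `timeout` seconds.  When the table is full the oldest entry is
    evicted, so a flood of never-completed fragments costs bounded memory."""

    def __init__(self, max_pending: int = 4, timeout: float = 30.0):
        self.max_pending = max_pending
        self.timeout = timeout
        self.pending = OrderedDict()   # key -> {"t0", "frags", "total"}
        self.evicted = 0               # entries dropped because the table was full
        self.expired = 0               # entries dropped because they timed out

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.pending.items() if now - e["t0"] > self.timeout]
        for k in stale:
            del self.pending[k]
            self.expired += 1

    def add(self, frag: Fragment, now: float):
        """Insert a fragment; return the full datagram once complete, else None."""
        self._expire(now)
        entry = self.pending.get(frag.key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)   # evict the oldest entry
                self.evicted += 1
            entry = {"t0": now, "frags": {}, "total": None}
            self.pending[frag.key] = entry
        entry["frags"][frag.offset] = frag.data
        if not frag.more:  # the last fragment fixes the datagram length
            entry["total"] = frag.offset + len(frag.data)
        return self._try_complete(frag.key, entry)

    def _try_complete(self, key, entry):
        if entry["total"] is None:
            return None
        pos, out = 0, bytearray()
        for off in sorted(entry["frags"]):
            if off != pos:        # gap or overlap: not (yet) reassemblable
                return None
            out += entry["frags"][off]
            pos += len(entry["frags"][off])
        if pos != entry["total"]:
            return None
        del self.pending[key]
        return bytes(out)


def run_demo():
    """Constructed scenario: 10 first-fragments that never complete, then a
    legitimate two-fragment datagram 100 seconds later."""
    r = BoundedReassembler(max_pending=4, timeout=30.0)
    for i in range(10):
        r.add(Fragment(("198.51.100.7", "192.0.2.10", i), 0, True, b"junk"), now=float(i))
    pending_after_flood = len(r.pending)            # never exceeds 4
    legit = ("192.0.2.20", "192.0.2.10", 777)
    first = r.add(Fragment(legit, 0, True, b"abcd"), now=100.0)
    whole = r.add(Fragment(legit, 4, False, b"efgh"), now=100.5)
    return {
        "pending_after_flood": pending_after_flood,
        "evicted": r.evicted,
        "expired": r.expired,
        "first": first,
        "datagram": whole,
        "pending_at_end": len(r.pending),
    }


if __name__ == "__main__":
    print(run_demo())
```

The cap turns a memory-exhaustion problem into a completeness problem: under a flood, legitimate fragmented datagrams may be evicted before they complete, which is the end-to-end cost the slide calls "impacts end-end performance". Whether to evict the oldest entry or refuse the newest is a policy choice; evicting the oldest at least guarantees the table eventually recovers once the flood stops.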
Other Considerations
• Cold start
  • is a “real world” requirement
  • what happens to existing connections?
  • initiate state for connections from the trusted network
• Attacking the normalizer itself

Systematic Approach
• Walk through the packet headers of each protocol
• Identify what the “correct” normalization is
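The clearest case in that header walk-through is the “overlapping segments: rewrite old data or not?” question from the first paper: two stacks that answer it differently reconstruct different streams from the same packets, and a NIDS cannot know which answer the host will give. The following is an added example, not code from the slides or from either paper, that reassembles one constructed set of overlapping TCP segments under both policies and then shows a normalizer rule (first-forwarded bytes are authoritative) that makes both policies agree. Segment layout and policy names are simplifications chosen for this example.

```python
"""Added example, not code from the slides or from the papers they summarize:
TCP stream reassembly under two overlap policies, plus a normalizer that
rewrites overlapping bytes so the ambiguity disappears.  Segment layout and
policy names are simplified assumptions of this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes  # payload


def reassemble(segments, favor_old: bool) -> bytes:
    """Rebuild the byte stream from segments that may overlap.

    favor_old=True keeps bytes already received when a later segment
    overlaps them; favor_old=False lets the later segment overwrite them.
    Real TCP stacks differ on exactly this choice, so a NIDS that picks one
    policy may reconstruct a different stream than the end host."""
    buf = {}
    for s in segments:
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if favor_old and off in buf:
                continue
            buf[off] = byte
    return bytes(buf[off] for off in sorted(buf))


def normalize(segments):
    """Normalizer policy: the first copy of any byte offset that was forwarded
    is authoritative.  A later segment overlapping already-forwarded offsets
    has those bytes rewritten to the forwarded values, so whichever policy a
    downstream stack uses, it reconstructs the same stream."""
    forwarded = {}  # offset -> byte value already let through
    out = []
    for s in segments:
        data = bytearray(s.data)
        for i in range(len(data)):
            off = s.seq + i
            if off in forwarded:
                data[i] = forwarded[off]   # rewrite the inconsistent retransmission
            else:
                forwarded[off] = data[i]
        out.append(Segment(s.seq, bytes(data)))
    return out


# Constructed sample: the third segment retransmits offsets 6-10 with
# different content, the fourth partially overlaps offsets 9-10.
SEGMENTS = [
    Segment(0, b"HELLO "),
    Segment(6, b"WORLD"),
    Segment(6, b"THERE"),
    Segment(9, b"xx!"),
]


def demo():
    """Return (favor-old stream, favor-new stream, normalized stream)."""
    normalized = normalize(SEGMENTS)
    # after normalization both policies agree, so one reassembly suffices
    same = reassemble(normalized, True)
    assert same == reassemble(normalized, False)
    return reassemble(SEGMENTS, True), reassemble(SEGMENTS, False), same


if __name__ == "__main__":
    old, new, norm = demo()
    print("favor-old :", old)
    print("favor-new :", new)
    print("normalized:", norm)
```

Rewriting rather than dropping the inconsistent retransmission is what keeps the end-to-end semantics the slides insist on: the receiver still gets a segment with the sequence numbers it expects, so its ACK and retransmission logic is undisturbed, but there is now only one possible stream for the NIDS to match against. The per-byte map is for clarity; a real normalizer would keep ranges and bound them, which is exactly the stateholding tradeoff from the previous slide.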
Example Attack
• IP identifier and stealth port scans

Normalization for this
• Solution for the patsy
  • scramble the IDs of incoming and outgoing packets
  • breaks diagnostic protocols
• Solution for the victim
  • reliable RSTs
  • normalizer sends a “keep-alive” packet to the host to determine whether the connection was actually closed

Implementation
• Code in C, uses libpcap
  • user-level application
  • attention to completeness, correctness and performance
• Evaluated using a trace-driven approach
  • NetDuDE

Performance
• Platform: 1.1 GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM
• A normalizer implemented in kernel mode (as a Click module) could forward traffic at line speed on a bi-directional 100 Mbps link

Discussion: Questions?
An Achilles’ Heel to Signature-Based IDS: Squealing False Positives in Snort (’01)

Introduction
• Paper documents attacking Snort using false positives
• Snort: open-source, free, lightweight NIDS
• Squealing
  • the noise made by pigs during periods of distemperment
  • the boy who cried wolf too many times
  • additionally, the boy may not recognize the wolf when it actually appears!

Attacking Snort
• The limitation is not in correctly identifying attacks, but in the ability to suppress false positives
• PCP
  • tool for generating false positives
  • packet writing and argument parsing

Squeal Attack types
• Noise-masked attacks
  • divert attention from a covert attack
• Attack misdirection
  • source of the attack is spoofed
• Evidence reputability
• Target conditioning
• Statistical poisoning
  • when training an IDS

How easy is it?
• Using SOCK_RAW
  • LIBNET, Nemesis
• Script-driven tools available (snot, stick, trichinosis)

Proposed Solutions
• Adaptation
  • changing the signature-matching algorithms rapidly
• State awareness
  • give the IDS a “context” while checking packets
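“State awareness” is the more concrete of the two proposals, and its effect on the squeal attacks above can be shown directly: a content rule matched statelessly fires on every forged packet, while the same rule matched only on connections whose three-way handshake the sensor observed ignores packets that never completed one. The following is an added example, not code from the slides or from the Snort paper; the signature string, the packet layout, the addresses and the tiny handshake tracker are all constructed for the demonstration.

```python
"""Added example, not code from the slides or the Snort paper: the same
signature matched statelessly (every packet) and statefully (only packets on
a TCP connection whose three-way handshake the sensor observed).  The
signature string, the packet layout and the addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


SIGNATURE = b"TEST-SIGNATURE"   # constructed stand-in for a content rule


class ConnTracker:
    """Minimal TCP handshake tracker keyed by (client, cport, server, sport)."""

    def __init__(self):
        self.syn_seen = set()
        self.synack_seen = set()
        self.established = set()

    @staticmethod
    def _keys(p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd, rev

    def observe(self, p: Packet) -> None:
        fwd, rev = self._keys(p)
        if p.flags == "S":
            self.syn_seen.add(fwd)
        elif p.flags == "SA" and rev in self.syn_seen:
            self.synack_seen.add(rev)          # reply to a SYN we saw
        elif "A" in p.flags and fwd in self.synack_seen:
            self.established.add(fwd)          # final ACK completes the handshake

    def on_established(self, p: Packet) -> bool:
        fwd, rev = self._keys(p)
        return fwd in self.established or rev in self.established


def stateless_alerts(packets) -> int:
    """Pattern match on every packet, the way a stateless sensor does."""
    return sum(1 for p in packets if SIGNATURE in p.payload)


def stateful_alerts(packets) -> int:
    """Pattern match only on established connections; forged stand-alone
    packets never complete a handshake and so never produce an alert."""
    tracker, alerts = ConnTracker(), 0
    for p in packets:
        tracker.observe(p)
        if SIGNATURE in p.payload and tracker.on_established(p):
            alerts += 1
    return alerts


def build_traffic():
    """Constructed traffic: 20 forged packets carrying the signature from
    made-up sources with no handshake, plus one genuine connection."""
    server = "192.0.2.10"
    forged = [Packet(f"198.51.100.{i}", 40000 + i, server, 80, "PA", SIGNATURE)
              for i in range(1, 21)]
    client = ("203.0.113.5", 51000)
    genuine = [
        Packet(*client, server, 80, "S"),
        Packet(server, 80, *client, "SA"),
        Packet(*client, server, 80, "A"),
        Packet(*client, server, 80, "PA", b"GET / " + SIGNATURE),
    ]
    return forged + genuine


if __name__ == "__main__":
    traffic = build_traffic()
    print("stateless alerts:", stateless_alerts(traffic))
    print("stateful alerts :", stateful_alerts(traffic))
```

The stateful check does not make false positives impossible: a sender can still complete handshakes and then send signature-bearing payloads. What it removes is the cheap, spoofed variant the "attack misdirection" slide describes, since completing a handshake requires a source address the sender can actually receive on, which also makes the resulting alert worth something forensically. The tracker itself is new state, so it needs the same cap and timeout discipline as any other table the sensor keeps.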
Conclusions
• IDSs have been around for more than a decade
• Several fundamental problems identified in IDSs
• IDSs themselves are vulnerable to attacks
  • and fail open
• Upcoming paper groups

References
• online.securityfocus.com/ids
• www.snort.org
• www.raid-symposium.org