Intrusion Detection Issues

Presented by Deepa Srinivasan, CSE581, Winter 2002, OGI. Papers on this topic: Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ‘98); Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Semantics (‘01).

Presentation Transcript


  1. Intrusion Detection Issues
     Presented by Deepa Srinivasan, CSE581, Winter 2002, OGI

  2. Papers on this topic
     • Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ‘98)
     • Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Semantics (‘01)
     • IP Fragmentation and fragrouter (Dec ‘00)
     • An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT (‘01)

  3. Agenda
     • Introduction to IDS
     • Some popular IDSs
     • Problems with IDSs
     • Normalizer
     • IP Fragmentation & fragrouter
     • “Squealing” in SNORT

  4. Introduction to IDS
     • Intrusion attempt or threat: the potential possibility of a deliberate unauthorized attempt to access or manipulate information, or to render a system unreliable or unusable
     • Types of IDS
       • Host-based
       • Network IDS
     • Example IDSs
       • ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

  5. Principles of IDSs: Common Intrusion Detection Framework
     • Event generators
     • Analysis engines
     • Storage mechanisms
     • Countermeasures

  6. Principles of IDSs: Common Intrusion Detection Framework

  7. Principles of IDSs
     • Passive monitoring
     • Signature analysis
     • Need for reliable ID
       • accuracy: false positives and false negatives
       • “fail-open”: if an attacker disables the IDS, the entire network is still accessible
       • forensic value of information

  8. Fundamental problems of IDSs
     • Deployed on a different box
       • could be on a different network segment
     • Protocol implementation ambiguities
       • different protocol stacks have different behavior
       • NIDS could see a different stream of packets than the host

  9. Fundamental problems of IDSs
     • False positives
       • incorrectly identify an intrusion when none has occurred
     • False negatives
       • incorrectly fail to identify an intrusion that has actually occurred

  10. Attacks on IDSs
     • Insertion
       • IDS thinks packets are valid; end system rejects these
     • Evasion
       • end system accepts packets that the IDS rejects
     • Denial of Service
       • resource exhaustion
     • Examples

  11. Popular problems/attacks
     • TCP/IP options fields
     • TCB creation/teardown
     • TCP stream reassembly
     • IP fragmentation
       • overlapping fragments

  12. Specific attacks
     • Invalid MAC addresses?
     • Invalid headers
       • Permissive in receiving, frugal in sending?
       • Bad IP checksum will be dropped?
     • IP options
     • IP TTL ambiguity
       • Packet received or not?

  13. Specific attacks
     • Packet size
       • Packet too large for downstream link?
     • Source-routed packets
       • Will destination reject such packets?
     • Fragment or TCP handshake time-out
       • Will other parts of fragment/TCB still be at destination?
     • Overlapping segments
       • Rewrite old data or not?

  14. Specific attacks
     • Weird TCP options
       • Destination might be configured to drop
     • Old TCP timestamps (PAWS)
       • Destination might be configured to drop
     • TCP RSTs with weird sequence numbers
       • Is connection reset?
     • Addition of interpreted characters (“^H”)
       • How does OS interpret?

  15. IP Fragmentation
     • Allows IP traffic over different network media with different max packet sizes
     • IP stacks do not handle reassembly well
       • can lead to DoS (teardrop, jolt2)
     • Fragrouter
       • NIDS testing tool
       • accepts IP packets routed from another system
       • fragments these packets according to various schemes

  16. Popular problems/attacks
     • Resource exhaustion
       • CPU, memory, network bandwidth
       • CPU: data-structure attack via fragments
       • Memory: space attack via fragments
       • Network: targeted DoS to disrupt TCP reassembly
     • Abusing reactive IDS
       • attack to generate false positives
       • IDS shuts down valid connections, blocks valid traffic etc.
       • results in the IDS itself triggering a DoS

  18. Popular problems/attacks
     • Resource exhaustion
       • CPU, memory, network bandwidth
     • Abusing reactive IDS
       • attack to generate false positives
       • IDS shuts down valid connections, blocks valid traffic etc.
       • results in the IDS itself triggering a DoS

  19. Methodology
     • Black-box testing
     • PHF attack
       • exploits a CGI script (phf) to gain access to web servers
     • Software used
       • CASL
       • FreeBSD 2.2
       • netcat
       • tcpdump

  20. Results

  21. Discussion Questions?

  22. Network Intrusion Detection: Traffic Normalization & End-to-End Protocol Semantics (“Transport and Application Protocol Scrubbing”)

  23. Recap of previous paper
     • IDSs are vulnerable to attacks
     • fundamental problems:
       • IDS sees different streams than the target host
       • protocol implementation ambiguities

  24. Introduction
     • Paper introduces the concept of a “normalizer”
     • Approach & implementation
     • Performance

  25. Normalizer

  26. Normalizer
     • Sits directly in the path of traffic into a site
     • Patches up, or normalizes, the packet stream
     • Result: same traffic and unambiguous behavior for NIDS and host
     • Differs from a firewall
     • Other approaches
       • host-based IDS, details of intranet, bifurcating analysis

  27. Normalization Tradeoffs
     • Protection
       • not meant to, but can act as a firewall
     • Need to preserve end-to-end semantics
       • impacts end-to-end performance
     • Stateholding attack
       • create more state than the normalizer can handle
     • Inbound vs outbound traffic

  28. Other Considerations
     • Cold start
       • is a “real world” requirement
       • what happens to existing connections?
       • initiate state for connections from the trusted network
     • Attacking the normalizer itself

  29. Systematic Approach
     • Walk through the packet headers of each protocol
     • Identify what the “correct” normalization is
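As an added example (not code from the slides or from the papers they summarize), a toy Python model of the overlap question on slide 13 ("rewrite old data or not?") and of the normalizer's answer on slides 26 and 29: fragments are simplified to (byte offset, payload) pairs, the two host policies are assumed for illustration, and the sample datagram is constructed.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset into the datagram, payload)

def _assemble(seen: Dict[int, int]) -> bytes:
    # A hole means the datagram is incomplete; a host would time it out.
    if set(seen) != set(range(len(seen))):
        raise ValueError("incomplete datagram")
    return bytes(seen[i] for i in range(len(seen)))

def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Mimic an end host. 'first' keeps the bytes that arrived first (old data
    is never rewritten); 'last' lets a later fragment overwrite them."""
    seen: Dict[int, int] = {}
    for off, data in frags:
        for i, b in enumerate(data):
            if policy == "last" or off + i not in seen:
                seen[off + i] = b
    return _assemble(seen)

def normalize(frags: List[Fragment]) -> Tuple[bytes, List[Fragment]]:
    """Normalizer policy (assumed): resolve the ambiguity before the NIDS or
    the host sees it. Data already received wins, and a fragment whose overlap
    *disagrees* with it is dropped; an identical retransmission is kept."""
    seen: Dict[int, int] = {}
    dropped: List[Fragment] = []
    for off, data in frags:
        if any(seen.get(off + i, b) != b for i, b in enumerate(data)):
            dropped.append((off, data))
            continue
        for i, b in enumerate(data):
            seen[off + i] = b
    return _assemble(seen), dropped

# Constructed sample: three fragments of one datagram; the third overlaps the
# second with different bytes, so the two host policies disagree.
SAMPLE: List[Fragment] = [
    (0, b"GET /cgi-bin/"),
    (13, b"phf"),
    (13, b"xyz"),
]

def demo() -> Dict[str, bytes]:
    return {
        "host_first_wins": reassemble(SAMPLE, "first"),
        "host_last_wins": reassemble(SAMPLE, "last"),
        "normalized": normalize(SAMPLE)[0],
    }
```

A NIDS that reassembles with the policy the target host does not use matches against a string the host never sees; after normalization only one interpretation can reach either of them.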

  30. Example Attack
     • IP identifier and stealth port scans

  31. Normalization for this
     • Solution for the patsy
       • scramble IDs of incoming and outgoing packets
       • breaks diagnostic protocols
     • Solution for the victim
       • reliable RSTs
       • normalizer sends a “keep-alive” packet to the host to determine whether the connection was actually closed

  32. Implementation
     • Code in C, uses libpcap
     • user-level application
     • attention to completeness, correctness & performance
     • Evaluated using a trace-driven approach
       • NetDuDE

  33. Performance
     • Platform: 1.1 GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM
     • a normalizer implemented in kernel mode (as a Click module) could forward traffic at line speed on a bi-directional 100 Mbps link

  34. Discussion Questions?

  35. An Achilles’ Heel to Signature-Based IDS: Squealing False Positives in Snort (‘01)

  36. Introduction
     • Paper documents attacking Snort using false positives
     • Snort: open-source, free, lightweight NIDS
     • Squealing
       • noise made by pigs during periods of distemperment
     • Boy cried wolf too many times
       • additionally, the boy may not recognize the wolf when it actually appears!

  37. Attacking Snort
     • The limitation is not in correctly identifying attacks, but in the ability to suppress false positives
     • PCP
       • tool for generating false positives
       • packet writing and argument parsing

  38. Squeal Attack types
     • Noise-masked attacks
       • diverts attention from a covert attack
     • Attack misdirection
       • source of attack is spoofed
     • Evidence repudiability
     • Target conditioning
     • Statistical poisoning
       • when training an IDS

  39. How easy is it?
     • Using SOCK_RAW
     • LIBNET, Nemesis
     • Script-driven tools available (snot, stick, trichinosis)

  40. Proposed Solutions
     • Adaptation
       • changing the signature-matching algorithms rapidly
     • State awareness
       • give the IDS a “context” while checking packets
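Added example, not code from the slides or from the Snort paper: a toy stateful matcher illustrating the "state awareness" proposal, alerting on a signature only inside a flow whose three-way handshake it observed, so spoofed single packets (slide 38, "source of attack is spoofed") are counted rather than each raising an alert. The packet fields, the PHF-style rule content and the addresses are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

class Pkt(NamedTuple):
    src: str
    dst: str
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A"/"PA" = ACK without/with data
    payload: bytes

# Rule content modelled on the phf probe named on slide 19 (constructed value).
SIGNATURE = b"/cgi-bin/phf"

def flow_key(p: Pkt) -> Tuple[str, str]:
    a, b = sorted((p.src, p.dst))   # direction-independent flow identifier
    return a, b

class StatefulMatcher:
    """Match SIGNATURE only inside flows whose handshake was seen. A squealing
    tool spraying spoofed packets never completes a handshake (it cannot see
    the SYN/ACK), so those hits are tallied per source instead of alerting."""
    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], str] = {}   # flow -> handshake stage
        self.alerts: List[Pkt] = []
        self.unestablished: Counter = Counter()

    def feed(self, p: Pkt) -> None:
        key = flow_key(p)
        stage = self.state.get(key)
        if p.flags == "S":
            self.state[key] = "syn"
        elif p.flags == "SA" and stage == "syn":
            self.state[key] = "synack"
        elif "A" in p.flags and stage == "synack":
            self.state[key] = "established"
        if SIGNATURE in p.payload:
            if self.state.get(key) == "established":
                self.alerts.append(p)
            else:
                self.unestablished[p.src] += 1

def demo() -> Tuple[int, int]:
    """Returns (alerts raised, stateless hits suppressed) for constructed traffic."""
    m = StatefulMatcher()
    client, server = "10.0.0.5", "192.0.2.10"
    probe = b"GET /cgi-bin/phf HTTP/1.0\r\n"
    m.feed(Pkt(client, server, "S", b""))
    m.feed(Pkt(server, client, "SA", b""))
    m.feed(Pkt(client, server, "PA", probe))      # real, established flow
    for i in range(5):                             # spoofed squeal packets, no handshake
        m.feed(Pkt(f"203.0.113.{i}", server, "PA", probe))
    return len(m.alerts), sum(m.unestablished.values())
```

This only filters stateless noise: an attacker who completes handshakes from a host they control still produces real matches, which is why the slides pair state awareness with adaptation.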

  41. Conclusions
     • IDSs have been around for more than a decade
     • Several fundamental problems identified in IDSs
     • IDSs themselves are vulnerable to attacks
       • and fail-open
     • Upcoming paper groups

  42. References
     • online.securityfocus.com/ids
     • www.snort.org
     • www.raid-symposium.org