
Detecting Evasion Attack at High Speed without Reassembly

Presented by C.W. Hon and K.K. To, 26/Mar/2007.



  1. Detecting Evasion Attack at High Speed without Reassembly. Presented by C.W. Hon and K.K. To, 26/Mar/2007

  2. External attack (network diagram: Internet, DMZONE, enterprise switch, DNS, WEB, MAIL, internal servers, clients)

  3. Internal attack (same network diagram)

  4. IDS/IPS integration (same network diagram)

  5. IDS/IPS • IDS: reactive approach • IPS: proactive approach. IPS differs from IDS in that it takes a proactive approach to attacks (e.g. blocking the packets concerned) rather than a reactive approach (e.g. triggering human intervention).

  6. IDS/IPS • IPS can be described as a subset of IDS in which a subset of the rules is enabled with the corresponding action of dropping any packet that matches the rule. ☼ A minimum of false positives is required.

  7. Signature based IDS/IPS • An IDS/IPS consists of a database of rules. • Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action.

  8. Reassembly • Both IDS and IPS are required to reassemble TCP flows and IP fragments. • This ensures that a content string in a rule that is fragmented across packets can still be detected.

  9. Normalization • IPS is required to normalize TCP flows. • Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker.

  10. What is Normalization (figure: IPv4 header)

  11. IP Normalizations

  12. Bottlenecks in high speed IPS • Search content string (regular expression) • Reassemble and normalize the packets (1 million concurrent connections; avoid early timeout of late fragments)

  13. IPS • As speed gets higher, reassembly and normalization in the network require an increasing amount of resources in terms of memory, bandwidth and processing.

  14. Argument • Folk theorem: reassembly and normalization are sufficient to detect all evasions. • Challenge: are packet reassembly and normalization necessary to deal with evasions by attackers?

  15. Evasion Attack • Attackers exploit the ambiguities between how the IPS and the end hosts handle packets. Example: ATTACK SIGNATURE split as ATTA CK SIGN ATURE

  16. IP Fragments • Problem: not all IP fragments contain a TCP header. • Good news: IP fragments are rare in practice. • Solution: all IP fragments are redirected to the slow path.

  17. Types of Evasion Attack • Misordered Fragments • Interspersed Chaff • Overlapping Fragments (combined with IP fragmentation)

  18. Example – Misordered Fragments • Characteristics: out-of-order segments; each segment contains a portion of the signature. Arrival sequence: SEQ=13, Data=“ACK”; then SEQ=10, Data=“ATT”

  19. Example – Interspersed Chaff • Characteristics: “noise” or “chaff” segments; some segments have a small TTL. Arrival sequence: SEQ=10, TTL=10, Data=“ATT”; SEQ=13, TTL=1, Data=“JKL”; SEQ=13, TTL=10, Data=“ACK”

  20. Example – Overlapping Fragments • Characteristics: similar to the case of Interspersed Chaff; the signature is embedded in arbitrarily large packets. Arrival sequence: SEQ=10, Data=“ATTJKL”; then SEQ=13, Data=“ACK”

  21. Basic Idea • On a high speed link, e.g. 20 Gbps, not all traffic is attack traffic, yet the classic IPS scans all traffic passing through it. • Filter out the attack traffic by identifying its characteristics and let good traffic pass through: path diversion.

  22. Classic IPS (figure)

  23. Path Diversion (figure)

  24. Proposed Solution • Assumptions: • A small modification to TCP receivers to check for inconsistent transmission: Weak Atomicity. • A change in the definition of signature detection to allow the start and end of a signature to be missed: Split-Detect. • A restriction to exact signatures.

  25. Weak Atomicity Definition: None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered.

  26. Weak Atomicity Implementation • Maintain a buffer: the Overlap Detect Buffer. • Store the last MSS worth of bytes sent. • Compare the bytes of each new in-order packet with the bytes in the buffer; deliver it if there is no inconsistency, reset the connection if an inconsistency is found. • Takes more space (1 MSS) and more processing (the comparison).
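The receiver-side check on slide 26, written out as an added example (not code from the presentation or the paper it summarizes): a TCP receiver that keeps an overlap-detect buffer of the last MSS bytes it delivered, compares every retransmitted byte range against that buffer, and resets the connection on the first inconsistency. Out-of-order segments are queued until they become in-order, which is an assumption of this illustration; the traces replay the overlapping-fragments example from slide 20 and the misordered example from slide 18.

```python
class WeakAtomicityReceiver:
    """TCP receiver with an Overlap Detect Buffer (constructed illustration)."""

    def __init__(self, isn: int, mss: int = 1460):
        self.next_seq = isn        # sequence number of the next in-order byte
        self.mss = mss
        self.overlap_buf = b""     # last <= mss delivered bytes, ending at next_seq
        self.delivered = b""       # what the application has received so far
        self.pending = {}          # out-of-order segments keyed by seq (assumption)
        self.reset = False

    def receive(self, seq: int, data: bytes) -> str:
        """Returns 'delivered', 'queued' or 'reset'."""
        if self.reset:
            return "reset"
        if seq > self.next_seq:
            self.pending[seq] = data       # hole before it; wait for the missing bytes
            return "queued"
        status = self._accept(seq, data)
        # drain queued segments that are now in order (or overlap delivered data)
        while status != "reset":
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            status = self._accept(s, self.pending.pop(s))
        return status

    def _accept(self, seq: int, data: bytes) -> str:
        # Bytes in [seq, next_seq) were delivered earlier; compare the part of that
        # range still held in the overlap-detect buffer with what arrived now.
        overlap_end = min(seq + len(data), self.next_seq)
        buf_start = self.next_seq - len(self.overlap_buf)
        cmp_start = max(seq, buf_start)
        if cmp_start < overlap_end:
            old = self.overlap_buf[cmp_start - buf_start:overlap_end - buf_start]
            new = data[cmp_start - seq:overlap_end - seq]
            if old != new:
                self.reset = True          # inconsistent retransmission: tear down
                return "reset"
        fresh = data[self.next_seq - seq:]  # bytes beyond what was already delivered
        self.delivered += fresh
        self.overlap_buf = (self.overlap_buf + fresh)[-self.mss:]
        self.next_seq += len(fresh)
        return "delivered"


def overlapping_fragments_trace():
    """Slide 20: SEQ=10 'ATTJKL' then SEQ=13 'ACK' (constructed replay)."""
    r = WeakAtomicityReceiver(isn=10)
    first = r.receive(10, b"ATTJKL")
    retransmit = r.receive(13, b"JKL")    # consistent retransmission: accepted
    inconsistent = r.receive(13, b"ACK")  # disagrees with delivered 'JKL': reset
    return first, retransmit, inconsistent, r.delivered


def misordered_trace():
    """Slide 18: SEQ=13 'ACK' arrives before SEQ=10 'ATT'; nothing inconsistent."""
    r = WeakAtomicityReceiver(isn=10)
    return r.receive(13, b"ACK"), r.receive(10, b"ATT"), r.delivered


if __name__ == "__main__":
    print(overlapping_fragments_trace())
    print(misordered_trace())
```

The second trace shows the limitation slide 29 states: weak atomicity rejects conflicting data, but out-of-order delivery of a split signature is still reassembled normally by the receiver, so the IPS still has to handle misordered and small-TTL segments.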

  27. Weak Atomicity Advantages • Prevents bad behavior. • No need to implement a complete IPS at the end nodes. • Fairly simple to implement. • Allows the current IPS to scale.

  28. Weak Atomicity Disadvantages • Introduces a new DoS attack: injecting inconsistent data causes the connection to be reset.

  29. Weak Atomicity What still remains? The attackers can still: • Break up an attack signature. • Send out-of-order fragments. • Send small-TTL packets, which never reach the end nodes.

  30. Split-Detect Basic Idea • Split the signature into K equal pieces. • Detect any piece in the incoming packets on the fast path. • Divert a flow to the slow path if • the fast path detects any piece, or • the fast path detects small packets or out-of-order behavior.

  31. Small Packets • A small packet is defined by the maximum payload size of a packet that contains a portion of the signature but does not contain any complete signature piece.

  32–35. Small Packets (figures: a signature, its signature pieces, and the attacker’s split) • payloadSize < 2·PieceSize − 1

  36. Fast Path Implementation • Fast Path as a State Machine • State variables: • NES (Next Expected Sequence number, 32 bits) • OOO (Out Of Order since last small packet, Boolean) • length (length in bytes since last small packet, 7 bits) • count (count of anomalies, 4 bits) • LUT (Last Update Time, 3 bits). State is kept from the first small packet sent.

  37. Fast Path Implementation • State update mechanism (NES, OOO, length, count, LUT). Update of count: • Initialized to 1 when the flow is first placed in the flow table. • On receiving a small packet, increment if • the packet’s sequence number is not equal to NES, or • OOO is true, or • length ≤ SignatureLength. Counts anomalies.

  38. Fast Path Implementation • State update mechanism (NES, OOO, length, count, LUT) Update of length: • If the current packet is large, incremented by the payload length. • If the current packet is small, reset to 0. Measures the length for this flow since last received small packet.

  39. Fast Path Implementation • State update mechanism (NES, OOO, length, count, LUT) Update of OOO: • If the current packet is large and sequence number is not equal to NES, set to true. • If the current packet is small, reset to false. A flag that detects out-of-order reception between small packets.

  40. Fast Path Implementation • State update mechanism (NES, OOO, length, count, LUT). Update of NES: • Set to s + l, where s = current packet sequence number and l = current packet payload length. Reflects the sequence number of the next expected in-order TCP segment.

  41. Fast Path Implementation • State update mechanism (NES, OOO, length, count, LUT). Update of LUT: • All packets cause it to be updated to the current time.

  42. Fast Path Implementation • Slow Path diversion • After the state update, the entire flow is diverted to the slow path if • the packet contains a piece of the signature, or • the anomaly count is equal to K−1. • If the flow is not diverted, the packet is • forwarded normally, and • also copied to the slow path iff the packet is small.
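The fast path of slides 30 to 42, simulated as an added example (this is constructed illustration code, not the presentation's or the original paper's implementation): a constructed signature is cut into K=3 pieces, the per-flow state variables NES, OOO, length, count and LUT are updated by exactly the rules on slides 37 to 41, and the diversion decision follows slide 42. The bit widths on slide 36 are ignored (plain integers are used), and it is an assumption here that the first small packet creates the flow entry with count=1 without itself being run through the increment rule. The helper `longest_pieceless_run` also checks the slide 35 threshold: no run of signature bytes of length 2·PieceSize−1 or more can avoid containing a whole piece, so that is where "small" has to start.

```python
from dataclasses import dataclass

SIGNATURE = "ATTACKSIGNATURE"          # constructed sample signature S
K = 3                                  # number of equal pieces (count threshold is K-1 = 2)
PIECE_SIZE = len(SIGNATURE) // K
PIECES = [SIGNATURE[i * PIECE_SIZE:(i + 1) * PIECE_SIZE] for i in range(K)]
SMALL_LIMIT = 2 * PIECE_SIZE - 1       # payload shorter than this is a "small packet"


@dataclass
class Packet:
    seq: int          # TCP sequence number of the first payload byte
    payload: str


@dataclass
class FlowState:
    nes: int              # next expected sequence number
    ooo: bool = False     # out-of-order seen since the last small packet
    length: int = 0       # bytes seen since the last small packet
    count: int = 1        # anomaly count, 1 on insertion into the flow table
    lut: int = 0          # last update time


def is_small(pkt: Packet) -> bool:
    return len(pkt.payload) < SMALL_LIMIT


def contains_piece(pkt: Packet) -> bool:
    return any(piece in pkt.payload for piece in PIECES)


def longest_pieceless_run(sig: str = SIGNATURE) -> int:
    """Longest substring of the signature containing no whole piece (brute force)."""
    best = 0
    for i in range(len(sig)):
        for j in range(i + 1, len(sig) + 1):
            if not any(p in sig[i:j] for p in PIECES):
                best = max(best, j - i)
    return best


class FastPath:
    def __init__(self):
        self.flows = {}          # flow id -> FlowState
        self.diverted = set()    # flows handed entirely to the slow path
        self.to_slow_path = []   # (flow id, packet, "copy" | "diverted")
        self.now = 0

    def process(self, flow_id, pkt: Packet) -> str:
        """Returns 'forward', 'copy' (forwarded, copy to slow path) or 'divert'."""
        self.now += 1
        if flow_id in self.diverted:
            self.to_slow_path.append((flow_id, pkt, "diverted"))
            return "divert"
        small = is_small(pkt)
        st = self.flows.get(flow_id)
        if st is None and small:
            # assumption: first small packet creates the entry, count starts at 1
            st = FlowState(nes=pkt.seq + len(pkt.payload), lut=self.now)
            self.flows[flow_id] = st
        elif st is not None:
            self._update(st, pkt, small)
        if contains_piece(pkt) or (st is not None and st.count == K - 1):
            self.diverted.add(flow_id)         # slide 42: whole flow goes slow
            self.flows.pop(flow_id, None)
            self.to_slow_path.append((flow_id, pkt, "diverted"))
            return "divert"
        if small:
            self.to_slow_path.append((flow_id, pkt, "copy"))
            return "copy"
        return "forward"

    def _update(self, st: FlowState, pkt: Packet, small: bool) -> None:
        l = len(pkt.payload)
        if small:                              # slides 37-39, small-packet branch
            if pkt.seq != st.nes or st.ooo or st.length <= len(SIGNATURE):
                st.count += 1                  # anomaly: misordered or too close to last small packet
            st.length = 0
            st.ooo = False
        else:                                  # large-packet branch
            if pkt.seq != st.nes:
                st.ooo = True
            st.length += l
        st.nes = pkt.seq + l                   # slide 40
        st.lut = self.now                      # slide 41


def run(packets, flow_id="flow-1"):
    fp = FastPath()
    return [fp.process(flow_id, p) for p in packets]


# Constructed traces: a split signature, the slide 18 misordering, a benign
# interactive flow with small lines separated by large data, and one large
# packet carrying a whole piece.
SPLIT_ATTACK = [Packet(10, "ATT"), Packet(13, "ACKS"), Packet(17, "IGNA"), Packet(21, "TURE")]
MISORDERED = [Packet(13, "ACK"), Packet(10, "ATT")]
BENIGN = [Packet(1, "OK\r\n"), Packet(5, "X" * 40), Packet(45, "OK\r\n"), Packet(49, "Y" * 40)]
WHOLE_PIECE = [Packet(100, "xxxxxKSIGNxxxxx")]

if __name__ == "__main__":
    for name, trace in [("split attack", SPLIT_ATTACK), ("misordered", MISORDERED),
                        ("benign", BENIGN), ("whole piece", WHOLE_PIECE)]:
        print(f"{name:12s} {run(trace)}")
```

In the benign trace the two small packets are in order and separated by more than SignatureLength bytes, so the count never reaches K−1 and only copies of the small packets reach the slow path; in the split and misordered traces the second small packet already trips the anomaly rule, and a large packet carrying a whole piece is diverted without any prior state.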

  43. Slow Path Implementation • Additional information indicates whether a packet is a copy of a forwarded packet or a diverted packet. • If a flow is a diverted flow, the slow path is responsible for deciding whether to forward each packet on to the receiver. • For every flow, it maintains a single version of the reassembled TCP stream, and drops the flow if there is an inconsistency. • If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K−1 in the reassembled stream.

  44. Theorems • Theorem 1: Fast Path Diversion. A TCP connection containing string S in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path. Further, if prior to diversion the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.

  45. Theorems • Theorem 2: Slow Path Blocking. A TCP connection containing string S in some reassembled stream will have its critical packet dropped in the slow path (Safety). Conversely, a TCP connection that does not contain Almost(S) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).

  46–50. Results (charts not transcribed)
