
Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking

Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall. University of New Mexico, Dept. of Computer Science. USENIX 2010.


Presentation Transcript


  1. Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall, University of New Mexico, Dept. of Computer Science. Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking. USENIX 2010

  2. Outline
  • Introduction
  • Related Work
  • Formalizing Non-interference Analysis
  • Finding Idle Scan
  • Experimental confirmation of counterexamples
  Advanced Defense Lab

  3. Introduction
  • Network reconnaissance is the important first step of virtually all network attacks.
  • Idle scans were introduced by Antirez in 1998.
  • Based on non-random, sequential IPIDs of older network stacks

  4. Introduction - Idle Scan

  5. Introduction - Idle Scan
  • IPID-based idle scans have been implemented in nmap
  • But modern network stacks randomize the IPID
  • FTP bounce scans are currently the only known way to port scan a victim host or network without routing forged packets to that host or network from the attacker
  • This paper proposes another one

  6. Related Work
  • Staniford et al. use simulated annealing to detect stealthy scans.
  • Leckie and Kotagiri present a probabilistic approach
  • Gates and Kang et al. consider the problem of stealth port scans based on using many distributed hosts (e.g., a botnet) to perform the scan.

  7. Related Work (cont.)
  • Non-interference is a widely used concept of information flow security
  • Non-interference proved to be a very useful property because it can be specified with Linear Temporal Logic (LTL).

  8. Formalizing Non-interference Analysis
  • A host is viewed to be at the end of the network, i.e., an end host.

  9. SYN Cache
  • The SYN cache is a cache for pending SYN packets for which a SYN/ACK has been sent and the host is waiting for an ACK.
  • In our model packets are only removed from the SYN cache when a TCP RST is received from the source IP address and port of the original SYN packet

  10. Idle Scan model

  11. Non-interference Analysis Model

  12. Formalizing Non-interference Analysis
  • Using SAL for modeling
  • SAT-based bounded model checker

  13. (no transcribed text)

  14. (no transcribed text)

  15. Formalizing Non-interference Analysis -- Assumptions
  • A major abstraction is that we consider the proper reply to SYN/ACK packets to be “drop” for open ports and RST for closed ports.
  • Another major abstraction is that each of the two buffers in our split SYN cache has only a single entry.

  16. Port Status

  17. Finding Idle Scan
  • RST rate limit

  18. Finding Idle Scan
  • SYN cache

  19. Experimental confirmation of counterexamples
  • Setup
    • VirtualBox
    • TUN/TAP
  • Zombie
    • kernel 2.4 host (Fedora Core 1)
    • Windows XP host with no service packs
    • Linux kernel 2.6 host (CentOS 5.2)
    • FreeBSD 7.1.1 host

  20. Experimental confirmation of counterexamples - RST rate
  • For a real FreeBSD system, RSTs are limited to a default of 200 per second
  • Our implementation sends 2000 each of two different types of packets, each at a rate of 180 per second, to the victim and FreeBSD zombie, respectively

  21. Experimental confirmation of counterexamples - RST rate

  22. Experimental confirmation of counterexamples – SYN cache
  • Linux kernel 2.4 uses a simple buffer for the SYN cache, with between 128 and 1024 entries depending on the memory available on the system.
  • Our implementation:
    • 50 forged SYNs, then 50 each of forged SYNs and SYNs where the attacker uses their own return IP (1000 per second)
    • 200 more forged SYNs (1000 per second)
    • sends 200 each of forged SYNs and SYNs where the attacker uses their own return IP address (400 per second)

  23. Experimental confirmation of counterexamples – SYN cache
  • Result between different OSes

  24. Experimental confirmation of counterexamples – SYN cache
  • Idle port scan
    • 20,000 forged SYN packets (with random return ports that are closed on the zombie)
    • At half the rate, alternating forged SYNs with the target port on the victim as the source port and valid SYNs with the return address of the attacker

  25. Experimental confirmation of counterexamples – SYN cache
  • Result for idle port scan
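Added example, not code from the paper or its SAL models, that makes the non-interference check of slides 7, 8 and 12 concrete for the two idle scans described on slides 17-18, 20 and 22-24: two abstract zombie models (RST rate limit and single-entry SYN cache) and a bounded checker that searches attacker input sequences for one whose low-level observation depends on the victim's port status. The packet names, the RST budget of 2 and the assumption that the attacker immediately RSTs its own SYN cache entry are constructed abstractions, not values from the paper.

```python
# Added example, not code from the paper or its SAL models: a bounded
# non-interference check over two abstract zombie models.  HIGH input =
# victim port status; LOW observation = the zombie's reply to the attacker's
# own probe.  A counterexample is an attacker sequence whose LOW trace differs
# for open vs. closed, i.e. the victim's state leaks through the zombie.
from itertools import product

RST_LIMIT = 2  # constructed per-window RST budget (real FreeBSD default: 200/s)

def rst_rate_model(seq, port_open):
    """Zombie with an RST rate limit (slides 17 and 20).
    'forge' = SYN to the victim spoofed from the zombie: an open port answers
    SYN/ACK, which costs the zombie one RST; a closed port answers RST, which
    the zombie silently drops.  'probe' = attacker's own SYN to a closed
    zombie port, normally answered with an RST."""
    rsts_sent, obs = 0, []
    for pkt in seq:
        if pkt == "forge" and port_open:
            rsts_sent += 1                   # RST spent on the victim's SYN/ACK
        elif pkt == "probe":
            if rsts_sent < RST_LIMIT:
                rsts_sent += 1
                obs.append("RST")            # attacker sees the RST
            else:
                obs.append("none")           # budget exhausted, no reply
    return obs

def syn_cache_model(seq, port_open):
    """Zombie with a single-entry SYN cache (slides 9, 15, 18 and 24).
    'forge' = SYN to the zombie spoofed from the victim's target port; the
    entry leaves the cache only if the victim RSTs the SYN/ACK (closed port).
    'probe' = attacker's own SYN; assumed answered SYN/ACK only when the
    cache has room, and the attacker is assumed to RST its own entry at once."""
    cache_full, obs = False, []
    for pkt in seq:
        if pkt == "forge":
            cache_full = port_open           # open port drops the SYN/ACK
        elif pkt == "probe":
            obs.append("none" if cache_full else "SYN/ACK")
    return obs

def find_counterexample(model, bound):
    """Shortest attacker sequence whose LOW trace depends on HIGH, or None if
    none exists up to `bound` packets (a bounded checker can miss longer ones)."""
    for n in range(1, bound + 1):
        for seq in product(("forge", "probe"), repeat=n):
            if model(seq, True) != model(seq, False):
                return seq
    return None
```

Run `find_counterexample(rst_rate_model, 2)` and then with bound 3 to see the bounded nature of the check: the RST-rate counterexample needs three packets, so a bound of two reports the model as non-interfering.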
