
Detecting Evasion Attack at High Speed without Reassembly


woody

Presentation Transcript


  1. Detecting Evasion Attack at High Speed without Reassembly

  2. IDS/IPS • An IDS alerts the administrator if an intrusion packet appears • An IPS proactively drops the intrusion packet • Signature-based • Both need packet reassembly for string matching • An IPS also needs packet normalization to remove inconsistencies

  3. Bottleneck at high speed • 1 million concurrent connections • Avoiding early timeout of late fragments • Memory usage increases • Processing time increases

  4. Evasion Attack • Misordered Fragments • Interspersed Chaff • Overlapping Fragments

  5. Misordered Fragments

  6. Interspersed Chaff

  7. Overlapping segments

  8. Challenge • Reassembly and normalization are sufficient to detect all evasions • Packet reassembly and normalization are necessary

  9. Basic Idea • Selective detection • Fast path for normal streams • Slow path for suspicious streams

  10. Diagram

  11. Diagram

  12. Three assumptions • A modification to TCP receivers • A change in the definition of signature detection • A restriction to exact signatures, or regular expressions with a fixed exact length

  13. Mechanism • IP fragments all go to the slow path • IP fragments may not contain a TCP header • Weak Atomicity • Overlapping segments attack • Split-Detect • Misordered fragments • Interspersed chaff

  14. IP Fragments • IP fragments may not contain a TCP header

  15. IP Fragments • All go to the slow path • But fragments are rare

  16. Weak Atomicity • Overlapping segments attack • Dealing with overlapping segments needs a large amount of space

  17. Weak Atomicity • None of the bytes in a TCP segment that are delivered will be inconsistent with the bytes of another TCP segment that are delivered • The overlapping segments attack then has no effect

  18. Implementation • Maintain an additional overlap buffer • An MSS's worth of the bytes last delivered to the socket buffer • Compare any overlapping bytes with the bytes in the overlap buffer • If there is an inconsistency, reset the connection
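The receiver-side overlap-buffer check from slides 16-18, as an added Python example that is not part of the presentation or of the paper it summarises. The 8-byte MSS and the sequence numbers are constructed values; segments beyond NES are simply reported as held, since out-of-order buffering is not what the check is about.

```python
class WeakAtomicReceiver:
    """TCP receive side enforcing weak atomicity with an overlap buffer.

    Only in-order segments and retransmissions that overlap bytes already
    delivered are modelled; a segment starting past NES returns 'hold'
    (assumption: out-of-order buffering is left out of this example).
    """

    def __init__(self, isn, mss=8):      # mss=8 is a constructed small value
        self.nes = isn                   # next expected sequence number
        self.mss = mss
        self.overlap = b""               # last <= mss bytes handed to the socket buffer
        self.delivered = b""             # what the application would read
        self.reset = False

    def receive(self, seq, payload):
        """Return 'accept', 'duplicate', 'hold' or 'reset' for one segment."""
        if self.reset:
            return "reset"               # connection already torn down
        end = seq + len(payload)
        if seq > self.nes:
            return "hold"
        buf_start = self.nes - len(self.overlap)
        # Bytes in [lo, hi) were already delivered and are still in the buffer,
        # so the retransmitted copy must match them byte for byte.
        lo, hi = max(seq, buf_start), min(end, self.nes)
        if lo < hi and payload[lo - seq:hi - seq] != self.overlap[lo - buf_start:hi - buf_start]:
            self.reset = True            # inconsistent overlap: reset the connection
            return "reset"
        if end <= self.nes:
            return "duplicate"           # consistent retransmission, nothing new
        new = payload[self.nes - seq:]   # only the bytes beyond NES are new
        self.delivered += new
        self.nes = end
        self.overlap = (self.overlap + new)[-self.mss:]
        return "accept"
```

Overlap older than one MSS is no longer checkable, which is the space trade-off the slide makes explicit.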

  19. Advantages • Prevents bad behavior • No need to implement a complete IPS at the end nodes • Fairly simple to implement • Allows the current IPS to scale

  20. Disadvantage • New DoS attack • Inconsistent data can be used to reset other connections

  21. Split-Detect • Misordered Fragments • Interspersed Chaff

  22. Split-Detect • Split • Break a signature into K equal pieces and arm the fast path to detect any piece • Divert • Divert a TCP flow to the slow path when • the fast path detects any piece, or • the fast path detects small-packet or out-of-order behavior

  23. Split • Original signature: ATTACK_SIGNATURE • Signature pieces, 4 bytes per piece: ATTA CK_S IGNA TURE • Attacker's split: ATT AC K_SI GNATUR E

  24. Small packets • Evading piece matching • PayloadSize < 2 × PieceSize - 1 • Pieces: ATTA CK_S IGNA TURE • Attacker's split: ATT AC K_SI GNATUR E

  25. Fast Path • Fast path as a state machine • State variables • NES (Next Expected Sequence number, 32 bits) • OOO (Out Of Order since last small packet, Boolean) • length (length in bytes since last small packet, 7 bits) • count (count of anomalies, 4 bits) • LUT (Last Update Time, 3 bits) • Starts keeping state when the first small packet is sent

  26. Implementation • count: counts anomalies • Initialized to 1 when the flow is first placed in the flow table • On receiving a small packet, increment if • the packet's sequence number is not equal to NES, or • OOO is true, or • length ≤ SignatureLength

  27. length: measures the number of bytes for this flow since the last received small packet • If the current packet is large, increment by the payload length • If the current packet is small, reset to 0

  28. OOO: a flag that detects out-of-order reception between small packets • If the current packet is large and its sequence number is not equal to NES, set to true • If the current packet is small, reset to false

  29. NES: sequence number of the next expected in-order TCP segment • Set to s + l • s = current packet sequence number • l = current packet payload length

  30. Slow path diversion • After the state update, the entire flow is diverted to the slow path if • the packet contains a piece of the signature, or • the anomaly count is equal to K-1 • If the flow is not diverted, the packet is • forwarded normally, and • also copied to the slow path iff the packet is small
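The fast-path state machine of slides 22-30 (split, per-flow state update, diversion rule), as an added Python example that is not code from the presentation or from the paper. K=4 and the ATTACK_SIGNATURE example come from the slides; the LUT timer is omitted, and it is an assumption here that the small packet which creates the flow entry is not itself counted as an anomaly beyond the initial count of 1.

```python
K = 4                                 # number of pieces (value assumed)
SIGNATURE = b"ATTACK_SIGNATURE"       # signature used on slide 23
PIECE_LEN = len(SIGNATURE) // K       # 4 bytes per piece
PIECES = [SIGNATURE[i * PIECE_LEN:(i + 1) * PIECE_LEN] for i in range(K)]
SMALL_MAX = 2 * PIECE_LEN - 1         # payload < this can avoid holding any whole piece

class FlowState:
    """Per-flow fast-path variables from slide 25 (LUT omitted)."""
    def __init__(self, seq, length):
        self.nes = seq + length       # next expected sequence number
        self.ooo = False              # out-of-order seen since last small packet
        self.length = 0               # bytes seen since last small packet
        self.count = 1                # anomaly count, initialised to 1 on creation

class FastPath:
    def __init__(self):
        self.flows = {}               # flow id -> FlowState, created on first small packet
        self.diverted = set()         # flows handed to the slow path

    def process(self, flow, seq, payload):
        """Return 'divert', 'forward', or 'forward+copy' (small packet also copied)."""
        if flow in self.diverted:
            return "divert"
        small = len(payload) < SMALL_MAX
        st = self.flows.get(flow)
        if st is None:
            if small:                 # state is only kept from the first small packet
                st = self.flows[flow] = FlowState(seq, len(payload))
        elif small:                   # slide 26: anomaly test, then slide 27/28 resets
            if seq != st.nes or st.ooo or st.length <= len(SIGNATURE):
                st.count += 1
            st.length, st.ooo, st.nes = 0, False, seq + len(payload)
        else:                         # large packet: slides 27-29
            if seq != st.nes:
                st.ooo = True
            st.length += len(payload)
            st.nes = seq + len(payload)
        # slide 30: divert on a piece hit or when the anomaly count reaches K-1
        if any(p in payload for p in PIECES) or (st is not None and st.count == K - 1):
            self.diverted.add(flow)
            return "divert"
        return "forward+copy" if small else "forward"
```

With the attacker's split from slide 23 sent in order, the third small packet drives the count to K-1 and the flow is diverted even though no packet contains a whole piece.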

  31. Slow Path • Each packet carries additional information indicating whether it is a copy of a forwarded packet or a diverted packet • If a flow is a diverted flow, the slow path is responsible for deciding whether to forward the packet on to the receiver • For every flow, it maintains a single version of the reassembled TCP stream; drop the flow if there is an inconsistency • If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream

  32. Results • Same flow, different parameters • OC-48 trace

  33-36. Results (figures only)

  37. Results • Different flows, the same parameters

  38-41. Results (figures only)

  42. Advantages • 10× speedup • State compressed 20×

  43. Disadvantages • Modifies the TCP client • Detects Almost(S), not S • Does not support general regular expressions • Small-token problem

  44. Comment • New idea for a folk theorem • But not practical… • Makes up for one thing, but loses another
