Intrusion Detection Issues

Intrusion Detection Issues Presented by Deepa Srinivasan CSE581, Winter 2002, OGI

Papers on this topic • Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection(Jan ‘98) • Network Intrusion Detection: Evasion, Traffic Normalization and End - End semantics (‘01) • IP Fragmentation and fragrouter (Dec ‘00) • An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT(‘01)

Agenda • Introduction to IDS • Some popular IDSs • Problems with IDSs • Normalizer • IP Fragmentation & fragrouter • “Squealing” in SNORT

Introduction to IDS • Intrusion attempt or a threat: potential possibility of a deliberate unauthorized attempt to access/manipulate information, or render a system unreliable or unusable. • Types of IDS • Host-based • Network IDS • Example IDSs • ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

Principles of IDSs Common Intrusion Detection Framework • Event generators • Analysis Engines • Storage Mechanisms • Countermeasures

Principles of IDSs Common Intrusion Detection Framework

Principles of IDSs • Passive monitoring • Signature Analysis • Need for reliable ID • accuracy: false positives and false negatives • “fail-open”: if an attacker disables the IDS, entire network is still accessible • forensic value of information

Fundamental problems of IDSs • Deployed on a different box • Could be on a different network segment • Protocol implementation ambiguities • different protocol stacks have different behavior • NIDS could see a different stream of packets than host

Fundamental problems of IDSs • False positives • incorrectly identify an intrusion when none has occurred • False negatives • incorrectly fail to identify an intrusion that has actually occurred

Attacks on IDSs • Insertion • IDS thinks packets are valid; end system rejects these • Evasion • end system accepts packets that IDS rejects • Denial of Service • resource exhaustion • Examples

Popular problems/attacks • TCP/IP Options fields • TCB Creation/Teardown • TCP Stream Reassembly • IP Fragmentation • overlapping fragments

Specific attacks • Invalid MAC addresses? • Invalid headers • Permissive in receiving, frugal in sending? • Bad IP checksum will be dropped? • IP options • IP TTL ambiguity • Packer received or not?

Specific attacks • Packet size • Packet too large for downstream link? • Source-routed packets • Will destination reject such packets? • Fragment or TCP handshake time-out • Will other parts of fragment/TCB still be at destination? • Overlapping segments • Rewrite old data or not?

Specific attacks • Weird TCP options • Destination might be configured to drop • Old TCP timestamps (PAWS) • Destination might be configured to drop • TCP RSTs with weird sequence numbers • Is connection reset? • Addition of interpreted characters (“^H”) • How does OS interpret?

IP Fragmentation • Allows IP traffic over different network media with different max packet sizes • IP stacks do not handle reassembly well • can lead to DOS (teardrop, jolt2) • Fragrouter • NIDS testing tool • accepts IP packets routed from another system • fragments these packets according to various schemes

Popular problems/attacks • Resource Exhaustion • CPU, Memory, Network Bandwidth • CPU: Data-structure attack via fragments • Memory: Space attack via fragments • Network: Targeted DoS to disrupt TCP reassembly • Abusing reactive IDS • attack to generate false positives • IDS shuts down valid connections, blocks valid traffic etc. • Results in IDS triggering a DOS

IP Fragmentation • Allows IP traffic over different network media with different max packet sizes • IP stacks do not handle reassembly well • can lead to DOS (teardrop, jolt2) • Fragrouter • NIDS testing tool • accepts IP packets routed from another system • fragments these packets according to various schemes

Popular problems/attacks • Resource Exhaustion • CPU, Memory, Network Bandwidth • Abusing reactive IDS • attack to generate false positives • IDS shuts down valid connections, blocks valid traffic etc. • Results in IDS triggering a DOS

Methodology • Black-box testing • PHF attack • exploits a CGI script - phf to gain access to web servers • Software Used • CASL • FreeBSD 2.2 • netcat • tcpdump

Results

Discussion Questions?

Network Intrusion Detection:Traffic Normalization & End-End Protocol Semantics"Transport and Application Protocol Scrubbing"

Recap of previous paper • IDSs are vulnerable to attacks • fundamental problems: • IDS sees different streams than target host • protocol implementation ambiguities

Introduction • Paper introduces concept of “normalizer” • Approach & implementation • Performance

Normalizer

Normalizer • Sits directly in path of traffic into a site • Patch up or normalize the packet stream • Result: same traffic and unambiguous behavior for NIDS and host • Differs from a firewall • Other approaches • host-based IDS, details of intranet, bifurcating analysis

Normalization Tradeoffs • Protection • not meant to but can act as a firewall • Need to preserve End-End Semantics • Impacts end-end performance • Stateholding attack • create excess state than Normalizer can handle • Inbound vs Outbound traffic

Other Considerations • Cold Start • is a “real world” requirement • what happens to existing connections? • Initiate state for connections from trusted network • Attacking the normalizer itself

Systematic Approach • Walk through packet headers of each protocol • Identify what is the “correct” normalization

Example Attack • IP Identifier and stealth port scans

Normalization for this • Solution for patsy • Scramble ids of incoming and outgoing packets • Breaks diagnostic protocols • Solution for victim • Reliable RSTs • Normalizer sends “keep-alive” packet to host to determine if connection was actually closed

Implementation • Code in C - uses libpcap • user-level application • attention to completeness, correctness & performance • Evaluated using trace-driven approach • NetDuDE

Performance • Platform: 1.1GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM • a normalizer implemented in kernel mode (as a click module) could forward traffic at line-speed on bi-directional 100 Mbps link

Discussion Questions?

An Achilles’ Heel to Signature-Based IDS:Squealing False Positives in Snort (‘01)

Introduction • Paper documents attacking Snort using false positives • Snort : open-source, free, lightweight NIDS • Squealing • noise made by pigs during periods of distemperment • Boy cried wolf too many times • additionally, boy may not recognize the wolf when it actually appears!

Attacking Snort • Limitation is not in correctly identifying attacks, but in the ability to suppress false positives • PCP • Tool for generating false positives • packet writing and argument parsing

Squeal Attack types • Noise-masked attacks • diverts attention from a covert attack • Attack misdirection • source of attack is spoofed • Evidence Reputability • Target Conditioning • Statistical Poisoning • when training an IDS

How easy is it? • Using SOCK_RAW • LIBNET, Nemesis • Script-driven tools available (snot, stick, trichinosis)

Proposed Solutions • Adaption • changing the signature-matching algorithms rapidly • State awareness • make IDS have a “context” which checking packets

Conclusions • IDSs have been around for more than a decade • Several fundamental problems identified in IDS • IDSs themselves are vulnerable to attacks • and fail-open • Upcoming paper groups

References • online.securityfocus.com/ids • www.snort.org • www.raid-symposium.org

Intrusion Detection Issues

Intrusion Detection Issues

Presentation Transcript

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection

Intrusion Detection