
Extensible Architectures for Passive and Active Protocol Interposition


Presentation Transcript


  1. Extensible Architectures for Passive and Active Protocol Interposition Farnam Jahanian Department of EECS University of Michigan http://www.eecs.umich.edu/~farnam (joint work with G.R. Malan, P. Howell, and D. Watson)

  2. Roadmap
  • Motivation
  • Windmill extensible probe
  • Protocol scrubbers
  • Summary

  3. Context (architecture figure; the labelled groups recovered from its layout)
  • Survivable Network Infrastructure / Network Infrastructure: Routers, Name Servers, Critical Services
  • Active Response Capabilities: Protocol Scrubbers, Replication schemes, Countermeasures
  • Anomalous Network Events: Network Attacks, Operational Faults, S/H Failures
  • Coarse and Fine Grained Measurement Tools: Netflow Statistics, Windmill Probes
  • Analysis Engines: Event Aggregation, Data Mining

  4. Protocol Interposition Tools
  • Windmill Measurement Probe:
    • Passive measurement mechanism for on-line reconstruction of the functional and performance behavior of infrastructure and application-level protocols from low-level network traffic
    • Programmable and extensible
  • Protocol Scrubbers:
    • New class of active interposition mechanisms for on-line monitoring and enforcement of network security policies
    • Transparent protection of networking infrastructure such as routers and switches

  5. Windmill Overview
  • An open-architecture programmable tool for passive measurement
  • Infer performance and functional behavior through eavesdropping and on-line state reconstruction
  How does it work?
  • High-speed Packet Filter: extracts the underlying data flows visible from a network vantage point
  • Abstract Protocol Modules: reconstruct higher-level protocols (BGP, RIP, HTTP) from network traffic in real time
  • Experiment Engine: supports dynamically loadable run-time experiments

  6. Windmill Architecture (figure): Packet Flows -> Windmill Packet Filter -> Packet Dispatcher -> Abstract Protocol Modules (IP, UDP, TCP, RIP, BGP, HTTP, ...) -> Experiment Engine (Exp1, Exp2)

  7. Windmill's Features
  • Measure an overloaded, shrink-wrapped system
  • Correlate events from different layers
  • Feedback mechanism for active measurements
  • Data reduction at the measurement point
  • Support for 24x7 measurement
  • Dynamically add/remove concurrent experiments

  8. Windmill Packet Filter (WPF)
  • Allows one-to-many multiplexing
  • Avoids problems with ambiguous filters
  • Dynamically compiled machine language module:
    • Constructs an intermediate DAG representation of the subscriptions
    • Compiles this graph to a native machine language module
    • Installs this module in the probe machine's kernel
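The one-to-many multiplexing of slide 8 in its simplest form, as an added example (not Windmill's own filter code, which is compiled into the FreeBSD kernel). Several experiments subscribe with conjunctions of header-field tests; the subscriptions are merged into one decision tree (a tree-shaped special case of the DAG the slide describes), so each packet is classified once and delivered to every experiment whose tests it satisfies. The experiment names and the packets are constructed for the example; the port numbers are the IANA-assigned ones for BGP, RIP and HTTP.

```python
"""Toy Windmill-style packet dispatcher (added example; not Windmill code).

Each experiment subscribes with a conjunction of header-field tests.
The subscriptions are merged into one decision tree, so every packet is
classified once and handed to all experiments whose tests it satisfies
(one-to-many multiplexing). Packets here are constructed dicts; no
capture or kernel module is involved.
"""

# Fields are tested in a fixed order; that is what lets the subscriptions
# share structure instead of each running its own filter over the packet.
FIELDS = ("proto", "dport")
LEAF = "experiments"  # key holding the subscriber set at the bottom of the tree

# Constructed subscriptions. Port numbers are the IANA-assigned ones for
# BGP (179), RIP (520) and HTTP (80); the experiment names are made up.
SUBSCRIPTIONS = {
    "bgp_monitor": {"proto": "tcp", "dport": 179},
    "rip_monitor": {"proto": "udp", "dport": 520},
    "http_latency": {"proto": "tcp", "dport": 80},
    "tcp_flow_stats": {"proto": "tcp"},          # any TCP, dport is a don't-care
    "all_traffic_counter": {},                   # every packet
}


def build_dispatch_tree(subscriptions):
    """Merge subscriptions into nested dicts.

    Level i is keyed on the value of FIELDS[i], with "*" for a field the
    subscription does not test. The leaf dict maps LEAF to the set of
    experiment names that share that exact test path.
    """
    root = {}
    for name, tests in subscriptions.items():
        node = root
        for field in FIELDS:
            node = node.setdefault(tests.get(field, "*"), {})
        node.setdefault(LEAF, set()).add(name)
    return root


def dispatch(tree, packet):
    """Classify one packet and return the sorted names of all experiments
    that should receive it. Each field is read once; both the exact-value
    branch and the "*" branch are followed at every level."""
    frontier = [tree]
    for field in FIELDS:
        value = packet.get(field)
        frontier = [
            node[key]
            for node in frontier
            for key in (value, "*")
            if key in node
        ]
    matched = set()
    for leaf in frontier:
        matched |= leaf.get(LEAF, set())
    return sorted(matched)


def classify_samples():
    """Run three constructed packets through the tree; returns {label: [experiments]}."""
    tree = build_dispatch_tree(SUBSCRIPTIONS)
    samples = {
        "bgp_session": {"proto": "tcp", "dport": 179},
        "web_request": {"proto": "tcp", "dport": 80},
        "dns_query": {"proto": "udp", "dport": 53},
    }
    return {label: dispatch(tree, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, experiments in classify_samples().items():
        print(f"{label}: {experiments}")
```

Because every subscription is evaluated against the same per-field reads, two experiments cannot see a packet classified inconsistently, which is the "ambiguous filters" problem the slide mentions; a real compiled filter would additionally order and merge the tests for speed and live in the kernel.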

  9. Abstract Protocol Modules
  • Used to reconstruct the target protocol
  • Inverts the protocol stack, drills down
  • Don't run the whole stack on each packet
  • "Opens the hood" on underlying protocols
  • Each module exports its protocol abstraction
  • Semantics taken from the BSD stack

  10. Extensible Experiment Engine
  • Manages the set of concurrent experiments:
    • Add
    • Remove
    • Execute
    • Modify state
  • Provides an interface for storage and dissemination
  • A custom loader dynamically links experiments as they are loaded

  11. Broad Range of Studies Conducted Using Windmill
  • BGP routing protocol congestion collapse - SIGCOMM'98
  • RIP intra-domain routing protocol - OPENSIG'99
  • Overloaded web servers (Microsoft vs. Netscape)
  • Campus network traffic characterization - OPENSIG'99
  • Detection of NMAP scans - UM tech report
  • Space science collaboratory application - SIGCOMM'98

  12. Border Gateway Protocol (BGP) (figure labels: Sprint, MCI)
  • Interdomain protocol between Autonomous Systems at exchange points
  • Routing peers exchange reachability information incrementally using TCP
  • SIGCOMM'97 paper identified major instability and pathological behavior in BGP routing

  13. BGP Congestion Collapse Hypothesis Validated Using Windmill
  • Congestion causes the underlying TCP to back off
  • BGP-level timers expire, causing termination
  • Interaction between BGP and TCP leads to router congestion collapse
  (figure labels: High bandwidth utilization, BGP Instability)

  14. Web Server Experiments
  Demonstrates:
  • Measure an overloaded, shrink-wrapped system
  • No modification of web servers / end hosts
  • Data reduction at the measurement point
  • Support for 24x7 measurement
  • Obtain "hard to get" metrics:
    • TCP connections dropped by the server
    • HTTP connection establishment latency
    • Server's aggregate bandwidth

  15. Web Experimental Apparatus (figure labels: Clients, Windmill, Web Servers: Netscape, Microsoft)

  16. Connections Attempted vs. Established (chart)

  17. Key Challenge
  • Coarse-grained network flow measurement: becoming more common in enterprise routers and switches from vendors
  • Fine-grained measurement technologies: provide packet traces and enable protocol state reconstruction (e.g., packet sniffers, Windmill)
  • Integration of the two technologies has numerous applications in enterprise-wide networks:
    • Traffic characterization
    • Cache and replica placement
    • Denial of service and anomaly detection
    • Backtracing intrusion attacks

  18. Protocol Scrubbers
  • A transparent interposition mechanism for on-line modification of traffic to comply with network security policies
  • Enables protection of critical network infrastructure such as routers, switches and enterprise servers
  • Ability to remove attacks targeted at distinct layers in the protocol stack
  • Placed in front of critical infrastructure, or eventually built into routers and switches

  19. Applications of Protocol Scrubbers
  • Intrusion Detection
  • Firewalls and attack removal
  • Anti-fingerprinting tools
  • Content-based filtering
  • Load-balancing proxies
  • ...
  Scrubber layers (figure): TCP/IP Scrubber (TCP, UDP, IP); Infrastructure Scrubber (BGP, RIP, DNS); Application-level Scrubber (HTTP, FTP)

  20. TCP/IP Protocol Scrubber
  • TCP/IP Protocol Scrubber implementation:
    • Converts potentially ambiguous flows into homogenized, well-behaved flows
    • Maintains a very small amount of state per flow, lighter than a full transport proxy
    • Eliminates insertion and evasion attacks
    • FreeBSD implementation on Pentium; next on Linux!
  • Performance comparable to IP forwarding and much better than a commercial transport-level proxy

  21. Example Domain: Network Intrusion Detection
  • Network ID systems watch traffic
  • Look for malicious use and attacks
  • Don't modify the flow
  • Notify the security administrator upon detection
  • Attackers counter with crud (ambiguous traffic)

  22. Ambiguities in Protocol Implementation
  • Examples from [Ptacek and Newsham '98]:
    • IP TTL attack
    • Packet too large for link without fragmenting
    • DST configured to drop source-routed packets
    • DST may time out fragments differently
    • DST may reassemble fragments differently
    • DST doesn't accept packets with certain options
    • DST may use PAWS and silently discard packets
    • DST may resolve conflicting segments differently
    • DST may not check seqno on RST packets

  23. Example Attack (figure; "012345678" are the sequence positions shown above each reconstruction)
  Packet 1: ?ood url
  NIDS Reconstruction: (empty) -> ?ood url
  End Host Reconstruction: (empty) -> ?ood url

  24. Example Attack (figure; positions 0-8)
  Packet 1: ?ood url.   Packet 2: go blue!!
  NIDS Reconstruction: ?ood url. -> good url.
  End Host Reconstruction: ?ood url. -> go blue!!

  25. TCP/IP Scrubber: Use (figure): External Host (Untrusted) -> Scrubber or Transport Proxy -> Internal Host (Trusted)

  26. How the TCP Scrubber Solves the Previous Example (figure; positions 0-8; U = untrusted side, T = trusted side)
  Packet 1-U: ?ood url.   Packet 2-U: go blue!!   Packet 2-T: good url.
  Scrubber Reconstruction: (empty) -> ?ood url. -> good url
  NIDS Reconstruction: (empty) -> good url.
  End Host Reconstruction: (empty) -> good url.
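The overlapping-segment example of slides 23, 24 and 26 worked through in code, as an added example (not the talk's FreeBSD scrubber). It assumes a reading of the figures: "012345678" are sequence positions and "?" is a byte not yet received, so Packet 1 carries "ood url." at positions 1-8 and Packet 2 carries "go blue!!" at positions 0-8. A monitor that keeps the first copy of overlapping data reassembles "good url." while a host that lets later data overwrite reassembles "go blue!!"; the scrubber remembers what it has already forwarded and rewrites the overlap to match, so every observer on the trusted side reconstructs the same stream. It goes a little beyond the slides by pruning the scrubber's state when the trusted side acknowledges data, which is how the per-flow state stays small.

```python
"""TCP segment reassembly policies and a scrubber that removes the
ambiguity (added example; not the FreeBSD scrubber from the slides).

Assumed reading of the figures: "012345678" are sequence positions and
"?" is a byte not yet received, so Packet 1 is "ood url." at positions
1-8 and Packet 2 is "go blue!!" at positions 0-8.
"""


def reassemble(segments, policy):
    """Rebuild the contiguous byte stream from sequence position 0.

    segments: iterable of (seq, payload_bytes), any order, may overlap.
    policy:   "favor_old" keeps the byte first seen at a position,
              "favor_new" lets a later segment overwrite it.
    """
    stream = {}  # sequence position -> byte value
    for seq, data in segments:
        for i, byte in enumerate(data):
            pos = seq + i
            if policy == "favor_new" or pos not in stream:
                stream[pos] = byte
    out = bytearray()
    pos = 0
    while pos in stream:          # stop at the first hole
        out.append(stream[pos])
        pos += 1
    return bytes(out)


class TcpScrubber:
    """One direction of one flow, untrusted side toward trusted side.

    State is only the bytes forwarded but not yet acknowledged; once the
    trusted side ACKs past a position it can no longer be ambiguous and
    the entry is dropped (the slides' "very small amount of state",
    simplified).
    """

    def __init__(self):
        self.forwarded = {}   # sequence position -> byte already sent onward
        self.acked = 0        # trusted side has acknowledged everything below this

    def scrub(self, seq, data):
        """Return the (seq, payload) to forward, or None to drop the segment.

        Bytes below the ACK point are trimmed; bytes at positions already
        forwarded are replaced with the forwarded copy; new bytes are
        recorded and passed through unchanged.
        """
        if seq + len(data) <= self.acked:
            return None                      # entirely old data, nothing new to deliver
        out = bytearray()
        for i, byte in enumerate(data):
            pos = seq + i
            if pos < self.acked:
                continue                     # trim already-acknowledged prefix
            if pos in self.forwarded:
                out.append(self.forwarded[pos])   # overlap: reuse what was sent before
            else:
                self.forwarded[pos] = byte
                out.append(byte)
        return max(seq, self.acked), bytes(out)

    def acknowledge(self, ackno):
        """Trusted side acknowledged up to (not including) ackno: forget those bytes."""
        self.acked = max(self.acked, ackno)
        for pos in [p for p in self.forwarded if p < self.acked]:
            del self.forwarded[pos]


def demo():
    """Replay the figure's two packets with and without the scrubber.

    Returns the reconstruction each observer ends up with.
    """
    untrusted = [(1, b"ood url."), (0, b"go blue!!")]   # constructed from the figure
    scrubber = TcpScrubber()
    trusted = [scrubber.scrub(seq, data) for seq, data in untrusted]
    return {
        "nids_unscrubbed": reassemble(untrusted, "favor_old"),
        "host_unscrubbed": reassemble(untrusted, "favor_new"),
        "nids_scrubbed": reassemble(trusted, "favor_old"),
        "host_scrubbed": reassemble(trusted, "favor_new"),
    }


if __name__ == "__main__":
    for observer, stream in demo().items():
        print(f"{observer:16s} {stream!r}")
```

Without the scrubber the NIDS and the end host disagree (b"good url." versus b"go blue!!"), which is exactly the gap an insertion or evasion attempt exploits; after scrubbing, Packet 2 leaves toward the trusted side as "good url." and both reassembly policies agree. The scrubber never buffers whole streams: it forwards each segment immediately and keeps only the unacknowledged bytes, the property that makes it lighter than a full transport proxy.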

  27. TCP/IP Scrubber: Micro-benchmarks
  • How does the scrubber affect throughput?
    • Measured at the TCP level using netperf
  • How does the scrubber affect forwarding latency in the kernel?
    • Measured using the Pentium on-chip cycle counter

  28. TCP/IP Scrubber: Macro-benchmarks
  Macro-benchmarks answer two questions:
  • How much overhead does the scrubber add?
    • Increase the number of clients and see how many connections per second we can sustain
  • Does the scrubber treat well-behaved flows adversely?
    • Inject a range of artificial loss into flows to determine gross differences between IP forwarding and scrubbing

  29. TCP/IP Scrubber: Sustainable Connections With No Loss (chart: requests serviced per second, 0-2500, vs. number of concurrent connections, 0-400; series: IP Forwarding, TCP/IP Scrubbing, User space proxy)

  30. TCP/IP Scrubber: Sustainable Connections With Artificial Loss (chart: requests serviced per second, 0-2500, vs. packet loss percentage, 0-10; series: IP Forwarding, Transport Scrubbing)

  31. Infrastructure Protocol Scrubbing
  • A lightweight transparent mechanism for preventing network attacks
  • The scrubber can masquerade as a set of network services
  • Allows protection of infrastructure-level protocols (such as OSPF and BGP)
  • Enabled through a single modification to the socket API; no modification of client or server code
  (figure: Client -> Scrubber -> Set of Servers)

  32. Final Remarks
  • Passive vs. active protocol interposition
  • Coarse-grained vs. fine-grained measurement
  • Open architectures and programmability
  • Future work
