Intrusion Detection Issues Presented by Deepa Srinivasan CSE581, Winter 2002, OGI.

Presentation transcript:

Papers on this topic
Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ‘98)
Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Semantics (‘01)
IP Fragmentation and fragrouter (Dec ‘00)
An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT (‘01)

Agenda
Introduction to IDS
–Some popular IDSs
Problems with IDSs
Normalizer
IP Fragmentation & fragrouter
“Squealing” in SNORT

Introduction to IDS
Intrusion attempt or a threat: potential possibility of a deliberate unauthorized attempt to access/manipulate information, or render a system unreliable or unusable.
Types of IDS
–Host-based
–Network IDS
Example IDSs
–ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

Principles of IDSs
Common Intrusion Detection Framework
–Event generators
–Analysis Engines
–Storage Mechanisms
–Countermeasures

Principles of IDSs Common Intrusion Detection Framework

Principles of IDSs
Passive monitoring
Signature Analysis
Need for reliable ID
–accuracy: false positives and false negatives
–“fail-open”: if an attacker disables the IDS, the entire network is still accessible
–forensic value of information

Fundamental problems of IDSs
Deployed on a different box
Could be on a different network segment
Protocol implementation ambiguities
–different protocol stacks have different behavior
NIDS could see a different stream of packets than the host

Fundamental problems of IDSs
False positives
–incorrectly identify an intrusion when none has occurred
False negatives
–incorrectly fail to identify an intrusion that has actually occurred

Attacks on IDSs
Insertion
–IDS thinks packets are valid; end system rejects these
Evasion
–end system accepts packets that IDS rejects
Denial of Service
–resource exhaustion
Examples

Popular problems/attacks
TCP/IP Options fields
TCB Creation/Teardown
TCP Stream Reassembly
IP Fragmentation
–overlapping fragments

Specific attacks
Invalid MAC addresses?
Invalid headers
–Permissive in receiving, frugal in sending?
–Bad IP checksum will be dropped?
–IP options
IP TTL ambiguity
–Packet received or not?

Specific attacks
Packet size
–Packet too large for downstream link?
Source-routed packets
–Will destination reject such packets?
Fragment or TCP handshake time-out
–Will other parts of fragment/TCB still be at destination?
Overlapping segments
–Rewrite old data or not?

Specific attacks
Weird TCP options
–Destination might be configured to drop
Old TCP timestamps (PAWS)
–Destination might be configured to drop
TCP RSTs with weird sequence numbers
–Is connection reset?
Addition of interpreted characters (“^H”)
–How does OS interpret?

IP Fragmentation
Allows IP traffic over different network media with different max packet sizes
IP stacks do not handle reassembly well
–can lead to DOS (teardrop, jolt2)
Fragrouter
–NIDS testing tool
–accepts IP packets routed from another system
–fragments these packets according to various schemes

Popular problems/attacks
Resource Exhaustion
–CPU, Memory, Network Bandwidth
–CPU: Data-structure attack via fragments
–Memory: Space attack via fragments
–Network: Targeted DoS to disrupt TCP reassembly
Abusing reactive IDS
–attack to generate false positives
–IDS shuts down valid connections, blocks valid traffic etc.
–Results in IDS triggering a DOS

Methodology
Black-box testing
PHF attack
–exploits a CGI script (phf) to gain access to web servers
Software Used
–CASL
–FreeBSD 2.2
–netcat
–tcpdump

Results

Discussion: Questions?

Network Intrusion Detection: Traffic Normalization & End-to-End Protocol Semantics; "Transport and Application Protocol Scrubbing"

Recap of previous paper
–IDSs are vulnerable to attacks
–fundamental problems: IDS sees different streams than the target host; protocol implementation ambiguities

Introduction
Paper introduces concept of “normalizer”
Approach & implementation
Performance

Normalizer

Sits directly in the path of traffic into a site
Patch up or normalize the packet stream
Result: same traffic and unambiguous behavior for NIDS and host
Differs from a firewall
Other approaches
–host-based IDS, details of intranet, bifurcating analysis

Normalization Tradeoffs
Protection
–not meant to, but can act as a firewall
Need to preserve End-to-End Semantics
Impacts end-to-end performance
Stateholding attack
–create more state than the Normalizer can handle
Inbound vs Outbound traffic

Other Considerations
Cold Start
–is a “real world” requirement
–what happens to existing connections?
–Initiate state for connections from trusted network
Attacking the normalizer itself

Systematic Approach
Walk through packet headers of each protocol
Identify what is the “correct” normalization
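The overlap ambiguity from the "Specific attacks" slides (overlapping fragments or segments: rewrite old data or not?) and the normalizer's job of removing it, worked through as an added example. This is not code from the slides or from the papers they summarize: it is a toy byte-stream reassembler with two overlap policies, a comparison of what a NIDS and a host would each match, and an illustrative normalizer that trims later overlapping bytes so both sides rebuild the same stream. The `Segment` type, the policy names, the `normalize` design and the overlapping sample segments are assumptions of this example; the signature string is the PHF request named in the methodology slide.

```python
# Added example, not code from the slides or from the papers they summarize.
# Toy byte-stream reassembly under two overlap policies, plus a normalizer that
# removes the ambiguity before the NIDS and the end host see the stream.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of the first byte within the stream
    data: bytes


# Signature taken from the slides' PHF methodology; the overlapping segments
# below are constructed for this example.
SIGNATURE = b"GET /cgi-bin/phf"
SAMPLE = [
    Segment(0, b"GET /cgi-bin/phf"),   # first copy of bytes 0..15
    Segment(5, b"xgi"),                # overlaps bytes 5..7 with different data
]


def reassemble(segments, policy):
    """Rebuild the stream from possibly overlapping segments.

    policy "favor_old": the byte received first wins.
    policy "favor_new": a later segment overwrites earlier bytes.
    Real stacks differ on this, so a NIDS that picks one policy can see a
    different stream than the host (insertion or evasion).
    """
    assert policy in ("favor_old", "favor_new")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "favor_new" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))  # holes -> NUL


def classify(segments, nids_policy, host_policy, signature=SIGNATURE):
    """Compare what the NIDS and the host would match on the same packets."""
    nids_sees = signature in reassemble(segments, nids_policy)
    host_sees = signature in reassemble(segments, host_policy)
    if nids_sees and not host_sees:
        return "insertion"   # IDS accepts data the end system discards
    if host_sees and not nids_sees:
        return "evasion"     # end system accepts data the IDS discards
    return "agree"


def normalize(segments):
    """Normalizer: the first copy of every byte is authoritative; later
    overlapping bytes are trimmed from the segment, so whatever overlap policy
    the NIDS or the host uses, both rebuild the same stream.

    Illustrative design, an assumption of this example: it requires the
    normalizer to keep a copy of forwarded bytes, which is the stateholding
    cost the tradeoffs slide mentions.
    """
    forwarded = {}
    out = []
    for seg in segments:
        run_seq, run = None, bytearray()
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in forwarded:
                if run:                       # flush the fresh bytes so far
                    out.append(Segment(run_seq, bytes(run)))
                    run_seq, run = None, bytearray()
                continue
            forwarded[pos] = byte
            if run_seq is None:
                run_seq = pos
            run.append(byte)
        if run:
            out.append(Segment(run_seq, bytes(run)))
    return out


if __name__ == "__main__":
    for nids, host in (("favor_old", "favor_new"), ("favor_new", "favor_old")):
        print(f"raw: NIDS={nids} host={host} -> {classify(SAMPLE, nids, host)}")
        print(f"normalized: -> {classify(normalize(SAMPLE), nids, host)}")
```

On the raw sample, a NIDS that favors old data and a host that favors new data disagree (insertion), and the reverse pairing disagrees the other way (evasion); after `normalize` the second segment is trimmed to nothing and every pairing agrees. The same trimming logic applies to overlapping IP fragments, since the ambiguity is about byte positions, not about which header carried them.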

Example Attack: IP Identifier and stealth port scans

Normalization for this
Solution for patsy
–Scramble ids of incoming and outgoing packets
–Breaks diagnostic protocols
Solution for victim
–Reliable RSTs
–Normalizer sends “keep-alive” packet to host to determine if connection was actually closed
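The "reliable RST" exchange from this slide (and the "TCP RSTs with weird sequence numbers: is connection reset?" question from the earlier attack slides), simulated as an added example. This is not code from the slides or from the normalizer paper: the host models simplified RFC 793 behavior (a RST is honored only when its sequence number is inside the receive window; an out-of-window segment is answered with an ACK while the connection is open and with a RST once it is closed), and the normalizer forwards the RST but drops its own state only after a keep-alive style probe is answered with a RST. The `Pkt`, `Host` and `Normalizer` classes, the window size, the sequence numbers and the packets are constructed for this example.

```python
# Added example, not code from the slides or from the normalizer paper.
# Simulates the "reliable RST" check: the normalizer forwards a RST but only
# discards its own connection state after a keep-alive probe shows the host
# really closed. Sequence numbers, window size and packets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    flags: str   # "RST" or "ACK"
    seq: int


class Host:
    """End host with simplified RFC 793 RST handling:
    a RST is honoured only if its sequence number is inside the receive window;
    any other out-of-window segment is answered with a bare ACK while the
    connection is open, and with a RST once it is closed."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.open = True

    def in_window(self, seq):
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, pkt):
        """Deliver one segment; return the host's reply or None."""
        if not self.open:
            return Pkt("RST", 0)             # closed socket resets anything it gets
        if pkt.flags == "RST":
            if self.in_window(pkt.seq):
                self.open = False            # valid reset: connection closed
            return None                      # RSTs are never acknowledged
        if not self.in_window(pkt.seq):
            return Pkt("ACK", self.rcv_nxt)  # out-of-window segment: re-ACK
        return None


class Normalizer:
    """Sits in the path; tracks the sender's next sequence number so it can
    craft a keep-alive probe (one byte below the host's rcv_nxt)."""

    def __init__(self, host, snd_nxt):
        self.host, self.snd_nxt = host, snd_nxt
        self.state = "ESTABLISHED"

    def from_outside(self, pkt):
        reply = self.host.receive(pkt)       # forward unchanged
        if pkt.flags == "RST":
            self.verify_closed()
        return reply

    def verify_closed(self):
        probe = Pkt("ACK", self.snd_nxt - 1)   # TCP keep-alive style probe
        answer = self.host.receive(probe)
        if answer is not None and answer.flags == "RST":
            self.state = "CLOSED"            # host confirmed the reset
        # any other answer: the host ignored the RST, so keep the state


def naive_nids_state(pkt):
    """A NIDS that trusts every RST: the behaviour the slides call out."""
    return "CLOSED" if pkt.flags == "RST" else "ESTABLISHED"


def run(rst_seq, rcv_nxt=1000, rcv_wnd=100):
    """Return (normalizer state, naive NIDS state, host still open?)."""
    host = Host(rcv_nxt, rcv_wnd)
    norm = Normalizer(host, rcv_nxt)
    rst = Pkt("RST", rst_seq)
    norm.from_outside(rst)
    return norm.state, naive_nids_state(rst), host.open


if __name__ == "__main__":
    print("in-window RST    :", run(1000))  # ('CLOSED', 'CLOSED', False)
    print("out-of-window RST:", run(5000))  # ('ESTABLISHED', 'CLOSED', True)
```

With an in-window RST all three views agree that the connection is gone. With an out-of-window RST the host keeps the connection, the naive NIDS has already torn its state down (and would miss everything that follows), and the probing normalizer keeps its state in step with the host. Newer stacks answer an out-of-window RST with a challenge ACK (RFC 5961) rather than silence, which does not change either outcome here; the probe is an extra packet the host sees, which is exactly the kind of end-to-end semantics cost the tradeoffs slide mentions.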

Implementation
Code in C, uses libpcap
user-level application
attention to completeness, correctness & performance
Evaluated using trace-driven approach
–NetDuDE

Performance
Platform: 1.1GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM
a normalizer implemented in kernel mode (as a click module) could forward traffic at line-speed on a bi-directional 100 Mbps link

Discussion: Questions?

An Achilles’ Heel to Signature-Based IDS: Squealing False Positives in Snort (‘01)

Introduction
Paper documents attacking Snort using false positives
Snort: open-source, free, lightweight NIDS
Squealing
–noise made by pigs during periods of distemperment
Boy cried wolf too many times
–additionally, boy may not recognize the wolf when it actually appears!

Attacking Snort
Limitation is not in correctly identifying attacks, but in the ability to suppress false positives
PCP
–Tool for generating false positives
–packet writing and argument parsing

Squeal Attack types
Noise-masked attacks
–diverts attention from a covert attack
Attack misdirection
–source of attack is spoofed
Evidence Reputability
Target Conditioning
Statistical Poisoning
–when training an IDS

How easy is it?
Using SOCK_RAW
LIBNET, Nemesis
Script-driven tools available (snot, stick, trichinosis)

Proposed Solutions
Adaptation
–changing the signature-matching algorithms rapidly
State awareness
–make the IDS have a “context” while checking packets
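The "state awareness" solution, and the limitation the "Attacking Snort" slide names (the problem is suppressing false positives, not recognizing attacks), shown as an added example. This is not code from the Snort paper or from Snort itself: a stateless signature matcher fires on any packet carrying the signature, while a state-aware matcher tracks the three-way handshake per flow and inspects payload only on connections it saw established, which is what a connection-less spoofed packet from the script-driven tools on the previous slide never has. The `Packet` type, the flow-state names, the addresses, ports and sample traffic are constructed for this example; the signature is the PHF request from the methodology slide.

```python
# Added example, not code from the Snort paper or from Snort itself.
# A stateless signature matcher beside a state-aware one that inspects payload
# only on TCP connections whose three-way handshake it observed. Addresses,
# ports, flags and the sample traffic are constructed for this example.
from dataclasses import dataclass

SIGNATURE = b"GET /cgi-bin/phf"   # the PHF probe used in the slides' methodology


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key so both halves of a connection share state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def stateless_alerts(packets):
    """Fire on any packet carrying the signature, handshake or not."""
    return [i for i, p in enumerate(packets) if SIGNATURE in p.payload]


class StatefulMatcher:
    """Track the handshake per flow; match payload only once ESTABLISHED."""

    def __init__(self):
        self.flows = {}   # flow_key -> "SYN_SEEN" | "SYNACK_SEEN" | "ESTABLISHED"

    def _advance(self, p):
        key = flow_key(p)
        state = self.flows.get(key, "NONE")
        if p.flags == "SYN" and state == "NONE":
            state = "SYN_SEEN"
        elif p.flags == "SYN-ACK" and state == "SYN_SEEN":
            state = "SYNACK_SEEN"
        elif p.flags in ("ACK", "PSH-ACK") and state == "SYNACK_SEEN":
            state = "ESTABLISHED"
        if state != "NONE":
            self.flows[key] = state
        return state

    def alerts(self, packets):
        hits = []
        for i, p in enumerate(packets):
            if self._advance(p) == "ESTABLISHED" and SIGNATURE in p.payload:
                hits.append(i)
        return hits


# Constructed sample: one spoofed, connection-less packet carrying the signature
# (the kind of packet a script-driven false-positive generator emits), then a
# genuine connection that sends the same request after a full handshake.
SAMPLE = [
    Packet("203.0.113.9", 40000, "192.0.2.10", 80, "PSH-ACK", SIGNATURE + b" HTTP/1.0\r\n"),
    Packet("198.51.100.7", 51000, "192.0.2.10", 80, "SYN"),
    Packet("192.0.2.10", 80, "198.51.100.7", 51000, "SYN-ACK"),
    Packet("198.51.100.7", 51000, "192.0.2.10", 80, "ACK"),
    Packet("198.51.100.7", 51000, "192.0.2.10", 80, "PSH-ACK", SIGNATURE + b" HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    print("stateless alerts:", stateless_alerts(SAMPLE))           # [0, 4]
    print("stateful alerts :", StatefulMatcher().alerts(SAMPLE))   # [4]
```

The stateless matcher raises two alerts, one of them the noise packet; the stateful one raises only the alert on the real connection. The price is the per-flow state table (the stateholding concern from the normalizer slides) and the cold-start problem from the same slides: a connection established before the IDS started shows no handshake, so it would never be inspected unless state is seeded for existing connections.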

Conclusions
IDSs have been around for more than a decade
Several fundamental problems identified in IDS
IDSs themselves are vulnerable to attacks
–and fail-open
Upcoming paper groups

References
online.securityfocus.com/ids