Detecting Evasion Attacks at High Speed without Reassembly
IDS/IPS –An IDS alerts the administrator when a packet matching an intrusion signature appears –An IPS proactively drops the intrusion packet –Both are signature-based –Both need TCP packet reassembly for string matching across segment boundaries –An IPS additionally needs packet normalization to remove inconsistencies (e.g. overlapping segments carrying different data)
Bottleneck at high speed –1 million concurrent connections –Reassembly state must be held long enough to avoid early timeout of late fragments –Memory usage increases –Processing time increases
Evasion Attacks –Misordered fragments: the segments carrying the signature are sent out of order, so a detector matching in arrival order never sees the contiguous string –Interspersed chaff: bogus segments that the receiver discards (e.g. bad checksum, TTL too low to reach the receiver) are interleaved with the real ones, so a detector without normalization sees a different stream than the receiver –Overlapping segments: retransmitted segments overlap already-sent bytes with different data, and which version the receiver keeps depends on its OS policy
Challenge –Folk theorem: packet reassembly and normalization are necessary to detect all evasions –They are certainly sufficient, but are they necessary? This paper challenges that assumption
Basic Idea –Selective detection –Fast path, without reassembly, for normal streams –Slow path, with full reassembly and normalization, for suspicious streams
Three assumptions –A modification to TCP receivers (weak atomicity) –A change in the definition of signature detection (detect Almost(S) rather than exactly S) –A restriction to exact signatures, or regular expressions with a fixed exact length
Mechanism –IP fragments all go to the slow path (an IP fragment may not contain the TCP header) –Weak atomicity handles the overlapping-segment attack –Split-Detect handles misordered fragments and interspersed chaff
IP Fragments –An IP fragment may not contain the TCP header, so the fast path cannot classify it –All IP fragments therefore go to the slow path –Acceptable because IP fragmentation is rare in practice
Weak Atomicity –Addresses the overlapping-segment attack –Resolving overlapping segments inside the IPS needs a large amount of state, since every version of the overlapping bytes must be kept
Weak Atomicity (definition) –None of the bytes in a TCP segment that are delivered to the application will be inconsistent with the bytes of another TCP segment that are delivered –Under this rule the overlapping-segment attack has no effect, and the IPS needs to keep only one version of the stream
Implementation –Maintain an additional overlap buffer at the receiver: an MSS's worth of the bytes most recently delivered to the socket buffer –Compare any bytes of an arriving segment that overlap already-delivered data with the bytes in the overlap buffer –If there is an inconsistency, reset the connection
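The receiver-side check described on this slide, as an added example that is not the paper's code nor that of any real TCP stack. It assumes a toy receiver that tracks the next expected byte (rcv_nxt), keeps only the last MSS delivered bytes as the overlap buffer, and holds out-of-order segments until they can be delivered; the class and method names, the tiny MSS and the segment sequence in demo() are constructed for the demonstration.

```python
# Added example (not the paper's code): a toy TCP receiver that enforces
# weak atomicity with an MSS-sized overlap buffer, as described on the slide.
# Sequence numbers, payloads and the tiny MSS in demo() are constructed.

class WeakAtomicityReceiver:
    def __init__(self, isn: int, mss: int = 1460):
        self.mss = mss
        self.rcv_nxt = isn            # next in-order byte the socket expects
        self.delivered = bytearray()  # bytes handed to the socket buffer
        self.overlap = bytearray()    # last MSS delivered bytes (the overlap buffer)
        self.held = {}                # out-of-order segments waiting: seq -> payload
        self.reset = False

    def _consistent(self, seq: int, payload: bytes) -> bool:
        """Bytes of this segment that fall inside the overlap buffer must match it.
        Bytes older than the buffer cannot be checked: that is the 'weak' part."""
        ov_start = self.rcv_nxt - len(self.overlap)
        lo = max(seq, ov_start)
        hi = min(seq + len(payload), self.rcv_nxt)
        if lo >= hi:
            return True
        return payload[lo - seq:hi - seq] == self.overlap[lo - ov_start:hi - ov_start]

    def _deliver(self, seq: int, payload: bytes) -> None:
        new = payload[self.rcv_nxt - seq:]         # only the not-yet-delivered tail
        self.delivered += new
        self.rcv_nxt += len(new)
        self.overlap = (self.overlap + new)[-self.mss:]

    def _abort(self) -> str:
        # Inconsistent overlapping data: the slide's rule is to reset the connection.
        self.reset = True
        self.held.clear()
        return "reset"

    def receive(self, seq: int, payload: bytes) -> str:
        """Returns 'delivered', 'held', 'dup' or 'reset'."""
        if self.reset:
            return "reset"
        if not self._consistent(seq, payload):
            return self._abort()
        if seq > self.rcv_nxt:
            self.held[seq] = payload               # gap before it; re-checked on delivery
            return "held"
        if seq + len(payload) <= self.rcv_nxt:
            return "dup"                           # consistent retransmission, nothing new
        self._deliver(seq, payload)
        # Drain held segments that are now in order, checking each one against
        # what has been delivered in the meantime.
        while True:
            ready = [s for s in self.held if s <= self.rcv_nxt]
            if not ready:
                return "delivered"
            s = min(ready)
            p = self.held.pop(s)
            if not self._consistent(s, p):
                return self._abort()
            if s + len(p) > self.rcv_nxt:
                self._deliver(s, p)


def demo() -> dict:
    r = WeakAtomicityReceiver(isn=1000, mss=8)    # tiny MSS keeps the demo readable
    log = [
        r.receive(1000, b"GET /ind"),   # in order
        r.receive(1004, b"/index"),     # consistent overlap plus two new bytes
        r.receive(1012, b"TP/1"),       # out of order, held
        r.receive(1010, b"HT"),         # fills the gap, held segment drains
        r.receive(1000, b"GET /"),      # older than the overlap buffer: unchecked dup
        r.receive(1012, b"TP/X"),       # inconsistent overlap: connection reset
        r.receive(1016, b"\r\n"),       # connection is gone
    ]
    return {"log": log, "stream": bytes(r.delivered)}
```

The "dup" step shows the price of the MSS-sized buffer: a retransmission that lies entirely before the buffer is accepted unchecked, which is the trade-off for O(MSS) extra state per connection. Out-of-order segments are checked only when they are delivered, which is exactly the definition on the previous slide (delivered bytes against delivered bytes).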
Advantages –Prevents the bad behavior at the receiver itself –No need to implement a complete IPS at the end nodes –Fairly simple to implement –Allows the current IPS design to scale
Disadvantage –New DoS attack: an attacker who can inject a segment with inconsistent data into someone else's connection causes that connection to be reset
Split-Detect –Handles misordered fragments and interspersed chaff
Split-Detect –Split: break a signature into K equal pieces and arm the fast path to detect any single piece –Divert: divert the whole TCP flow to the slow path when the fast path detects any piece, or when it detects small packets or out-of-order behavior
Split –Original signature: ATTACK_SIGNATURE –Signature pieces, 4 bytes per piece: ATTA | CK_S | IGNA | TURE –Attacker's split: ATTA | CK_SIGNATURE; the second packet still contains whole pieces, so the fast path matches
Small packets –Evading piece matching: a packet with PayloadSize < 2·PieceSize − 1 need not contain any whole piece (e.g. ATT | ACK | _SIG | NAT | URE for the signature above), since any 2·PieceSize − 1 consecutive signature bytes always cover one full piece –Such small packets are therefore treated as suspicious
Fast Path as a State Machine –Per-flow state variables: –NES (Next Expected Sequence number, 32 bits) –OOO (Out-Of-Order seen since the last small packet, Boolean) –length (bytes received since the last small packet, 7 bits) –count (count of anomalies, 4 bits) –LUT (Last Update Time, 3 bits) –State for a flow is created only when its first small packet is seen
count –Counts anomalies –Initialized to 1 when the flow is first placed in the flow table –On receiving a small packet, incremented if the packet's sequence number is not equal to NES, or OOO is true, or length ≤ SignatureLength (the small packet could belong to the same signature as the previous one)
length –Measures the bytes received on this flow since the last small packet –If the current packet is large, incremented by its payload length –If the current packet is small, reset to 0
OOO –A flag recording out-of-order reception between small packets –If the current packet is large and its sequence number is not equal to NES, set to true –If the current packet is small, reset to false
NES –Next expected in-order TCP sequence number –Set to s + l, where s is the current packet's sequence number and l is its payload length
Slow path diversion –After the state update, the entire flow is diverted to the slow path if the packet contains a piece of the signature, or the anomaly count reaches K − 1 –If the flow is not diverted, the packet is forwarded normally, and a copy is sent to the slow path iff the packet is small
Slow Path –Each packet arrives with additional information: whether it is a copy of an already-forwarded packet or a diverted packet –For a diverted flow, the slow path decides whether to forward each packet on to the receiver –For every flow it maintains a single version of the reassembled TCP stream (possible because of weak atomicity) –Drops the flow if there is an inconsistency –For a diverted flow it looks for the concatenation of pieces 2 to K − 1 in the reassembled stream, i.e. Almost(S) rather than S
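The fast-path state machine and diversion rules from the preceding slides, together with the slow-path checks on this slide, as an added example that is not the paper's code. It assumes a flow is identified by an opaque id, omits the LUT field (used only to age out flow state), reads "count equal to K − 1" as "count has reached K − 1" (equivalent, since count only increments by one), and uses a constructed signature, flow ids, sequence numbers and payloads in demo().

```python
# Added example (not the paper's code): Split-Detect fast path as a per-flow
# state machine plus a minimal slow path. LUT is omitted; the signature, flow
# ids, sequence numbers and payloads in demo() are constructed.
from dataclasses import dataclass


@dataclass
class FlowState:
    nes: int            # Next Expected Sequence number
    ooo: bool = False   # out-of-order seen since the last small packet
    length: int = 0     # bytes in large packets since the last small packet
    count: int = 1      # anomaly count; 1 when the flow enters the table


class SplitDetect:
    def __init__(self, signature: bytes, k: int):
        assert k >= 3 and len(signature) % k == 0, "demo assumes K >= 3 equal pieces"
        self.signature, self.k = signature, k
        plen = len(signature) // k
        self.pieces = [signature[i:i + plen] for i in range(0, len(signature), plen)]
        self.middle = b"".join(self.pieces[1:-1])   # pieces 2..K-1 (Almost(S))
        self.small_limit = 2 * plen - 1             # payload < this is "small"
        self.flows = {}       # fast-path table: flow id -> FlowState
        self.streams = {}     # slow path: flow id -> {seq: payload}
        self.diverted, self.dropped, self.alerts = set(), set(), set()

    def _has_piece(self, payload: bytes) -> bool:
        return any(p in payload for p in self.pieces)

    def process(self, fid, seq: int, payload: bytes) -> str:
        """Fast path for one segment; returns what was done with it."""
        if fid in self.dropped:
            return "drop"
        if fid in self.diverted:
            return self._slow_path(fid, seq, payload)
        small = len(payload) < self.small_limit
        st = self.flows.get(fid)
        if st is None:
            if not small:                 # no state kept before the first small packet
                return self._divert(fid, seq, payload) if self._has_piece(payload) else "forward"
            st = self.flows[fid] = FlowState(nes=seq + len(payload))
        elif small:                       # count uses the values before the reset
            if seq != st.nes or st.ooo or st.length <= len(self.signature):
                st.count += 1
            st.length, st.ooo, st.nes = 0, False, seq + len(payload)
        else:
            if seq != st.nes:
                st.ooo = True
            st.length += len(payload)
            st.nes = seq + len(payload)
        if self._has_piece(payload) or st.count >= self.k - 1:
            return self._divert(fid, seq, payload)
        if small:                         # forwarded, with a copy to the slow path
            self._slow_path(fid, seq, payload, copy=True)
            return "forward+copy"
        return "forward"

    def _divert(self, fid, seq: int, payload: bytes) -> str:
        self.diverted.add(fid)
        self.flows.pop(fid, None)         # fast-path state is no longer needed
        return self._slow_path(fid, seq, payload)

    def _slow_path(self, fid, seq: int, payload: bytes, copy: bool = False) -> str:
        stream = self.streams.setdefault(fid, {})
        end = seq + len(payload)
        for s, p in stream.items():       # single stream version: overlaps must agree
            lo, hi = max(s, seq), min(s + len(p), end)
            if lo < hi and p[lo - s:hi - s] != payload[lo - seq:hi - seq]:
                self.dropped.add(fid)
                return "drop"
        stream[seq] = payload
        if copy:
            return "copy"
        if any(self.middle in run for run in self._runs(stream)):
            self.alerts.add(fid)
            return "alert"
        return "forward"

    @staticmethod
    def _runs(stream: dict) -> list:
        """Reassemble contiguous runs; gaps left by uncopied large packets stay gaps."""
        runs, cur, end = [], b"", None
        for s in sorted(stream):
            p = stream[s]
            if end is not None and s <= end:
                cur += p[end - s:]
                end = max(end, s + len(p))
            else:
                if cur:
                    runs.append(cur)
                cur, end = p, s + len(p)
        return runs + [cur] if cur else runs


def demo() -> dict:
    sd = SplitDetect(b"ATTACK_SIGNATURE", k=4)   # ATTA|CK_S|IGNA|TURE, small < 7 bytes
    whole = [sd.process("whole", 500, b"ATTACK_SIGNATURE")]
    evade = [sd.process("evade", s, p) for s, p in           # no packet holds a full piece
             [(100, b"ATT"), (103, b"ACK"), (106, b"_SIG"), (110, b"NAT"), (113, b"URE")]]
    benign = [sd.process("benign", s, p) for s, p in         # small packets far apart
              [(1, b"GET / HTTP/1.0\r\n"), (17, b"\r\n"), (19, b"x" * 40), (59, b"\r\n")]]
    retx = [sd.process("retx", 1, b"....ATTA...."), sd.process("retx", 1, b"....ATTX....")]
    return {"whole": whole, "evade": evade, "benign": benign, "retx": retx,
            "alerts": sorted(sd.alerts)}
```

In demo(), the five-small-packet evasion is diverted on its third packet (count reaches K − 1 = 3) and alerted on the fourth, once pieces 2 to K − 1 are contiguous in the slow path's copy of the stream; the benign flow is never diverted because its small packets are separated by more than SignatureLength bytes; and the diverted "retx" flow is dropped when a retransmission disagrees with the stream version already held.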
Results (OC-48 trace) –Same flow, different parameters –Different flows, the same parameters [result plots not reproduced here]
Advantages –Speedup of about 10× –State compression of about 20×
Disadvantages –Requires modifying the TCP client (receiver) –Detects Almost(S), not S –Does not support general regular expressions –Small-token problem: a short signature yields tiny pieces, so many ordinary packets count as small
Comment –A new idea against the folk theorem –But not practical… –Gains one thing, but loses another