Published by Prudence Hardy. Modified over 9 years ago.
1
Detecting Evasion Attack at High Speed without Reassembly
2
IDS/IPS
– IDS: alerts the administrator if an intrusion packet appears
– IPS: proactively drops the intrusion packet
– Both are signature-based
– Both need packet reassembly for string matching
– IPS additionally needs packet normalization to resolve inconsistent data across segments
3
Bottleneck at high speed
– 1 million concurrent connections
– Must avoid early timeout of late fragments, so per-connection state is held longer
– Memory usage increases
– Processing time increases
4
Evasion attacks
– Misordered fragments
– Interspersed chaff
– Overlapping fragments
5
Misordered Fragments
6
Interspersed Chaff
7
Overlapping segments
8
Challenge
– Reassembly and normalization are sufficient to detect all evasions
– Packet reassembly and normalization are necessary
9
Basic idea: selective detection
– Fast path for normal streams
– Slow path for suspicious streams
10
Diagram (figure not extracted)
12
Three assumptions
– A modification to TCP receivers
– A change in the definition of signature detection
– A restriction to exact signatures, or regular expressions with a fixed exact length
13
Mechanism
IP fragments all go to the slow path
– IP fragments may not contain the TCP header
Weak atomicity
– Handles the overlapping-segments attack
Split-Detect
– Handles misordered fragments
– Handles interspersed chaff
14
IP fragments
– IP fragments may not contain the TCP header
15
IP fragments
– All go to the slow path
– But IP fragmentation is rare
16
Weak atomicity
– Overlapping-segments attack
– Dealing with overlapping segments needs a large amount of space
17
Weak atomicity
– Definition: none of the bytes in a TCP segment that are delivered will be inconsistent with the bytes of another TCP segment that are delivered
– Under this rule the overlapping-segments attack has no effect
18
Implementation
– Maintain an additional overlap buffer
– It holds an MSS's worth of the bytes last delivered to the socket buffer
– Compare any overlapping bytes of a new segment with the bytes in the overlap buffer
– If there is an inconsistency, reset the connection
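The following is an added example, not the authors' code: a small model of a "weak atomicity" TCP receiver as the slide describes it. The overlap buffer holds the last MSS bytes delivered to the socket buffer; a later segment that overlaps those bytes must agree with them byte for byte, otherwise the connection is reset. The MSS value, the segment interface and the return codes are assumptions made for this illustration; bytes older than the overlap buffer can no longer be checked, which is the "weak" in weak atomicity.

```python
# Added example (not the authors' code): a model of a "weak atomicity" TCP receiver.
# The MSS value, the segment interface and the reset signalling are assumptions.
MSS = 8   # assumed, deliberately tiny so the overlap buffer is easy to follow


class WeakAtomicityReceiver:
    """In-order receiver that keeps an overlap buffer holding the last MSS bytes
    delivered to the socket buffer and resets the connection when a later
    segment overlaps those bytes with different content."""

    def __init__(self, isn=0):
        self.nes = isn                 # next expected sequence number
        self.delivered = bytearray()   # what the application has received
        self.overlap = bytearray()     # last MSS delivered bytes (the overlap buffer)
        self.reset = False             # connection has been reset

    def receive(self, seq, payload):
        """Process one segment; returns 'delivered', 'duplicate', 'future' or 'reset'."""
        if self.reset:
            return "reset"
        end = seq + len(payload)
        if seq > self.nes:
            return "future"            # gap before this data; out-of-order buffering is out of scope here
        if seq < self.nes:
            # The segment overlaps data already delivered. Only the last MSS bytes
            # are still in the overlap buffer, so older bytes cannot be checked
            # (this is the "weak" in weak atomicity).
            buf_start = self.nes - len(self.overlap)
            for s in range(max(seq, buf_start), min(end, self.nes)):
                if payload[s - seq] != self.overlap[s - buf_start]:
                    self.reset = True      # inconsistent overlap -> reset connection
                    return "reset"
        if end <= self.nes:
            return "duplicate"             # nothing new, and the overlap was consistent
        new = payload[self.nes - seq:]     # bytes beyond NES are new
        self.delivered += new
        self.overlap = (self.overlap + new)[-MSS:]
        self.nes = end
        return "delivered"


def demo():
    """Constructed segments: a consistent retransmission is accepted, an
    inconsistent overlap resets the connection."""
    good = WeakAtomicityReceiver()
    r1 = good.receive(0, b"HELLO WO")      # delivered
    r2 = good.receive(8, b"RLD")           # delivered
    r3 = good.receive(8, b"RLD")           # duplicate (consistent overlap)
    r4 = good.receive(9, b"LD!!")          # partial overlap consistent, "!!" delivered
    bad = WeakAtomicityReceiver()
    bad.receive(0, b"HELLO WO")
    bad.receive(8, b"RLD")
    r5 = bad.receive(8, b"XXX")            # overlap disagrees with "RLD" -> reset
    return [r1, r2, r3, r4], bytes(good.delivered), r5, bad.reset


if __name__ == "__main__":
    print(demo())
```

The buffer is only MSS bytes, so a segment overlapping data that is already older than that is accepted without a check; that is the cost the slides accept in exchange for not keeping the whole delivered stream.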
19
Advantages
– Prevents bad behavior
– Does not need a complete IPS at the end nodes
– Fairly simple to implement
– Allows current IPSs to scale
20
Disadvantage
– New DoS attack: injecting inconsistent data into a connection resets it
21
Split-Detect
– Misordered fragments
– Interspersed chaff
22
Split-Detect
Split
– Break a signature into K equal pieces and arm the fast path to detect any piece
Divert
– Divert a TCP flow to the slow path when:
  – the fast path detects any piece
  – the fast path detects small packets or out-of-order behavior
23
Split (figure not extracted; labels: ATTACK_SIGNATURE, ATTA, CK_SIGNATURE)
– Original signature: ATTACK_SIGNATURE
– Signature pieces: 4 bytes per piece
– Attacker's split
24
Small packets (figure not extracted; label: ATTACK_SIGNATURE)
– Evading piece matching: the attacker's packets must satisfy PayloadSize < 2*PieceSize - 1, since a longer run of signature bytes necessarily contains a whole piece
25
Fast path
The fast path is a state machine. State variables:
– NES (Next Expected Sequence number, 32 bits)
– OOO (Out Of Order since last small packet, Boolean)
– length (length in bytes since last small packet, 7 bits)
– count (count of anomalies, 4 bits)
– LUT (Last Update Time, 3 bits)
State is kept only from the first small packet onward.
26
Implementation
count: counts anomalies
– Initialized to 1 when the flow is first placed in the flow table
– On receiving a small packet, incremented if the packet's sequence number is not equal to NES, or OOO is true, or length ≤ SignatureLength
27
length: measures the bytes seen on this flow since the last small packet
– If the current packet is large, incremented by its payload length
– If the current packet is small, reset to 0
28
OOO: a flag that records out-of-order reception between small packets
– If the current packet is large and its sequence number is not equal to NES, set to true
– If the current packet is small, reset to false
29
NES: next expected in-order TCP sequence number
– Set to s + l, where
– s = current packet's sequence number
– l = current packet's payload length
30
Slow-path diversion
– After the state update, the entire flow is diverted to the slow path if:
  – the packet contains a piece of the signature
  – the anomaly count is equal to K-1
– If the flow is not diverted, the packet is forwarded normally, and a copy is sent to the slow path iff the packet is small
31
Slow path
– Each packet arrives with additional information indicating whether it is a copy of a forwarded packet or a diverted packet
– For a diverted flow, the slow path is responsible for deciding whether to forward the packet on to the receiver
– For every flow, it maintains a single version of the reassembled TCP stream
– It drops the flow if there is an inconsistency
– For a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream
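The following is an added example, not the authors' code, covering the Split-Detect slides from "Split" through "Slow path": the signature is cut into K pieces, the fast path runs the NES/OOO/length/count state machine and diverts a flow when a piece is seen or the anomaly count reaches K-1, and the slow path reassembles one version of each flow and looks for pieces 2..K-1. The packet and flow representation, the "small packet" threshold 2*PieceSize-1 (from the small-packets slide), and treating the first small packet as the anomaly that count starts at are assumptions; the traffic samples are constructed, not taken from the OC-48 trace.

```python
# Added example (not the authors' code): a runnable model of the Split-Detect fast
# path and slow path as the slides describe them. The packet/flow representation,
# the "small packet" threshold 2*PieceSize-1, and treating the first small packet
# as the anomaly that count starts at are assumptions made for this illustration.
from dataclasses import dataclass

SIGNATURE = b"ATTACK_SIGNATURE"          # the 16-byte signature used on the slides
K = 4                                    # number of pieces (4 bytes each)
PIECE = len(SIGNATURE) // K
PIECES = [SIGNATURE[i * PIECE:(i + 1) * PIECE] for i in range(K)]
SMALL = 2 * PIECE - 1                    # payload shorter than this is "small" (assumption)
MIDDLE = b"".join(PIECES[1:K - 1])       # pieces 2..K-1: what the slow path searches for


@dataclass
class Packet:
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class FlowState:
    nes: int                # next expected sequence number
    ooo: bool = False       # out-of-order large packet since the last small packet
    length: int = 0         # bytes since the last small packet
    count: int = 1          # anomaly count, 1 when the flow enters the table
    diverted: bool = False


class SlowPath:
    """Keeps one reassembled version of each flow; drops a flow on an inconsistent overlap."""

    def __init__(self):
        self.streams = {}      # flow -> {seq: byte}
        self.dropped = set()

    def receive(self, flow, pkt):
        data = self.streams.setdefault(flow, {})
        for i, b in enumerate(pkt.payload):
            if data.setdefault(pkt.seq + i, b) != b:   # byte already known and differs
                self.dropped.add(flow)

    def stream(self, flow):
        """Contiguous bytes from the lowest sequence number seen (a hole ends it)."""
        data = self.streams.get(flow, {})
        out, s = bytearray(), min(data, default=0)
        while s in data:
            out.append(data[s])
            s += 1
        return bytes(out)

    def detects(self, flow):
        return flow not in self.dropped and MIDDLE in self.stream(flow)


class FastPath:
    """Per-flow state machine from the slides; decides what the slow path sees."""

    def __init__(self, slow):
        self.slow = slow
        self.flows = {}

    def process(self, flow, pkt):
        """Returns 'forward', 'copy' (forwarded, copy to slow path) or 'divert'."""
        small = len(pkt.payload) < SMALL
        st = self.flows.get(flow)
        if st is not None and st.diverted:          # whole flow already on the slow path
            self.slow.receive(flow, pkt)
            return "divert"
        if st is None and small:
            # State is kept only from the first small packet on; it is the anomaly
            # that count starts at, so no increment for this packet (assumption).
            st = self.flows[flow] = FlowState(nes=pkt.seq + len(pkt.payload))
        elif st is not None:
            if small:
                if pkt.seq != st.nes or st.ooo or st.length <= len(SIGNATURE):
                    st.count += 1
                st.length, st.ooo = 0, False
            else:
                if pkt.seq != st.nes:
                    st.ooo = True
                st.length += len(pkt.payload)
            st.nes = pkt.seq + len(pkt.payload)
        has_piece = any(p in pkt.payload for p in PIECES)
        if has_piece or (st is not None and st.count == K - 1):
            if st is None:
                st = self.flows[flow] = FlowState(nes=pkt.seq + len(pkt.payload))
            st.diverted = True
            self.slow.receive(flow, pkt)
            return "divert"
        if small:
            self.slow.receive(flow, pkt)              # copy of a forwarded small packet
            return "copy"
        return "forward"


def run(packets):
    """Feed one flow's constructed packets through both paths; returns (actions, detected)."""
    slow = SlowPath()
    fast = FastPath(slow)
    return [fast.process("f", p) for p in packets], slow.detects("f")


# Constructed traffic (not from the OC-48 trace on the slides)
BENIGN = [Packet(0, b"A" * 100), Packet(100, b"ok\n"), Packet(103, b"B" * 200), Packet(303, b"ok\n")]
ONE_PACKET = [Packet(0, b"GET /" + SIGNATURE + b" HTTP/1.0\r\n")]
SPLIT = [Packet(0, b"AT"), Packet(2, b"TACK"), Packet(6, b"_SIG"), Packet(10, b"NATU"), Packet(14, b"RE")]
MISORDERED = list(reversed(SPLIT))

if __name__ == "__main__":
    for name, pkts in [("benign", BENIGN), ("one packet", ONE_PACKET), ("split", SPLIT), ("misordered", MISORDERED)]:
        print(name, run(pkts))
```

Three things the paragraphs alone do not show: the benign flow with occasional small packets far apart never leaves the fast path (its count stays at 1), a signature carried whole in one packet is diverted immediately because a piece matches, and the split flow, in order or misordered, is diverted on its third small packet when count reaches K-1, after which the slow path finds "CK_SIGNA" (pieces 2..3) in the reassembled stream even though no single packet held a whole piece.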
32
Result: same flow, different parameters (OC-48 trace; figure not extracted)
33
Result (figure not extracted)
37
Result: different flow, the same parameters (figure not extracted)
38
Result (figure not extracted)
42
Advantages
– Speedup: 10 times
– State compression: 20 times
43
Disadvantages
– Requires modifying the TCP client
– Detects Almost(S), not S
– Does not support general regular expressions
– Small-token problem
44
Comment
– A new idea against the folk theorem
– But not practical…
– Makes up for one thing but loses another