1
Detecting Evasion Attack at High Speed without Reassembly
Presented by
C.W. Hon
K.K. To
26/Mar/2007
2
External attack
[Network diagram: an attacker on the Internet, a DMZ zone with DNS, WEB and MAIL servers, the enterprise switch, internal servers and clients]
3
Internal attack
[Same network diagram, with the attack originating inside the enterprise]
4
IDS/IPS integration
[Same network diagram, showing where the IDS/IPS is integrated]
5
IDS/IPS
IDS – Reactive approach
IPS – Proactive approach
An IPS differs from an IDS in that it takes a proactive approach to attacks, e.g. blocking the packets concerned, rather than a reactive approach, e.g. triggering human intervention.
6
IDS/IPS
• An IPS can be described as a subset of an IDS in which a subset of the rules is enabled with the corresponding action of dropping any packet that matches the rule.
• Note: the false-positive rate must be kept to a minimum.
7
Signature based IDS/IPS
• An IDS/IPS consists of a database of rules.
• Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action.
8
Reassembly
• Both IDS and IPS are required to reassemble TCP flows and IP fragments.
• This ensures that a content string in a rule that is fragmented across packets can still be detected.
9
Normalization
• IPS is required to normalize TCP flows.
• Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker.
10
What is Normalization
[Diagram: IPv4 header layout]
11
IP Normalizations
#    IP Field       Normalization Performed
1    Version        Non-IPv4 packets dropped.
2    Header Len     Drop if hdr_len too small.
3    Header Len     Drop if hdr_len too large.
4    Diffserv       Clear field.
5    ECN            Clear field.
6    Total Len      Drop if tot_len > link layer len.
7    Total Len      Trim if tot_len < link layer len.
8    IP Identifier  Encrypt ID.
9    Protocol       Enforce specific protocols.
-    Protocol       Pass packet to TCP, UDP, ICMP handlers.
10   Frag offset    Reassemble fragmented packets.
11   Frag offset    Drop if offset + len > 64KB.
13   DF             Drop if DF set and offset > 0.
14   Zero flag      Clear.
15   Src addr       Drop if class D or E.
16   Src addr       Drop if MSByte = 127 or 0.
17   Src addr       Drop if 255.255.255.255.
18   Dst addr       Drop if class E.
19   Dst addr       Drop if MSByte = 127 or 0.
20   Dst addr       Drop if 255.255.255.255.
21   TTL            Raise TTL to configured value.
22   Checksum       Verify, drop if incorrect.
23   IP options     Remove IP options.
24   IP options     Zero padding bytes.
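As an added example (not code from the presentation or its authors), the following Python function applies most of the rows of the table above to a raw IPv4 packet: it drops packets with a bad version, header length, total length, checksum, fragment geometry or address, clears the DiffServ/ECN byte and the reserved flag, trims trailing link-layer bytes, raises a low TTL to a configured floor, strips IP options and recomputes the checksum. The rows for ID encryption, protocol enforcement and fragment reassembly are left out. The `build_packet` helper, the 64 TTL floor and the sample addresses are assumptions made for the demonstration.

```python
import ipaddress
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum of a header; 0 means the checksum field present is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def bad_address(addr: int, is_src: bool) -> bool:
    """Rows 15-20: limited broadcast, leading octet 0 or 127, class E; class D only as a source."""
    msb = addr >> 24
    if addr == 0xFFFFFFFF or msb in (0, 127) or msb >= 240:
        return True
    return is_src and 224 <= msb < 240


def normalize_ipv4(frame_payload: bytes, min_ttl: int = 64):
    """Return (normalized_packet, actions); normalized_packet is None when the packet is dropped.
    frame_payload is the IP packet as handed up by the link layer, so len() is the link-layer length."""
    actions = []
    if len(frame_payload) < 20:
        return None, ["drop: truncated header"]
    (vihl, tos, tot_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBHII", frame_payload[:20])
    if vihl >> 4 != 4:
        return None, ["drop: non-IPv4"]
    hdr_len = (vihl & 0x0F) * 4
    if hdr_len < 20:
        return None, ["drop: hdr_len too small"]
    if hdr_len > len(frame_payload) or hdr_len > tot_len:
        return None, ["drop: hdr_len too large"]
    if tot_len > len(frame_payload):
        return None, ["drop: tot_len > link layer len"]
    pkt = frame_payload[:tot_len]                      # row 7: trim link-layer padding
    if tot_len < len(frame_payload):
        actions.append("trim trailing bytes")
    if ipv4_checksum(pkt[:hdr_len]) != 0:              # row 22: verify before trusting any field
        return None, ["drop: bad header checksum"]
    flags, offset = flags_frag >> 13, flags_frag & 0x1FFF
    if offset * 8 + (tot_len - hdr_len) > 65535:       # row 11
        return None, ["drop: offset + len > 64KB"]
    if flags & 0x2 and offset > 0:                     # row 13: DF on a non-first fragment
        return None, ["drop: DF set with non-zero offset"]
    if bad_address(src, True) or bad_address(dst, False):
        return None, ["drop: bad src/dst address"]
    if flags & 0x4:                                    # row 14: reserved ("zero") flag
        actions.append("clear reserved flag")
        flags &= 0x3
    if tos:                                            # rows 4-5: DiffServ and ECN share the TOS byte
        actions.append("clear diffserv/ECN")
        tos = 0
    if ttl < min_ttl:                                  # row 21: configured TTL floor (assumed 64)
        actions.append("raise TTL")
        ttl = min_ttl
    if hdr_len > 20:                                   # row 23: options are dropped with the old header
        actions.append("remove IP options")
    payload = pkt[hdr_len:]
    hdr = struct.pack("!BBHHHBBHII", 0x45, tos, 20 + len(payload), ident,
                      (flags << 13) | offset, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload, actions


def build_packet(payload=b"x" * 8, ttl=64, tos=0, src="10.0.0.1", dst="10.0.0.2",
                 options=b"", flags=0, offset=0, good_checksum=True) -> bytes:
    """Constructed test packet (not captured traffic); options must be a multiple of 4 bytes."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBHII", (4 << 4) | ihl, tos, ihl * 4 + len(payload), 1,
                      (flags << 13) | offset, ttl, 6, 0,
                      int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))) + options
    cksum = ipv4_checksum(hdr) if good_checksum else 0x1234
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:] + payload


if __name__ == "__main__":
    samples = [build_packet(), build_packet(ttl=3, tos=0x10, options=b"\x01" * 4),
               build_packet(src="0.1.2.3"), build_packet(good_checksum=False)]
    for pkt in samples:
        out, why = normalize_ipv4(pkt)
        print("dropped" if out is None else "forwarded (%d bytes)" % len(out), why)
```

The checksum is verified before any other field is acted on, so a forged header cannot steer the normalizer; after options are stripped the header is rebuilt from scratch and its checksum recomputed, which is what lets the IPS and the end host see the same packet.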
12
Bottlenecks in high speed IPS
Search content string
• regular expression
Reassemble and normalize the packets
• 1 million concurrent connections
• Avoid early timeout of late fragments
13
IPS
• As link speed increases, reassembly and normalization in the network require an increasing amount of resources in terms of memory and processing.
[Diagram: bandwidth versus memory and processing requirements]
14
Argument
Folk Theorem
• Reassembly and normalization are sufficient to detect all evasions.
Challenge
• Are packet reassembly and normalization necessary to deal with evasions by attackers?
15
Evasion Attack
• Attackers exploit ambiguities between how the IPS and the end hosts handle packets.
[Diagram: the string "ATTACK SIGNATURE" sent whole, versus split across packets as "ATTA CK SIGN ATURE"]
16
IP Fragments
Problem: not all IP fragments contain a TCP header.
Good news: IP fragments are rare in practice.
Solution: all IP fragments are redirected to the slow path.
17
Types of Evasion Attack
• Misordered Fragments
• Interspersed Chaff
• Overlapping Fragments
- Combine with IP fragmentation
18
Example – Misordered Fragments
• Characteristics
  – Out-of-order segments
  – Segments contain portions of the signature
Arrival sequence: SEQ=13, Data="ACK"; SEQ=10, Data="ATT"
19
Example – Interspersed Chaff
• Characteristics
  – "Noise" or "chaff" segments
  – Some segments with a small TTL
Arrival sequence: SEQ=13, TTL=10, Data="ACK"; SEQ=10, TTL=10, Data="ATT"; SEQ=13, TTL=1, Data="JKL"; ...
20
Example – Overlapping Fragments
• Characteristics
  – Similar to the case of interspersed chaff
  – Signature embedded in arbitrarily large packets
Arrival sequence: SEQ=13, Data="ACK"; SEQ=10, Data="ATTJKL"
21
Basic Idea
- For a high-speed link, e.g. 20 Gbps:
• Not all traffic is attack traffic, yet a classic IPS scans all traffic passing through it.
• Filter out the attack traffic by identifying its characteristics and let good traffic pass through: path diversion.
22
Classic IPS
[Diagram: all traffic passes through the IPS]
23
Path Diversion
[Diagram: flows showing attack characteristics are diverted to a slow path; the rest passes through a fast path]
Proposed Solution
Assumptions
• A small modification to TCP receivers to check for inconsistent transmission: Weak Atomicity.
• A change in the definition of signature detection to allow the start and end of a signature to be missed: Split-Detect.
• A restriction to exact signatures.
25
Weak Atomicity
Definition:
None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered.
26
Weak Atomicity
Implementation
• Maintain a buffer: the Overlap Detect Buffer.
• Store the last MSS-size bytes sent.
• Compare the bytes of each new in-order packet with the bytes in the buffer; deliver it if there is no inconsistency, and reset the connection if an inconsistency is found.
• Costs more space (1 MSS) and more processing (the comparison).
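The Overlap Detect Buffer described above, as an added Python model of a TCP receiver; this is not the presenters' code or the paper's reference implementation. It keeps the last MSS bytes delivered, compares every in-order segment against them and resets the connection on the first mismatch. The queue for out-of-order segments, the initial sequence number and the sample data are assumptions added so that the misordered and overlapping examples from slides 18 and 20 can be replayed; handshake, ACKs and windows are not modelled.

```python
class WeakAtomicityReceiver:
    """Constructed model of a TCP receiver enforcing weak atomicity with an Overlap Detect Buffer."""

    def __init__(self, isn: int, mss: int = 1460):
        self.rcv_nxt = isn        # sequence number of the next in-order byte
        self.mss = mss
        self.odb = b""            # Overlap Detect Buffer: last <= mss delivered bytes, ending at rcv_nxt
        self.pending = {}         # out-of-order segments waiting for the gap to fill: seq -> data
        self.delivered = b""      # what the application has received so far
        self.reset = False

    def _consistent(self, seq: int, data: bytes) -> bool:
        """Compare the part of the segment that overlaps retained bytes with the buffered copy."""
        odb_start = self.rcv_nxt - len(self.odb)
        lo, hi = max(seq, odb_start), min(seq + len(data), self.rcv_nxt)
        if lo >= hi:
            return True           # no overlap with retained bytes (or older than the buffer keeps)
        return data[lo - seq:hi - seq] == self.odb[lo - odb_start:hi - odb_start]

    def receive(self, seq: int, data: bytes) -> str:
        """Outcome after this segment and any queued segments it releases:
        'reset', 'queued', 'delivered' or 'duplicate'."""
        if self.reset:
            return "reset"
        if seq > self.rcv_nxt:    # gap before it: hold until it becomes in-order
            self.pending[seq] = data
            return "queued"
        status = "duplicate"
        while True:
            if not self._consistent(seq, data):
                self.reset, self.pending = True, {}   # weak atomicity violated: tear the connection down
                return "reset"
            new = data[self.rcv_nxt - seq:]           # bytes beyond what was already delivered
            if new:
                self.delivered += new
                self.rcv_nxt += len(new)
                self.odb = (self.odb + new)[-self.mss:]
                status = "delivered"
            ready = [s for s in self.pending if s <= self.rcv_nxt]
            if not ready:
                return status
            seq = min(ready)
            data = self.pending.pop(seq)              # a held segment is now in order: check it as well


if __name__ == "__main__":
    # Constructed replay of the overlapping-fragments example: "ACK" at 13 arrives first, then "ATTJKL" at 10.
    r = WeakAtomicityReceiver(isn=10)
    print(r.receive(13, b"ACK"), r.receive(10, b"ATTJKL"), r.delivered)
```

Replaying the overlapping-fragments example ends in a reset: the bytes at sequence 13 to 15 were seen both as "ACK" and as "JKL", so the receiver refuses to keep either interpretation. A consistent retransmission (the same bytes sent twice) is delivered normally. The same check is what makes the DoS on slide 28 possible: any party able to inject one inconsistent segment into the window forces the reset.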
27
Weak Atomicity
Advantages
• Prevents bad behaviour.
• No need to implement a complete IPS at the end nodes.
• Fairly simple to implement.
• Allows the current IPS to scale.
28
Weak Atomicity
Disadvantages
• Introduces a new DoS attack: by injecting inconsistent data, an attacker can cause the connection to be reset.
29
Weak Atomicity
What still remains?
The attackers can still:
• Break up an attack signature.
• Send out-of-order fragments.
• Send small-TTL packets, which will never reach the end nodes.
30
Split-Detect
Basic Idea
• Split the signature into K equal pieces.
• Detect any piece in the incoming packets on the fast path.
• Divert a flow to the slow path if
  – the fast path detects any piece, or
  – the fast path detects small packets or out-of-order behaviour.
31
Small Packets
• "Small packet" is defined through the maximum payload size of a packet that contains a portion of the signature but does not contain any complete signature piece.
32
Small Packets
[Diagrams on slides 32 to 35: a signature, its K signature pieces, and the attacker's split of the signature across packets]
• payloadSize < 2 * PieceSize - 1
36
Fast Path
Implementation
• Fast path as a state machine
• State variables:
  – NES (Next Expected Sequence number, 32 bits)
  – OOO (Out Of Order since last small packet, Boolean)
  – length (length in bytes since last small packet, 7 bits)
  – count (count of anomalies, 4 bits)
  – LUT (Last Update Time, 3 bits)
• State is kept for a flow from the moment its first small packet is seen.
37
Fast Path
Implementation
• State update mechanism (NES, OOO, length, count, LUT)
Update of count:
  – Initialized to 1 when the flow is first placed in the flow table.
  – On receiving a small packet, increment if
    • the packet's sequence number is not equal to NES, or
    • OOO is true, or
    • length ≤ SignatureLength.
This counts anomalies.
38
Fast Path
Implementation
• State update mechanism (NES, OOO, length, count, LUT)
Update of length:
  – If the current packet is large, increment by the payload length.
  – If the current packet is small, reset to 0.
This measures the length for this flow since the last received small packet.
39
Fast Path
Implementation
• State update mechanism (NES, OOO, length, count, LUT)
Update of OOO:
  – If the current packet is large and its sequence number is not equal to NES, set to true.
  – If the current packet is small, reset to false.
A flag that detects out-of-order reception between small packets.
40
Fast Path
Implementation
• State update mechanism (NES, OOO, length, count, LUT)
Update of NES:
  – Set to s + l, where s = current packet sequence number and l = current packet payload length.
This reflects the sequence number of the next expected in-order TCP segment.
41
Fast Path
Implementation
• State update mechanism (NES, OOO, length, count, LUT)
Update of LUT:
  – Every packet causes it to be updated to the current time.
42
Fast Path
Implementation
• Slow path diversion
  – After the state update, the entire flow is diverted to the slow path if
    • the packet contains a piece of the signature, or
    • the anomaly count is equal to K-1.
  – If the flow is not diverted, the packet is
    • forwarded normally, and
    • forwarded to the slow path iff the packet is small.
43
Slow Path
Implementation
• Each packet carries additional information indicating whether it is a copy of a forwarded packet or a diverted packet.
• If a flow is a diverted flow, the slow path is responsible for deciding whether to forward the packet on to the receiver.
• For every flow, it maintains a single version of the reassembled TCP stream, and drops the flow if there is an inconsistency.
• If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream.
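The fast-path state machine of slides 36 to 42 together with the slow path of slide 43, as an added Python simulation; this is not the presenters' or the paper's code. It follows the update rules stated on the slides (count, length, OOO, NES, LUT) and the diversion rule (a signature piece seen, or count reaching K-1). The constructed signature "ATTACK_SIGNATURE", K=4, the opaque flow keys, the decision to block a whole flow once Almost(S) appears in its reassembled stream, reassembly limited to the in-order prefix, and the unused expiry of LUT are all assumptions of this example.

```python
class SplitDetectIPS:
    """Constructed simulation of the Split-Detect fast path and a simplified slow path.
    Flows are identified by an opaque key; only TCP payload bytes and sequence numbers are modelled."""

    def __init__(self, signature: bytes, k: int):
        assert k >= 3 and len(signature) % k == 0, "K equal pieces with at least one interior piece"
        self.S, self.K = signature, k
        self.piece_size = len(signature) // k
        self.pieces = [signature[i * self.piece_size:(i + 1) * self.piece_size] for i in range(k)]
        self.almost = b"".join(self.pieces[1:k - 1])     # Almost(S): pieces 2..K-1
        self.small_limit = 2 * self.piece_size - 1        # a payload shorter than this can avoid holding a whole piece
        self.flows = {}        # fast-path flow table: key -> {NES, OOO, length, count, LUT}
        self.diverted = set()  # flows whose every packet now goes through the slow path
        self.streams = {}      # slow-path segment store: key -> {seq: payload}
        self.blocked = set()   # flows dropped by the slow path

    def is_small(self, payload: bytes) -> bool:
        return len(payload) < self.small_limit

    def has_piece(self, payload: bytes) -> bool:
        return any(p in payload for p in self.pieces)

    def process(self, flow, seq: int, payload: bytes, now: int = 0) -> str:
        """Fast-path entry point; returns 'forwarded' or 'dropped' for this packet."""
        if flow in self.blocked:
            return "dropped"
        if flow in self.diverted:
            return self.slow_path(flow, seq, payload, diverted=True)
        small = self.is_small(payload)
        st = self.flows.get(flow)
        if st is None:
            if small:   # state is kept from the first small packet; count starts at 1
                st = self.flows[flow] = {"NES": seq + len(payload), "OOO": False,
                                         "length": 0, "count": 1, "LUT": now}
        else:
            if small:
                # anomaly: a small packet that is out of order, follows out-of-order large packets,
                # or follows less than a signature's worth of in-order large data
                if seq != st["NES"] or st["OOO"] or st["length"] <= len(self.S):
                    st["count"] += 1
                st["length"], st["OOO"] = 0, False
            else:
                if seq != st["NES"]:
                    st["OOO"] = True
                st["length"] += len(payload)
            st["NES"], st["LUT"] = seq + len(payload), now
        if self.has_piece(payload) or (st is not None and st["count"] == self.K - 1):
            self.diverted.add(flow)           # the whole flow moves to the slow path
            self.flows.pop(flow, None)
            return self.slow_path(flow, seq, payload, diverted=True)
        if small:                             # copy of a forwarded packet, so earlier collaborators are on hand
            self.slow_path(flow, seq, payload, diverted=False)
        return "forwarded"

    def slow_path(self, flow, seq: int, payload: bytes, diverted: bool) -> str:
        segs = self.streams.setdefault(flow, {})
        for s, d in segs.items():             # one reassembled version only: an inconsistent overlap drops the flow
            lo, hi = max(s, seq), min(s + len(d), seq + len(payload))
            if lo < hi and d[lo - s:hi - s] != payload[lo - seq:hi - seq]:
                self.blocked.add(flow)
                return "dropped"
        segs[seq] = payload
        if not diverted:
            return "copied"
        if self.almost in self.reassemble(segs):
            self.blocked.add(flow)            # critical packet (and the rest of the flow) dropped
            return "dropped"
        return "forwarded"

    @staticmethod
    def reassemble(segs: dict) -> bytes:
        """In-order prefix of the stored segments, stopping at the first gap."""
        out, nxt = bytearray(), None
        for s in sorted(segs):
            if nxt is None:
                nxt = s
            if s > nxt:
                break
            if s + len(segs[s]) > nxt:
                out += segs[s][nxt - s:]
                nxt = s + len(segs[s])
        return bytes(out)


if __name__ == "__main__":
    ips = SplitDetectIPS(b"ATTACK_SIGNATURE", 4)   # constructed signature; K=4 gives 4-byte pieces
    for seq, data in [(0, b"ATT"), (3, b"ACK"), (6, b"_SI"), (9, b"GNA"), (12, b"TUR"), (15, b"E")]:
        print(seq, data, ips.process("split-flow", seq, data))
```

With K=4 the interior pieces are "CK_S" and "IGNA", so Almost(S) is "CK_SIGNA". A flow that sends the signature in 3-byte segments never exposes a whole piece, but its third consecutive small packet raises count to K-1 and diverts the flow; the slow path then drops the packet that completes Almost(S), before the end of the signature reaches the receiver. A flow that sends a small packet, then more than a signature's worth of in-order large data, then another small packet keeps count at 1 and stays on the fast path.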
44
Theorems
Theorem 1: Fast Path Diversion
A TCP connection containing string S in some reassembled stream will be diverted to the slow path before or while processing the critical packet in the fast path.
Further, if prior to diversion, the fast path processed a collaborator of the critical packet, then a copy of the collaborator was sent to the slow path.
45
Theorems
Theorem 2: Slow Path Blocking
A TCP connection containing string S in some reassembled stream will have its critical packet dropped in the slow path (Safety).
Conversely, a TCP connection that does not contain Almost(S) in some reassembly of the connection and has no inconsistent data will not have any packets dropped at the IPS (Liveness).
46
Results
[Slides 46 to 55 are result charts; no text was recoverable from them.]
Advantages
• Speedup: 10 times
• Memory compression: 25-fold (?)
57
Disadvantages
• Need to change the TCP implementation at the end hosts.
• Compares only Almost(S), not S.
• Restricted to exact signatures.
58
~ END ~