Active Mapping: Resisting NIDS Evasion Without Altering Traffic, written by Umesh Shankar (ushankar@cs.berkeley.edu), University of California at Berkeley. Presented by Pei Pei Yan Guo, University of South Carolina.

Presentation Transcript


  1. Active Mapping: Resisting NIDS Evasion Without Altering Traffic, written by Umesh Shankar (ushankar@cs.berkeley.edu), University of California at Berkeley. Presented by Pei Pei Yan Guo, University of South Carolina

  2. Outline • Network Intrusion Detection System (NIDS) • Active Mapping NIDS Implementation • Active Mapping Limitation • Test results • Conclusion

  3. What is NIDS? A NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers. A NIDS is essentially a glorified packet sniffer that matches traffic patterns to pre-defined signatures.

  4. IDS • IDS are now standard equipment for large networks, second only to firewalls • HIDS: $50 to $1000 per host • NIDS: $10,000 to $30,000 • Revenue is estimated at $443.5 million for 2002, compared to $350 million in 2001

  5. IDS classification • Figure from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html

  6. Typical NIDS • Cisco Secure IDS (formerly NetRanger) • Hogwash • Dragon • E-Trust IDS

  7. NIDS Pros and Cons • Pros • Monitors a large amount of network traffic • Versatile: detects DoS, “ping of death”, and all traffic to a target host • A packet dropped by the NIDS does not affect the network connection • Cons • A high volume of traffic will force the NIDS to drop traffic • False negatives and false positives • Can’t detect attacks that enter through back doors of the network • Unable to inspect encrypted packets (VPN, SSH)

  8. Detection Failures • False positive • False negative

  9. Ambiguity of NIDS • The NIDS needs to simulate exactly how the network will react to the traffic • Without information about the local network’s construction, there is ambiguity • Example: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by T. H. Ptacek and T. N. Newsham

  10. Attacks by Ambiguity [figure, labelled “20 Hops”]

  11. Attempts to Eliminate Ambiguity • Traffic normalizer. Drawbacks: 1. performance 2. reliability issues with resource exhaustion 3. it changes the semantics of the stream (e.g. traceroute, path MTU discovery)

  12. Aim of Active Mapping • Aim: 1. to tell which packets will reach the recipient 2. to predict how the recipient will interpret each packet • Active Mapping makes the NIDS context-sensitive

  13. Active Mapping Design Goals • NIDS runtime performance must stay comparable • Mapping should be lightweight • Avoid harming the hosts

  14. Active Mapping Mechanism

  15. What Active Mapping Checks • Hop count • MTU (Maximum Transmission Unit) • TCP RST acceptance • Overlapping and inconsistent IP fragments (handled differently depending on the host’s policy)

  16. “Hop Count” Definition • 1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: Hop count may be used to determine the Time-To-Live for some packets. • 2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.

  17. “MTU” Definition • The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection. The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of the MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB). http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html

  18. TCP RST Acceptance [figure: receiver’s window and packets]

  19. Overlapping and Inconsistent Fragments • Policies: BSD, BSD-right, Linux, First, Last/RFC 791, etc. • E.g. BSD left-trims the later fragment, so the data that arrived first occupies the overlapping bytes
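Slides 10, 15, 16 and 19 together describe two of the checks whose results a profile-aware NIDS uses: the hop count (a fragment whose TTL expires before the host is seen only by the NIDS) and the overlap policy the host applies to inconsistent fragments. The toy model below is an added example, not code from the paper’s Perl prototype or from Bro; it assumes per-byte reassembly, a simplified “bsd” rule (the earlier fragment wins unless the later one starts further left), hypothetical host profiles, and leaves out the slide’s BSD-right and Linux policies.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int  # byte offset in the datagram (toy model: 1-byte units, IP uses 8-byte units)
    data: bytes
    ttl: int     # IP TTL as seen at the NIDS tap

def reassemble(frags, policy):
    """Reassemble fragments in arrival order. On overlap, 'first' keeps the earlier
    fragment, 'last' the later one, and 'bsd' keeps the earlier fragment only when
    its offset is <= the later one's (a later fragment starting further left wins)."""
    buf = {}  # byte position -> (value, offset of the fragment that supplied it)
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                keep_old = {"first": True, "last": False,
                            "bsd": buf[pos][1] <= f.offset}[policy]
                if keep_old:
                    continue
            buf[pos] = (b, f.offset)
    if not buf or any(p not in buf for p in range(max(buf) + 1)):
        return None  # hole left: no datagram is delivered (it times out in practice)
    return bytes(buf[p][0] for p in range(max(buf) + 1))

def host_view(frags, profile):
    """Predict the mapped host's view: drop fragments whose TTL runs out before the
    host (each of profile['hops'] routers decrements TTL and discards it at zero),
    then reassemble with the host's mapped overlap policy."""
    delivered = [f for f in frags if f.ttl > profile["hops"]]
    return reassemble(delivered, profile["policy"])

def naive_view(frags):
    """A NIDS without a profile must guess: assume every packet arrives, policy 'first'."""
    return reassemble(frags, "first")

# Constructed traffic: an insertion fragment whose TTL cannot survive 3 router hops,
# followed by a fragment that overlaps it at the same offset.
FRAGS = [
    Fragment(0, b"GET /", 64),
    Fragment(5, b"index", 2),
    Fragment(5, b"admin", 64),
    Fragment(10, b".html", 64),
]
# Hypothetical profiles as a mapping run would record them.
HOST_A = {"hops": 3, "policy": "bsd"}
HOST_B = {"hops": 1, "policy": "first"}
```

Without a profile the NIDS reads the request as `/index.html`, which matches host B but not host A, where the low-TTL fragment never arrives and the host sees `/admin.html`.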

  20. Limitations and Weaknesses • Active Mapping assumes that all hosts behave in a consistent and predictable way • There are at least 3 sources of non-determinism that can be difficult to simulate precisely in a NIDS: ----- Application-level parameters ----- New semantics ----- Nondeterministic packet drops

  21. Application-Level Parameters • Users can change certain parameters that affect the TCP/IP stack. The parameter data could be delivered as a signal or inline --- Example: the TCP “Urgent” pointer, which marks part of the sequence as important, to be processed without delay

  22. New Semantics • The NIDS must understand the semantics of a stream in order to interpret it correctly • Unknown TCP options can be ignored • The best a NIDS can do is to be updated regularly

  23. Nondeterministic Packet Drops • Two ways packet drops can happen: ---- when routers are saturated or hosts are under heavy traffic ---- Quality of Service guarantees

  24. Timeout • The NIDS must know when a host will time out an IP fragment or TCP segment • An attacker can later retransmit the fragment or segment with different data • Without the timeout, the NIDS cannot tell which copy the host accepted • It is difficult to obtain precise timeout values with active mapping

  25. Dealing with Packet Drops • Partial reconstruction of host state --- if a TCP segment is acknowledged, or a UDP or ICMP request gets a response --- then the request was accepted, using only the packets that preceded the response --- if there is no response, the packets are assumed dropped

  26. Continued • If the NIDS can send a “keep-alive” packet (out of sequence) in real time, it can elicit an ACK that shows the current sequence number • The NIDS can get timeout information from ICMP messages. Not all hosts send these, and they may leak information to attackers, so they should be visible only to the NIDS. (Mapping?)

  27. Practical Considerations (these concerns are not implemented in the prototype) • NAT • DHCP • TCP Wrappers • Attacks on the Active Mapper

  28. NAT (Network Address Translator) • Problems: the NIDS can’t see private addresses if NAT is running inside the monitored site. It is also difficult to detect whether NAT is in use • Solution: each port could be mapped as though it belonged to a separate machine

  29. DHCP • Problems: the DHCP server leases out addresses when clients request them, and leases expire periodically. If integration with the DHCP server is not possible, determining the MAC address is nontrivial • Solution: the mapper could be triggered upon seeing DHCP requests

  30. TCP Wrappers • Problems: some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an Access Control List • Solution: the mapper must be given access

  31. Attacks on the Active Mapper • Problems: an attacker may try to attack the mapping machine; direct internal attacks are the greater concern • Solution: deny all outside requests to the mapper and allow access only from the administrative machines

  32. Prototype Implementation • Implemented in about 2,000 lines of Perl • Ported to Unix and FreeBSD • It requires TCP/IP firewall capability • The Bro NIDS was modified to use Active Mapping profiles; a few hundred lines of C++ were needed

  33. Testing and Results • Observed Active Mapping profiles: out of 4,800+ hosts, 173 gave inconsistent results. 29 of them are printers or routers, and most of those 29 run unknown operating systems. 36 of the 173 hosts had incomplete trials. Only 10 machines yielded conflicting results

  34. Stability of Results • This test checks whether the profiles stayed consistent 5 months later • In the first mapping, 4882 hosts provided nontrivial, consistent results • In the second mapping, 4733 hosts did • 1122 were in the first set but not the second; of those, 880 were in DHCP blocks • 973 were in the second set but not the first; of those, 669 were in DHCP blocks

  35. Mapping Time • Mapping a single host requires 37 seconds • Mapping 16 hosts took 10.1 seconds per host • Mapping 64 hosts took 5.7 seconds per host • Mapping 101 hosts took 5.3 seconds per host • About 5 seconds per host for large-scale mapping • 7 hours for a subnet with 4800 hosts

  36. Mapping Traffic

  37. NIDS Integration Tests • These test that AM indeed produces correct interpretations • First, a synthetic test with ambiguous traffic • Second, a comparison of the original and the AM-modified NIDS on real-world traces

  38. Synthetic Tests • HTTP attack traffic was generated to 8 hosts, with evasion measures added using ‘fragroute’

  39. NIDS’ Performance • Two traces of 500 connections each were used against the 8 hosts • In the first, no connection was modified by fragroute • In the second, connections to 2 of the machines were modified by fragroute, and AM was enabled. The NIDS was actually 15% faster, since it can discard data

  40. Real World Tests • Two tests were performed • The first used non-HTTP traffic gathered during 1 hour at a busy site (100.2M of data, 1.2M packets, 273K connections) • The second used 2 hours of HTTP traffic (137MB, 197k packets, 6379 connections) • Both tests yielded the same results. Execution times were the same; memory usage was 200k higher with AM

  41. When To Scan? • Daily scan: a full class C subnet can be scanned in about 20 min. What happens with a large network? • Remapping can be triggered by any inconsistency between the stored policy and an observed one • On-the-fly mapping is not possible, since many tests take seconds

  42. Conclusion • Active Mapping can reduce the ambiguity of NIDS interpretation • It is better than normalization • There are still many limitations and considerations, and it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity-free NIDS
