440 likes | 570 Vues
Detecting Evasion Attack at High Speed without Reassembly. IDS/IPS. IDS is alert administrator if intrusion packet appears IPS is proactive drop intrusion packet Signature-based Both need packet reassembly for string matching IPS need packet normalization for inconsistence.
E N D
IDS/IPS • IDS is alert administrator if intrusion packet appears • IPS is proactive drop intrusion packet • Signature-based • Both need packet reassembly for string matching • IPS need packet normalization for inconsistence
Bottleneck in high speed • 1 million concurrent connections • Avoid early timeout of late fragments • Memory usage increases • Processing time increase
Evasion Attack • Misordered Fragments • Interspersed Chaff • Overlapping Fragments
Challenge • Reassembly and normalization are sufficient to detect all evasions • Packet reassembly and normalization are necessary
Basic Idea • Selected detection • Fast path for normal stream • Slow path for suspicious stream
Three assumption • A modification to TCP receivers • A change in definition of signature detection • A restriction to exact signatures or regular expressions with a fixed exact length
Mechanism • IP Fragments all go to slow path • IP fragments may not contain TCP header • Weak Atomicity • Overlapping segments attack • Split-Detect • Misordered Fragments • Interspersed Chaff
IP Fragments • IP fragments may not contain TCP header
IP Fragments • All go to slow path • But rare
Weak Atomicity • Overlapping segments attack • Dealing with overlapping segments needs large amount space
Weak Atomicity • None of the bytes in a TCP segment that are delivered will be inconsistent with bytes of another TCP segment that are delivered • Overlapping segments attack has no effect
Implement • Maintain a additional overlap buffer • An MSS size worth of the bytes last delivered to the socket buffer • Compare any overlapping bytes with bytes in overlap buffer • If there is inconsistency, reset connection
Advantage • Preventing bad behavior. • Do not need to implement a complete IPS at the end nodes. • Fairly simple to implement. • Allowing current IPS to scale.
Disadvantage • New DOS attack • Use inconsistent data to reset other connection
Split-Detect • Misordered Fragments • Interspersed Chaff
Split-Detct • Split • Break a signature into K equal pieces and arm the fast path to detect any piece • Divert • Divert a TCP flow to the slow path • Fast path detects any pece • Fast path detects small packet or out-of-order behavior
Split • Original signature • signature pieces, 4 bytes per piece • Attacker’s split ATTACK_SIGNATURE ATTA CK_S IGNA TURE ATT AC K_SI GNATUR E
Small packets • Evading piece matching • PayloadSize < 2PieceSize - 1 ATTA CK_S IGNA TURE ATT AC K_SI GNATUR E
Fast Path • Fast Path as a State Machine • State variables • NES (Next Expected Sequence Number, 32 bits) • OOO (Out Of Order since last small packet, Boolean) • length (Length in bytes since last small packet, 7 bits) • count (Count of anomalies, 4 bits) • LUT (Last Update Time, 3 bits) • Starts keeping states when the first small packet sent.
Implement • count: count anomalies • Initialized to 1 when the flow is first placed in the flow table. • On receiving a small packet, increment if • the packet’s sequence number not equal to NES, or • OOO is true, or • length≤ SignatureLength
length: Measures the length for this flow since last received small packet • If the current packet is large, incremented by the payload length. • If the current packet is small, reset to 0.
OOO: A flag that detects out-of-order reception between small packets • If the current packet is large and sequence number is not equal to NES, set to true. • If the current packet is small, reset to false
NES: Next expected in-order TCP segment • Set to s + l • s = current packet sequence number • l = current packet payload length
Slow Path diversion • After state update, the entire flow is diverted to the slow path if • the packet contains a piece of signature. • the anomaly count is equal to K-1. • If the flow is not diverted, the packet is • forwarded normally, and • forwarded to the slow path iff the packet is small.
Slow Path • Additional information indicating whether it is a copy of a forwarded packet, or diverted packet. • If a flow is a diverted flow, it is responsible for deciding whether to forward the packet on to the receiver. • For every flow, it maintains a single version of the reassembled TCP stream. Drop the flow if there is inconsistency. • If a flow is a diverted flow, it looks for the concatenation of pieces 2 to K-1 in the reassembled stream.
Result • Same flow, different parameters • OC-48 Trace
Result • Different flow, the same parameters
Advantage • Speedup 10 times • State compress 20 times
Disadvantage • Modify TCP Client • Detect Almost(S), not S • Not support general regular expression • Small token problem
Comment • New idea for folk theorem • But not practical… • Make up one thing, but loss another