Detecting Evasion Attack at High Speed without Reassembly - PowerPoint PPT Presentation

1
Detecting Evasion Attack at High Speed without
Reassembly
Presented by C.W. Hon, K.K. To, 26/Mar/2007
2
External attack
(Diagram) Internet, DMZ zone (DNS, WEB, MAIL servers), enterprise switch, internal servers, clients
3
Internal attack
(Diagram) Internet, DMZ zone (DNS, WEB, MAIL servers), enterprise switch, internal servers, clients
4
IDS/IPS integration
(Diagram) Internet, DMZ zone (DNS, WEB, MAIL servers), enterprise switch, internal servers, clients
5
IDS/IPS
  • IDS: reactive approach
  • IPS: proactive approach
  • IPS differs from IDS in that it takes a
    proactive approach to attacks (e.g. blocking the
    packets concerned) rather than a reactive
    approach (e.g. triggering human intervention).

6
IDS/IPS
  • IPS can be described as a subset of IDS in which
    a subset of the rules is enabled with the
    corresponding action of dropping any packet that
    matches the rule.
  • A minimal false-positive rate is required.

7
Signature based IDS/IPS
  • An IDS/IPS consists of a database of rules.
  • Each rule specifies a predicate on packet
    headers, optionally contains a content string,
    and has an associated action.

8
Reassembly
  • Both IDS and IPS are required to reassemble TCP
    flows and IP fragments.
  • This ensures that a content string in a rule that
    is fragmented across packets can still be
    detected.

9
Normalization
  • IPS is required to normalize TCP flows.
  • Normalization rewrites the data sent in a flow to
    remove inconsistencies that an attacker could
    otherwise exploit.

10
What is Normalization?
(Diagram) IPv4 header

11
IP Normalizations
12
Bottlenecks in high speed IPS
  • Content string search
  • Regular expression matching
  • Reassembling and normalizing the packets
  • 1 million concurrent connections
  • Avoiding early timeout of late fragments

13
IPS
  • As speeds get higher, reassembly and
    normalization in the network require an
    increasing amount of resources in terms of
    memory and processing.

Memory
Bandwidth
Processing
14
Argument
  • Folk theorem
  • Reassembly and normalization are sufficient to
    detect all evasions.
  • Challenge
  • Are packet reassembly and normalization necessary
    to deal with evasions by attackers?

15
Evasion Attack
  • Attackers exploit ambiguities between how the IPS
    and the end hosts handle packets.

(Diagram) ATTACK SIGNATURE split across segments:
ATTA / CK SIGN / ATURE
16
IP Fragments
  • Problem
    - Not all IP fragments contain a TCP header.
  • Good news
    - IP fragmentation is rare in practice.
  • Solution
    - All IP fragments are redirected to the slow
      path.

17
Types of Evasion Attack
  • Misordered fragments
  • Interspersed chaff
  • Overlapping fragments
    - Combined with IP fragmentation

18
Example: Misordered Fragments
SEQ=13, Data="ACK"
SEQ=10, Data="ATT"
Arrival sequence
  • Characteristics
    - Out-of-order segments
    - Each segment contains a portion of the
      signature

19
Example: Interspersed Chaff

SEQ=13, TTL=10, Data="ACK"
SEQ=10, TTL=10, Data="ATT"
SEQ=13, TTL=1, Data="JKL"
Arrival sequence
  • Characteristics
    - Noise or chaff segments
    - Some segments with a small TTL

20
Example: Overlapping Fragments
SEQ=13, Data="ACK"
SEQ=10, Data="ATTJKL"
Arrival sequence
  • Characteristics
    - Similar to the case of interspersed chaff
    - Signature embedded in arbitrarily large
      packets

21
Basic Idea
  • On a high-speed link (e.g. 20 Gbps):
  • Not all traffic is attack traffic; however, the
    classic IPS scans all traffic passing through
    it.
  • Filter out the attack traffic by identifying its
    characteristics, and let good traffic pass
    through: path diversion.

22
Classic IPS
23
Path Diversion
24
Proposed Solution
  • Assumptions
  • A small modification to TCP receivers to check
    for inconsistent transmissions (Weak Atomicity).
  • A change in the definition of signature detection
    to allow the start and end of a signature to be
    missed (Split-Detect).
  • A restriction to exact signatures.

25
Weak Atomicity
  • Definition
  • None of the bytes in a TCP segment that are
    delivered will be inconsistent with bytes of
    another TCP segment that are delivered.

26
Weak Atomicity
  • Implementation
  • Maintain a buffer, the Overlap Detect Buffer.
  • Store the last MSS-size bytes sent.
  • Compare the bytes of new in-order packets with
    the bytes in the buffer; deliver them if there
    is no inconsistency, and reset the connection if
    an inconsistency is found.
  • Takes more space (1 MSS) and more processing
    (comparison).

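The three traces on slides 18-20 and the Overlap Detect Buffer of slide 26 can be tried end to end in the following simulation. It is an added example written for this page, not code from the presenters or the paper: the receiver, the TTL-expiry model with an assumed `hops_to_host` distance between the IPS and the host, and the two toy IPS reassembly policies (`favor_new` true or false) are all constructed here. It shows that a receiver with the overlap check delivers the same bytes for the misordered and chaff traces that an unmodified receiver would, resets on the inconsistent overlap trace that an unmodified receiver accepts silently, and that an IPS choosing either overlap policy can reassemble a different stream than the host sees.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    data: bytes
    ttl: int = 64


class WeakAtomicityReceiver:
    """Receiver-side check from slide 26: keep the last MSS delivered bytes in an
    Overlap Detect Buffer (ODB) and reset if a later segment disagrees with them."""

    def __init__(self, isn: int, mss: int = 1460, check_overlap: bool = True):
        self.rcv_nxt = isn                  # next in-order sequence number expected
        self.mss = mss
        self.check_overlap = check_overlap  # False models an unmodified receiver
        self.delivered = bytearray()        # bytes handed to the application
        self.odb = bytearray()              # last `mss` delivered bytes
        self.odb_start = isn                # sequence number of odb[0]
        self.pending = []                   # (seq, data) segments not yet deliverable
        self.reset = False

    def _consistent(self, seq: int, old: bytes) -> bool:
        """Compare a retransmitted range against the ODB copy of the same bytes."""
        if not self.check_overlap or not old:
            return True
        off = seq - self.odb_start
        if off < 0:
            return True                     # older than one MSS: outside the ODB, not checked
        return bytes(self.odb[off:off + len(old)]) == old

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.odb += data
        if len(self.odb) > self.mss:        # keep only the last MSS bytes
            drop = len(self.odb) - self.mss
            del self.odb[:drop]
            self.odb_start += drop
        self.rcv_nxt += len(data)

    def receive(self, seg: Segment) -> bool:
        """Queue a segment and deliver everything now in order. False once reset."""
        if self.reset:
            return False
        self.pending.append((seg.seq, seg.data))
        while not self.reset:
            ready = [i for i, (s, _) in enumerate(self.pending) if s <= self.rcv_nxt]
            if not ready:
                break
            seq, data = self.pending.pop(min(ready, key=lambda i: self.pending[i][0]))
            old_len = min(len(data), self.rcv_nxt - seq)   # bytes already delivered
            if not self._consistent(seq, data[:old_len]):
                self.reset = True           # inconsistent bytes: tear the connection down
                break
            self._deliver(data[old_len:])
        return not self.reset


def deliver_through_path(segments, receiver, hops_to_host=3):
    """Assumed topology: the IPS sits `hops_to_host` hops before the receiver, so a
    segment whose TTL is not larger than that expires en route (slide 19 chaff)."""
    for seg in segments:
        if seg.ttl > hops_to_host:
            receiver.receive(seg)
    return bytes(receiver.delivered), receiver.reset


def ips_reassemble(segments, isn, favor_new):
    """Toy IPS reassembly policy: on overlap keep the newer or the older bytes."""
    buf = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if favor_new or pos not in buf:
                buf[pos] = b
    return bytes(buf[p] for p in range(isn, isn + len(buf)))


# Constructed traces, copied from slides 18-20 (sequence numbers and payloads as shown there).
MISORDERED = [Segment(13, b"ACK"), Segment(10, b"ATT")]
CHAFF = [Segment(13, b"ACK", ttl=10), Segment(10, b"ATT", ttl=10), Segment(13, b"JKL", ttl=1)]
OVERLAP = [Segment(13, b"ACK"), Segment(10, b"ATTJKL")]

if __name__ == "__main__":
    for name, trace in [("misordered", MISORDERED), ("chaff", CHAFF), ("overlap", OVERLAP)]:
        host = deliver_through_path(trace, WeakAtomicityReceiver(isn=10))
        print(name, "host:", host,
              "ips favor-new:", ips_reassemble(trace, 10, True),
              "ips favor-old:", ips_reassemble(trace, 10, False))
```

For the overlap trace the application has already received "ATTJKL" when the inconsistent "ACK" retransmission is compared against the buffer, which is why the slide's remedy is a connection reset rather than a silent fix; the same comparison is what makes the injected-inconsistency DoS of slide 28 possible.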
27
Weak Atomicity
  • Advantages
  • Prevents bad behavior.
  • No need to implement a complete IPS at the end
    nodes.
  • Fairly simple to implement.
  • Allows the current IPS to scale.

28
Weak Atomicity
  • Disadvantages
  • Introduces a new DoS attack: by injecting
    inconsistent data, an attacker can cause the
    connection to be reset.

29
Weak Atomicity
  • What still remains?
  • The attackers can still:
    - Break up an attack signature.
    - Send out-of-order fragments.
    - Send small-TTL packets, which will never reach
      the end nodes.

30
Split-Detect
  • Basic Idea
  • Split the signature into K equal pieces.
  • Detect any piece in the incoming packets on the
    fast path.
  • Divert a flow to the slow path if
    - the fast path detects any piece, or
    - the fast path detects small packets or
      out-of-order behavior.

31
Small Packets
  • "Small packet" is defined by the maximum payload
    size of a packet that contains a portion of the
    signature but does not contain any whole
    signature piece.

32
Small Packets
  • A signature

33
Small Packets
  • Signature pieces
  • Attacker's split

34
Small Packets
  • Signature pieces
  • Attacker's split

35
Small Packets
  • Signature pieces
  • Attacker's split
  • payloadSize < 2 * PieceSize - 1
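A quick check of the small-packet bound on slide 35, added here as an example (not the presenters' code; `b"ATTACK-SIGNATURE"` is a constructed 16-byte signature): `smallest_safe_payload` brute-forces the shortest payload length for which every substring of the signature of that length contains a whole piece, and the result can be compared with `2 * PieceSize - 1` for several values of K.

```python
def split_signature(sig: bytes, k: int) -> list:
    """Slide 30: cut the signature into K equal pieces (length must divide evenly)."""
    if k < 1 or len(sig) % k:
        raise ValueError("signature length must be a multiple of K")
    p = len(sig) // k
    return [sig[i:i + p] for i in range(0, len(sig), p)]


def is_small(payload_len: int, piece_size: int) -> bool:
    """Slide 35: a 'small' packet may carry signature bytes without a whole piece."""
    return payload_len < 2 * piece_size - 1


def every_window_has_piece(sig: bytes, k: int, window: int) -> bool:
    """Does every `window`-byte substring of the signature contain a whole piece?
    A substring that does not is a payload an attacker could send undetected."""
    pieces = split_signature(sig, k)
    return all(any(p in sig[start:start + window] for p in pieces)
               for start in range(len(sig) - window + 1))


def smallest_safe_payload(sig: bytes, k: int) -> int:
    """Smallest payload length that cannot hold signature bytes without a whole piece."""
    for w in range(1, len(sig) + 1):
        if every_window_has_piece(sig, k, w):
            return w
    return len(sig)


if __name__ == "__main__":
    sig = b"ATTACK-SIGNATURE"          # constructed signature, 16 bytes
    for k in (2, 4, 8):
        p = len(sig) // k
        print(f"K={k} PieceSize={p}: smallest safe payload {smallest_safe_payload(sig, k)}, "
              f"2*PieceSize-1 = {2 * p - 1}")
```

A payload of 2 * PieceSize - 2 bytes starting one byte into the signature straddles two pieces without completing either, which is why the bound cannot be lowered in general; a signature with repeated substrings may pass at a smaller window by coincidence, so the bound is the worst case the fast path has to assume.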

36
Fast Path
  • Implementation
  • Fast path as a state machine
  • State variables
    - NES (Next Expected Sequence number, 32 bits)
    - OOO (Out Of Order since last small packet,
      Boolean)
    - length (length in bytes since last small
      packet, 7 bits)
    - count (count of anomalies, 4 bits)
    - LUT (Last Update Time, 3 bits)
  • State is kept starting from the first small
    packet sent.

37
Fast Path
  • Implementation
  • State update mechanism (NES, OOO, length, count,
    LUT)
  • Update of count
    - Initialized to 1 when the flow is first placed
      in the flow table.
    - On receiving a small packet, incremented if
      - the packet's sequence number is not equal
        to NES, or
      - OOO is true, or
      - length < SignatureLength.
    - Counts anomalies.

38
Fast Path
  • Implementation
  • State update mechanism (NES, OOO, length, count,
    LUT)
  • Update of length
    - If the current packet is large, incremented by
      the payload length.
    - If the current packet is small, reset to 0.
    - Measures the length for this flow since the
      last received small packet.

39
Fast Path
  • Implementation
  • State update mechanism (NES, OOO, length, count,
    LUT)
  • Update of OOO
    - If the current packet is large and its
      sequence number is not equal to NES, set to
      true.
    - If the current packet is small, reset to false.
    - A flag that detects out-of-order reception
      between small packets.

40
Fast Path
  • Implementation
  • State update mechanism (NES, OOO, length, count,
    LUT)
  • Update of NES
    - Set to s + l, where
      s = current packet sequence number,
      l = current packet payload length.
    - Reflects the sequence number of the next
      expected in-order TCP segment.

41
Fast Path
  • Implementation
  • State update mechanism (NES, OOO, length, count,
    LUT)
  • Update of LUT
    - Every packet causes it to be updated to the
      current time.

42
Fast Path
  • Implementation
  • Slow path diversion
  • After the state update, the entire flow is
    diverted to the slow path if
    - the packet contains a piece of the signature,
      or
    - the anomaly count (count) is equal to K-1.
  • If the flow is not diverted, the packet is
    - forwarded normally, and
    - also copied to the slow path iff the packet is
      small.

43
Slow Path
  • Implementation
  • Each packet arrives with additional information
    indicating whether it is a copy of a forwarded
    packet or a diverted packet.
  • If a flow is a diverted flow, the slow path is
    responsible for deciding whether to forward the
    packet on to the receiver.
  • For every flow, it maintains a single version of
    the reassembled TCP stream. Drop the flow if
    there is an inconsistency.
  • If a flow is a diverted flow, it looks for the
    concatenation of pieces 2 to K-1 in the
    reassembled stream.
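The fast-path state machine of slides 36-42 and the slow-path Almost(S) match of slide 43, as an added Python model written for this page (it is not the presenters' or the paper's implementation; the flow ids, the traces and the 16-byte signature are constructed, and the bit widths listed on slide 36 are not emulated). Run against a three-byte split of the signature, which never completes a four-byte piece, it diverts the flow on the third small packet, when count reaches K-1 = 3; an ordinary flow with a small request, a full-size segment and a small trailer stays on the fast path because the large segment pushes `length` past the signature length before the next small packet.

```python
from dataclasses import dataclass


@dataclass
class FlowState:
    """Per-flow fast-path state from slide 36."""
    nes: int             # next expected sequence number
    ooo: bool = False    # out-of-order seen since the last small packet
    length: int = 0      # bytes seen since the last small packet
    count: int = 1       # anomaly count, initialised to 1 on the first small packet
    lut: int = 0         # last update time


class SplitDetectIPS:
    def __init__(self, signature: bytes, k: int):
        if k < 3 or len(signature) % k:
            raise ValueError("need K >= 3 (so Almost(S) is non-empty) and K | len(signature)")
        self.sig = signature
        self.k = k
        self.piece_size = len(signature) // k
        self.pieces = [signature[i:i + self.piece_size]
                       for i in range(0, len(signature), self.piece_size)]
        self.almost = b"".join(self.pieces[1:-1])   # Almost(S): pieces 2 .. K-1
        self.flows = {}                             # flow id -> FlowState
        self.diverted = set()

    def is_small(self, payload: bytes) -> bool:
        return len(payload) < 2 * self.piece_size - 1          # slide 35

    def fast_path(self, flow: str, seq: int, payload: bytes, now: int) -> str:
        """Slides 37-42: update state, then return 'divert', 'forward' or 'forward+copy'."""
        if flow in self.diverted:
            return "divert"                 # the whole flow already lives on the slow path
        small = self.is_small(payload)
        st = self.flows.get(flow)
        if st is None:
            if small:                       # state is kept only from the first small packet
                st = self.flows[flow] = FlowState(nes=seq + len(payload), lut=now)
        else:
            if small:
                if seq != st.nes or st.ooo or st.length < len(self.sig):
                    st.count += 1           # slide 37: anomaly
                st.length = 0               # slide 38
                st.ooo = False              # slide 39
            else:
                if seq != st.nes:
                    st.ooo = True
                st.length += len(payload)
            st.nes = seq + len(payload)     # slide 40
            st.lut = now                    # slide 41
        divert = any(p in payload for p in self.pieces) or \
            (st is not None and st.count >= self.k - 1)       # slide 42
        if divert:
            self.diverted.add(flow)
            self.flows.pop(flow, None)
            return "divert"
        return "forward+copy" if small else "forward"

    def slow_path_match(self, stream: bytes) -> bool:
        """Slide 43: a diverted flow is blocked if Almost(S) appears in its reassembled stream."""
        return self.almost in stream


def run_trace(ips: SplitDetectIPS, flow: str, trace):
    """Feed (seq, payload) pairs in arrival order; packet index doubles as the clock."""
    return [ips.fast_path(flow, seq, data, t) for t, (seq, data) in enumerate(trace)]


# Constructed traces (sequence numbers and payloads invented for this example).
SIGNATURE = b"ATTACK-SIGNATURE"          # 16 bytes, K = 4 -> 4-byte pieces, small = payload < 7
EVASION_TRACE = [(100 + 3 * i, chunk)    # 3-byte split: no packet holds a whole piece
                 for i, chunk in enumerate([b"ATT", b"ACK", b"-SI", b"GNA", b"TUR", b"E"])]
NORMAL_TRACE = [(1, b"GET /"), (6, b"A" * 1460), (1466, b"bye")]
MISORDERED_TRACE = [(13, b"ACK"), (10, b"ATT")]   # slide 18, signature "ATTACK" with K = 3

if __name__ == "__main__":
    ips = SplitDetectIPS(SIGNATURE, 4)
    print("evasion:", run_trace(ips, "evasion", EVASION_TRACE))
    print("normal: ", run_trace(ips, "normal", NORMAL_TRACE))
    print("slow path sees Almost(S):", ips.slow_path_match(b"..ATTACK-SIGNATURE.."))
    print("misordered:", run_trace(SplitDetectIPS(b"ATTACK", 3), "m", MISORDERED_TRACE))
```

`slow_path_match` also returns true for a stream that contains only the middle pieces, such as `b"ZZCK-SIGNAZZ"`; that is the "compares only Almost(S), not S" limitation listed on slide 57, and it is the price of letting the first and last piece be missed in the fast path.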

44
Theorems
  • Theorem 1 (Fast Path Diversion)
  • A TCP connection containing string S in some
    reassembled stream will be diverted to the slow
    path before or while processing the critical
    packet in the fast path. Further, if prior to
    diversion the fast path processed a collaborator
    of the critical packet, then a copy of the
    collaborator was sent to the slow path.

45
Theorems
  • Theorem 2 (Slow Path Blocking)
  • A TCP connection containing string S in some
    reassembled stream will have its critical packet
    dropped in the slow path (Safety).
  • Conversely, a TCP connection that does not
    contain Almost(S) in any reassembly of the
    connection and has no inconsistent data will not
    have any packets dropped at the IPS (Liveness).

46-55
Results (figure slides)
56
Advantages
  • Speedup: 10 times
  • Memory compression: 25-fold (?)

57
Disadvantages
  • Need to change the TCP implementation at the end
    hosts.
  • Compares only Almost(S), not S.
  • Restricted to exact signatures.

58
END