1
Efficient Robust TCP Stream Normalization
  • Mythili Vutukuru
  • Joint work with Hari Balakrishnan and Vern Paxson

2
Network Intrusion Detection Systems
[Diagram: attack traffic ("attack") passing through the IDS; label "Evasion Attacks"]
3
Evasion by Fragmentation
[Diagram: the word "attack" fragmented into segments "at" and "tack" on the way to the IDS]
IDS must parse data stream in order.
4
Evasion by Ambiguity: Inconsistent Retransmissions
[Diagram: low-TTL evasion with segments "at", "junk", "tack"; inconsistent TCP segments "at", "junk", "tack"]
Tools to create such attacks exist.
Makes IDS ineffective.
5
TCP Stream Normalizer
[Diagram: segments "at", "junk", "tack" enter the normalizer; "at", "junk" leave it]
  • Removes ambiguity from network traffic.
  • Detects inconsistent TCP segments.

6
Existing Normalizer Designs
  • Buffer all unacknowledged data.
  • Buffer content hashes of unacknowledged data.
[Diagram: segments "at", "junk", "tack" kept as the hashes H(at), H(junk), H(tack)]
7
Problems With Existing Designs
  • Too much memory.
  • Partial overlaps.
    • 20-30% of retransmits in 5 real-world traces.
    • Caused by repacketization.
  • State exhaustion attacks on the normalizer.
[Diagram: stored hashes H(at), H(junk), H(tack); a partially overlapping retransmit matches none of them ("?")]
8
Related Work
  • Evasion attacks. Ptacek and Newsham, 1998
  • Concept of normalization by storing all unacked
    data. Malan et al., 2000 Handley et al., 2001
  • Buffering hashes of data (without handling
    partial overlaps). Sugawara et al., 2005
    Commercial normalizers
  • Reassembling data streams robustly.
    Dharmapurikar and Paxson, 2005.
  • Normalization for signature matching only.
    Varghese et al., 2006

9
RoboNorm
  • Detects inconsistent TCP retransmissions.
  • Memory efficiency: stores only hashes.
  • Robustness:
    • Handles partial overlaps correctly.
    • Withstands memory exhaustion attacks.

10
RoboNorm Basic Mechanism
[Diagram: original segments 1-100 and 101-200 pass through; the hash store keeps H(1-100) and H(101-200). A retransmitted 101-200 is hashed and compared with the stored H(101-200): equal or not equal. A partial retransmit 51-150 is split at the stored boundaries into 51-100 and 101-150.]
Partial retransmits held back ...
... until fitting segments arrive.
[Diagram: fitting segments 1-50 and 151-200 arrive; the completed ranges are checked against H(1-100) and H(101-200).]
11
Will segments be held forever?
[Diagram: receiver sends ACK1, then ACK101; hash store holds H(1-100), H(101-200); partial retransmits 51-100 and 101-150 held back; segment 1-50; sender retransmits 101-150 again]
Partial retransmits held back.
Sender TCP stalls!!
2 in a thousand connections prone.
12
TCP Stalling: Fixing The Problem
[Diagram: the receiver's ACK101 is promoted to ACK151 toward the sender; hash store holds H(1-100), H(101-200); partial retransmit 101-150 held back; sender sends 151-200]
Partial retransmits held back.
ACK promotion.
Necessary to check partial overlaps.
13
Putting it all together...
[Diagram: DATA and ACK flows pass through RoboNorm, which consists of the hash store and the held retransmits]
Suitable for hardware implementation.
14
Memory Footprint
  • Hash store: segment arrival rate × holding time.
  • Connection table: max concurrent connections.
  • Held retransmits: max concurrent partial overlaps.
15
Memory Footprint: Trace Analysis
2.5 MB on a Gbps link.
10 X less than storing all content.
Up to 66 X in practice.
[Chart: connection table 2 MB, hash store 375 KB, held retransmits 100 KB; breakdown in backup slide 25]
16
RoboNorm
  • Detects inconsistent TCP retransmissions.
  • Memory efficiency: stores only hashes.
  • Robustness:
    • Handles partial overlaps correctly.
    • Withstands memory exhaustion attacks.

17
Memory Exhaustion
[Diagram: RoboNorm memory: hash store and held retransmits]
Goal: an attacker should not be able to consume RoboNorm memory cheaply.
No new vulnerability.
18
Connection Table
[Diagram: 48-byte connection entry; 1-byte state for the SYN/ACK stage; inactive conn]
Save 50% space with 5 min inactivity timer.
  • Init state on first data.
  • Reclaim space for inactive conns.
    • Timeout + Bloom filter.
  • SYN flood.
  • Keep conns idle.
  • Unterminated conns.

19
Connection Table
  • Exhaust connection table memory only by:
    • Opening a large number of conns.
    • Actively sending data on all of them.

No new vulnerability.
20
Hash Store
[Diagram: two adjacent hashes H(X) and H(Y) coalesced into H(XY)]
  • Pick conn with largest (see eviction policy, slide 26):
    • Small segments.
    • Segments stored for long time.
  • Coalesce hashes.
  • Or evict connection if avg segment size large.

21
Hash Store
  • Exhaust hash store memory only by:
    • Sending data in large packets.
    • Clearing packets fast.

Fill hash store only by consuming link bandwidth.
22
Hash Function
  • H_n(X) = (a_n · X + b_n) mod p_n
  • p_n: n-bit prime
  • a_n in {1, ..., p_n − 1}; b_n in {0, ..., p_n − 1}
  • H_n(XY) = H_n(Y) + 2^k (H_n(X) − b_n) mod p_n
  • n = 64 provides sufficient security.
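
The hash of slide 22 and the hold-back check of slide 10, as an added Python example that is not the authors' RoboNorm code: it keeps one hash per unacked byte range, compares a full retransmit directly, holds the hash of a partial retransmit until the held pieces cover the whole stored range, and then combines them with the H_n(XY) identity. The prime p_n, the constants a_n and b_n, the sample stream and the 0-based [start, end) offsets are constructed; k is taken as the bit length of Y (8·|Y|); a real normalizer also buffers the held bytes to forward them later, which is left out here.

```python
# Added example, not the authors' code: composable hash (slide 22) plus the
# hold-back check of partial retransmits (slide 10). Offsets are 0-based
# [start, end); the slides' segment 1-100 is stream[0:100] here.
P = (1 << 61) - 1       # 61-bit Mersenne prime standing in for p_n (constructed)
A = 0x1234567 % P       # constructed a_n in 1..p_n-1
B = 0x89ABCDE % P       # constructed b_n in 0..p_n-1

def H(data: bytes) -> int:
    """H_n(X) = (a_n * X + b_n) mod p_n, with X read as a big-endian integer."""
    return (A * int.from_bytes(data, "big") + B) % P

def coalesce(hx: int, hy: int, ylen: int) -> int:
    """H_n(XY) from the two hashes alone: H(Y) + 2^k (H(X) - b_n) mod p_n, k = 8*|Y|."""
    return (hy + pow(2, 8 * ylen, P) * (hx - B)) % P

class HashStore:
    """Hashes of unacked segments keyed by byte range; partial retransmits are held."""
    def __init__(self):
        self.hashes = {}    # (start, end) -> hash of the original segment
        self.held = {}      # (start, end) -> {piece_start: (piece_end, piece_hash)}

    def original(self, start: int, data: bytes) -> None:
        self.hashes[(start, start + len(data))] = H(data)   # the data itself is not kept

    def retransmit(self, start: int, data: bytes) -> list:
        """One verdict per stored range the retransmit touches: equal, inconsistent, held."""
        verdicts = []
        for (s, e), h in sorted(self.hashes.items()):
            lo, hi = max(s, start), min(e, start + len(data))
            if lo >= hi:
                continue                                    # no overlap with this range
            piece = data[lo - start:hi - start]
            if (lo, hi) == (s, e):                          # full retransmit: compare directly
                verdicts.append("equal" if H(piece) == h else "inconsistent")
                continue
            pieces = self.held.setdefault((s, e), {})
            pieces[lo] = (hi, H(piece))                     # partial overlap: hold its hash
            pos, acc = s, None                              # do held pieces now cover [s, e)?
            while pos in pieces:
                end, ph = pieces[pos]
                acc = ph if acc is None else coalesce(acc, ph, end - pos)
                pos = end
            if pos < e:
                verdicts.append("held")                     # wait for fitting segments
            else:
                del self.held[(s, e)]                       # whole range reassembled
                verdicts.append("equal" if acc == h else "inconsistent")
        return verdicts
```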

23
Conclusion
  • TCP Stream Normalizer design that
  • Is memory efficient.
  • Detects all inconsistent retransmissions.
  • Is robust to state-exhaustion attacks.

24
Backup Slides
25
Memory Footprint Trace Analysis
  • Connection table (2 MB):
    • Peak conns = 34,000
    • Bytes per conn = 48
  • Hash store (375 KB):
    • Avg sgmt hold time = 200 ms
    • Sgmt arrival rate = (1 Gbps / 1000 B)
    • Bytes per hash = 15
  • Held retransmits = 100 KB
  • Total = 2.5 MB
26
Eviction Policy of Hash Store
  • λ_i: avg rate of segment arrival.
  • d_i: avg hold time of segments.
  • s_i: avg segment size.
  • λ_i · d_i: hash memory consumed (cost).
  • λ_i · s_i: bandwidth consumed (benefit).
  • d_i / s_i: cost-to-benefit ratio.
  • Evict conn with largest d_i / s_i.