Intrusion Detection Issues - PowerPoint PPT Presentation

Slides: 43
Provided by: deepasri

1
Intrusion Detection Issues
  • Presented by
  • Deepa Srinivasan
  • CSE581, Winter 2002, OGI

2
Papers on this topic
  • Insertion, Evasion and Denial of Service: Eluding
    Network Intrusion Detection (Jan 98)
  • Network Intrusion Detection: Evasion, Traffic
    Normalization and End-to-End Semantics (01)
  • IP Fragmentation and fragrouter (Dec 00)
  • An Achilles' Heel in Signature-based IDS:
    Squealing False Positives in SNORT (01)

3
Agenda
  • Introduction to IDS
  • Some popular IDSs
  • Problems with IDSs
  • Normalizer
  • IP Fragmentation and fragrouter
  • Squealing in SNORT

4
Introduction to IDS
  • Intrusion (attempt or threat): the potential
    possibility of a deliberate unauthorized attempt
    to access/manipulate information, or render a
    system unreliable or unusable
  • Types of IDS
    • Host-based
    • Network IDS
  • Example IDSs
    • ISS RealSecure, WheelGroup NetRanger, Network
      Flight Recorder, Snort

5
Principles of IDSs
  • Common Intrusion Detection Framework
    • Event generators
    • Analysis engines
    • Storage mechanisms
    • Countermeasures

6
Principles of IDSs
  • Common Intrusion Detection Framework

7
Principles of IDSs
  • Passive monitoring
  • Signature analysis
  • Need for reliable ID
    • accuracy: false positives and false negatives
    • fail-open: if an attacker disables the IDS, the
      entire network is still accessible
    • forensic value of information

8
Fundamental problems of IDSs
  • Deployed on a different box
    • could be on a different network segment
  • Protocol implementation ambiguities
    • different protocol stacks have different behavior
    • NIDS could see a different stream of packets than
      the host

9
Fundamental problems of IDSs
  • False positives
    • incorrectly identify an intrusion when none has
      occurred
  • False negatives
    • incorrectly fail to identify an intrusion that
      has actually occurred

10
Attacks on IDSs
  • Insertion
    • IDS accepts packets as valid; the end system
      rejects them
  • Evasion
    • end system accepts packets that the IDS rejects
  • Denial of service
    • resource exhaustion
  • Examples

11
Popular problems/attacks
  • TCP/IP options fields
  • TCB creation/teardown
  • TCP stream reassembly
  • IP fragmentation
    • overlapping fragments

12
Specific attacks
  • Invalid MAC addresses?
  • Invalid headers
    • permissive in receiving, frugal in sending?
    • bad IP checksum will be dropped?
  • IP options
  • IP TTL ambiguity
    • packet received or not?

13
Specific attacks
  • Packet size
    • packet too large for downstream link?
  • Source-routed packets
    • will destination reject such packets?
  • Fragment or TCP handshake time-out
    • will other parts of fragment/TCB still be at
      destination?
  • Overlapping segments
    • rewrite old data or not?

14
Specific attacks
  • Weird TCP options
    • destination might be configured to drop
  • Old TCP timestamps (PAWS)
    • destination might be configured to drop
  • TCP RSTs with weird sequence numbers
    • is connection reset?
  • Addition of interpreted characters (H)
    • how does the OS interpret?

15
IP Fragmentation
  • Allows IP traffic over different network media
    with different max packet sizes
  • IP stacks do not handle reassembly well
    • can lead to DoS (teardrop, jolt2)
  • Fragrouter
    • NIDS testing tool
    • accepts IP packets routed from another system
    • fragments these packets according to various
      schemes

16
Popular problems/attacks
  • Resource exhaustion
    • CPU, memory, network bandwidth
    • CPU: data-structure attack via fragments
    • Memory: space attack via fragments
    • Network: targeted DoS to disrupt TCP reassembly
  • Abusing reactive IDS
    • attack to generate false positives
    • IDS shuts down valid connections, blocks valid
      traffic, etc.
    • results in the IDS triggering a DoS

19
Methodology
  • Black-box testing
  • PHF attack
    • exploits a CGI script (phf) to gain access to web
      servers
  • Software used
    • CASL
    • FreeBSD 2.2
    • netcat
    • tcpdump

20
Results
21
Discussion
  • Questions?

22
Network Intrusion Detection: Traffic
Normalization and End-to-End Protocol
Semantics ("Transport and Application Protocol
Scrubbing")
23
  • Recap of previous paper: IDSs are vulnerable to
    attacks
  • Fundamental problems
    • IDS sees different streams than the target host
    • protocol implementation ambiguities

24
Introduction
  • Paper introduces concept of normalizer
  • Approach and implementation
  • Performance

25
Normalizer
26
Normalizer
  • Sits directly in the path of traffic into a site
  • Patches up, or normalizes, the packet stream
  • Result: same traffic and unambiguous behavior for
    NIDS and host
  • Differs from a firewall
  • Other approaches
    • host-based IDS, details of intranet, bifurcating
      analysis

27
Normalization Tradeoffs
  • Protection
    • not meant to, but can act as a firewall
  • Need to preserve end-to-end semantics
  • Impacts end-to-end performance
  • Stateholding attack
    • create more state than the normalizer can handle
  • Inbound vs outbound traffic

28
Other Considerations
  • Cold start
    • is a real-world requirement
    • what happens to existing connections?
    • initiate state for connections from the trusted
      network
  • Attacking the normalizer itself

29
Systematic Approach
  • Walk through packet headers of each protocol
  • Identify the correct normalization for each field
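
The overlapping-segment ambiguity from the "Specific attacks" slides ("rewrite old data or not?") and the per-field normalization described here, as an added example that is not from the slides or the normalizer paper: a toy fragment model in which two receiver policies reassemble the same fragments differently, and a normalizer step that trims overlaps so both policies see one stream. Offsets, payloads and the policy names are constructed.

```python
# Added example, not from the slides or the normalizer paper: a toy model of
# the overlapping-fragment ambiguity and the normalizer's fix.
# Fragment = (byte offset, payload); all data below is constructed.
from typing import List, Set, Tuple

Fragment = Tuple[int, bytes]

def reassemble(frags: List[Fragment], favor_new: bool) -> bytes:
    """Reassemble in arrival order. favor_new=True lets a later fragment
    overwrite bytes already received (one stack's behaviour); False keeps
    the first copy seen (another stack's behaviour)."""
    total = max(off + len(data) for off, data in frags)
    buf, seen = bytearray(total), bytearray(total)
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if favor_new or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
    return bytes(buf)

def normalize(frags: List[Fragment]) -> List[Fragment]:
    """Normalizer policy: trim every fragment to the bytes not already covered
    by an earlier fragment, splitting it if a covered region sits in the
    middle. Whatever the receiver's overlap policy, it now sees one stream."""
    covered: Set[int] = set()
    out: List[Fragment] = []
    for off, data in frags:
        start, run = 0, bytearray()
        for i, b in enumerate(data):
            pos = off + i
            if pos in covered:            # overlapping byte: drop it
                if run:
                    out.append((start, bytes(run)))
                    run = bytearray()
                continue
            if not run:
                start = pos
            run.append(b)
            covered.add(pos)
        if run:
            out.append((start, bytes(run)))
    return out

# Constructed stream: the second fragment overlaps bytes 4..7 of the first,
# so a favor-new host and a favor-old NIDS would disagree about the data.
SAMPLE: List[Fragment] = [(0, b"ABCDEFGH"), (4, b"wxyz"), (8, b"IJ")]
```

After `normalize`, the overlapping fragment is dropped entirely and a partially overlapping one is split, so `reassemble` returns the same bytes under either policy.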

30
Example Attack
  • IP Identifier and stealth port scans

31
Normalization for this
  • Solution for the patsy
    • scramble IDs of incoming and outgoing packets
    • breaks diagnostic protocols
  • Solution for the victim
    • reliable RSTs
    • normalizer sends a keep-alive packet to the host to
      determine whether the connection was actually closed

32
Implementation
  • Code in C; uses libpcap
    • user-level application
    • attention to completeness, correctness and
      performance
  • Evaluated using a trace-driven approach
    • NetDuDE

33
Performance
  • Platform: 1.1 GHz AMD Athlon, FreeBSD 4.2, 133 MHz
    SDRAM
  • A normalizer implemented in kernel mode (as a
    Click module) could forward traffic at line speed
    on a bi-directional 100 Mbps link

34
Discussion
  • Questions?

35
An Achilles' Heel to Signature-Based
IDS: Squealing False Positives in Snort (01)
36
Introduction
  • Paper documents attacking Snort using false
    positives
  • Snort: open-source, free, lightweight NIDS
  • Squealing
    • noise made by pigs during periods of
      distemperment
    • the boy who cried wolf too many times
    • additionally, the boy may not recognize the wolf
      when it actually appears!

37
Attacking Snort
  • Limitation is not in correctly identifying
    attacks, but in the ability to suppress false
    positives
  • PCP
    • tool for generating false positives
    • packet writing and argument parsing

38
Squeal Attack types
  • Noise-masked attacks
    • divert attention from a covert attack
  • Attack misdirection
    • source of attack is spoofed
  • Evidence reputability
  • Target conditioning
  • Statistical poisoning
    • when training an IDS

39
How easy is it?
  • Using SOCK_RAW
    • LIBNET, Nemesis
  • Script-driven tools available (snot, stick,
    trichinosis)

40
Proposed Solutions
  • Adaptation
    • changing the signature-matching algorithms
      rapidly
  • State awareness
    • give the IDS a context while checking packets
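
The "state awareness" solution above, as an added example that is not from the Snort paper or from Snort itself: a stateless content matcher fires on every forged packet that carries a rule's pattern, while a matcher that tracks the TCP handshake inspects payload only on flows it saw established, so raw-socket squeal packets from spoofed sources that never complete a handshake produce no alert. The addresses, ports, signature string, `Pkt` model and traffic are all constructed.

```python
# Added example, not from the Snort paper or from Snort: why "state awareness"
# blunts squealing. Stateless matching alerts on any packet carrying a rule's
# content; stateful matching inspects payload only on handshake-completed flows.
# Addresses, ports, signature string and traffic are all constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SIGNATURE = b"RULE-CONTENT-MATCH"  # stand-in for a rule's content pattern
FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S", "SA", "A", "PA"
    payload: bytes = b""

def key(p: Pkt) -> FlowKey: return (p.src, p.sport, p.dst, p.dport)
def rev(k: FlowKey) -> FlowKey: return (k[2], k[3], k[0], k[1])

def stateless_alerts(pkts: List[Pkt]) -> List[FlowKey]:
    """Fires on every packet carrying the pattern, handshake or not."""
    return [key(p) for p in pkts if SIGNATURE in p.payload]

class StatefulMatcher:
    """Tracks the 3-way handshake; payload is matched only on flows seen to complete it."""
    def __init__(self) -> None:
        self.syn: Set[FlowKey] = set()
        self.synack: Set[FlowKey] = set()
        self.established: Set[FlowKey] = set()
    def feed(self, p: Pkt) -> Optional[FlowKey]:
        k = key(p)
        if p.flags == "S":
            self.syn.add(k)
        elif p.flags == "SA" and rev(k) in self.syn:
            self.synack.add(rev(k))  # keyed by the client side, awaiting its ACK
        elif p.flags == "A" and k in self.synack:
            self.established.update({k, rev(k)})
        return k if k in self.established and SIGNATURE in p.payload else None
    def alerts(self, pkts: List[Pkt]) -> List[FlowKey]:
        return [k for k in map(self.feed, pkts) if k is not None]

C, S = "10.0.0.5", "192.0.2.10"  # constructed client and server
TRAFFIC: List[Pkt] = [
    Pkt(C, 40000, S, 80, "S"), Pkt(S, 80, C, 40000, "SA"), Pkt(C, 40000, S, 80, "A"),
    Pkt(C, 40000, S, 80, "PA", b"GET /x " + SIGNATURE),  # real hit on a live flow
] + [Pkt(f"198.51.100.{i}", 1000 + i, S, 80, "PA", SIGNATURE) for i in range(3)]  # squeals
```

On the constructed traffic the stateless matcher raises four alerts and the stateful one raises only the alert on the real connection; the cost of squealing then rises from forging raw packets to completing handshakes from real addresses, which is what the slide's "context" buys.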

41
Conclusions
  • IDSs have been around for more than a decade
  • Several fundamental problems identified in IDSs
  • IDSs themselves are vulnerable to attacks
    • and fail open
  • Upcoming paper groups

42
References
  • online.securityfocus.com/ids
  • www.snort.org
  • www.raid-symposium.org