Active Mapping: Resisting NIDS Evasion Without Altering Traffic

writen by Umesh Shankarushankar@cs.berkeley.edu

University of California at Berkeley

presented by

Pei Pei Yan Guo

University of South Carolina

Outline

Network Intrusion Detection System (NIDS) Active Mapping NIDS Implementation Active Mapping Limitation Test results Conclusion

What is NIDS?

NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers

A NIDS is essentially a glorified packet sniffer that matches

traffic patterns to pre-defined signatures

IPS

IPS

NIDS

Firewall

Internal Network

IDS

IDS are now standard equipment for large networks second only to firewall

HIDS $50~$1000 per host NIDS $10,000~$30,000 It is estimated to be $443.5 million revenue

for 2002, compare to $350 million in 2001

IDS classification

Figure from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html

Intrusion Detection Approach

Protected System

StructureData SourceBehaviour

after an attackAnalysis Timing

Intrusion Detection System

Anomaly Detection

SignatureDetection

HIDS NIDS Hybrids

Centra-listed System

Distributed System

Agent System

Aduit Trail

Network Packet

System State Analysis (kernel, services, files)

Active IDS

Passive IDS

On-the-fly processing

Internal-based IDS

Typical NIDS

Cisco Secure IDS (formerly NetRanger) Hogwash Dragon E-Trust IDS

NIDS Pros and Cons

Pros– Monitor a large amount of network traffic– Versatile: detects DoS, “ping of death”, all the traffics to a

target host– Dropping packet will not affect network connection

Cons– Higher amount of traffic will force the NIDS drop the traffic– False Negative, False Positive– Can’t detect attack by back doors of the network– Unable to look at encrypted packets (VPN, SSH)

Detection False

False Positive

False Negative False Positive

False Negative

Correct Alert

Ambiguity of NIDS

NIDS needs to simulate exactly what the network will react to the traffic

Without local network construction information, there exits ambiguity

Example: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by T. H. Ptacek and T. N. Newsham

Attacks by Ambiguity

20 Hops

15 Hops 5 Hops

Attempts to Eliminate Ambiguity

Traffic normalizerDrawbacks:

1. performance

2. reliability issue with resource exhaustion

3. changing the semantics of the stream

(e.g. traceroute, path MTU discovery)

Aim of Active Mapping

Aim: 1. to tell which packet will reach recipient

2. to predict the interpretation of the packet by the recipient

Active Mapping makes NIDS context-sensitive

Active Mapping Design Goals

Comparable with runtime performance Mapping should be lightweight Avoid harming the hosts

Active Mapping Mechanism

What Active Mapping Checks

Hop count MTU (Maximum Transmission Unit) TCP RST Acceptance Overlapping and Inconsistent IP Fragments

(different by policies)

“Hop Count” Definition

1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: Hop count may be used to determine the Time-To-Live for some packets.

2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.

“MTU” Definition

The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB).

http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html

TCP RST Acceptance

Receiver’s WindowPackets

Overlapping and Inconsistent Fragments

BSD, BSD-right, Linux, First, Last/RFC791, etc.

Eg. BSD left-trim and first come occupy the digit

Limitation and Weakness

Active Mapping assumes that all hosts behave in consistent and predictable way

There are at least 3 sources of non-determinisms can be difficult to simulate in NIDS precisely

----- Application Level Parameters----- New Semantics----- Nondeterministic Packet Drops

Application Level Parameters

User can change certain parameters that affect TCP/IP stack. The data of parameters could be delivered as signal or inline

--- Example: TCP “Urgent” pointer, which marks part of the sequences as important and processed without delay

New Semantics

NIDS must understand the semantic of a stream in order to interpret correctly

Unknown TCP options can be ignored

The best NIDS can do is to update regularly

Nondeterministic Packet Drops

Two Ways Packet Drop can happen

---- When routers get saturated or hosts are under heavy traffic

---- Quality of Service guarantees

Timeout

The NIDS must know when a host will timeout an IP fragment or TCP segment.

Attacker can later retransmit the fragment or segment with different data

NIDS will not know which is accepted, even it knows which will be accepted

It is difficult to obtain precise timeout value with active mapping

Dealing with packet drops

Partial reconstruction of host state

--- If acknowledgement of TCP Segment of response to UPD or ICMP request

--- then the request is accepted using only packets preceded the response

--- if no response, then packets are dropped

Continued

If NIDS can send “keep alive” packet(out of sequence) in real time, it can elicit an ACK that show current sequence number

NIDS can get timeouts information from ICMP message. Not all hosts send this. And this may leak information to attackers, need to be only seen by NIDS. (Mapping?)

Practical Consideration

Those concerns are not implemented in the prototype

NAT DHCP TCP Wrapper Attacks on the Active Mapper

NAT-Network Address Translator

Problems: NIDS can’t see private addresses, if NAT is running inside the monitored site. It is also difficult to detect if NAT is being used

Solution: Could map each port as though it belonged to a separate machine

DHCP

Problems: DHCP server leases out addresses when clients request them, and leases expire periodically. If Integration with DHCP server is not possible, determining MAC is nontrivial

Solution: The Mapper could be triggered upon seeing DHCP requests

TCP Wrappers

Problems: Some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an Access Control List

Solution: Mapper Must have access

Attacks on the Active Mapper

Problems: Attacker may try to attack mapping machine. There is greater concern for direct internal attacks

Solution: Deny all outside request to the mapper, limit only the administrative machines to have access

Prototype Implementation

Implemented in about 2,000 lines of Perl. Ported to Unix and FreeBSD It requires TCP/IP firewall capability. Modify the Bro NIDS to use Active Mapping

profile. A few hundred lines of C++ were needed

Testing and Results

Observed Active Mapping Profiles

Out of 4,800+ hosts, 173 were giving out inconsistent result. All of 29 of them are printers, routers. Most of the 29 are unknown operating systems, 36 of the 173 hosts have incomplete trials. Only 10 machines yield conflicting results

Stability of Results

This test is to see if the profile stayed consistent 5 month later

In first mapping 4882 hosts provided nontrivial, consistent results

In second mapping, 4733 hosts did. 1122 were in first set, but not second, of those 880

were in DHCP blocks 973 were in second set but on in the first, 669 where

in DHCP blocks

Mapping Time

Mapping a single host requires 37 sec Mapping 16 hosts took 10.1 seconds/host Mapping 64 hosts took 5.7 seconds/host Mapping 101 hosts took 5.3 seconds/host 5 seconds/host for large scale mapping 7 hours for a subnet with 4800 hosts

Mapping Traffic

NIDS Integration Tests

This is to test that AM will indeed produced correct interpretation

First, a synthetic test with ambiguous traffic. Second, a comparison of the original and AM

modified NIDS on real-world traces

Synthetic Tests

HTTP attack traffic were generated to 8 hosts with evasion measures added using ‘fragroute’

NIDS’ Performance

Two trace of 500 connections were used to the 8 hosts

In first, no connection was modified by fragroute

In second, connections to 2 of the machines were modified by fragroute. And AM was enabled. NIDS was actually 15% faster, since it can discard data

Real World Tests

Two tests were performed First one was of a non-HTTP traffic gathered during

1 hour at a busy site(100.2M data, 1.2M packets, 273K connections

Second was a 2 hour HTTP traffic. (137MB, 197k packets, 6379 connections)

Both tests yield same result. Execution time are same, memory usage was 200k higher with AM

When To Scan?

Daily scan – a full class C subnet can be scanned in about 20min. What happens with large network?

Remapping can be triggered by any inconsistency between the stored policy and an observed one

On-the-fly mapping is not possible, since many tests take seconds

Conclusion

Active Mapping can reduce the ambiguity of NIDS interpretation

It is better than Normalization

there are still many limitations and consideration, it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity free NIDS