active mapping: resisting nids evasion without altering traffic writen by umesh shankar...
TRANSCRIPT
Active Mapping: Resisting NIDS Evasion Without Altering Traffic
writen by Umesh [email protected]
University of California at Berkeley
presented by
Pei Pei Yan Guo
University of South Carolina
Outline
Network Intrusion Detection System (NIDS) Active Mapping NIDS Implementation Active Mapping Limitation Test results Conclusion
What is NIDS?
NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers
A NIDS is essentially a glorified packet sniffer that matches
traffic patterns to pre-defined signatures
IPS
IPS
NIDS
Firewall
Internal Network
IDS
IDS are now standard equipment for large networks second only to firewall
HIDS $50~$1000 per host NIDS $10,000~$30,000 It is estimated to be $443.5 million revenue
for 2002, compare to $350 million in 2001
IDS classification
Figure from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html
Intrusion Detection Approach
Protected System
StructureData SourceBehaviour
after an attackAnalysis Timing
Intrusion Detection System
Anomaly Detection
SignatureDetection
HIDS NIDS Hybrids
Centra-listed System
Distributed System
Agent System
Aduit Trail
Network Packet
System State Analysis (kernel, services, files)
Active IDS
Passive IDS
On-the-fly processing
Internal-based IDS
Typical NIDS
Cisco Secure IDS (formerly NetRanger) Hogwash Dragon E-Trust IDS
NIDS Pros and Cons
Pros– Monitor a large amount of network traffic– Versatile: detects DoS, “ping of death”, all the traffics to a
target host– Dropping packet will not affect network connection
Cons– Higher amount of traffic will force the NIDS drop the traffic– False Negative, False Positive– Can’t detect attack by back doors of the network– Unable to look at encrypted packets (VPN, SSH)
Detection False
False Positive
False Negative False Positive
False Negative
Correct Alert
Ambiguity of NIDS
NIDS needs to simulate exactly what the network will react to the traffic
Without local network construction information, there exits ambiguity
Example: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by T. H. Ptacek and T. N. Newsham
Attacks by Ambiguity
20 Hops
15 Hops 5 Hops
Attempts to Eliminate Ambiguity
Traffic normalizerDrawbacks:
1. performance
2. reliability issue with resource exhaustion
3. changing the semantics of the stream
(e.g. traceroute, path MTU discovery)
Aim of Active Mapping
Aim: 1. to tell which packet will reach recipient
2. to predict the interpretation of the packet by the recipient
Active Mapping makes NIDS context-sensitive
Active Mapping Design Goals
Comparable with runtime performance Mapping should be lightweight Avoid harming the hosts
Active Mapping Mechanism
What Active Mapping Checks
Hop count MTU (Maximum Transmission Unit) TCP RST Acceptance Overlapping and Inconsistent IP Fragments
(different by policies)
“Hop Count” Definition
1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: Hop count may be used to determine the Time-To-Live for some packets.
2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.
“MTU” Definition
The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB).
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html
TCP RST Acceptance
Receiver’s WindowPackets
Overlapping and Inconsistent Fragments
BSD, BSD-right, Linux, First, Last/RFC791, etc.
Eg. BSD left-trim and first come occupy the digit
Limitation and Weakness
Active Mapping assumes that all hosts behave in consistent and predictable way
There are at least 3 sources of non-determinisms can be difficult to simulate in NIDS precisely
----- Application Level Parameters----- New Semantics----- Nondeterministic Packet Drops
Application Level Parameters
User can change certain parameters that affect TCP/IP stack. The data of parameters could be delivered as signal or inline
--- Example: TCP “Urgent” pointer, which marks part of the sequences as important and processed without delay
New Semantics
NIDS must understand the semantic of a stream in order to interpret correctly
Unknown TCP options can be ignored
The best NIDS can do is to update regularly
Nondeterministic Packet Drops
Two Ways Packet Drop can happen
---- When routers get saturated or hosts are under heavy traffic
---- Quality of Service guarantees
Timeout
The NIDS must know when a host will timeout an IP fragment or TCP segment.
Attacker can later retransmit the fragment or segment with different data
NIDS will not know which is accepted, even it knows which will be accepted
It is difficult to obtain precise timeout value with active mapping
Dealing with packet drops
Partial reconstruction of host state
--- If acknowledgement of TCP Segment of response to UPD or ICMP request
--- then the request is accepted using only packets preceded the response
--- if no response, then packets are dropped
Continued
If NIDS can send “keep alive” packet(out of sequence) in real time, it can elicit an ACK that show current sequence number
NIDS can get timeouts information from ICMP message. Not all hosts send this. And this may leak information to attackers, need to be only seen by NIDS. (Mapping?)
Practical Consideration
Those concerns are not implemented in the prototype
NAT DHCP TCP Wrapper Attacks on the Active Mapper
NAT-Network Address Translator
Problems: NIDS can’t see private addresses, if NAT is running inside the monitored site. It is also difficult to detect if NAT is being used
Solution: Could map each port as though it belonged to a separate machine
DHCP
Problems: DHCP server leases out addresses when clients request them, and leases expire periodically. If Integration with DHCP server is not possible, determining MAC is nontrivial
Solution: The Mapper could be triggered upon seeing DHCP requests
TCP Wrappers
Problems: Some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an Access Control List
Solution: Mapper Must have access
Attacks on the Active Mapper
Problems: Attacker may try to attack mapping machine. There is greater concern for direct internal attacks
Solution: Deny all outside request to the mapper, limit only the administrative machines to have access
Prototype Implementation
Implemented in about 2,000 lines of Perl. Ported to Unix and FreeBSD It requires TCP/IP firewall capability. Modify the Bro NIDS to use Active Mapping
profile. A few hundred lines of C++ were needed
Testing and Results
Observed Active Mapping Profiles
Out of 4,800+ hosts, 173 were giving out inconsistent result. All of 29 of them are printers, routers. Most of the 29 are unknown operating systems, 36 of the 173 hosts have incomplete trials. Only 10 machines yield conflicting results
Stability of Results
This test is to see if the profile stayed consistent 5 month later
In first mapping 4882 hosts provided nontrivial, consistent results
In second mapping, 4733 hosts did. 1122 were in first set, but not second, of those 880
were in DHCP blocks 973 were in second set but on in the first, 669 where
in DHCP blocks
Mapping Time
Mapping a single host requires 37 sec Mapping 16 hosts took 10.1 seconds/host Mapping 64 hosts took 5.7 seconds/host Mapping 101 hosts took 5.3 seconds/host 5 seconds/host for large scale mapping 7 hours for a subnet with 4800 hosts
Mapping Traffic
NIDS Integration Tests
This is to test that AM will indeed produced correct interpretation
First, a synthetic test with ambiguous traffic. Second, a comparison of the original and AM
modified NIDS on real-world traces
Synthetic Tests
HTTP attack traffic were generated to 8 hosts with evasion measures added using ‘fragroute’
NIDS’ Performance
Two trace of 500 connections were used to the 8 hosts
In first, no connection was modified by fragroute
In second, connections to 2 of the machines were modified by fragroute. And AM was enabled. NIDS was actually 15% faster, since it can discard data
Real World Tests
Two tests were performed First one was of a non-HTTP traffic gathered during
1 hour at a busy site(100.2M data, 1.2M packets, 273K connections
Second was a 2 hour HTTP traffic. (137MB, 197k packets, 6379 connections)
Both tests yield same result. Execution time are same, memory usage was 200k higher with AM
When To Scan?
Daily scan – a full class C subnet can be scanned in about 20min. What happens with large network?
Remapping can be triggered by any inconsistency between the stored policy and an observed one
On-the-fly mapping is not possible, since many tests take seconds
Conclusion
Active Mapping can reduce the ambiguity of NIDS interpretation
It is better than Normalization
there are still many limitations and consideration, it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity free NIDS