Extensible Architectures for Passive and Active Protocol Interposition Farnam Jahanian Department of EECS University of Michigan http://www.eecs.umich.edu/~farnam (joint work with G.R. Malan, P. Howell, and D. Watson)

Post on 18-Dec-2015


Page 1: Extensible Architectures for Passive and Active Protocol Interposition

Farnam Jahanian
Department of EECS
University of Michigan
http://www.eecs.umich.edu/~farnam

(joint work with G.R. Malan, P. Howell, and D. Watson)

Page 2: Roadmap

Motivation

Windmill extensible probe

Protocol scrubbers

Summary

Page 3: Context

[Diagram: the building blocks of a survivable network infrastructure, as labelled on the slide]

Network Infrastructure: Routers, Name Servers, Critical Services

Anomalous Network Events: Network Attacks, S/H Failures, Operational Faults

Coarse and Fine Grained Measurement Tools: Windmill Probes, Netflow Statistics, Protocol Scrubbers

Analysis Engines: Event Aggregation, Data Mining

Active Response Capabilities: Replication schemes, Countermeasures

Survivable Network Infrastructure

Page 4: Protocol Interposition Tools

Windmill Measurement Probe:
– Passive measurement mechanism for on-line reconstruction of functional and performance behavior of infrastructure and application-level protocols from low-level network traffic
– Programmable and extensible

Protocol Scrubbers:
– New class of active interposition mechanisms for on-line monitoring and enforcement of network security policies
– Transparent protection of networking infrastructure such as routers and switches

Page 5: Windmill Overview

An open-architecture programmable tool for passive measurement

Infer performance & functional behavior through eavesdropping & on-line state reconstruction

How does it work?

High-speed Packet Filter: extracts the packets of interest from the data flows visible at a network vantage point

Abstract Protocol Modules: reconstruct higher-level protocols (BGP, RIP, HTTP) from network traffic in real time

Experiment Engine: supports dynamically loadable run-time experiments

Page 6: Windmill Architecture

[Diagram: Packet Flows -> Windmill Packet Filter -> Packet Dispatcher -> Abstract Protocol Modules (IP, TCP, UDP, BGP, RIP, HTTP, ...) -> Experiment Engine (Exp1, Exp2, ...)]

Page 7: Windmill's Features

Measure overloaded, shrink-wrapped system

Correlate events from different layers

Feedback mechanism for active measurements

Data reduction at the measurement point

Support for 24x7 measurement

Dynamically add/remove concurrent experiments

Page 8: Windmill Packet Filter (WPF)

Allows one-to-many multiplexing: one packet is delivered to every experiment whose subscription it matches

Avoids problems with ambiguous filters

Dynamically compiled machine language module:

Constructs an intermediate DAG representation of the subscriptions

Compiles this graph to a native machine language module

Installs this module in the probe machine's kernel
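The subscription-merging idea in Python, as an added example that is not code from Windmill: the real WPF compiles its graph to a native module installed in the kernel, whereas this sketch builds one shared decision graph in user space. The field names, experiment names and packets are constructed for illustration. Every experiment subscribes with a conjunction of equality tests; the subscriptions are merged into a single graph that is walked once per packet and returns the set of all matching experiments, rather than the first match a classic per-filter design would give.

```python
"""Shared decision graph for packet subscriptions (added example, not Windmill's WPF)."""

from dataclasses import dataclass, field

# Fixed test order: subscriptions that constrain the same leading fields share graph nodes.
FIELD_ORDER = ("proto", "src", "dst", "dport")


@dataclass
class Node:
    children: dict = field(default_factory=dict)    # field value -> Node
    wildcard: "Node | None" = None                  # branch for subscriptions that skip this field
    subscribers: set = field(default_factory=set)   # experiments reached at a leaf


class SubscriptionFilter:
    def __init__(self):
        self.root = Node()

    def subscribe(self, experiment, **constraints):
        """Register a conjunction of equality tests; unconstrained fields become wildcards."""
        unknown = set(constraints) - set(FIELD_ORDER)
        if unknown:
            raise ValueError(f"unsupported fields: {sorted(unknown)}")
        node = self.root
        for f in FIELD_ORDER:
            if f in constraints:
                node = node.children.setdefault(constraints[f], Node())
            else:
                if node.wildcard is None:
                    node.wildcard = Node()
                node = node.wildcard
        node.subscribers.add(experiment)

    def dispatch(self, pkt):
        """Walk the graph once and return every experiment the packet satisfies (one-to-many)."""
        matched = set()
        frontier = [(self.root, 0)]
        while frontier:
            node, depth = frontier.pop()
            if depth == len(FIELD_ORDER):
                matched |= node.subscribers
                continue
            child = node.children.get(pkt.get(FIELD_ORDER[depth]))
            if child is not None:
                frontier.append((child, depth + 1))
            if node.wildcard is not None:
                frontier.append((node.wildcard, depth + 1))
        return matched


def demo():
    """Four constructed experiments and four constructed packets; returns the dispatch sets."""
    f = SubscriptionFilter()
    f.subscribe("bgp_exp", proto="tcp", dport=179)
    f.subscribe("http_exp", proto="tcp", dport=80)
    f.subscribe("tcp_stats", proto="tcp")           # wants every TCP packet
    f.subscribe("rip_exp", proto="udp", dport=520)
    pkts = [
        {"proto": "tcp", "src": "192.0.2.1", "dst": "192.0.2.2", "dport": 179},
        {"proto": "tcp", "src": "192.0.2.3", "dst": "192.0.2.2", "dport": 80},
        {"proto": "udp", "src": "192.0.2.4", "dst": "192.0.2.2", "dport": 520},
        {"proto": "udp", "src": "192.0.2.4", "dst": "192.0.2.2", "dport": 53},
    ]
    return [f.dispatch(p) for p in pkts]


if __name__ == "__main__":
    for result in demo():
        print(sorted(result))
```

The BGP packet reaches both bgp_exp and tcp_stats from one traversal, which is the one-to-many multiplexing the slide refers to; with independent per-experiment filters the same packet would have to be tested by each filter in turn, and a first-match design would silently starve one of the two experiments.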

Page 9: Abstract Protocol Modules

Used to reconstruct target protocol

Inverts protocol stack, drills down

Don't run the whole stack on packet

"Opens the Hood" on underlying protocols

Each module exports its protocol abstraction

Semantics taken from BSD stack

Page 10: Extensible Experiment Engine

Manages the set of concurrent experiments: add, remove, execute, modify state

Provides interface for storage and dissemination

Custom loader dynamically links experiments as they are loaded

Page 11: Broad Range of Studies Conducted using Windmill

BGP routing protocol congestion collapse - SIGCOMM’98

RIP intra-domain routing protocol - OPENSIG’99

Overloaded web servers (Microsoft vs. Netscape)

Campus network traffic characterization - OPENSIG’99

Detection of NMAP scans - UM tech report

Space science collaboratory application - SIGCOMM’98

Page 12: Border Gateway Protocol (BGP)

[Diagram: two autonomous systems, MCI and Sprint, peering over BGP]

Interdomain protocol between Autonomous Systems at exchange points

Routing peers exchange reachability information incrementally using TCP

SIGCOMM'97 paper identified major instability and pathological behavior in BGP routing

Page 13: BGP Congestion Collapse Hypothesis Validated Using Windmill

Congestion causes underlying TCP to back off

BGP-level timers expire, causing session termination

Interaction between BGP and TCP leads to router congestion collapse

[Diagram: feedback loop between high bandwidth utilization and BGP instability]

Page 14: Web Server Experiments

Demonstrates:
– Measure overloaded, shrink-wrapped system
– No modification of web servers / end hosts
– Data reduction at the measurement point
– Support for 24x7 measurement

Obtain "hard to get" metrics:
– TCP connections dropped by server
– HTTP connection establishment latency
– Server's aggregate bandwidth
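How these "hard to get" metrics fall out of a passive packet trace, as an added example in the spirit of the Windmill web-server experiment rather than its code. The server address, the flag strings and the nine-packet trace are constructed; the rule that a SYN left unanswered for syn_timeout seconds counts as a dropped connection is an assumption of this example, not something the slides state. Nothing touches the server: every number comes from SYN/SYN-ACK/RST timing seen on the wire.

```python
"""Passive reconstruction of web-server handshake metrics (added example, not Windmill code)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds since trace start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as letters, e.g. "S", "SA", "RA", "PA"
    size: int     # bytes on the wire

SERVER = ("10.0.0.80", 80)   # constructed address of the server under test


def handshake_metrics(trace, syn_timeout=3.0):
    """Return (latency_by_client, dropped, server_bytes_per_second).

    latency_by_client maps (client ip, client port) to the SYN -> SYN/ACK delay.
    A handshake counts as dropped if the server answers the SYN with RST, or if the
    SYN is still unanswered syn_timeout seconds before the end of the trace
    (assumption of this example)."""
    pending = {}       # (ip, port) -> timestamp of the first SYN seen
    latency = {}
    dropped = 0
    server_bytes = 0
    if not trace:
        return latency, dropped, 0.0
    for p in trace:
        if (p.src, p.sport) == SERVER:
            server_bytes += p.size
            key = (p.dst, p.dport)
            if key in pending:
                if "S" in p.flags and "A" in p.flags:      # SYN/ACK: handshake accepted
                    latency[key] = p.ts - pending.pop(key)
                elif "R" in p.flags:                       # RST to a SYN: refused / queue full
                    pending.pop(key)
                    dropped += 1
        elif (p.dst, p.dport) == SERVER and p.flags == "S":
            pending.setdefault((p.src, p.sport), p.ts)     # retransmitted SYNs keep the first ts
    end = trace[-1].ts
    dropped += sum(1 for t0 in pending.values() if end - t0 >= syn_timeout)
    duration = max(end - trace[0].ts, 1e-9)
    return latency, dropped, server_bytes / duration


# Constructed trace: one accepted handshake, one RST, one silently dropped SYN (with a
# client retransmit), a second accepted handshake, then a data segment from the server.
TRACE = [
    Pkt(0.000, "10.0.1.1", 40000, *SERVER, "S", 60),
    Pkt(0.004, *SERVER, "10.0.1.1", 40000, "SA", 60),
    Pkt(0.010, "10.0.1.2", 40001, *SERVER, "S", 60),
    Pkt(0.012, *SERVER, "10.0.1.2", 40001, "RA", 40),
    Pkt(0.020, "10.0.1.3", 40002, *SERVER, "S", 60),
    Pkt(3.020, "10.0.1.3", 40002, *SERVER, "S", 60),
    Pkt(5.000, "10.0.1.4", 40003, *SERVER, "S", 60),
    Pkt(5.003, *SERVER, "10.0.1.4", 40003, "SA", 60),
    Pkt(5.050, *SERVER, "10.0.1.1", 40000, "PA", 1500),
]

if __name__ == "__main__":
    lat, dropped, bw = handshake_metrics(TRACE)
    for client, delay in sorted(lat.items()):
        print(f"{client[0]}:{client[1]} established in {delay * 1000:.1f} ms")
    print(f"dropped handshakes: {dropped}, server bandwidth: {bw:.0f} B/s")
```

The retransmitted SYN from 10.0.1.3 is the case worth noticing: a naive counter keyed on SYNs alone would report two attempts, while keying on the first SYN per (ip, port) and waiting for the server's answer reports one dropped connection, which is what the slide's "connections attempted vs. established" comparison needs.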

Page 15: Web Experimental Apparatus

[Diagram: four clients send requests to the web servers (Microsoft and Netscape); Windmill passively observes the traffic between them]

Page 16: Connections Attempted vs. Established

[Chart: connections attempted vs. connections established]

Page 17: Key Challenge

Coarse-grained network flow measurement is becoming more common in enterprise routers & switches from vendors

Fine-grained measurement technologies provide packet traces and enable protocol state reconstruction (e.g., packet sniffers, Windmill)

Integration of the two technologies has numerous applications in enterprise-wide networks:
– Traffic characterization
– Cache & replica placement
– Denial of service & anomaly detection
– Backtracing intrusion attacks

Page 18: Protocol Scrubbers

A transparent interposition mechanism for on-line modification of traffic to comply with network security policies

Enables protection of critical network infrastructure such as routers, switches and enterprise servers

Ability to remove attacks targeted at distinct layers in the protocol stack

Placed in front of critical infrastructure or eventually built into routers and switches

Page 19: Applications of Protocol Scrubbers

Intrusion Detection
Firewalls & attack removal
Anti-fingerprinting Tools
Content-based filtering
Load-balancing Proxies
...

[Diagram: scrubbers layered by protocol level]
Application-level Scrubber: HTTP, FTP
Infrastructure Scrubber: BGP, RIP, DNS
TCP/IP Scrubber: TCP, UDP, IP

Page 20: TCP/IP Protocol Scrubber

TCP/IP Protocol Scrubber Implementation:
– converts potentially ambiguous flows into homogenized, well-behaved flows
– maintains a very small amount of state per flow … lighter than a full transport proxy
– eliminates insertion and evasion attacks

FreeBSD implementation on Pentium. Next on Linux!

Performance comparable to IP forwarding and much better than a commercial transport-level proxy

Page 21: Example Domain: Network Intrusion Detection

Network ID systems watch traffic

Look for malicious use and attacks

Don't modify the flow

Notify the security administrator upon detection

Attackers counter with "crud": ambiguous or malformed traffic that the NIDS and the end host interpret differently

Page 22: Ambiguities in Protocol Implementation

Examples from [Ptacek and Newsham '98]:
– IP TTL attack
– Packet too large for link without fragmenting
– DST configured to drop source-routed packets
– DST may time out fragments differently
– DST may reassemble fragments differently
– DST doesn't accept packets with certain options
– DST may use PAWS and silently discard packets
– DST may resolve conflicting segments differently
– DST may not check seqno on RST packets

Page 23: Example Attack

[Animation reconstructed from the slide builds. Bytes are shown at relative sequence numbers 0–8; "?" marks a byte that has not been received.]

Before any packet:
  NIDS Reconstruction:     012345678
  End Host Reconstruction: 012345678

Packet 1 carries "ood url." at positions 1–8, leaving position 0 empty:
  NIDS Reconstruction:     ?ood url.
  End Host Reconstruction: ?ood url.

Page 24: Example Attack (continued)

Packet 2 carries "go blue!!" at positions 0–8, overlapping all of Packet 1:
  NIDS Reconstruction:     good url.   (keeps the bytes it already had and only fills the hole)
  End Host Reconstruction: go blue!!   (lets the new data overwrite the old)

The NIDS inspects "good url." while the end host receives "go blue!!": the two sides resolved the conflicting segments differently, exactly the ambiguity listed on the previous page.

Page 25: TCP/IP Scrubber: Use

[Diagram: External Host (Untrusted) -> Scrubber or Transport Proxy -> Internal Host (Trusted)]

Page 26: How the TCP Scrubber Solves the Previous Example

[Animation reconstructed from the slide builds. "-U" marks a packet arriving from the untrusted side; "-T" marks the packet the scrubber emits toward the trusted side.]

Packet 1-U ("?ood url.", position 0 missing) arrives at the scrubber:
  Scrubber Reconstruction: ?ood url.
  NIDS Reconstruction:     012345678   (nothing forwarded yet; the stream has a hole)
  End Host Reconstruction: 012345678

Packet 2-U ("go blue!!", overlapping Packet 1-U) arrives at the scrubber:
  Scrubber Reconstruction: good url.

The scrubber resolves the overlap itself and forwards a single unambiguous Packet 2-T ("good url."):
  NIDS Reconstruction:     good url.
  End Host Reconstruction: good url.

Because only in-order, non-overlapping data leaves the scrubber, the NIDS and the end host see the same byte stream whatever their own reassembly policies are.
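The ambiguity from Pages 22–24 and the scrubber's fix from Page 26, run end to end, as an added example that is not code from the scrubber project. The assignment of overlap policies (the NIDS keeps old data, the end host takes new data) is chosen to reproduce the slide's outcome; which real stacks do which is catalogued in Ptacek and Newsham, and the two segments are constructed. The scrubber keeps only a per-flow reassembly buffer and a "next sequence to forward" counter, which is the small per-flow state Page 20 contrasts with a full transport proxy.

```python
"""Overlapping TCP segments, NIDS/end-host divergence, and a normalizing scrubber
(added example, not code from the Windmill or scrubber projects)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of data[0]
    data: bytes


class Reassembler:
    """Byte-granular reassembly with an explicit policy for overlapping data.

    favor_old: a byte already buffered is kept when a later segment overlaps it.
    favor_new: the most recently received copy of a byte wins.
    Which policy a given stack uses is the ambiguity the attack exploits."""
    def __init__(self, policy):
        if policy not in ("favor_old", "favor_new"):
            raise ValueError(policy)
        self.policy = policy
        self.buffer = {}   # relative seq -> byte value

    def accept(self, seg):
        for offset, b in enumerate(seg.data):
            pos = seg.seq + offset
            if pos in self.buffer and self.policy == "favor_old":
                continue
            self.buffer[pos] = b

    def stream(self):
        """Contiguous in-order data from sequence 0: what the application actually reads."""
        out = bytearray()
        pos = 0
        while pos in self.buffer:
            out.append(self.buffer[pos])
            pos += 1
        return bytes(out)


class TcpScrubber:
    """Sits between the untrusted and trusted sides, reassembles with one fixed policy
    and forwards only in-order, non-overlapping data, so everything behind it sees the
    same byte stream regardless of its own overlap policy."""
    def __init__(self):
        self.buffer = Reassembler("favor_old")
        self.next_seq = 0   # first sequence number not yet forwarded

    def process(self, seg):
        """Accept an untrusted segment; return the trusted segments to forward (possibly none)."""
        self.buffer.accept(seg)
        stream = self.buffer.stream()
        if len(stream) <= self.next_seq:
            return []            # still waiting for a hole to be filled
        out = Segment(self.next_seq, stream[self.next_seq:])
        self.next_seq = len(stream)
        return [out]


def replay(segments, scrub):
    """Feed segments to a favor_old NIDS and a favor_new end host, optionally through a
    scrubber. Returns (nids_view, host_view)."""
    nids, host = Reassembler("favor_old"), Reassembler("favor_new")
    scrubber = TcpScrubber() if scrub else None
    for seg in segments:
        delivered = scrubber.process(seg) if scrubber is not None else [seg]
        for s in delivered:
            nids.accept(s)
            host.accept(s)
    return nids.stream(), host.stream()


# Constructed to match the slides: packet 1 leaves byte 0 unfilled ("?"), packet 2 overlaps it.
PACKET_1 = Segment(1, b"ood url.")
PACKET_2 = Segment(0, b"go blue!!")

if __name__ == "__main__":
    print("without scrubber:", replay([PACKET_1, PACKET_2], scrub=False))
    print("with scrubber:   ", replay([PACKET_1, PACKET_2], scrub=True))
```

Without the scrubber the NIDS reports "good url." while the host gets "go blue!!"; with it, Packet 1-U is held until the hole at position 0 is filled, and a single Packet 2-T carrying "good url." reaches both. Note that the scrubber does not need to know the end host's policy, only to make sure no overlapping data ever reaches it.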

Page 27: TCP/IP Scrubber: Micro-benchmarks

How does the scrubber affect throughput?
– Measured at the TCP level using netperf

How does the scrubber affect forwarding latency in the kernel?
– Measured using the Pentium on-chip cycle counter

Forwarding latency:

Forwarding Type  | Mean (μs) | Std Dev (μs)
IP Forwarding    | 8.00      | 2.91
Scrub (1 byte)   | 13.19     | 3.38
Scrub (> 1000)   | 31.85     | 5.72

Throughput (netperf):

IP Forwarding | Scrubbing  | Plug Proxy
83.84 Mbps    | 82.87 Mbps | 82.71 Mbps

Page 28: TCP/IP Scrubber: Macro-benchmarks

Macro-benchmarks (answer two questions):

How much overhead does the scrubber add?
– Increase the number of clients and see how many connections per second we can sustain

Does the scrubber treat well-behaved flows adversely?
– Inject a range of artificial loss into flows to determine gross differences between IP forwarding and scrubbing

Page 29: TCP/IP Scrubber: Sustainable Connections With No Loss

[Chart: requests serviced per second (0–2500) vs. number of concurrent connections (0–400); series: IP Forwarding, TCP/IP Scrubbing, User space proxy]

Page 30: TCP/IP Scrubber: Sustainable Connections With Artificial Loss

[Chart: requests serviced per second (0–2500) vs. packet loss percentage (0–10); series: Transport Scrubbing, IP Forwarding]

Page 31: Infrastructure Protocol Scrubbing

A lightweight transparent mechanism for preventing network attacks

Scrubber can masquerade as a set of network services

Allows protection of infrastructure-level protocols (such as OSPF and BGP)

Enabled through a single modification to the socket API; no modification of client or server code

[Diagram: Client -> Scrubber -> Set of Servers]

Page 32: Final Remarks

Passive vs. active protocol interposition

Coarse-grained vs. fine-grained measurement

Open architectures and programmability

Future work