Post on 18-Dec-2015
Extensible Architectures for Passive and Active Protocol Interposition
Farnam Jahanian
Department of EECS
University of Michigan
http://www.eecs.umich.edu/~farnam
(joint work with G.R. Malan, P. Howell, and D. Watson)
Roadmap
Motivation
Windmill extensible probe
Protocol scrubbers
Summary
Context
[Diagram: survivable network infrastructure]
– Network infrastructure: routers, name servers, critical services
– Anomalous network events: network attacks, S/H failures, operational faults
– Coarse- and fine-grained measurement tools: Windmill probes, Netflow statistics, protocol scrubbers
– Analysis engines: event aggregation, data mining
– Active response capabilities: replication schemes, countermeasures
Protocol Interposition Tools
Windmill Measurement Probe:
– Passive measurement mechanism for on-line reconstruction of functional and performance behavior of infrastructure and application-level protocols from low-level network traffic
– Programmable and extensible
Protocol Scrubbers:
– New class of active interposition mechanisms for on-line monitoring and enforcement of network security policies
– Transparent protection of networking infrastructure such as routers and switches
Windmill Overview
An open-architecture programmable tool for passive measurement
Infer performance & functional behavior through eavesdropping & on-line state reconstruction
How does it work?
High-speed Packet Filter: Extracts the underlying data flows observed at a network vantage point
Abstract Protocol Modules: Reconstructs higher-level protocols (BGP, RIP, HTTP) from network traffic in real-time
Experiment Engine: Supports dynamically loadable run-time experiments
Windmill Architecture
[Diagram: packet flows enter the Windmill Packet Filter; the Packet Dispatcher hands them to the Abstract Protocol Modules (IP, TCP, UDP, BGP, RIP, HTTP, ...); the Experiment Engine runs experiments Exp1, Exp2, ... on top of those protocol abstractions]
Windmill's Features
Measure overloaded, shrink-wrapped system
Correlate events from different layers
Feedback mechanism for active measurements
Data reduction at the measurement point
Support for 24x7 measurement
Dynamically add/remove concurrent experiments
Windmill Packet Filter (WPF)
Allows one-to-many multiplexing: a single packet stream is delivered to every experiment that subscribed to it
Avoids problems with ambiguous filters
Dynamically compiled machine-language module:
– Constructs an intermediate DAG representation of the subscriptions
– Compiles this graph to a native machine-language module
– Installs this module in the probe machine's kernel
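The following is an added example, not Windmill's own code: a user-space toy model of the WPF's one-to-many dispatch. Each experiment subscribes with a conjunction of field == value tests; all subscriptions are merged into one decision graph (here a trie, the simplest form of the subscription graph the slides describe) so each packet field is examined once and the packet is delivered to every matching experiment, instead of installing one filter per experiment and copying packets repeatedly. The field names, subscriptions, and packets are constructed for the demo; the real WPF compiles the graph to native code in the kernel.

```python
"""Toy model of the Windmill Packet Filter's one-to-many dispatch.

Added example, not Windmill's own code (the real WPF compiles the graph to
native code and installs it in the kernel). Each experiment subscribes with a
conjunction of field == value tests; all subscriptions are merged into one
decision graph so that each packet field is examined once and the packet is
delivered to every experiment whose subscription matches.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Fields are tested in this fixed order; a subscription that omits a field
# takes the wildcard branch at that level.
FIELD_ORDER = ("proto", "dst", "dport", "src")


class FilterNode:
    def __init__(self):
        self.children = {}        # tested value -> FilterNode
        self.wildcard = None      # FilterNode for subscriptions not testing this field
        self.experiments = set()  # experiments fully matched at a leaf


def build_graph(subscriptions):
    """Merge {experiment_name: {field: value, ...}} into one decision graph."""
    root = FilterNode()
    for name, sub in subscriptions.items():
        unknown = set(sub) - set(FIELD_ORDER)
        if unknown:
            raise ValueError(f"{name}: unsupported fields {sorted(unknown)}")
        node = root
        for fld in FIELD_ORDER:
            if fld in sub:
                node = node.children.setdefault(sub[fld], FilterNode())
            else:
                if node.wildcard is None:
                    node.wildcard = FilterNode()
                node = node.wildcard
        node.experiments.add(name)
    return root


def dispatch(root, pkt):
    """Walk the graph once for a packet; return every matching experiment."""
    frontier = [root]
    for fld in FIELD_ORDER:
        value = getattr(pkt, fld)
        nxt = []
        for node in frontier:
            child = node.children.get(value)
            if child is not None:
                nxt.append(child)
            if node.wildcard is not None:
                nxt.append(node.wildcard)
        frontier = nxt
    matched = set()
    for leaf in frontier:
        matched |= leaf.experiments
    return matched


# Constructed subscriptions and packets (addresses are documentation ranges).
SUBSCRIPTIONS = {
    "bgp_monitor": {"proto": "tcp", "dport": 179},
    "http_latency": {"proto": "tcp", "dst": "10.0.0.5", "dport": 80},
    "udp_stats": {"proto": "udp"},
    "scan_detector": {"src": "192.0.2.9"},
}

PACKETS = [
    Packet("tcp", "192.0.2.9", "10.0.0.1", 179),     # BGP from a watched source
    Packet("tcp", "198.51.100.2", "10.0.0.5", 80),   # HTTP to the watched server
    Packet("udp", "198.51.100.2", "10.0.0.5", 53),   # any UDP
    Packet("tcp", "198.51.100.2", "10.0.0.5", 22),   # nobody subscribed
]


def run_demo():
    """Dispatch each constructed packet; returns a list of matched-experiment sets."""
    graph = build_graph(SUBSCRIPTIONS)
    return [dispatch(graph, p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, experiments in zip(PACKETS, run_demo()):
        print(pkt, "->", sorted(experiments) or "(dropped)")
```

The first packet reaches two experiments at once (one-to-many), and the graph never has to decide which of two overlapping subscriptions "wins", which is the ambiguity a priority-ordered rule list would introduce.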
Abstract Protocol Modules
Used to reconstruct target protocol
Inverts protocol stack, drills down
Don't run the whole stack on packet
"Opens the Hood" on underlying protocols
Each module exports its protocol abstraction
Semantics taken from BSD stack
Extensible Experiment Engine
Manages the set of concurrent experiments
– Add, remove, execute, and modify experiment state
Provides interface for storage and dissemination
Custom loader dynamically links experiments as they are loaded
Broad Range of Studies Conducted using Windmill
BGP routing protocol congestion collapse - SIGCOMM’98
RIP intra-domain routing protocol - OPENSIG’99
Overloaded web servers (Microsoft vs. Netscape)
Campus network traffic characterization - OPENSIG’99
Detection of NMAP scans - UM tech report
Space science collaboratory application - SIGCOMM’98
MCI Sprint
Border Gateway Protocol (BGP)
Interdomain protocol between Autonomous Systems at exchange points
Routing peers exchange reachability information incrementally using TCP
SIGCOMM’97 paper identified major instability and pathological behavior in BGP routing
BGP Congestion Collapse Hypothesis Validated Using Windmill
Congestion causes underlying TCP to back off
BGP-level timers expire, causing termination
Interaction between BGP and TCP leads to router congestion collapse
[Diagram: high bandwidth utilization and BGP instability]
Web Server Experiments
Demonstrates:
– Measure overloaded, shrink-wrapped system
– No modification of web servers / end hosts
– Data reduction at the measurement point
– Support for 24x7 measurement
Obtain "hard to get" metrics:
– TCP connections dropped by server
– HTTP connection establishment latency
– Server's aggregate bandwidth
Web Experimental Apparatus
[Diagram: four clients drive the web servers (Microsoft, Netscape) while Windmill observes the traffic; plot: connections attempted vs. established]
Key Challenge
Coarse-grained network flow measurement is becoming more common in enterprise routers and switches from vendors
Fine-grained measurement technologies provide packet traces and enable protocol state reconstruction (e.g., packet sniffers, Windmill)
Integration of the two technologies has numerous applications in enterprise-wide networks:
– Traffic characterization
– Cache & replica placement
– Denial of service & anomaly detection
– Backtracing intrusion attacks
Protocol Scrubbers
A transparent interposition mechanism for on-line modification of traffic to comply with network security policies
Enables protection of critical network infrastructure such as routers, switches and enterprise servers
Ability to remove attacks targeted at distinct layers in the protocol stack
Placed in front of critical infrastructure or eventually built into routers and switches
Applications of Protocol Scrubbers
Intrusion detection
Firewalls & attack removal
Anti-fingerprinting tools
Content-based filtering
Load-balancing proxies
...
Scrubber layers:
– TCP/IP scrubber: TCP, UDP, IP
– Infrastructure scrubber: BGP, RIP, DNS
– Application-level scrubber: HTTP, FTP
TCP/IP Protocol Scrubber
TCP/IP Protocol Scrubber Implementation:
– converts potentially ambiguous flows into homogenized, well-behaved flows
– maintains a very small amount of state per flow ... lighter than a full transport proxy
– eliminates insertion and evasion attacks
FreeBSD implementation on Pentium. Next on Linux!
Performance comparable to IP forwarding and much better than commercial transport-level proxy
Example Domain: Network Intrusion Detection
Network ID systems watch traffic
Look for malicious use and attacks
Do not modify the flow
Notify the security administrator upon detection
Attackers counter with "crud": ambiguous or malformed traffic that the NIDS and the end host interpret differently
Ambiguities in Protocol Implementation
Examples from [Ptacek and Newsham '98]:
– IP TTL attack
– Packet too large for link without fragmenting
– DST configured to drop source-routed packets
– DST may time out fragments differently
– DST may reassemble fragments differently
– DST doesn't accept packets with certain options
– DST may use PAWS and silently discard packets
– DST may resolve conflicting segments differently
– DST may not check seqno on RST packets
Example Attack
[Sequence diagram, positions 0-8 of the TCP stream]
Packet 1 carries "ood url." at sequence numbers 1-8 (byte 0 not yet received, shown as "?")
Packet 2 carries "go blue!!" at sequence numbers 0-8, overlapping packet 1
– NIDS reconstruction: "?ood url." after packet 1; "good url." after packet 2 (old data kept, only the hole is filled)
– End host reconstruction: "?ood url." after packet 1; "go blue!!" after packet 2 (new data overwrites old)
The NIDS inspects "good url." while the end host receives "go blue!!"
TCP/IP Scrubber: Use
[Diagram: External Host (Untrusted) -> Scrubber or Transport Proxy -> Internal Host (Trusted)]
How the TCP Scrubber Solves the Previous Example
– Packet 1-U ("ood url." at 1-8) arrives from the untrusted side: scrubber reconstruction "?ood url."; nothing is forwarded, so NIDS and end host reconstructions are still empty
– Packet 2-U ("go blue!!" at 0-8) arrives: scrubber resolves the overlap to "good url."
– Scrubber forwards Packet 2-T ("good url.") to the trusted side: NIDS reconstruction "good url."; end host reconstruction "good url."
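The following is an added example, not the deck's FreeBSD scrubber; it covers both the "DST may resolve conflicting segments differently" ambiguity from the Ptacek and Newsham list and the overlapping-segment attack walked through above. Two reassembly policies model a NIDS that keeps the first copy of each byte and an end host that lets later data overwrite earlier data; scrub() normalizes an untrusted segment sequence so that whatever is forwarded admits only one reconstruction. Sequence numbers start at 0, payloads are str for readability, and the slide's "?" is modelled as packet 1 beginning at sequence number 1; the hold-buffer cap is an assumption added here, not a figure from the deck.

```python
"""Overlapping TCP segments: NIDS vs. end-host reassembly, and a scrubber.

Added example, not the deck's FreeBSD scrubber. Two reassembly policies
model a NIDS that keeps the first copy of a byte and an end host that lets
later data overwrite earlier data; scrub() normalizes an untrusted segment
sequence so that the forwarded stream admits only one reconstruction.
Sequence numbers start at 0 and payloads are str for readability.
"""


def reassemble(segments, policy):
    """Rebuild a stream from (seq, data) pairs; unseen bytes render as '?'.

    policy "favor_old": a byte already received is kept, later overlapping
                        data only fills holes (the NIDS in the slides).
    policy "favor_new": later data overwrites earlier bytes (the end host).
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(policy)
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if policy == "favor_new" or pos not in stream:
                stream[pos] = b
    if not stream:
        return ""
    return "".join(stream.get(p, "?") for p in range(max(stream) + 1))


def scrub(segments, max_hold=4096):
    """Turn untrusted segments into trusted ones with a single interpretation.

    In-order bytes are forwarded at once; out-of-order bytes are held until
    the hole before them is filled. Overlaps are resolved exactly once here
    (first copy wins), so each byte is forwarded exactly once and every
    downstream reassembler, whatever its policy, sees the same stream.
    The hold buffer is capped (an assumption of this example) so that
    out-of-order junk cannot exhaust scrubber memory; a real scrubber would
    drop the flow rather than raise.
    """
    held = {}       # seq -> byte, for data beyond next_seq
    next_seq = 0
    forwarded = []  # trusted (seq, data) segments
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if pos < next_seq:
                continue              # already forwarded: pure retransmission
            held.setdefault(pos, b)   # first copy wins
        if len(held) > max_hold:
            raise RuntimeError("per-flow hold buffer exceeded; drop the flow")
        start = next_seq
        run = []
        while next_seq in held:       # flush the contiguous run as one segment
            run.append(held.pop(next_seq))
            next_seq += 1
        if run:
            forwarded.append((start, "".join(run)))
    return forwarded


# The slide's attack, constructed: the '?' on the slide is a byte not yet
# received, so packet 1 is modelled as starting at sequence number 1.
ATTACK = [
    (1, "ood url."),   # packet 1: bytes 1..8
    (0, "go blue!!"),  # packet 2: bytes 0..8, overlapping packet 1
]


def demo():
    """Return (nids_view, host_view, forwarded, host_view_after_scrub)."""
    trusted = scrub(ATTACK)
    return (
        reassemble(ATTACK, "favor_old"),
        reassemble(ATTACK, "favor_new"),
        trusted,
        reassemble(trusted, "favor_new"),
    )


if __name__ == "__main__":
    nids, host, trusted, host_scrubbed = demo()
    print("NIDS sees:           ", nids)
    print("end host sees:       ", host)
    print("scrubber forwards:   ", trusted)
    print("end host after scrub:", host_scrubbed)
```

Without the scrubber the NIDS inspects "good url." while the host executes "go blue!!"; after scrubbing, the single forwarded segment "good url." reassembles identically under either policy. The cap on held bytes matters in practice: holding out-of-order data is exactly the state the slides keep "very small", and an uncapped buffer turns the scrubber itself into a memory-exhaustion target.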
TCP/IP Scrubber: Micro-benchmarks
How does the scrubber affect throughput?
– Measured at the TCP level using netperf
How does the scrubber affect forwarding latency in the kernel?
– Measured using the Pentium on-chip cycle counter

Forwarding type     Mean       Std dev
IP forwarding       8.00 μs    2.91
Scrub (1 byte)      13.19 μs   3.38
Scrub (> 1000)      31.85 μs   5.72

Throughput: IP forwarding 83.84 Mbps; Scrubbing 82.87 Mbps; Plug proxy 82.71 Mbps
TCP/IP Scrubber: Macro-benchmarks
Macro-benchmarks (answer two questions):
How much overhead does the scrubber add?
– Increase the number of clients and see how many connections per second we can sustain
Does the scrubber treat well-behaved flows adversely?
– Inject a range of artificial loss into flows to determine gross differences between IP forwarding and scrubbing
TCP/IP Scrubber: Sustainable Connections With No Loss
[Plot: requests serviced per second (0-2500) vs. number of concurrent connections (0-400); series: IP Forwarding, TCP/IP Scrubbing, User space proxy]
TCP/IP Scrubber: Sustainable Connections With Artificial Loss
[Plot: requests serviced per second (0-2500) vs. packet loss percentage (0-10); series: Transport Scrubbing, IP Forwarding]
Infrastructure Protocol Scrubbing
A lightweight, transparent mechanism for preventing network attacks
Scrubber can masquerade as a set of network services
Allows protection of infrastructure-level protocols (such as OSPF and BGP)
Enabled through a single modification to the socket API; no modification of client or server code
[Diagram: Client -> Scrubber -> Set of Servers]
Final Remarks
Passive vs. active protocol interposition
Coarse-grained vs. fine-grained measurement
Open architectures and programmability
Future work