Transcript of "Active Mapping: Resisting NIDS Evasion Without Altering Traffic", written by Umesh Shankar (slide presentation)
![Page 1: Active Mapping: Resisting NIDS Evasion Without Altering Traffic writen by Umesh Shankar ushankar@cs.berkeley.edu University of California at Berkeley presented.](https://reader036.fdocuments.net/reader036/viewer/2022070411/56649f3e5503460f94c5f431/html5/thumbnails/1.jpg)
Active Mapping: Resisting NIDS Evasion Without Altering Traffic
written by Umesh Shankar (ushankar@cs.berkeley.edu)
University of California at Berkeley
presented by
Pei Pei Yan Guo
University of South Carolina
Slide 2
Outline
- Network Intrusion Detection System (NIDS)
- Active Mapping
- NIDS Implementation
- Active Mapping Limitations
- Test results
- Conclusion
Slide 3
What is NIDS?
A NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers.
A NIDS is essentially a glorified packet sniffer that matches traffic patterns to pre-defined signatures.
[Figure: deployment diagram with labels IPS, IPS, NIDS, Firewall, Internal Network]
Slide 4
IDS
IDS are now standard equipment for large networks, second only to firewalls.
HIDS: $50 to $1000 per host. NIDS: $10,000 to $30,000. IDS revenue is estimated at $443.5 million for 2002, compared to $350 million in 2001.
Slide 5
IDS classification
Figure from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html
[Figure: taxonomy of intrusion detection systems]
- Intrusion detection approach: anomaly detection; signature detection
- Protected system: HIDS; NIDS; hybrids
- Structure: centralised system; distributed system; agent system
- Data source: audit trail; network packets; system state analysis (kernel, services, files)
- Behaviour after an attack: active IDS; passive IDS
- Analysis timing: on-the-fly processing; interval-based IDS
Slide 6
Typical NIDS
- Cisco Secure IDS (formerly NetRanger)
- Hogwash
- Dragon
- E-Trust IDS
Slide 7
NIDS Pros and Cons
Pros:
- Monitors a large amount of network traffic
- Versatile: detects DoS, "ping of death", and all the traffic to a target host
- Because it is passive, a NIDS dropping packets does not affect the monitored connections
Cons:
- A higher amount of traffic will force the NIDS to drop packets
- False negatives and false positives
- Cannot detect attacks that enter through back doors of the network (traffic that never crosses the monitored link)
- Unable to look inside encrypted packets (VPN, SSH)
Slide 8
Detection: false positives and false negatives
[Figure: 2x2 matrix of detection outcomes]
- False positive: the NIDS alerts, but no attack occurred
- False negative: an attack occurred, but the NIDS did not alert
- Correct alert: an attack occurred and the NIDS alerted
Slide 9
Ambiguity of NIDS
The NIDS needs to simulate exactly how the network and the end host will react to the traffic.
Without information about the local network's construction (topology and host stacks), ambiguity exists.
Example: "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", by T. H. Ptacek and T. N. Newsham
Slide 10
Attacks by Ambiguity
[Figure: the attacker is 20 hops from the victim; the NIDS sits on the path 15 hops from the attacker and 5 hops before the victim. A packet sent with a TTL large enough to survive 15 hops but not 20 is seen by the NIDS yet never reaches the victim, so the two reassemble different streams.]
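As an added illustration (not part of the slides or the paper), the following Python simulates the attack in the figure and what changes once the NIDS knows the victim's hop count, which is one of the things Active Mapping measures. The hop counts (15 to the tap, 5 from the tap to the victim), the segment contents, the TTL values and the signature string are all constructed for the demo; the reassembly rule (earliest data wins on overlap) and the TTL rule (a packet survives h routers iff its TTL exceeds h) are simplifying assumptions.

```python
# Added example: TTL-based insertion attack against a NIDS, with and without
# the victim's hop count supplied by active mapping. Not code from the paper.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Topology taken from the slide's figure (assumed numbers for the simulation).
HOPS_ATTACKER_TO_NIDS = 15   # routers between attacker and the NIDS tap
HOPS_NIDS_TO_VICTIM = 5      # routers between the tap and the victim; what the mapper measures


@dataclass(frozen=True)
class Segment:
    seq: int      # stream offset of the first payload byte
    ttl: int      # IP TTL chosen by the sender
    data: bytes


def survives(ttl: int, hops: int) -> bool:
    """Each router decrements TTL and discards at zero, so a packet is still
    alive after `hops` routers iff its TTL on entry exceeds `hops`."""
    return ttl > hops


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the stream; earliest-arriving data keeps a contested byte.
    (Simplified rule standing in for the receiver's real overlap policy.)"""
    stream = {}  # offset -> byte
    for seg in segments:
        for i, b in enumerate(seg.data):
            stream.setdefault(seg.seq + i, b)
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def at_tap(segments: Iterable[Segment]) -> List[Tuple[Segment, int]]:
    """Segments that reach the NIDS, paired with the TTL value seen at the tap."""
    return [(s, s.ttl - HOPS_ATTACKER_TO_NIDS) for s in segments
            if survives(s.ttl, HOPS_ATTACKER_TO_NIDS)]


def nids_view(segments: Iterable[Segment], mapped_hops: Optional[int] = None) -> bytes:
    """What the NIDS reconstructs.
    mapped_hops=None models a context-free NIDS that trusts every packet it sees.
    With the hop count from active mapping it discards segments whose remaining
    TTL cannot carry them the rest of the way to the victim."""
    seen = at_tap(segments)
    if mapped_hops is not None:
        seen = [(s, t) for s, t in seen if survives(t, mapped_hops)]
    return reassemble(s for s, _ in seen)


def victim_view(segments: Iterable[Segment]) -> bytes:
    total = HOPS_ATTACKER_TO_NIDS + HOPS_NIDS_TO_VICTIM
    return reassemble(s for s in segments if survives(s.ttl, total))


SIGNATURE = b"/cgi-bin/phf"   # constructed example signature

# Constructed attack: the real request uses a normal TTL; a chaff segment for the
# same sequence range is sent first with TTL 17, which survives the 15 hops to the
# tap (arriving with TTL 2) but dies before the 5 further hops to the victim.
ATTACK = [
    Segment(seq=0,  ttl=64, data=b"GET /cgi-bin/"),
    Segment(seq=13, ttl=17, data=b"index.html"),        # chaff: NIDS-only
    Segment(seq=13, ttl=64, data=b"phf HTTP/1.0\r\n"),  # real: reaches victim
]


def demo() -> dict:
    naive = nids_view(ATTACK)
    mapped = nids_view(ATTACK, mapped_hops=HOPS_NIDS_TO_VICTIM)
    return {
        "naive_nids": naive,
        "mapped_nids": mapped,
        "victim": victim_view(ATTACK),
        "naive_alerts": SIGNATURE in naive,
        "mapped_alerts": SIGNATURE in mapped,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The context-free NIDS reconstructs `GET /cgi-bin/index.html.0` and never alerts, while the victim (and the NIDS that knows the 5 remaining hops) sees `GET /cgi-bin/phf HTTP/1.0`. The check worth keeping in mind is that the attack only works if the chaff TTL lands between the two hop counts, so the mapper's hop count has to be exact to within the attacker's margin; a count that is off by a few hops reopens a window of TTL values the attacker can use.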
Slide 11
Attempts to Eliminate Ambiguity
Traffic normalizer. Drawbacks:
1. performance
2. reliability issues under resource exhaustion
3. changing the semantics of the stream (e.g. traceroute, path MTU discovery)
Slide 12
Aim of Active Mapping
Aim:
1. to tell which packets will reach the recipient
2. to predict how the recipient will interpret those packets
Active Mapping makes the NIDS context-sensitive
Slide 13
Active Mapping Design Goals
- The NIDS should keep comparable runtime performance with mapping enabled
- Mapping should be lightweight
- Avoid harming the mapped hosts
Slide 14
Active Mapping Mechanism
Slide 15
What Active Mapping Checks
- Hop count
- MTU (Maximum Transmission Unit)
- TCP RST acceptance
- Overlapping and inconsistent IP fragments (handled differently by different policies)
Slide 16
“Hop Count” Definition
1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: Hop count may be used to determine the Time-To-Live for some packets.
2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.
Slide 17
"MTU" Definition
The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection. The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of the MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB).
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html
Slide 18
TCP RST Acceptance
[Figure: the receiver's window, with RST packets at different sequence positions]
The mapper tests whether the host tears down a connection on a RST that lands anywhere inside its receive window, or only on one whose sequence number exactly matches the next expected byte.
Slide 19
Overlapping and Inconsistent Fragments
Hosts resolve overlapping fragments under different policies: BSD, BSD-right, Linux, First, Last (RFC 791), etc.
E.g. under the BSD policy the incoming fragment is left-trimmed against data already held, so the fragment that arrived first keeps the contested bytes.
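To make the policy differences concrete, here is an added Python model (not the slides' or the paper's code) that reassembles one sequence of overlapping fragments under five policies. The per-byte rules are a simplified encoding of the policy names as assumed here (first/last by arrival order; BSD and Linux favouring the lower offset, with ties going to the earlier or the later fragment respectively; BSD-right favouring the higher offset); real stacks differ in details, which is precisely why the mapper probes each host rather than guessing. The fragment set is constructed.

```python
# Added example: byte-level model of overlapping-fragment reassembly policies.
# The rules are a simplified encoding for this demo, not any kernel's real code.
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset within the reassembled datagram
    data: bytes


POLICIES = ("first", "last", "bsd", "bsd-right", "linux")


def new_byte_wins(policy: str, held_offset: int, new_offset: int) -> bool:
    """Does a byte from a newly arrived fragment replace the byte already held
    at that position by an earlier fragment? Simplified rules (assumption)."""
    if policy == "first":      # earliest arrival keeps the byte
        return False
    if policy == "last":       # latest arrival takes the byte
        return True
    if policy == "bsd":        # lower offset wins; ties go to the earlier fragment
        return new_offset < held_offset
    if policy == "linux":      # lower offset wins; ties go to the later fragment
        return new_offset <= held_offset
    if policy == "bsd-right":  # higher offset wins; ties go to the later fragment
        return new_offset >= held_offset
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Reassemble fragments (given in arrival order) under one policy."""
    held: Dict[int, Tuple[int, int]] = {}   # position -> (owner offset, byte)
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos not in held or new_byte_wins(policy, held[pos][0], frag.offset):
                held[pos] = (frag.offset, byte)
    if not held:
        return b""
    length = max(held) + 1
    holes = [p for p in range(length) if p not in held]
    if holes:
        raise ValueError(f"datagram has a hole at byte {holes[0]}")
    return bytes(held[p][1] for p in range(length))


# Constructed fragment set in arrival order: an 8-byte datagram in which
# every later fragment overlaps an earlier one, including a same-offset tie.
ARRIVALS = [
    Fragment(4, b"CCCC"),   # bytes 4-7 arrive first
    Fragment(0, b"AAAA"),   # bytes 0-3
    Fragment(2, b"BBBB"),   # bytes 2-5: overlaps A on the left, C on the right
    Fragment(2, b"DDDD"),   # bytes 2-5 again, same offset as B (tie case)
]


def interpretations(fragments, policies=POLICIES) -> Dict[str, bytes]:
    """What each policy makes of the same wire fragments."""
    return {p: reassemble(fragments, p) for p in policies}


if __name__ == "__main__":
    for policy, payload in interpretations(ARRIVALS).items():
        print(f"{policy:10s} {payload.decode()}")
```

Four fragments are enough to give five different payloads, one per policy. A NIDS that does not know which policy the destination host uses has to either pick one (and be evadable by anyone who knows it picked wrong) or carry all of them; with a per-host profile it reassembles exactly once, the way the host will.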
Slide 20
Limitations and Weaknesses
Active Mapping assumes that all hosts behave in a consistent and predictable way.
There are at least 3 sources of non-determinism that can be difficult for a NIDS to simulate precisely:
- Application-level parameters
- New semantics
- Nondeterministic packet drops
Slide 21
Application-Level Parameters
Users can change certain parameters that affect how the TCP/IP stack delivers data; such data could be delivered as a signal (out of band) or inline.
Example: the TCP "urgent" pointer, which marks part of the sequence space as important, to be processed without delay
Slide 22
New Semantics
The NIDS must understand the semantics of a stream in order to interpret it correctly.
Unknown TCP options may simply be ignored.
The best a NIDS can do is to be updated regularly.
Slide 23
Nondeterministic Packet Drops
Two ways packet drops can happen:
- when routers are saturated or hosts are under heavy traffic
- quality-of-service guarantees
Slide 24
Timeout
The NIDS must know when a host will time out an IP fragment or TCP segment.
An attacker can later retransmit the fragment or segment with different data.
Without the timeout, the NIDS will not know which copy was accepted, even if it knows which one would win an overlap.
It is difficult to obtain precise timeout values with active mapping.
Slide 25
Dealing with packet drops
Partial reconstruction of host state:
- if an acknowledgement of a TCP segment, or a response to a UDP or ICMP request, is seen,
- then the request was accepted, using only the packets that preceded the response;
- if there is no response, the packets are taken as dropped.
Slide 26
Continued
If the NIDS can send a "keep-alive" packet (out of sequence) in real time, it can elicit an ACK that shows the host's current sequence number.
The NIDS can get timeout information from ICMP messages. Not all hosts send these, and they may leak information to attackers, so they should be visible only to the NIDS. (Mapping?)
Slide 27
Practical Considerations
These concerns are not implemented in the prototype:
- NAT
- DHCP
- TCP Wrappers
- Attacks on the Active Mapper
Slide 28
NAT (Network Address Translator)
Problems: the NIDS can't see private addresses if NAT is running inside the monitored site, and it is also difficult to detect whether NAT is being used.
Solution: map each port as though it belonged to a separate machine.
Slide 29
DHCP
Problems: the DHCP server leases out addresses when clients request them, and leases expire periodically. If integration with the DHCP server is not possible, determining which machine (MAC address) currently holds an address is nontrivial.
Solution: the mapper could be triggered upon seeing DHCP requests.
Slide 30
TCP Wrappers
Problems: some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an access control list.
Solution: the mapper must be granted access in that list.
Slide 31
Attacks on the Active Mapper
Problems: an attacker may try to attack the mapping machine. There is greater concern for direct internal attacks.
Solution: deny all outside requests to the mapper; allow access only from administrative machines.
Slide 32
Prototype Implementation
Implemented in about 2,000 lines of Perl; ported to Unix and FreeBSD. It requires TCP/IP firewall capability (so that the mapping host's own stack does not answer the probe replies). The Bro NIDS was modified to use the Active Mapping profile; a few hundred lines of C++ were needed.
Slide 33
Testing and Results
Observed Active Mapping Profiles
Out of 4,800+ hosts, 173 gave inconsistent results. Of these, 29 were printers or routers, most running unknown operating systems; 36 of the 173 hosts had incomplete trials; only 10 machines yielded genuinely conflicting results.
Slide 34
Stability of Results
This test checks whether the profiles stayed consistent 5 months later.
In the first mapping, 4882 hosts provided nontrivial, consistent results; in the second mapping, 4733 hosts did.
1122 hosts were in the first set but not the second; 880 of those were in DHCP blocks.
973 hosts were in the second set but not in the first; 669 of those were in DHCP blocks.
Slide 35 (figure only; no transcript text)
Slide 36
Mapping Time
- Mapping a single host requires 37 seconds
- Mapping 16 hosts took 10.1 seconds/host
- Mapping 64 hosts took 5.7 seconds/host
- Mapping 101 hosts took 5.3 seconds/host
- About 5 seconds/host for large-scale mapping: 7 hours for a subnet with 4800 hosts
Slide 37
Mapping Traffic
Slide 38
NIDS Integration Tests
These tests check that AM does produce the correct interpretation.
First, a synthetic test with ambiguous traffic. Second, a comparison of the original and the AM-modified NIDS on real-world traces.
Slide 39
Synthetic Tests
HTTP attack traffic was generated to 8 hosts, with evasion measures added using 'fragroute'.
Slide 40
NIDS Performance
Two traces of 500 connections each to the 8 hosts were used.
In the first, no connection was modified by fragroute.
In the second, connections to 2 of the machines were modified by fragroute, and AM was enabled. The NIDS was actually 15% faster, since it could discard data that the mapped hosts would not accept.
Slide 41
Real World Tests
Two tests were performed. The first used non-HTTP traffic gathered during 1 hour at a busy site (100.2 MB of data, 1.2M packets, 273K connections).
The second used 2 hours of HTTP traffic (137 MB, 197K packets, 6379 connections).
In both tests the AM-modified NIDS produced the same results as the original. Execution times were the same; memory usage was about 200 KB higher with AM.
Slide 42
When To Scan?
Daily scan: a full class C subnet can be scanned in about 20 minutes (at roughly 5 seconds per host). What happens with a large network?
Remapping can be triggered by any inconsistency between the stored profile and an observed behaviour.
On-the-fly mapping is not possible, since many tests take seconds.
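An added example (not from the paper or the slides) of the inconsistency trigger: a passive check that compares a host's stored profile with the TTL the NIDS sees on the host's own packets, and reports why the host should be re-mapped. It assumes the host uses one of the common initial TTLs (32, 64, 128 or 255), that the path between host and NIDS is shorter than the gap between those defaults, and that the mapper's hop count was measured from the NIDS's vantage point over a symmetric path; the profile fields, the host address and the observed TTL values are all constructed.

```python
# Added example: passive profile-consistency check used to trigger re-mapping.
# Not the paper's code; assumptions are noted in the comments.
from dataclasses import dataclass
from typing import List, Tuple

# Initial TTLs used by common stacks (assumption: the host uses one of them).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Profile:
    """Subset of a mapping profile kept by the NIDS (fields are illustrative)."""
    host: str
    hops: int          # router hops between the NIDS and the host, from mapping
    initial_ttl: int   # TTL the host's stack starts with, from mapping


def infer_ttl(observed_ttl: int) -> Tuple[int, int]:
    """Guess (initial TTL, hops travelled) from the TTL on a packet *from* the host.

    Picks the smallest common default not below the observed value, which is
    right only if fewer hops were traversed than the gap between defaults.
    """
    if observed_ttl < 1:
        raise ValueError("a delivered packet cannot carry TTL 0")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds every known default")


def remap_reasons(profile: Profile, observed_ttls: List[int]) -> List[str]:
    """Inconsistencies between the stored profile and passively seen TTLs.

    A changed initial TTL suggests a different stack behind the address (new OS,
    or a new machine after a DHCP lease change); a changed hop count suggests a
    routing change or a machine in a different location. Either invalidates
    the rest of the profile (fragment policy, RST handling, ...), so re-map.
    """
    reasons = set()
    for ttl in observed_ttls:
        initial, hops = infer_ttl(ttl)
        if initial != profile.initial_ttl:
            reasons.add(f"{profile.host}: initial TTL {profile.initial_ttl} -> {initial}: "
                        "stack probably changed")
        elif hops != profile.hops:
            reasons.add(f"{profile.host}: hop count {profile.hops} -> {hops}: "
                        "path or host changed")
    return sorted(reasons)


def should_remap(profile: Profile, observed_ttls: List[int]) -> bool:
    return bool(remap_reasons(profile, observed_ttls))


# Constructed sample: the mapper recorded a 64-style stack 5 hops away.
STORED = Profile(host="10.0.3.7", hops=5, initial_ttl=64)

if __name__ == "__main__":
    for sample in ([59, 59], [59, 123], [57]):
        print(sample, remap_reasons(STORED, sample) or "consistent")
```

The check is deliberately conservative: it only reports what the TTL alone can support, and it cannot detect a new stack that happens to share the old one's default TTL, so the daily scan stays in place and this trigger merely pulls a host forward in the queue.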
Slide 43
Conclusion
Active Mapping can reduce the ambiguity of NIDS interpretation.
It is better than normalization, since it does not alter the traffic.
There are still many limitations and considerations, so it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity-free NIDS.