Extensible Architectures for Passive and Active Protocol Interposition
Farnam Jahanian
Department of EECS
University of Michigan
http://www.eecs.umich.edu/~farnam
(joint work with G.R. Malan, P. Howell, and D. Watson)
Roadmap
Motivation
Windmill extensible probe
Protocol scrubbers
Summary
Context (diagram): a Survivable Network Infrastructure built from Coarse and Fine Grained Measurement Tools (Windmill Probes), Analysis Engines (Netflow Statistics, Event Aggregation, Data Mining) and Active Response Capabilities (Replication schemes, Countermeasures, Protocol Scrubbers). These observe Anomalous Network Events (Network Attacks, Operational Faults, S/H Failures) and protect the Network Infrastructure (Routers, Name Servers, Critical Services).
Protocol Interposition Tools
Windmill Measurement Probe:
– Passive measurement mechanism for on-line reconstruction of functional and performance behavior of infrastructure and application-level protocols from low-level network traffic
– Programmable and extensible
Protocol Scrubbers:
– New class of active interposition mechanisms for on-line monitoring and enforcement of network security policies
– Transparent protection of networking infrastructure such as routers and switches
Windmill Overview
An open-architecture programmable tool for passive measurement
Infer performance & functional behavior through eavesdropping & on-line state reconstruction
How does it work?
High-speed Packet Filter: extracts the underlying data flows at a network vantage point
Abstract Protocol Modules: reconstruct higher-level protocols (BGP, RIP, HTTP) from network traffic in real time
Experiment Engine: supports dynamically loadable run-time experiments
Windmill Architecture (diagram): packet flows enter the Windmill Packet Filter; a Packet Dispatcher hands them to the Abstract Protocol Modules (IP, UDP, TCP, RIP, BGP, HTTP, ...), and the Experiment Engine runs experiments (Exp1, Exp2) on top of those modules.
Windmill's Features
Measure overloaded, shrink-wrapped system
Correlate events from different layers
Feedback mechanism for active measurements
Data reduction at the measurement point
Support for 24x7 measurement
Dynamically add/remove concurrent experiments
Windmill Packet Filter (WPF)
Allows one-to-many multiplexing
Avoids problems with ambiguous filters
Dynamically compiled machine language module:
– constructs an intermediate DAG representation of the subscriptions
– compiles this graph to a native machine language module
– installs this module in the probe machine's kernel
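As an added illustration (not Windmill's own code), a simplified model of the one-to-many dispatch the WPF performs: each experiment's subscription is a conjunction of header-field tests, all subscriptions are merged into one shared decision graph, and a single walk per packet yields every experiment that should receive it. The field names, experiments and packets are constructed for the example.

```python
# Hypothetical model of WPF subscription dispatch (not the real Windmill code).
# A subscription is a conjunction of header-field tests; a missing field means
# "any value". Subscriptions are merged into one decision graph so each packet
# is classified in a single walk and delivered to every matching experiment
# (one-to-many), instead of once per filter with copies or ordering ambiguities.
FIELDS = ("proto", "dport")       # fixed test order for the graph levels
LEAF = "__experiments__"          # key holding subscriber names at a leaf

def build_graph(subscriptions):
    """Merge {experiment: {field: value}} into a shared decision graph.
    Subscriptions that agree on a prefix of tests share those nodes."""
    root = {}
    for name, tests in subscriptions.items():
        node = root
        for field in FIELDS:
            node = node.setdefault(tests.get(field), {})  # None = wildcard edge
        node.setdefault(LEAF, []).append(name)
    return root

def compile_graph(graph):
    """Turn the graph into a dispatch function (Windmill compiles to native
    machine code loaded into the kernel; a closure stands in for that here)."""
    def dispatch(packet):
        frontier = [graph]
        for field in FIELDS:
            value = packet[field]
            frontier = [node[key] for node in frontier
                        for key in (value, None) if key in node]
        return sorted(name for leaf in frontier for name in leaf.get(LEAF, []))
    return dispatch

# Constructed subscriptions: protocol-specific experiments plus one that wants
# every TCP packet, so a BGP packet must reach two experiments at once.
SUBSCRIPTIONS = {
    "bgp_session":  {"proto": "tcp", "dport": 179},
    "http_latency": {"proto": "tcp", "dport": 80},
    "rip_updates":  {"proto": "udp", "dport": 520},
    "tcp_stats":    {"proto": "tcp"},
}

def classify(packets, subscriptions=SUBSCRIPTIONS):
    """Return, for each constructed packet, the experiments that receive it."""
    dispatch = compile_graph(build_graph(subscriptions))
    return [dispatch(p) for p in packets]

if __name__ == "__main__":
    sample = [{"proto": "tcp", "dport": 179}, {"proto": "udp", "dport": 520},
              {"proto": "tcp", "dport": 22}, {"proto": "icmp", "dport": 0}]
    for pkt, targets in zip(sample, classify(sample)):
        print(pkt, "->", targets)
```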
Abstract Protocol Modules
Used to reconstruct target protocol
Inverts protocol stack, drills down
Doesn't run the whole stack on each packet
"Opens the Hood" on underlying protocols
Each module exports its protocol abstraction
Semantics taken from BSD stack
Extensible Experiment Engine
Manages the set of concurrent experiments
Add
Remove
Execute
Modify State
Provides interface for storage and dissemination
Custom loader dynamically links experiments as they are loaded.
Broad Range of Studies Conducted using Windmill
BGP routing protocol congestion collapse - SIGCOMM’98
RIP intra-domain routing protocol - OPENSIG’99
Overloaded web servers (Microsoft vs. Netscape)
Campus network traffic characterization - OPENSIG’99
Detection of NMAP scans - UM tech report
Space science collaboratory application - SIGCOMM’98
Border Gateway Protocol (BGP)
(diagram: Autonomous Systems such as MCI and Sprint peering at an exchange point)
Interdomain protocol between Autonomous Systems at exchange points
Routing peers exchange reachability information incrementally using TCP
SIGCOMM’97 paper identified major instability and pathological behavior in BGP routing
BGP Congestion Collapse Hypothesis Validated Using Windmill
(diagram: a feedback cycle) High bandwidth utilization; congestion causes the underlying TCP to back off; BGP-level timers expire, causing session termination; BGP instability follows. The interaction between BGP and TCP leads to router congestion collapse.
Web Server Experiments
Demonstrates:
Measure overloaded, shrink-wrapped system
No modification of web servers / end hosts
Data reduction at the measurement point
Support for 24x7 measurement
Obtain "hard to get" metrics:
TCP connections dropped by server
HTTP connection establishment latency
Server's Aggregate bandwidth
Web Experimental Apparatus (diagram): four clients drive two web servers (Microsoft and Netscape) across a network segment on which Windmill passively observes the traffic.
Connections Attempted vs. Established (plot): connections established per second (0 to 800) against connection attempts per second (0 to 900), for Microsoft IIS 2.0 and Netscape ES 3.0.
Key Challenge
Coarse-grained network flow measurement: is becoming more common in enterprise routers & switches from vendors
Fine-grained measurement technologies: provide packet traces and enable protocol state reconstruction (e.g., packet sniffers, Windmill)
Integration of two technologies has numerous
applications in enterprise-wide networks:
– Traffic characterization
– Cache & replica placement
– Denial of service & anomaly detection
– Backtracing intrusion attacks
Protocol Scrubbers
A transparent interposition mechanism for on-line modification of traffic to comply with network security policies
Enables protection of critical network infrastructure such as routers, switches and enterprise servers
Ability to remove attacks targeted at distinct layers in the protocol stack
Placed in front of critical infrastructure or eventually built into routers and switches
Applications of Protocol Scrubbers
Intrusion Detection
Firewalls & attack removal
Anti-fingerprinting Tools
Content-based filtering
Load-balancing Proxies
...
(diagram) TCP/IP Scrubber: TCP, UDP, IP; Infrastructure Scrubber: BGP, RIP, DNS; Application-level Scrubber: HTTP, FTP
TCP/IP Protocol Scrubber
TCP/IP Protocol Scrubber Implementation:
– converts potentially ambiguous flows into homogenized well-behaved flows
– maintains a very small amount of state per flow … lighter than a full transport proxy
– eliminates insertion and evasion attacks
FreeBSD implementation on Pentium. Next on Linux!
Performance comparable to IP forwarding and much better than a commercial transport-level proxy
Example Domain: Network Intrusion Detection
Network ID systems watch traffic
Look for malicious use and attacks
Doesn’t modify the flow
Notifies the security administrator upon detection
Attackers counter with crud
Ambiguities in Protocol Implementation
Examples from [Ptacek and Newsham ‘98]:
– IP TTL attack
– Packet too large for link without fragmenting
– DST configured to drop source routed packets
– DST may timeout fragments differently
– DST may reassemble fragments differently
– DST doesn’t accept packets with certain options
– DST may use PAWS and silently discard packets
– DST may resolve conflicting segments differently
– DST may not check seqno on RST packets
Example Attack
Byte offsets (ruler):         012345678
Packet 1:                     ?ood url.    (? marks offset 0, which Packet 1 does not carry)
NIDS Reconstruction:          ?ood url
End Host Reconstruction:      ?ood url
Packet 2 (overlaps Packet 1): go blue!!
NIDS Reconstruction:          good url.    (fills the hole at offset 0 from Packet 2, keeps the bytes already seen)
End Host Reconstruction:      the new data go blue!! overlays ?ood url.
TCP/IP Scrubber: Use (diagram): External Host (Untrusted), Scrubber or Transport Proxy, Internal Host (Trusted)
How the TCP Scrubber Solves the Previous Example
Byte offsets (ruler):             012345678
Packet 1-U (from untrusted side): ?ood url.
Packet 2-U (from untrusted side): go blue!!
Scrubber Reconstruction:          ?ood url, then good url. (hole at offset 0 filled from Packet 2, bytes already forwarded kept)
Packet 2-T (sent to trusted side): good url.
NIDS Reconstruction:              good url.
End Host Reconstruction:          good url.
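The slide's example as an added, runnable model (not the FreeBSD scrubber's code): two TCP reassembly policies disagree on the untrusted packets, and a per-flow scrubber that remembers the bytes it has already forwarded and rewrites later overlaps to match them makes every downstream policy see the same stream. The segment representation and the policy switch are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # offset of the first byte within the stream (ruler 012345678)
    data: bytes

def reassemble(segments, favor_new):
    """Model of one endpoint's reassembly policy. Some stacks keep the byte
    they received first for an overlapping offset, others take the newest."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if favor_new or offset not in stream:
                stream[offset] = byte
    return bytes(stream[off] for off in sorted(stream))

class TcpScrubber:
    """Per-flow normalizer between the untrusted and trusted sides. It records
    every byte it forwards and rewrites later overlapping bytes to the value
    already forwarded, so the trusted side never sees two values for one offset."""
    def __init__(self):
        self.forwarded = {}

    def scrub(self, seg):
        out = bytearray(seg.data)
        for i in range(len(out)):
            offset = seg.seq + i
            if offset in self.forwarded:
                out[i] = self.forwarded[offset]   # overlap: keep first-seen byte
            else:
                self.forwarded[offset] = out[i]   # new data: remember and pass
        return Segment(seg.seq, bytes(out))

# Constructed untrusted-side packets from the slide: Packet 1 carries offsets
# 1..8 ("?" at offset 0 means that byte is missing), Packet 2 carries offsets 0..8.
UNTRUSTED = [Segment(1, b"ood url."), Segment(0, b"go blue!!")]

def views(segments):
    """Stream as seen by a first-data and by a newest-data reassembler."""
    return reassemble(segments, False), reassemble(segments, True)

def scrubbed(segments):
    """Packets as rewritten for the trusted side (Packet 1-U, then Packet 2-T)."""
    scrubber = TcpScrubber()
    return [scrubber.scrub(seg) for seg in segments]

if __name__ == "__main__":
    print("without scrubber:", views(UNTRUSTED))           # NIDS and host differ
    print("with scrubber:   ", views(scrubbed(UNTRUSTED)))  # both: good url.
```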
TCP/IP Scrubber: Micro-benchmarks
How does the scrubber affect throughput?
– Measured at the TCP level using netperf
  IP Forwarding   83.84 Mbps
  Scrubbing       82.87 Mbps
  Plug Proxy      82.71 Mbps
How does the scrubber affect forwarding latency in the kernel?
– Measured using the Pentium on-chip cycle counter
  Forwarding Type    Mean (µs)   Std Dev
  IP Forwarding       8.00        2.91
  Scrub (1 byte)     13.19        3.38
  Scrub (> 1000)     31.85        5.72
TCP/IP Scrubber: Macro-benchmarks
Macro-benchmarks (answer two questions):
How much overhead does the scrubber add?
– Increase the number of clients and see how many connections per second we can sustain
Does the scrubber treat well-behaved flows adversely?
– Inject a range of artificial loss into flows to determine gross differences between IP forwarding and scrubbing
TCP/IP Scrubber: Sustainable Connections With No Loss (plot): requests serviced per second (0 to 2500) against number of concurrent connections (0 to 400), for IP Forwarding, TCP/IP Scrubbing and a user space proxy.
TCP/IP Scrubber: Sustainable Connections With Artificial Loss (plot): requests serviced per second (0 to 2500) against packet loss percentage (0 to 10), for Transport Scrubbing and IP Forwarding.
Infrastructure Protocol Scrubbing
a lightweight transparent mechanism for preventing network attacks
scrubber can masquerade as a set of network services
allows protection of infrastructure level protocols (such as OSPF and BGP)
enabled through a single modification to the socket API; no modification of client or server code
(diagram: Client, Scrubber, Set of Servers)
Final Remarks
Passive vs. active protocol interposition
Coarse-grained vs. fine-grained measurement
Open architectures and programmability
Future work