What is NIDS?


Active Mapping: Resisting NIDS Evasion Without Altering Traffic
Written by Umesh Shankar, University of California at Berkeley
Presented by Pei Pei and Yan Guo, University of South Carolina
Outline
- Network Intrusion Detection System (NIDS)
- Active Mapping NIDS Implementation
- Active Mapping Limitation
- Test results
- Conclusion
What is NIDS?
[Figure: internal network behind a firewall, with an IPS inline and a NIDS tapping the link]
- A NIDS passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers.
- A NIDS is essentially a glorified packet sniffer that matches traffic patterns to pre-defined signatures.
IDS
- IDS are now standard equipment for large networks, second only to firewalls.
- HIDS: $50~$1000 per host
- NIDS: $10,000~$30,000
- Estimated IDS revenue of $443.5 million for 2002, compared to $350 million in 2001.
IDS classification
[Figure: IDS classification tree, from http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html]
- Intrusion detection approach: anomaly detection, signature detection
- Protected system: HIDS, NIDS, hybrids
- Data source: audit trail, network packets, system state analysis (kernel, services, files)
- System structure: centralised system, distributed system (agent system)
- Behaviour after an attack: active IDS, passive IDS
- Analysis timing: on-the-fly processing, interval-based IDS
Typical NIDS
- Cisco Secure IDS (formerly NetRanger)
- Hogwash
- Dragon
- E-Trust IDS
NIDS Pros and Cons
Pros
- Monitors a large amount of network traffic
- Versatile: detects DoS, “ping of death”, and all the traffic to a target host
- Dropping a packet does not affect the network connection
Cons
- A high volume of traffic forces the NIDS to drop packets
- False negatives and false positives
- Can’t detect attacks that enter through back doors of the network
- Unable to look at encrypted packets (VPN, SSH)
False Detections
- False positive
- False negative
[Figure: detection outcomes labelled correct alert, false positive and false negative]
Ambiguity of NIDS
- The NIDS needs to simulate exactly how the network will react to the traffic.
- Without information about the construction of the local network, there is ambiguity.
- Example: “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by T. H. Ptacek and T. N. Newsham
Attacks by Ambiguity
[Figure: hosts reached over paths of 15, 5 and 20 hops; which of them a packet reaches depends on its hop count]
Attempts to Eliminate Ambiguity
- Traffic normalizer
- Drawbacks:
  1. performance
  2. reliability issues with resource exhaustion
  3. changing the semantics of the stream (e.g. traceroute, path MTU discovery)
Aim of Active Mapping
- Aim:
  1. to tell which packets will reach the recipient
  2. to predict how the recipient will interpret the packet
- Active Mapping makes the NIDS context-sensitive
Active Mapping Design Goals
- Comparable runtime performance
- Mapping should be lightweight
- Avoid harming the hosts
Active Mapping Mechanism
What Active Mapping Checks
- Hop count
- MTU (Maximum Transmission Unit)
- TCP RST acceptance
- Overlapping and inconsistent IP fragments (reassembly differs by policy)
“Hop Count” Definition
1. In a data communications network, the number of legs traversed by a packet between its source and destination. Note: hop count may be used to determine the Time-To-Live for some packets.
2. The number of signal regenerating devices (such as repeaters, bridges, routers, and gateways) through which data must pass to reach their destination.
“MTU” Definition
The Maximum Transmission Unit (MTU) is the largest size of IP datagram which may be transferred using a specific data link connection. The MTU value is a design parameter of a LAN and is a mutually agreed value (i.e. both ends of a link agree to use the same specific value) for most WAN links. The size of the MTU may vary greatly between different links (e.g. typically from 128 B up to 10 kB).
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/mtu.html
TCP RST Acceptance
[Figure: packets relative to the receiver’s window]
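How a NIDS applies a per-host profile for two of the checks listed above, hop count and TCP RST acceptance, as an added Python example; it is not code from the slides or from the Active Mapping prototype. The profile fields, the packet layout and the packet trace are constructed. It assumes hop count is recorded as the number of router hops between the NIDS tap and the host, and that the mapper recorded whether the host accepts a RST anywhere in its receive window or only at the exact next expected sequence number. The same trace is interpreted twice: once with the mapped profile and once the way a NIDS with no profile has to guess.

```python
"""Applying an Active Mapping profile: hop count and TCP RST acceptance (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class HostProfile:
    """Facts the mapper recorded for one host (constructed values)."""
    hops: int             # assumption: router hops between the NIDS tap and the host
    rst_in_window: bool   # True: any in-window RST is accepted; False: only a RST at rcv_nxt


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as the NIDS sees it on the monitored link (constructed)."""
    ttl: int
    payload: bytes = b""
    rst: bool = False
    seq: int = 0          # sequence number; only used for the RST case here


def reaches_host(ttl: int, profile: HostProfile) -> bool:
    """Each router decrements TTL and discards at zero, so the packet survives
    profile.hops routers only if the TTL the NIDS saw exceeds that count."""
    return ttl > profile.hops


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """rcv_nxt <= seq < rcv_nxt + rcv_wnd, evaluated modulo 2^32 so wraparound is handled."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_accepted(rst_seq: int, rcv_nxt: int, rcv_wnd: int, profile: HostProfile) -> bool:
    """Would this host tear its connection down on a RST with this sequence number?"""
    if profile.rst_in_window:
        return seq_in_window(rst_seq, rcv_nxt, rcv_wnd)
    return rst_seq == rcv_nxt


def host_view(packets: List[Packet], profile: HostProfile,
              rcv_nxt: int, rcv_wnd: int) -> Tuple[bytes, bool]:
    """Return (bytes the host itself will see, whether it accepted a RST).
    Packets that cannot reach the host are dropped from the NIDS' view; a RST ends
    the stream only if this host's policy accepts it."""
    data = b""
    for p in packets:
        if not reaches_host(p.ttl, profile):
            continue
        if p.rst:
            if rst_accepted(p.seq, rcv_nxt, rcv_wnd, profile):
                return data, True
            continue
        data += p.payload
    return data, False


# Constructed trace: one request split over several packets, with a short-TTL packet
# and an in-window (but not exact) RST mixed in. The mapped host is 5 hops past the
# NIDS and only honours a RST at rcv_nxt.
RCV_NXT, RCV_WND = 1000, 8192
MAPPED = HostProfile(hops=5, rst_in_window=False)
# A NIDS without a profile must assume every packet reaches the host and that the
# in-window RST rule applies; modelled here as a zero-hop, in-window profile.
UNMAPPED = HostProfile(hops=0, rst_in_window=True)
TRACE = [
    Packet(ttl=64, payload=b"GET /index"),
    Packet(ttl=3, payload=b"XXXX"),                 # expires before reaching the host
    Packet(ttl=64, rst=True, seq=RCV_NXT + 10),     # in window, not at rcv_nxt
    Packet(ttl=64, payload=b".html HTTP/1.0\r\n"),
]


def with_profile() -> Tuple[bytes, bool]:
    return host_view(TRACE, MAPPED, RCV_NXT, RCV_WND)


def without_profile() -> Tuple[bytes, bool]:
    return host_view(TRACE, UNMAPPED, RCV_NXT, RCV_WND)


if __name__ == "__main__":
    print("mapped  :", with_profile())      # (b'GET /index.html HTTP/1.0\r\n', False)
    print("unmapped:", without_profile())   # (b'GET /indexXXXX', True)
```

Without the profile the NIDS both keeps bytes the host never receives and closes its connection state on a RST the host ignores, so the rest of the request goes unanalysed; with the profile its view matches the host's.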
Overlapping and Inconsistent Fragments
- Reassembly policies: BSD, BSD-right, Linux, First, Last/RFC791, etc.
- e.g. BSD left-trims a new fragment where it overlaps data already received, so the first fragment to arrive keeps those bytes
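A policy-parameterised fragment reassembler showing that one fragment train yields a different datagram under each of the policies named above; this is an added Python example, not code from the slides or from the Active Mapping prototype. The fragment train is constructed, offsets are in bytes rather than the 8-byte units real IP fragments use, and the datagram is assumed to have no holes. The policy rules encode the conventional descriptions: First, the earliest fragment keeps a byte; Last, the latest does; BSD, the earlier fragment keeps it when its offset is less than or equal to the newcomer's; BSD-right, the mirror image; Linux, the earlier fragment keeps it only when its offset is strictly smaller.

```python
"""Overlapping IP fragment reassembly under different host policies (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset within the datagram (real fragments use 8-byte units)
    data: bytes


# keep(existing_offset, new_offset) -> True when the fragment already holding a byte keeps it.
# Comparing fragment offsets is what separates the policies: BSD left-trims a new fragment
# wherever an earlier fragment whose offset is <= its own already covers the bytes.
POLICIES: Dict[str, Callable[[int, int], bool]] = {
    "First":     lambda old, new: True,        # first fragment to arrive keeps the byte
    "Last":      lambda old, new: False,       # latest fragment keeps it (RFC 791 example)
    "BSD":       lambda old, new: old <= new,  # earlier keeps it unless newcomer starts further left
    "BSD-right": lambda old, new: old > new,   # mirror image of BSD
    "Linux":     lambda old, new: old < new,   # earlier keeps it only when strictly to the left
}


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Process fragments in arrival order, resolving each overlapping byte with the policy."""
    keep = POLICIES[policy]
    owner: Dict[int, int] = {}   # byte position -> offset of the fragment currently owning it
    buf: Dict[int, int] = {}     # byte position -> byte value
    for frag in fragments:
        for i, b in enumerate(frag.data):
            pos = frag.offset + i
            if pos in owner and keep(owner[pos], frag.offset):
                continue
            owner[pos] = frag.offset
            buf[pos] = b
    # assumption: no holes; a real reassembler would wait for the missing bytes
    return bytes(buf[p] for p in sorted(buf))


def interpretations(fragments: List[Fragment]) -> Dict[str, bytes]:
    """What each kind of host would reassemble from the same wire traffic. A NIDS with a
    per-host profile commits to exactly one of these instead of guessing."""
    return {name: reassemble(fragments, name) for name in POLICIES}


# Constructed fragment train in arrival order; every policy yields a different datagram.
SAMPLE = [
    Fragment(2, b"222"),   # bytes 2-4
    Fragment(0, b"111"),   # bytes 0-2, overlaps byte 2 from the left
    Fragment(1, b"33"),    # bytes 1-2, overlaps both earlier fragments
    Fragment(0, b"55"),    # bytes 0-1, same offset as the second fragment
]


if __name__ == "__main__":
    for name, datagram in interpretations(SAMPLE).items():
        print(f"{name:10s} {datagram.decode()}")
```

The equal-offset fragment at the end is what separates BSD from Linux, and the late fragment that starts further left than an earlier one is what separates BSD from First; a mapper needs probes of both shapes to tell the five policies apart.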
Limitation and Weakness
- Active Mapping assumes that all hosts behave in a consistent and predictable way.
- There are at least 3 sources of nondeterminism that can be difficult to simulate precisely in a NIDS:
  - Application-level parameters
  - New semantics
  - Nondeterministic packet drops

Application Level Parameters
- Users can change certain parameters that affect the TCP/IP stack. The parameter data could be delivered as a signal or inline.
- Example: the TCP “Urgent” pointer, which marks part of the sequence as important, to be processed without delay.
New Semantics
- The NIDS must understand the semantics of a stream in order to interpret it correctly.
- Unknown TCP options can be ignored.
- The best a NIDS can do is to be updated regularly.
Nondeterministic Packet Drops
- Two ways packet drops can happen:
  - when routers get saturated or hosts are under heavy traffic
  - Quality of Service guarantees
Timeout
- The NIDS must know when a host will time out an IP fragment or TCP segment.
- An attacker can later retransmit the fragment or segment with different data.
- The NIDS will not know which one was accepted, even if it knows which one the host would accept when both are present.
- It is difficult to obtain precise timeout values with active mapping.
Dealing with packet drops
- Partial reconstruction of host state:
  - if an acknowledgement of a TCP segment, or a response to a UDP or ICMP request, is observed,
  - then the request is treated as accepted, using only the packets that preceded the response;
  - if there is no response, then the packets are treated as dropped.

Continued
- If the NIDS can send a “keep alive” packet (out of sequence) in real time, it can elicit an ACK that shows the current sequence number.
- The NIDS can get timeout information from ICMP messages. Not all hosts send these, and they may leak information to attackers, so they need to be seen only by the NIDS. (Mapping?)
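The partial reconstruction described on the two preceding slides, as an added Python example (not the slides' or the prototype's code): segments seen on the wire stay unconfirmed until an ACK from the host, observed after them, covers their bytes, and anything never covered is treated as dropped. An ACK elicited by a keep-alive probe is handled exactly like any other ACK. The event trace is constructed; when two unconfirmed copies of the same byte arrive before an ACK, the first copy is kept, which is an assumption standing in for the host's real overlap policy.

```python
"""Partial reconstruction of host state from observed acknowledgements (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Segment:
    """A data segment the NIDS saw heading for the host (constructed)."""
    seq: int
    data: bytes


@dataclass(frozen=True)
class Ack:
    """An ACK from the host: all bytes below `ack` were accepted. Covers an ACK
    elicited by a keep-alive probe as well as an ordinary one."""
    ack: int


Event = Union[Segment, Ack]


def reconstruct(events: List[Event], isn: int) -> Tuple[bytes, bytes]:
    """Return (bytes the host demonstrably accepted, bytes seen but never acknowledged).
    Only segments observed before an ACK can have caused it, so confirmation is done
    when the ACK is processed, against the segments pending at that moment."""
    accepted: Dict[int, int] = {}   # position -> byte confirmed by a later ACK
    pending: Dict[int, int] = {}    # position -> byte seen on the wire, not yet confirmed
    for ev in events:
        if isinstance(ev, Segment):
            for i, b in enumerate(ev.data):
                pos = ev.seq + i
                if pos in accepted or pos in pending:
                    continue   # assumption: first copy seen is kept (host overlap policy would go here)
                pending[pos] = b
        else:
            for pos in [p for p in pending if p < ev.ack]:
                accepted[pos] = pending.pop(pos)
    # The host can only have acknowledged a contiguous prefix from the initial sequence number.
    prefix = bytearray()
    pos = isn
    while pos in accepted:
        prefix.append(accepted[pos])
        pos += 1
    dropped = bytes(pending[p] for p in sorted(pending))
    return bytes(prefix), dropped


# Constructed trace: two segments acknowledged together, one acknowledged after a
# keep-alive style ACK, a stale re-send of bytes the host already accepted, and a final
# segment that is never acknowledged (treated as dropped).
ISN = 0
TRACE: List[Event] = [
    Segment(0, b"GET "),
    Segment(4, b"/ad"),
    Ack(7),
    Segment(7, b"min"),
    Ack(10),
    Segment(7, b"xyz"),       # covers bytes already accepted: ignored
    Segment(10, b" HTTP"),    # no ACK ever follows
]


def demo() -> Tuple[bytes, bytes]:
    return reconstruct(TRACE, ISN)


if __name__ == "__main__":
    acc, unk = demo()
    print("accepted:", acc)   # b'GET /admin'
    print("dropped :", unk)   # b' HTTP'
```

The timeout problem on the earlier slide is visible in this model: if the host times out a pending segment and the attacker re-sends different data before the ACK, both copies are pending and the ACK confirms whichever the reconstruction chose, so the NIDS still cannot tell which version the host kept.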
Practical Consideration
These concerns are not handled in the prototype:
- NAT
- DHCP
- TCP Wrappers
- Attacks on the Active Mapper
NAT - Network Address Translator
- Problem: the NIDS can’t see private addresses if NAT is running inside the monitored site. It is also difficult to detect whether NAT is being used.
- Solution: each port could be mapped as though it belonged to a separate machine.
DHCP
- Problem: the DHCP server leases out addresses when clients request them, and leases expire periodically. If integration with the DHCP server is not possible, determining the MAC is nontrivial.
- Solution: the mapper could be triggered upon seeing DHCP requests.
TCP Wrappers
- Problem: some hosts use TCP Wrappers to restrict access to services to a set of hosts determined by an Access Control List.
- Solution: the mapper must have access.
Attacks on the Active Mapper
- Problem: an attacker may try to attack the mapping machine. There is greater concern for direct internal attacks.
- Solution: deny all outside requests to the mapper; allow only the administrative machines to have access.
Prototype Implementation
- Implemented in about 2,000 lines of Perl.
- Ported to Unix and FreeBSD.
- It requires TCP/IP firewall capability.
- The Bro NIDS was modified to use Active Mapping profiles; a few hundred lines of C++ were needed.
Testing and Results
Observed Active Mapping Profiles
- Out of 4,800+ hosts, 173 gave inconsistent results. 29 of them are printers or routers; most of the 29 run unknown operating systems. 36 of the 173 hosts had incomplete trials. Only 10 machines yielded conflicting results.
Stability of Results
- This test checks whether the profiles stayed consistent 5 months later.
- In the first mapping, 4882 hosts provided nontrivial, consistent results.
- In the second mapping, 4733 hosts did.
- 1122 were in the first set but not the second; of those, 880 were in DHCP blocks.
- 973 were in the second set but not the first; 669 were in DHCP blocks.
Mapping Time
- Mapping a single host requires 37 sec
- Mapping 16 hosts took 10.1 seconds/host
- Mapping 64 hosts took 5.7 seconds/host
- Mapping 101 hosts took 5.3 seconds/host
- 5 seconds/host for large scale mapping
- 7 hours for a subnet with 4800 hosts
Mapping Traffic
NIDS Integration Tests
- This tests that AM will indeed produce correct interpretations.
- First, a synthetic test with ambiguous traffic.
- Second, a comparison of the original and AM-modified NIDS on real-world traces.
Synthetic Tests
- HTTP attack traffic was generated to 8 hosts, with evasion measures added using ‘fragroute’.
NIDS’ Performance
- Two traces of 500 connections to the 8 hosts were used.
- In the first, no connection was modified by fragroute.
- In the second, connections to 2 of the machines were modified by fragroute, and AM was enabled. The NIDS was actually 15% faster, since it can discard data.
Real World Tests
- Two tests were performed.
- The first was of non-HTTP traffic gathered during 1 hour at a busy site (100.2M data, 1.2M packets, 273K connections).
- The second was 2 hours of HTTP traffic (137MB, 197k packets, 6379 connections).
- Both tests yielded the same result. Execution times were the same; memory usage was 200k higher with AM.
When To Scan?
- Daily scan: a full class C subnet can be scanned in about 20 min. What happens with a large network?
- Remapping can be triggered by any inconsistency between the stored policy and an observed one.
- On-the-fly mapping is not possible, since many tests take seconds.
Conclusion
- Active Mapping can reduce the ambiguity of NIDS interpretation.
- It is better than normalization.
- There are still many limitations and considerations; it is still hard to make it a robust commercial product, but it is surely a positive step toward building an ambiguity-free NIDS.