Intrusion Detection Issues
Presented by
Deepa Srinivasan
CSE581, Winter 2002, OGI
Papers on this topic
• Insertion, Evasion and Denial of Service: Eluding
Network Intrusion Detection (Jan ‘98)
• Network Intrusion Detection: Evasion, Traffic
Normalization and End-End semantics (‘01)
• IP Fragmentation and fragrouter (Dec ‘00)
• An Achilles’ Heel in Signature-based IDS:
Squealing False Positives in SNORT (‘01)
Agenda
• Introduction to IDS
– Some popular IDSs
• Problems with IDSs
• Normalizer
• IP Fragmentation & fragrouter
• “Squealing” in SNORT
Introduction to IDS
• Intrusion attempt or a threat: potential
possibility of a deliberate unauthorized attempt
to access/manipulate information, or render a
system unreliable or unusable.
• Types of IDS
– Host-based
– Network IDS
• Example IDSs
– ISS RealSecure, WheelGroup NetRanger, Network
Flight Recorder, Snort
Principles of IDSs
Common Intrusion Detection Framework
– Event generators
– Analysis Engines
– Storage Mechanisms
– Countermeasures
Principles of IDSs
• Passive monitoring
• Signature Analysis
• Need for reliable ID
– accuracy: false positives and false negatives
– “fail-open”: if an attacker disables the IDS, entire
network is still accessible
– forensic value of information
Fundamental problems of IDSs
• Deployed on a different box
• Could be on a different network segment
• Protocol implementation ambiguities
– different protocol stacks have different
behavior
• NIDS could see a different stream of
packets than host
Fundamental problems of IDSs
• False positives
– incorrectly identify an intrusion when none
has occurred
• False negatives
– incorrectly fail to identify an intrusion that has
actually occurred
Attacks on IDSs
• Insertion
– IDS thinks packets are valid; end system
rejects these
• Evasion
– end system accepts packets that IDS rejects
• Denial of Service
– resource exhaustion
• Examples
Popular problems/attacks
• TCP/IP Options fields
• TCB Creation/Teardown
• TCP Stream Reassembly
• IP Fragmentation
– overlapping fragments
Specific attacks
• Invalid MAC addresses?
• Invalid headers
– Permissive in receiving, frugal in sending?
– Bad IP checksum will be dropped?
– IP options
• IP TTL ambiguity
– Packet received or not?
Specific attacks
• Packet size
– Packet too large for downstream link?
• Source-routed packets
– Will destination reject such packets?
• Fragment or TCP handshake time-out
– Will other parts of fragment/TCB still be at
destination?
• Overlapping segments
– Rewrite old data or not?
Specific attacks
• Weird TCP options
– Destination might be configured to drop
• Old TCP timestamps (PAWS)
– Destination might be configured to drop
• TCP RSTs with weird sequence numbers
– Is connection reset?
• Addition of interpreted characters (“^H”)
– How does OS interpret?
IP Fragmentation
• Allows IP traffic over different network media
with different max packet sizes
• IP stacks do not handle reassembly well
– can lead to DoS (teardrop, jolt2)
• Fragrouter
– NIDS testing tool
– accepts IP packets routed from another system
– fragments these packets according to various
schemes
Popular problems/attacks
• Resource Exhaustion
– CPU, Memory, Network Bandwidth
– CPU: Data-structure attack via fragments
– Memory: Space attack via fragments
– Network: Targeted DoS to disrupt TCP reassembly
• Abusing reactive IDS
– attack to generate false positives
– IDS shuts down valid connections, blocks valid traffic etc.
– Results in IDS triggering a DoS
Methodology
• Black-box testing
• PHF attack
– exploits a CGI script (phf) to gain access to web
servers
• Software Used
– CASL
– FreeBSD 2.2
– netcat
– tcpdump
Results
• RealSecure
– IP fragmentation reassembly: not handled
– TCP reassembly: problems with duplicate packets
– TCP SYN/RST: easily desynchronized
– Insertion attacks: vulnerable to all
• NetRanger (requires special hardware)
– IP fragmentation reassembly: not handled
– TCP reassembly: N/A
– TCP SYN/RST: N/A
– Insertion attacks: vulnerable to TCP checksum; handles IP checksum
• Session Wall3
– IP fragmentation reassembly: not handled
– TCP reassembly: accepted packets rejected by end system
– TCP SYN/RST: not easy to break
• NFR (network monitoring engine)
– IP fragmentation reassembly: handles IP fragmentation, fails at TCP stream
– TCP SYN/RST: desynchronizes on spurious SYN packets
– Insertion attacks: vulnerable to all
Discussion
Questions?
Network Intrusion Detection: Traffic Normalization & End-End
Protocol Semantics
"Transport and Application Protocol Scrubbing"
• Recap of previous paper
– IDSs are vulnerable to attacks
– fundamental problems:
• IDS sees different streams than target host
• protocol implementation ambiguities
Introduction
• Paper introduces concept of “normalizer”
• Approach & implementation
• Performance
Normalizer
Normalizer
• Sits directly in path of traffic into a site
• Patch up or normalize the packet stream
• Result: same traffic and unambiguous behavior
for NIDS and host
• Differs from a firewall
• Other approaches
– host-based IDS, details of intranet, bifurcating
analysis
Normalization Tradeoffs
• Protection
– not meant to but can act as a firewall
• Need to preserve End-End Semantics
• Impacts end-end performance
• Stateholding attack
– create more state than the normalizer can handle
• Inbound vs Outbound traffic
Other Considerations
• Cold Start
– is a “real world” requirement
– what happens to existing connections?
– Initiate state for connections from trusted network
• Attacking the normalizer itself
Systematic Approach
• Walk through packet headers of each protocol
• Identify what is the “correct” normalization
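Added example (not from the papers or the slides), in Python: a toy model of the "overlapping segments: rewrite old data or not?" question from the earlier slides, showing why two reassembly policies turn the same segments into different streams, and how a normalizer that makes the choice once, in the path, leaves the NIDS and the host with the same bytes. The Segment type, the first-seen-wins rule and the sample stream are constructed assumptions, not the normalizer's actual code.

```python
# Added example (not from the papers or the slides): a toy model of the
# overlapping-segment ambiguity and of the normalizer's fix. Offsets,
# policies and the sample stream below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int     # stream offset of the first byte (relative, not a real TCP seq)
    data: bytes

def reassemble(segments, policy):
    """Rebuild the byte stream the way a host or a NIDS would.
    "first": bytes already buffered are kept (old data is not rewritten).
    "last":  a later overlapping segment overwrites the old data."""
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in buf:
                continue
            buf[off] = byte
    if not buf:
        return b""
    # Offsets never sent are filled with 0x00 to keep the toy simple.
    return bytes(buf.get(o, 0) for o in range(min(buf), max(buf) + 1))

def normalize(segments):
    """Normalizer: remember the bytes already forwarded at each offset and
    rewrite later overlapping bytes to match them. First-seen-wins is an
    assumption of this toy; what matters is that the choice is made once,
    in the normalizer, so host and NIDS can no longer disagree."""
    forwarded, out = {}, []
    for seg in segments:
        data = bytearray(seg.data)
        for i in range(len(data)):
            off = seg.seq + i
            if off in forwarded:
                data[i] = forwarded[off]   # conflicting retransmission rewritten
            else:
                forwarded[off] = data[i]
        out.append(Segment(seg.seq, bytes(data)))
    return out

# Constructed stream: the retransmission of offsets 13..15 carries different bytes.
SAMPLE = [
    Segment(0, b"GET /cgi-bin/"),
    Segment(13, b"xxx"),
    Segment(13, b"phf"),
    Segment(16, b" HTTP/1.0\r\n"),
]
```

Running reassemble(SAMPLE, "first") and reassemble(SAMPLE, "last") gives two different request lines; after normalize(SAMPLE) both policies return the same bytes.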
Example Attack
• IP Identifier and stealth port scans
Normalization for this
• Solution for patsy
– Scramble IP IDs of incoming and outgoing packets
– Breaks diagnostic protocols
• Solution for victim
– Reliable RSTs
– Normalizer sends “keep-alive” packet to host to
determine if connection was actually closed
Implementation
• Code in C - uses libpcap
• user-level application
• attention to completeness, correctness &
performance
• Evaluated using trace-driven approach
– NetDuDE
Performance
• Platform: 1.1GHz AMD Athlon, FreeBSD
4.2, 133 MHz SDRAM
• a normalizer implemented in kernel mode
(as a Click module) could forward traffic at
line speed on a bi-directional 100 Mbps link
Discussion
Questions?
An Achilles’ Heel to
Signature-Based IDS:
Squealing False Positives in Snort (‘01)
Introduction
• Paper documents attacking Snort using false
positives
• Snort : open-source, free, lightweight NIDS
• Squealing
– noise made by pigs during periods of distemper
• Boy cried wolf too many times
– additionally, boy may not recognize the wolf when it
actually appears!
Attacking Snort
• Limitation is not in correctly identifying attacks,
but in the ability to suppress false positives
• PCP
– Tool for generating false positives
– packet writing and argument parsing
Squeal Attack types
• Noise-masked attacks
– diverts attention from a covert attack
• Attack misdirection
– source of attack is spoofed
• Evidence Reputability
• Target Conditioning
• Statistical Poisoning
– when training an IDS
How easy is it?
• Using SOCK_RAW
• LIBNET, Nemesis
• Script-driven tools available (snot, stick,
trichinosis)
Proposed Solutions
• Adaptation
– changing the signature-matching algorithms rapidly
• State awareness
– give the IDS a “context” while checking packets
Conclusions
• IDSs have been around for more than a decade
• Several fundamental problems identified in IDS
• IDSs themselves are vulnerable to attacks
– and fail-open
• Upcoming paper groups
References
• online.securityfocus.com/ids
• www.snort.org
• www.raid-symposium.org