Transcript Slide 1
Department of Communication Systems Engineering
Ben Gurion University of the Negev
Be’er-Sheva, Israel
MultiPath Distribution of Unicast IP Stream
Yonatan Itah & Royi Klein
Supervised by:
Dr. Eyal Felstaine
Dr. Niv Gilboa
Background
IDS (Intrusion Detection Systems) try to block malicious traffic.
An IDS inspects a whole stream and checks whether the content is malicious.
Background Cont.
[Diagram: Attacker, Internet, IDS, IDS, Private Network, Victim]
Project Motivation
Evade Network Intrusion Detection Systems by hiding part of the IP session that would normally pass through them when the session follows a single route.
Multi-path a Unicast IP Stream
[Diagram: Attacker, three zombies, Internet, two IDS, Private Network, Victim; the string "DESTROY" is shown split into individual letters across the paths]
[Diagram: network topology with Attackers A to C, Access A to C, routers R4 to R11, IDS 1 to 3, Victims A and B]
Project Goal
Send a unicast IP stream through several routes in order to hide the whole stream from any one of the Network Intrusion Detection Systems in the IP network.
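Seen from a single sensor, a stream distributed this way is a TCP flow whose observed payload leaves holes in the sequence space while the receiver's acknowledgements advance past them. A coverage check over constructed segment records, added here as an illustration and not taken from the slides; the record layout, the function names, and the assumption that the sensor sees the receiver's ACKs are all hypothetical:

```python
# Added example: sensor-side coverage check (not code from the slides).
# Segment tuples and all names below are assumptions for illustration.
from typing import List, Tuple

Segment = Tuple[int, int]  # (relative sequence number, payload length)


def merge_ranges(segments: List[Segment]) -> List[Tuple[int, int]]:
    """Merge observed payload into sorted, non-overlapping [start, end) ranges."""
    ranges = sorted((seq, seq + length) for seq, length in segments if length > 0)
    merged: List[Tuple[int, int]] = []
    for start, end in ranges:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def unseen_but_acked(segments: List[Segment], highest_ack: int) -> List[Tuple[int, int]]:
    """Return byte ranges below highest_ack that this sensor never observed."""
    holes, cursor = [], 0
    for start, end in merge_ranges(segments):
        if start >= highest_ack:
            break
        if start > cursor:
            holes.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < highest_ack:
        holes.append((cursor, highest_ack))
    return holes


def coverage(segments: List[Segment], highest_ack: int) -> float:
    """Fraction of acknowledged bytes the sensor actually saw."""
    if highest_ack <= 0:
        return 1.0
    missing = sum(e - s for s, e in unseen_but_acked(segments, highest_ack))
    return 1.0 - missing / highest_ack


# Constructed sample: a 7-byte payload where this sensor saw only bytes 0-1 and 4
# (byte 4 retransmitted once), while the receiver acknowledged all 7 bytes.
SAMPLE_SEGMENTS = [(0, 2), (4, 1), (4, 1)]
SAMPLE_HIGHEST_ACK = 7

if __name__ == "__main__":
    print(unseen_but_acked(SAMPLE_SEGMENTS, SAMPLE_HIGHEST_ACK))
    print(round(coverage(SAMPLE_SEGMENTS, SAMPLE_HIGHEST_ACK), 3))
```

A flow with low coverage and acknowledged holes has not been fully inspected by that sensor, so its verdict on the content should not be treated as clean; correlating the same flow across sensors closes the gap. Sequence-number wraparound is not handled here.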
Possible Implementation Approaches
• Change the TCP/IP stack
• Source Routing
• IP Header manipulations:
[Diagram: Base, Zombie, Victim]
• Not transparent to zombies
• Requires processing at the zombie
• Zombie cannot change header to correct IPSec header
Our Implementation Approach
• Tunnel the packets to the zombies and decapsulate them:
[Diagram: Base, Zombie, Victim]
Attack Scenario
[Diagram: the Attacker's FTP client issues "FTP put malicious file" to ftp.zahav.net.il; the Attacker distributes the packets to Zombies, which relay them to the Victim]
Demonstration
Demonstration Cont.
Attacker Base Control
Implementation
NDIS:
[Diagram: Our Application, User Mode, Ndisapi.dll, Kernel Mode, TCP/IP Stack, NDIS, NDIS Hook Driver, Network Adapters]
Gives access to each packet, allowing us to change it and pass it to the network.
Implementation – Attacker
[Diagram: Dest: Zombie; Network]
Implementation – Zombie
[Diagram: Dest: Zombie; Network]
Techniques Evading Network IDS
• String matching manipulation
• Session splicing
• Fragmentation attacks
• TTL-based attacks
• Denial of service
Highlights
New Innovative Technology: Does not use any former IP Options header to control the route of the packets.
High Performance: A network-processor-like software architecture (parsing, classifying, and modifying each packet) results in high throughput.
Application Independence: The framework doesn't depend on any application and can be attached to any network interface.
Transparency: The distributed packets are transparent both to the destination host and to the routers.
Layer 4 Awareness: Can work with any Transport Layer above the IP layer.
Questions?