Detecting evasion attacks at high speeds without reassembly

Published: 11 August 2006

Abstract

Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that causes the attacker's flow to be diverted to a slow path. We prove that under certain assumptions this scheme can detect all byte-string evasions. We also show using real traces that the processing and storage requirements of this scheme can be 10% of that required by a conventional IPS, allowing reasonable-cost implementations at 20 Gbps. While the changes required by Split-Detect may be a barrier to adoption, this paper exposes the assumptions that must be changed to avoid normalization and reassembly in the fast path.
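The following toy model illustrates the Split-Detect idea described in the abstract: the signature is cut into k equal pieces, each packet is scanned on its own for any whole piece without reassembly, and a flow is handed to a slow path as soon as a packet is too small or arrives out of sequence. It is an added example written for this page, not code from the paper or its authors; the Packet layout, the 2m-1 small-packet threshold, the pure-ACK exemption and the simple slow-path reassembly are assumptions of this illustration. The three flows at the bottom are constructed sample data.

```python
"""
Toy model of the Split-Detect fast path sketched in the abstract: the signature is
split into k equal pieces, every packet is scanned on its own for any whole piece
(no reassembly), and a flow is diverted to a slow path as soon as a packet is
"small" or arrives out of sequence. Added illustration, not the paper's code; the
Packet layout, the 2*m-1 small-packet threshold and the toy slow-path reassembly
are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    seq: int        # sequence number of the first payload byte (constructed)
    payload: bytes


@dataclass
class FlowState:
    next_seq: int = 0                  # next in-order sequence number expected
    last: tuple = (0, b"")             # (seq, payload) of the last fast-path packet
    diverted: bool = False             # once set, the slow path owns this flow
    slow_buf: dict = field(default_factory=dict)   # seq -> payload (slow path only)


def split_signature(sig: bytes, k: int) -> list[bytes]:
    """Cut sig into k equal-length pieces; sig length must be a multiple of k."""
    if k < 2 or len(sig) % k:
        raise ValueError("signature length must be a multiple of k >= 2")
    m = len(sig) // k
    return [sig[i * m:(i + 1) * m] for i in range(k)]


def small_threshold(pieces: list[bytes]) -> int:
    """With piece length m, any 2m-1 consecutive signature bytes contain a whole
    piece, so a packet with fewer payload bytes is the only way to carry the
    middle of the signature without exposing a piece: treat it as 'small'."""
    return 2 * len(pieces[0]) - 1


def slow_path(pkt: Packet, pieces: list[bytes], st: FlowState) -> str:
    """Slow path: buffer segments, stitch the contiguous prefix, search whole sig."""
    st.slow_buf[pkt.seq] = pkt.payload
    signature = b"".join(pieces)
    stream, nxt = b"", min(st.slow_buf)
    while nxt in st.slow_buf:           # stop at the first gap in sequence space
        stream += st.slow_buf[nxt]
        nxt += len(st.slow_buf[nxt])
    return "match" if signature in stream else "divert"


def fast_path(pkt: Packet, pieces: list[bytes], st: FlowState) -> str:
    """Per-packet check with no reassembly: 'match', 'divert' or 'pass'."""
    if not pkt.payload:                 # pure ACKs carry nothing to inspect
        return "pass"
    if st.diverted:
        return slow_path(pkt, pieces, st)
    if pkt.seq != st.next_seq or len(pkt.payload) < small_threshold(pieces):
        st.diverted = True              # abnormal behaviour: hand flow to slow path
        seq, data = st.last
        if data:                        # keep the previous segment so the slow
            st.slow_buf[seq] = data     # path can see a signature that began there
        return slow_path(pkt, pieces, st)
    st.next_seq = pkt.seq + len(pkt.payload)
    st.last = (pkt.seq, pkt.payload)
    if any(p in pkt.payload for p in pieces):
        return "match"                  # a whole piece is visible in this packet
    return "pass"


def run_flow(packets: list[Packet], pieces: list[bytes]) -> list[str]:
    """Feed one flow's packets through the detector; return a verdict per packet."""
    st = FlowState()
    return [fast_path(p, pieces, st) for p in packets]


# Constructed signature and flows for demonstration; not real attack data.
SIG = b"EVIL-SIGNATURE-1"              # 16 bytes -> 4 pieces of 4 bytes
PIECES = split_signature(SIG, 4)

WHOLE = [Packet(0, b"GET /?x=EVIL-SIGNATURE-1 HTTP/1.0\r\n")]
CHOPPED = [Packet(0, b"GET /?x=EVI"), Packet(11, b"L-S"), Packet(14, b"IGN"),
           Packet(17, b"ATU"), Packet(20, b"RE-1 HTTP/1.0\r\n")]
REORDERED = [Packet(0, b"GET /?x="), Packet(16, b"NATURE-1 HTTP/1.0\r\n"),
             Packet(8, b"EVIL-SIG")]

if __name__ == "__main__":
    for name, flow in [("whole", WHOLE), ("chopped", CHOPPED), ("reordered", REORDERED)]:
        print(name, run_flow(flow, PIECES))
```

The "chopped" flow shows the pigeonhole argument at work: once the first segment has passed without exposing a piece, every segment that lies inside the signature must be shorter than 2m-1 bytes to avoid containing a piece, so the fast path diverts the flow on the first such segment and only the slow path does any reassembly. A real deployment needs a tolerance for legitimately small in-order segments rather than diverting on the first one; the abstract's 10% resource figure depends on how rarely the slow path is taken.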

References

[1] Alfred V. Aho and Margaret J. Corasick. "Efficient string matching: An aid to bibliographic search." Communications of the ACM 18(6):333--340, June 1975.
[2] N. Alon, Y. Matias, and M. Szegedy. "The space complexity of approximating the frequency moments." Proceedings of the 28th ACM Symposium on Theory of Computing, pages 20--29, May 1996.
[3] G. Appenzeller, I. Keslassy, and N. McKeown. "Sizing Router Buffers." Proceedings of ACM SIGCOMM 2004.
[4] D. Clark. "The Structuring of Systems Using Upcalls." Proceedings of the 10th ACM Symposium on Operating Systems Principles, pp. 171--180, December 1-4, 1985.
[5] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood. "Deep packet inspection using parallel Bloom filters." Hot Interconnects, August 2003.
[6] S. Dharmapurikar and V. Paxson. "Robust TCP stream reassembly in the presence of adversaries." Proceedings of the 14th USENIX Security Symposium, Baltimore, 2005.
[7] "The Future of the Internet." Red Herring, April 10, 2006.
[8] M. Handley, C. Kreibich, and V. Paxson. "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics." Proceedings of the USENIX Security Symposium, May 2001.
[9] K. Levchenko, R. Paturi, and G. Varghese. "On the Difficulty of Scalably Detecting Network Attacks." Proceedings of the Eleventh ACM Conference on Computer and Communications Security, October 2004.
[10] Nikto, http://www.cirt.net/code/nikto.shtml
[11] NSS Group. Intrusion Prevention Systems (IPS) Group Test (Edition 3), NSS Group, August 2005, http://www.nss.co.uk
[12] V. Paxson. "Bro: A System for Detecting Network Intruders in Real-Time." Computer Networks 31(23-24), pp. 2435--2463, 14 December 1999.
[13] V. Paxson and M. Handley. "Defending Against NIDS Evasion using Traffic Normalizers." Second International Workshop on Recent Advances in Intrusion Detection, September 1999.
[14] T. Ptacek and T. Newsham. "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection." Secure Networks, Inc., January 1998.
[15] M. Roesch. "Snort: Lightweight Intrusion Detection for Networks." LISA '99.
[16] C. Shannon, D. Moore, and k. claffy. "Characteristics of Fragmented IP Traffic on Internet Links." Workshop on Passive and Active Measurement, 2001.
[17] Dug Song. Fragroute, 2002, http://www.monkey.org/dugsong/fragroute/


Published In

ACM SIGCOMM Computer Communication Review, Volume 36, Issue 4: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications. October 2006, 445 pages. ISSN: 0146-4833. DOI: 10.1145/1151659.

Also in: SIGCOMM '06: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications (ACM Conferences). September 2006, 458 pages. ISBN: 1595933085. DOI: 10.1145/1159913.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 11 August 2006, in SIGCOMM-CCR Volume 36, Issue 4


Author Tags

TCP reassembly; evasion attacks; intrusion prevention systems; normalization

Cited By

  • (2019) NetWarden. Proceedings of the 11th USENIX Conference on Hot Topics in Cloud Computing, 10.5555/3357034.3357037, (2-2). Online publication date: 8-Jul-2019.
  • (2017) A Case Study of IPv6 Network Performance: Packet Delay, Loss, and Reordering. Mathematical Problems in Engineering, 10.1155/2017/3056475, 2017:1. Online publication date: 17-Oct-2017.
  • (2017) Evaluating intrusion prevention systems with evasions. International Journal of Communication Systems, 10.1002/dac.3339, 30:16. Online publication date: 22-Jun-2017.
  • (2015) Incorporating known malware signatures to classify new malware variants in network traffic. Networks, 10.1002/nem.1913, 25:6 (471-489). Online publication date: 1-Nov-2015.
  • (2014) CompactDFA: Scalable pattern matching using longest prefix match solutions. IEEE/ACM Transactions on Networking, 10.1109/TNET.2013.2253119, 22:2 (415-428). Online publication date: 1-Apr-2014.
  • (2013) A Review of Current Research in Network Forensic Analysis. International Journal of Digital Crime and Forensics, 10.4018/jdcf.2013010101, 5:1 (1-26). Online publication date: 1-Jan-2013.
  • (2012) Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems. IEEE Communications Surveys & Tutorials, 10.1109/SURV.2011.092311.00082, 14:4 (1011-1020). Online publication date: Dec-2013.
  • (2011) AC-Suffix-Tree. Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems, 10.1109/ANCS.2011.14, (36-44). Online publication date: 3-Oct-2011.
  • (2011) Packet-level open-digest fingerprinting for spam detection on middleboxes. International Journal of Network Management, 10.1002/nem.780, 22:1 (12-26). Online publication date: 20-Apr-2011.
  • (2010) Carousel. Proceedings of the 7th USENIX conference on Networked systems design and implementation, 10.5555/1855711.1855735, (24-24). Online publication date: 28-Apr-2010.
