Priyank Porwal
COMP 290 Network Intrusion Detection Systems

Agenda
• Network ID Systems
  – Architecture, Problems
• Evading/Attacking NIDS
  – Insertion, Evasion, DoS Attacks
• Proposed Solutions
  – Traffic Normalization
  – Active Mapping
• Miscellaneous
  – Evasion with Unicode
  – Evasion using Polymorphic Shell Code
4/25/2005 Evading/Attacking NIDS 2

NIDS Architecture
• Sets of Common Intrusion Detection Framework (CIDF) components
• E-boxes (Event generators)
  – E.g. Sniffers, Monitors
• A-boxes (Analysis engines)
  – E.g. Signature matchers
• D-boxes (Storage systems)
  – E.g. Loggers
• C-boxes (Countermeasures)
  – E.g. Alarms, Firewalls

NIDS Design Considerations
• Logical Target of Attacks
  – Each component a potential point of vulnerability and hence attacks
• Possible Attacks on their
  – “Availability” (total shutdown)
  – “Accuracy” (false positives)
  – “Completeness” (false negatives)
• Need to be Reliable, Robust
  – Avoid false sense of security

Problems with NIDS
• Insufficient Information on the Wire
  – Not enough to correctly reconstruct the state of complex protocol transactions like at end-systems
• Diversity in Protocol Implementations
  – Packet processing differs across end-systems
  – Leads to ambiguous interpretations
• Unknown Internal Network Conditions
  – Topology, Router configs, Traffic congestion, etc.

Problems for NIDS [contd…]
• Passive Network Monitors
  – Inherently “fail-open”
  – Cease to provide protection when subverted
• Vulnerability to Denial of Service
  – Process all flows to all protected end-systems
  – Being complex systems, require lots of resources
  – Resource starvation problem is not easily solvable
Attacks against NIDS
• Insertion
  – Stuffing the analyzer with “invalid” packets
• Evasion
  – Slipping “valid” packets past the analyzer
• DoS
  – Causing resource starvation

Insertion
• NIDS accepts packets that an end-system rejects or doesn’t even receive
  – Data gets “inserted” into the NIDS’s packet stream
  [Diagram: attacker (A) sends 2 pkts, 1 with smaller TTL; NIDS monitors and processes 2 pkts; router (R) drops 1 pkt because TTL=0; end-system (V) receives just 1 pkt]
• Occurs when NIDS is less strict in processing packets than internal network

Insertion Example
• Attacker’s Data Stream (in arrival order)
  Seq#  2 3 3 5 4 1 6
  Data  T T X C A A K
• NIDS’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T T X A C K
  – Accepts 3rd packet, which overwrites 2nd packet data
  – Interprets “ATXACK”
• End-System’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T T X A C K
  – Rejects 3rd packet for some reason, or does not receive it
  – Interprets “ATTACK”

Evasion
• An end-system can accept a packet that an NIDS rejects
  – Data gets “slipped” past the NIDS
  [Diagram: attacker (A) sends 2 pkts, 1 with Source Route option; NIDS monitors 2 pkts, rejects 1 pkt with SR option; router (R) ignores SR option, routes both packets; end-system (V) receives 2 pkts]
• Occurs when NIDS is more strict in processing packets than internal network

Evasion Example
• Attacker’s Data Stream (in arrival order)
  Seq#  2 3 3 5 4 1 6
  Data  T X T C A A K
• NIDS’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T X T A C K
  – Rejects 3rd packet for some reason
  – Interprets “ATXACK”
• End-System’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T X T A C K
  – Accepts 3rd packet, which overwrites 2nd packet
  – Interprets “ATTACK”

Real Insertion/Evasion Attacks
• Mostly leverage basic network and protocol ambiguities at the NIDS
  – Ambiguous interpretation of header fields
  – Ambiguous handling of header options
  – Ambiguous fragment/segment reassembly
• Ambiguities can cause NIDS to accept/reject packets differently than the end-system
  – NIDS and the end-system get different views of the same data stream
Ambiguities at NIDS
Related Field    Ambiguity (Decision problem for NIDS)
TTL              Will the packet reach the end-system before TTL becomes 0?
Length, DF       Will all downstream links be able to transmit this big packet without fragmenting (DF bit set)?
IP Option(s)     Will the end-system/routers accept a packet with this IP option(s)? E.g. (Strict) Source Route option
TCP Option(s)    Will the end-system accept a packet with this TCP option(s)?
Data             Will the end-system accept data in a SYN packet?
ToS              Does the packet conform to all internal routers (DiffServ)?
IP Frag Offset   How will the end-system reassemble overlapping fragments?
TCP Seq No.      How will the end-system reassemble overlapping segments?

Reasons for Ambiguities
• Differences in Protocol Implementations
  – Non-conformance to Protocol Standards
  – Every OS has a different protocol stack
• Configurations
  – End-system and router configurations
• Options
  – Application/Socket level options

IP Fragment Reassembly
• Time-Out
  – Different fragment time-out periods between NIDS and end-system
  – Attacker can wait after sending some fragments
    • To let them time-out either at NIDS or at end-system
  – When should NIDS time-out stored fragments?
    • Storing fragments dropped by end-host (Insertion)
    • Storing fragments for too long (DoS attacks)
    • Dropping fragments stored by end-host (Evasion)

IP Fragment Reassembly [contd…]
• Overlapping Fragments
  – How will the end-system handle the overlap?
  – Whether to prefer old or new data?
  – Different OSs handle overlap differently
Operating System   IP Fragment Overlap Behavior
Windows NT 4.0     Always favors old data
4.4 BSD            Favors new data for forward overlap
Linux              Favors new data for forward overlap
Solaris 2.6        Always favors old data
HP-UX 9.01         Favors new data for forward overlap
Irix 5.3           Favors new data for forward overlap

Transport Layer Ambiguities
• TCP 3-way Handshake (TCB creation)
  – Require full handshake?
    • Misses already active connections
  – Sync sequence nos. in between?
    • Attacker can easily desync NIDS
    • Best to sync on outbound SYN-ACK packets
• TCP Teardown
  – When to time-out inactive connections?
    • No implicit TCP connection time-out
  – FIN and RST to terminate the connection
    • FIN is acknowledged, RST not acknowledged

Transport Layer Ambiguities [contd…]
• TCP Header Fields
  – Allow invalid flag combinations?
  – Accept data in SYN packets?
• TCP Options
  – Accept/reject options in non-SYN packets?
    • Only if sent and accepted in an earlier SYN
    • MSS (Maximum Segment Size) option in SYN only
  – PAWS (Protection Against Wrapped Sequence Nos.)
    • End-systems implementing PAWS expect TS (TimeStamp) option in all segments
TCP Stream Reassembly
• Requires Sequence No. Tracking
• Requires Congestion-Window Tracking
  – Normally data past the window is discarded
  – Time lag between NIDS and end-system w.r.t. window change events can be a problem
• Missing Data
  – Due to out-of-order arrival or packet drop?
  – NIDS cannot request retransmission

TCP Segment Reassembly [contd…]
• Overlapping Segments
  – How will the end-system handle the overlap?
  – Whether to prefer old or new data?
  – Different OSs handle overlap differently
Operating System   TCP Segment Overlap Behavior
Windows NT 4.0     Always favors old data
FreeBSD 2.2        Favors new data for forward overlap
Linux              Favors new data for forward overlap
Solaris 2.6        Favors new data for forward overlap
HP-UX 9.01         Favors new data for forward overlap
AIX 3.25           Favors new data for forward overlap
Irix 5.3           Favors new data for forward overlap

Denial of Service Attacks
• Basic problem
  – NIDS needs to simulate the operation of all protected end-systems and internal network
• Scarce Resources
  – CPU cycles, memory, disk space, bandwidth
• Reactive Systems
  – Trigger alarms (false positives)
  – Prevent valid access by spoofed addresses

Denial of Service Attacks [contd…]
• Memory
  – Target state management operations
    • TCP 3-way Handshake (TCP Control Block - TCB)
    • Fragment/Segment reassembly
• Network Bandwidth
  – Target NIDS’s inability to capture and process packets at line speed
• CPU Cycles
  – Target computationally expensive operations
    • Fragment/Segment reassembly
    • Encryption/Decryption

Tests
• Targeted several IP/TCP problems

Test Examples
• Mimicked PHF web-server attack
  – GET /cgi-bin/phf?
  – Possible execution of arbitrary code
  – Supposed to be detected by all NIDSs tested
    • RealSecure
    • NetRanger
    • SessionWall-3
    • Network Flight Recorder (NFR)
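The ATTACK/ATXACK examples and the overlap tables above, worked through as an added Python example (not part of the slides): a per-byte reassembler parameterised by overlap policy and by the receiver's distance in hops, plus a constructed `target_unaware_alert` showing what a NIDS must do when it does not know the end-system's policy (the motivation for active mapping). The `favor_old`/`favor_new` names, the `ttl` field and treating every overlap alike (real stacks distinguish forward, backward and partial overlaps) are simplifications assumed here.

```python
"""Added example: one segment sequence, several receiver views (see lead-in)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int          # sequence number of the first byte (1-based, as on the slide)
    data: bytes
    ttl: int = 64     # constructed field: hops the segment can still travel

def reassemble(segments, policy, hops=0):
    """Reassemble in arrival order for a receiver `hops` routers downstream.
    favor_old: data already stored at an offset is kept (Windows NT 4.0, Solaris 2.6
               in the IP fragment table above). favor_new: a later segment overwrites
               what it overlaps (4.4 BSD, Linux, HP-UX 9.01, Irix 5.3, forward overlap).
    A segment whose TTL runs out before `hops` routers never arrives, but a NIDS
    sniffing upstream (hops=0) still sees and processes it."""
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(f"unknown policy {policy!r}")
    stream = {}
    for seg in segments:
        if seg.ttl <= hops:
            continue                  # expired in transit (insertion case)
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in stream and policy == "favor_old":
                continue              # keep the first-arrived data
            stream[off] = byte
    out, off = bytearray(), 1
    while off in stream:              # deliver only the contiguous prefix
        out.append(stream[off])
        off += 1
    return bytes(out)

# Constructed inputs mirroring the slides' examples (arrival order seq# 2 3 3 5 4 1 6).
EVASION = [Segment(2, b"T"), Segment(3, b"X"), Segment(3, b"T"), Segment(5, b"C"),
           Segment(4, b"A"), Segment(1, b"A"), Segment(6, b"K")]
INSERTION = [Segment(2, b"T"), Segment(3, b"T"), Segment(3, b"X", ttl=1),
             Segment(5, b"C"), Segment(4, b"A"), Segment(1, b"A"), Segment(6, b"K")]

def possible_views(segments, hop_counts=(0, 2)):
    """Every stream some receiver might see, over both policies and both distances."""
    return {reassemble(segments, p, h) for p in ("favor_old", "favor_new") for h in hop_counts}

def target_unaware_alert(segments, signature=b"ATTACK"):
    """A NIDS that does not know the end-system's policy or distance must alert when
    any plausible reassembly carries the signature (completeness over accuracy)."""
    return any(signature in view for view in possible_views(segments))
```

For EVASION the two policies yield ATXACK and ATTACK; for INSERTION the hops=0 observer under favor_new sees ATXACK while a host two routers away never receives the short-TTL segment and sees ATTACK.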