Design: Evasion techniques
• Observation:
  • ‘Match and forget’ behavior
  • Incomplete views of the connection
• Inert packet insertion*: traffic processed only by a classifier but not by the endpoint
[Figure: using a small TTL value; an inert packet that only the classifier sees makes App B classified as App A]
* Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13
Design: Evasion techniques
• Observation:
  • Each packet is searched independently for matching contents
• Splitting/Reordering: splitting the matching contents across multiple packets
[Figure: fragmenting the IP packet. After the SYN, SYN/ACK, ACK handshake on TCP port 80, the request "GET /A\r\n" is sent as four IP fragments (IPID 1, offsets 0, 2, 4, 6 carrying "GE", "T ", "/A", "\r\n"); App A is unclassified] 14
Design: Evasion techniques
• Observation:
  • Classifiers do not retain classification results indefinitely
• Flushing: causing the classifier to remove the classification state for the flow
[Figure: inserting large delays. After the SYN, SYN/ACK, ACK handshake on TCP port 80 and a long pause, "GET /B" is sent at SEQ 1; App B is unclassified] 15
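The three observations on slides 13 to 15 point to one defensive fix: a classifier should discard packets that cannot reach the endpoint, match on the reassembled stream rather than on each packet alone, and not drop flow state because of a packet the endpoint never sees. The Python below is an added example, not liberate's code; it contrasts a naive "match and forget" classifier with one that does those three things over constructed packet streams, and the hop counts and signatures are assumptions.

```python
from dataclasses import dataclass
# Constructed setup (assumed distances): classifier CLASSIFIER_HOPS from the client, server SERVER_HOPS away.
CLASSIFIER_HOPS, SERVER_HOPS = 3, 8
RULES = {b"GET /A": "App A", b"GET /B": "App B"}   # constructed signatures

@dataclass
class Pkt:
    ttl: int
    off: int = 0          # byte offset of the payload within the flow
    data: bytes = b""
    rst: bool = False

def match(stream):
    return next((app for sig, app in RULES.items() if sig in stream), None)

def naive_classify(pkts):
    """'Match and forget': trusts every packet, searches each alone, stops at the first hit."""
    label = None
    for p in pkts:
        if p.rst:
            label = None                 # flushed by any RST, even one the server never sees
        elif label is None:
            label = match(p.data)
    return label

def reassemble(buf):
    """Join buffered chunks in offset order; stop at the first hole."""
    out = b""
    for off in sorted(buf):
        if off > len(out):
            break
        out += buf[off][len(out) - off:]  # drop any overlap with bytes already kept
    return out

def robust_classify(pkts, hops_to_server=SERVER_HOPS):
    """Ignore packets that die before the endpoint, reassemble, then keep matching."""
    buf, label = {}, None
    for p in pkts:
        if p.ttl < hops_to_server:       # inert packet: only the classifier would see it
            continue
        if p.rst:
            return None                  # genuine teardown: drop the flow state
        buf[p.off] = p.data
        label = match(reassemble(buf)) or label
    return label

# Constructed streams modelled on slides 13-15 (insertion, splitting/reordering, flushing).
INSERTION = [Pkt(ttl=CLASSIFIER_HOPS, data=b"GET /A\r\n"), Pkt(ttl=64, data=b"GET /B\r\n")]
SPLIT = [Pkt(ttl=64, off=2, data=b"T "), Pkt(ttl=64, off=0, data=b"GE"),
         Pkt(ttl=64, off=4, data=b"/A"), Pkt(ttl=64, off=6, data=b"\r\n")]
FLUSH = [Pkt(ttl=64, data=b"GET /A\r\n"), Pkt(ttl=CLASSIFIER_HOPS, rst=True)]
```

For each stream the naive classifier gives the wrong answer the slides describe (App A instead of App B, no label, no label) while the reassembling, TTL-aware one labels the flow the endpoint actually sees.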
Outline
• Design and implementation
  • Traffic-classification rules detection
  • Evasion techniques
  • Implementation
• Evaluation
  • Effectiveness across multiple networks 16
Implementation
• Phase 1: liberate does the analysis using a replay server
• Phase 2: liberate applies evasion techniques to traffic in-flight
[Figure: liberate sits between the App and the Proxy; in Phase 1 traffic goes to the Replay Server, in Phase 2 to the real Server] 17
Outline
• Design and implementation
  • Traffic-classification rules detection
  • Evasion techniques
  • Implementation
• Evaluation
  • Effectiveness across multiple networks 18
Evaluation: Testbed and in the wild
• Testbed evaluation
• Evaluation “in the wild”
[Figure: in both setups liberate sits on the path between Client and Server] 19
Evaluation: Results 20
Evaluation: Example result table
Technique                       Example technique
Inert packet insertion (IP)     Lower TTL to only reach classifier
Inert packet insertion (TCP)    Wrong sequence number
Inert packet insertion (UDP)    Wrong checksum
Payload splitting               (not given on the slide)
Payload reordering              Reverse the transmission of first two fragments
Classification flushing         (not given on the slide)
[The "Test case 1" result marks were not recoverable from the slide] 21
Evaluation: Testbed results
Technique                       Example technique
Inert packet insertion (IP)     Lower TTL to only reach classifier
Inert packet insertion (TCP)    Wrong sequence number
Inert packet insertion (UDP)    Wrong checksum
Payload splitting               Break packet into two IP fragments
Payload reordering              Reverse the transmission of first two fragments
Classification flushing         TTL-limited RST packet before classification
[The "Testbed" result marks were not recoverable from the slide]
• Efficiency:
  • One-time overhead (phase 1): 13 minutes
  • Run-time overhead (phase 2): tens of bytes per flow
• Effectiveness:
  • All types of techniques were effective in the testbed 22
Evaluation: T-Mobile ‘Binge On’
Technique                       Example technique
Inert packet insertion (IP)     Lower TTL to only reach classifier
Inert packet insertion (TCP)    (not given on the slide)
Inert packet insertion (UDP)    (not given on the slide)
Payload splitting               Break packet into five TCP segments
Payload reordering              Reverse the transmission of first two segments
Classification flushing         TTL-limited RST packet before classification
[The "Testbed" and "T-Mobile" result marks were not recoverable from the slide]
• Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated
• Efficiency:
  • One-time overhead (phase 1): 30 minutes
  • Run-time overhead (phase 2): tens of bytes per flow
• Effectiveness:
  • UDP traffic (e.g., YouTube video in QUIC) was not classified
  • Breaking a packet into 5 TCP segments evaded classification
  • Reversing the order of the initial packets was effective 23