liberate n
play

liberate, (n): A library for exposing (tra ffi c-classification) - PowerPoint PPT Presentation

Dec 30, 2022 •369 likes •1.54k views

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi ciently Fangfan Li , Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Cho ff nes, Phillipa Gill, Alan Mislove 1 Traffic management 2

  1. Design Evasion techniques • Observation: • ‘Match and forget’ behavior • Incomplete views of the connection • Inert packet insertion * : Tra ffi c processed only by a classifier but not endpoint Using a small TTL value * Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

  2. Design Evasion techniques • Observation: • ‘Match and forget’ behavior • Incomplete views of the connection • Inert packet insertion * : Tra ffi c processed only by a classifier but not endpoint App B is classified as App A Using a small TTL value * Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

  3. Design Evasion techniques SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  4. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  5. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  6. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  7. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 App A is unclassified SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  8. Design Evasion techniques SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  9. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  10. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  11. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  12. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 App B is unclassified ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  13. Outline • Design and implementation • Tra ffi c-classification rules detection • Evasion techniques • Implementation • Evaluation • E ff ectiveness across multiple networks 16

  14. Implementation Server liberate App Proxy Replay Server 17

  15. Implementation • Phase 1: liberate does the analysis using a replay server Server liberate App Proxy Phase 1 Replay Server 17

  16. Implementation Phase 1 • Phase 1: liberate does the analysis using a replay server Server liberate App Proxy Phase 1 Replay Server 17

  17. Implementation • Phase 1: liberate does the analysis using a replay server • Phase 2: liberate applies evasion technique to tra ffi c in-flight Phase 2 Phase 2 Server Server Phase 2 liberate liberate App App Phase 2 Proxy Proxy Phase 1 Phase 1 Replay Server Replay Server 17

  18. Implementation Phase 1 Phase 2 • Phase 1: liberate does the analysis using a replay server • Phase 2: liberate applies evasion technique to tra ffi c in-flight Phase 2 Server liberate App Phase 2 Proxy Phase 2 Phase 1 Server liberate App Phase 2 Proxy Phase 1 Replay Server Replay Server 17

  19. Outline • Design and implementation • Tra ffi c-classification rules detection • Evasion techniques • Implementation • Evaluation • E ff ectiveness across multiple networks 18

  20. Evaluation Testbed and in the wild liberate Client Server 19

  21. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server 19

  22. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  23. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  24. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  25. Evaluation Results 20

  26. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  27. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  28. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  29. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  30. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification 22

  31. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes 22

  32. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes 22

  33. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes • Run-time overhead (phase 2) : tens of bytes per flow 22

  34. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • All types of techniques were e ff ective in testbed 22

  35. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification 23

  36. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow 23

  37. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified 23

  38. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification 23

  39. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification • Reversing the order of initial packets was e ff ective 23

  40. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification • Reversing the order of initial packets was e ff ective 23

Recommend

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our Vision Liberate industrial data to redefine the real world from daily routines to business models. 2 2 The Largest Companies by Market Cap The oil

735 views • 21 slides
Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna

Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna

Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna Mathemaesthetics, Inc. Boulder, Colorado TUG 2014 The T EX Ecosystem Seems Fractured and Forked Theres T EX . . . or -T EX . . . or

410 views • 22 slides
Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas

Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas

Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas ~ Lucas Sandtroen Injustice anywhere is a threat to justice everywhere. - Martin Luther King Jr. Police Injustice Police injustice

202 views • 16 slides
Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles

Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles

Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles Teacher of Humanities, St. Pauls School, Concord, NH, 03301 Relevance Liberate: Africa is rich culturally, intellectually, and historically, and

132 views • 9 slides
Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise 2.0? Enterprise 2.0 is the term for the technologies and business practices that liberate the workforce from the constraints of legacy

378 views • 36 slides
7/25/2009 We already learned that plants make their food during photosynthesis. Cellular

7/25/2009 We already learned that plants make their food during photosynthesis. Cellular

7/25/2009 We already learned that plants make their food during photosynthesis. Cellular Respiration Mitochondria liberate energy for the work that cells do, and chloroplasts capture sunlight energy for photosynthesis. . Animal cells get

55 views • 3 slides
Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard

Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard

DCMI/ASIS&T Joint Webinars Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard Wallis Evangelist and Founder Data Liberate richard.wallis@dataliberate.com @rjw Richard Wallis

2.21k views • 195 slides

More recommend