liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently - PowerPoint PPT Presentation

liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently
Fangfan Li, Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Choffnes, Phillipa Gill, Alan Mislove

Traffic management


  1. Design: Evasion techniques
  • Observation:
    • 'Match and forget' behavior
    • Incomplete views of the connection
  • Inert packet insertion*: traffic processed only by a classifier but not by the endpoint
    • Using a small TTL value
    • Result: App B is classified as App A
  * Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics.

  3. Design: Evasion techniques
  • Observation:
    • Each packet is searched independently for matching contents
  • Splitting/Reordering: splitting the matching contents across multiple packets
  [Diagram: fragmenting the IP packet. Client and server on TCP port 80 exchange SYN, SYN/ACK, ACK; the request is then sent as IP fragments IPID 1 OFF 0 "GE", OFF 2 "T", OFF 4 "/A", OFF 6 "\r\n". Result: App A is unclassified.]

  8. Design: Evasion techniques
  • Observation:
    • Classifiers do not retain classification results indefinitely
  • Flushing: causing the classifier to remove the classification state for the flow
  [Diagram: inserting large delays. Client and server on TCP port 80 exchange SYN, SYN/ACK, ACK; after the delay, the request SEQ 1 "GET /B" is sent. Result: App B is unclassified.]
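The three observations behind the evasion slides (each packet searched independently, packets trusted even when the endpoint never receives them, and flow state that can be flushed) can be seen side by side in a small simulation. The Python below is an added example written for this page, not liberate's code: the rule set, the packet model and HOPS_TO_ENDPOINT (the assumed hop count from the classifier to the endpoint) are constructed. It contrasts a naive per-packet classifier with one that normalises traffic first, in the spirit of the Kreibich et al. normalizer cited on the slides, and shows that the normalising classifier reaches the verdict the endpoint itself would.

```python
from dataclasses import dataclass

# Constructed signatures standing in for a classifier's content rules.
RULES = {"App A": b"GET /A", "App B": b"GET /B"}

# Assumption: hops from the classifier to the endpoint. A packet whose TTL at
# the classifier is below this expires in the network before it arrives.
HOPS_TO_ENDPOINT = 8


@dataclass
class Packet:
    payload: bytes = b""
    ttl: int = 64
    offset: int = 0             # IP fragment offset within the datagram (bytes)
    more_fragments: bool = False
    rst: bool = False


def match(data: bytes):
    """Return the first rule whose signature occurs in data, or None."""
    for app, signature in RULES.items():
        if signature in data:
            return app
    return None


class NaiveClassifier:
    """Searches each packet independently, keeps the first verdict it reaches
    ('match and forget') and drops the flow on any RST it sees."""

    def __init__(self):
        self.label = None
        self.closed = False

    def observe(self, pkt: Packet):
        if self.closed:
            return
        if pkt.rst:
            self.closed = True      # flow state flushed; later packets are ignored
            return
        if self.label is None:
            self.label = match(pkt.payload)


class NormalisingClassifier:
    """Ignores packets the endpoint will never receive, reassembles fragments in
    offset order before matching, and honours only a RST the endpoint would see."""

    def __init__(self):
        self.label = None
        self.closed = False
        self.frags = {}             # fragment offset -> payload
        self.final_seen = False     # fragment with MF=0 has arrived

    def observe(self, pkt: Packet):
        if self.closed or pkt.ttl < HOPS_TO_ENDPOINT:
            return                  # inert packet: the endpoint never sees it
        if pkt.rst:
            self.closed = True
            return
        self.frags[pkt.offset] = pkt.payload
        if not pkt.more_fragments:
            self.final_seen = True
        if not self.final_seen:
            return
        # Match only once the fragments form a contiguous datagram.
        data = b""
        for off in sorted(self.frags):
            if off != len(data):
                return              # hole remains; wait for the missing fragment
            data += self.frags[off]
        self.frags, self.final_seen = {}, False
        if self.label is None:
            self.label = match(data)


def run(packets):
    """Feed one flow to both classifiers; return (naive verdict, normalising verdict)."""
    naive, normalising = NaiveClassifier(), NormalisingClassifier()
    for pkt in packets:
        naive.observe(pkt)
        normalising.observe(pkt)
    return naive.label, normalising.label


def inert_insertion():
    """Inert packet insertion: a TTL-limited 'GET /A' reaches only the
    classifier, while the endpoint actually receives 'GET /B'."""
    return run([Packet(b"GET /A\r\n", ttl=2), Packet(b"GET /B\r\n")])


def fragment_and_reorder():
    """Splitting/reordering: 'GET /A\\r\\n' as 2-byte fragments, first two swapped."""
    frags = [Packet(b"GE", offset=0, more_fragments=True),
             Packet(b"T ", offset=2, more_fragments=True),
             Packet(b"/A", offset=4, more_fragments=True),
             Packet(b"\r\n", offset=6)]
    frags[0], frags[1] = frags[1], frags[0]
    return run(frags)


def flush_with_rst():
    """Flushing: a TTL-limited RST clears the naive classifier's flow state
    before the real request 'GET /B' is sent."""
    return run([Packet(rst=True, ttl=2), Packet(b"GET /B\r\n")])


if __name__ == "__main__":
    for name, fn in [("inert insertion", inert_insertion),
                     ("fragment and reorder", fragment_and_reorder),
                     ("flush with RST", flush_with_rst)]:
        naive, normalising = fn()
        print(f"{name}: naive={naive!r}, normalising={normalising!r}")
```

Each scenario returns the pair of verdicts. The naive classifier labels the first flow as App A although the endpoint only ever saw App B's request, misses App A entirely when the signature is spread over fragments, and inspects nothing after the low-TTL RST; the normalising classifier returns App B, App A and App B respectively. The two differences that matter are the TTL check, which removes both the inert payload and the inert RST in one step, and reassembly in offset order before matching, which also defeats reordering.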

  13. Outline
  • Design and implementation
    • Traffic-classification rules detection
    • Evasion techniques
    • Implementation
  • Evaluation
    • Effectiveness across multiple networks

  14. Implementation
  • Phase 1: liberate does the analysis using a replay server
  • Phase 2: liberate applies the evasion technique to traffic in-flight
  [Diagram components: App, liberate, Proxy, Replay Server (phase 1), Server (phase 2)]

  19. Outline
  • Design and implementation
    • Traffic-classification rules detection
    • Evasion techniques
    • Implementation
  • Evaluation
    • Effectiveness across multiple networks

  20. Evaluation: Testbed and in the wild
  • Testbed evaluation [Diagram: liberate, Client, Server]
  • Evaluation "in the wild" [Diagram: liberate, Client, Server]

  25. Evaluation: Results

  26. Evaluation: Example result table

  Technique                   | Test case 1 | Example technique
  Inert packet insertion, IP  |             | Lower TTL to only reach classifier
  Inert packet insertion, TCP |             | Wrong sequence number
  Inert packet insertion, UDP |             | Wrong checksum
  Payload splitting           |             |
  Payload reordering          |             | Reverse the transmission of first two fragments
  Classification flushing     |             |

  30. Evaluation: Testbed results

  Technique                   | Testbed | Example technique
  Inert packet insertion, IP  |         | Lower TTL to only reach classifier
  Inert packet insertion, TCP |         | Wrong sequence number
  Inert packet insertion, UDP |         | Wrong checksum
  Payload splitting           |         | Break packet into two IP fragments
  Payload reordering          |         | Reverse the transmission of first two fragments
  Classification flushing     |         | TTL-limited RST packet before classification

  • Efficiency:
    • One-time overhead (phase 1): 13 minutes
    • Run-time overhead (phase 2): tens of bytes per flow
  • Effectiveness:
    • All types of techniques were effective in the testbed

  35. Evaluation: T-Mobile 'Binge On'

  Technique                   | Testbed | T-Mobile | Example technique
  Inert packet insertion, IP  |         |          | Lower TTL to only reach classifier
  Inert packet insertion, TCP |         |          |
  Inert packet insertion, UDP |         |          |
  Payload splitting           |         |          | Break packet into five TCP segments
  Payload reordering          |         |          | Reverse the transmission of first two segments
  Classification flushing     |         |          | TTL-limited RST packet before classification

  • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated
  • Efficiency:
    • One-time overhead (phase 1): 30 minutes
    • Run-time overhead (phase 2): tens of bytes per flow
  • Effectiveness:
    • UDP traffic (e.g., YouTube video in QUIC) was not classified
    • Breaking a packet into 5 TCP segments evaded classification
    • Reversing the order of the initial packets was effective
