Intrusion Detection Issues Presented by Deepa Srinivasan CSE581, Winter 2002, OGI


Page 1

Intrusion Detection Issues

Presented by

Deepa Srinivasan

CSE581, Winter 2002, OGI

Page 2

Papers on this topic

• Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ‘98)

• Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Protocol Semantics (‘01)

• IP Fragmentation and fragrouter (Dec ‘00)

• An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT (‘01)

Page 3

Agenda

• Introduction to IDS

– Some popular IDSs

• Problems with IDSs

• Normalizer

• IP Fragmentation & fragrouter

• “Squealing” in SNORT

Page 4

Introduction to IDS

• Intrusion attempt or a threat: potential possibility of a deliberate unauthorized attempt to access/manipulate information, or render a system unreliable or unusable.

• Types of IDS

– Host-based

– Network IDS

• Example IDSs

– ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

Page 5

Principles of IDSs

Common Intrusion Detection Framework

– Event generators

– Analysis Engines

– Storage Mechanisms

– Countermeasures

Page 6

Principles of IDSs

Common Intrusion Detection Framework

Page 7

Principles of IDSs

• Passive monitoring

• Signature Analysis

• Need for reliable ID

– accuracy: false positives and false negatives

– “fail-open”: if an attacker disables the IDS, the entire network is still accessible

– forensic value of information

Page 8

Fundamental problems of IDSs

• Deployed on a different box

• Could be on a different network segment

• Protocol implementation ambiguities

– different protocol stacks have different behavior

• NIDS could see a different stream of packets than host

Page 9

Fundamental problems of IDSs

• False positives

– incorrectly identify an intrusion when none has occurred

• False negatives

– incorrectly fail to identify an intrusion that has actually occurred

Page 10

Attacks on IDSs

• Insertion

– IDS thinks packets are valid; end system rejects these

• Evasion

– end system accepts packets that IDS rejects

• Denial of Service

– resource exhaustion

• Examples

Page 11

Popular problems/attacks

• TCP/IP Options fields

• TCB Creation/Teardown

• TCP Stream Reassembly

• IP Fragmentation

– overlapping fragments

Page 12

Specific attacks

• Invalid MAC addresses?

• Invalid headers

– Permissive in receiving, frugal in sending?

– Bad IP checksum will be dropped?

– IP options

• IP TTL ambiguity

– Packet received or not?
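The "bad IP checksum will be dropped?" question above is the core of an insertion attack: a NIDS that does not validate the header checksum reassembles a packet the end host discards, so the two see different streams. The following is an added example, not code from the slides or the papers they summarize; the addresses, payload bytes and the checksum_ok check are constructed for illustration, and the validation step is what a normalizer or careful NIDS must perform.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(payload: bytes, ident: int, corrupt: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header plus payload (constructed: 10.0.0.1 -> 10.0.0.2, proto TCP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = ipv4_checksum(hdr)
    if corrupt:
        csum = (csum + 1) & 0xFFFF   # off by one: the receiving stack will discard the packet
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def checksum_ok(packet: bytes) -> bool:
    """The check an end host (and a careful NIDS) performs: a valid header sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0

def reassemble(packets, validate: bool) -> bytes:
    """Concatenate payloads in order; `validate` decides whether bad-checksum packets count."""
    out = b""
    for p in packets:
        if validate and not checksum_ok(p):
            continue              # end-host behaviour: the packet never reaches the application
        out += p[(p[0] & 0x0F) * 4:]
    return out

# Constructed stream: the middle packet carries a deliberately bad header checksum.
STREAM = [build_ipv4(b"hello, ", 1),
          build_ipv4(b"X", 2, corrupt=True),
          build_ipv4(b"world", 3)]

def naive_nids_view() -> bytes:
    return reassemble(STREAM, validate=False)   # -> b"hello, Xworld"

def host_view() -> bytes:
    return reassemble(STREAM, validate=True)    # -> b"hello, world"

if __name__ == "__main__":
    print("NIDS without checksum validation:", naive_nids_view())
    print("End host:                        ", host_view())
```

The same divergence arises for every field on this and the next two pages (TTL, options, timestamps); the fix in each case is for the monitor to apply the same accept/reject decision as the host, or to have a normalizer remove the ambiguity before either sees it.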

Page 13

Specific attacks

• Packet size

– Packet too large for downstream link?

• Source-routed packets

– Will destination reject such packets?

• Fragment or TCP handshake time-out

– Will other parts of fragment/TCB still be at destination?

• Overlapping segments

– Rewrite old data or not?

Page 14

Specific attacks

• Weird TCP options

– Destination might be configured to drop

• Old TCP timestamps (PAWS)

– Destination might be configured to drop

• TCP RSTs with weird sequence numbers

– Is connection reset?

• Addition of interpreted characters (“^H”)

– How does OS interpret?

Page 15

IP Fragmentation

• Allows IP traffic over different network media with different max packet sizes

• IP stacks do not handle reassembly well

– can lead to DOS (teardrop, jolt2)

• Fragrouter

– NIDS testing tool

– accepts IP packets routed from another system

– fragments these packets according to various schemes

Page 16

Popular problems/attacks

• Resource Exhaustion

– CPU, Memory, Network Bandwidth

– CPU: Data-structure attack via fragments

– Memory: Space attack via fragments

– Network: Targeted DoS to disrupt TCP reassembly

• Abusing reactive IDS

– attack to generate false positives

– IDS shuts down valid connections, blocks valid traffic etc.

– Results in IDS triggering a DOS

Page 19

Methodology

• Black-box testing

• PHF attack

– exploits a CGI script (phf) to gain access to web servers

• Software Used

– CASL

– FreeBSD 2.2

– netcat

– tcpdump

Page 20

Results

| Problem | RealSecure | NetRanger (requires special hardware) | SessionWall3 | NFR (network monitoring engine) |
|---|---|---|---|---|
| IP Fragmentation Reassembly | Not handled | Not handled | Not handled | Handles IP frag, fails at TCP stream |
| TCP reassembly | Problems with duplicate packets | N/A | | |
| TCP SYN/RST | Easily desynchronized | N/A | Accepted packets rejected by end system | Desynchronizes on spurious SYN packets |
| Insertion attacks | Vulnerable to all | Vulnerable to TCP checksum; handles IP checksum | Not easy to break | Vulnerable to all |

Page 21

Discussion

Questions?

Page 22

Network Intrusion Detection:

Traffic Normalization & End-End Protocol Semantics

"Transport and Application Protocol Scrubbing"

Page 23

• Recap of previous paper

– IDSs are vulnerable to attacks

– fundamental problems:

• IDS sees different streams than target host

• protocol implementation ambiguities

Page 24

Introduction

• Paper introduces concept of “normalizer”

• Approach & implementation

• Performance

Page 25

Normalizer

Page 26

Normalizer

• Sits directly in path of traffic into a site

• Patch up or normalize the packet stream

• Result: same traffic and unambiguous behavior for NIDS and host

• Differs from a firewall

• Other approaches

– host-based IDS, details of intranet, bifurcating analysis

Page 27

Normalization Tradeoffs

• Protection

– not meant to but can act as a firewall

• Need to preserve End-End Semantics

• Impacts end-end performance

• Stateholding attack

– creates more state than the normalizer can handle

• Inbound vs Outbound traffic

Page 28

Other Considerations

• Cold Start

– is a “real world” requirement

– what happens to existing connections?

– Initiate state for connections from trusted network

• Attacking the normalizer itself

Page 29

Systematic Approach

• Walk through packet headers of each protocol

• Identify what is the “correct” normalization
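The overlapping-segments question on Page 13 (rewrite old data or not?) is one of the ambiguities the normalizer on Pages 26 to 29 resolves. The following added example (not code from the slides or from the normalizer paper) shows two reassembly policies disagreeing on the same raw stream, and a normalizer that rewrites the overlap so any downstream policy yields one result; the "first byte forwarded wins" policy and the sample segments are assumptions made for illustration.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]   # (byte offset, data) of one TCP segment or IP fragment

def reassemble(segments: List[Segment], favor_new: bool) -> bytes:
    """Reassemble a contiguous range. Stacks disagree on overlaps: some keep the first
    copy of a byte they saw (favor_new=False), others let later data overwrite it."""
    end = max(off + len(data) for off, data in segments)
    buf, seen = bytearray(end), [False] * end
    for off, data in segments:
        for i, b in enumerate(data):
            if favor_new or not seen[off + i]:
                buf[off + i] = b
            seen[off + i] = True
    return bytes(buf)

def normalize(segments: List[Segment]) -> List[Segment]:
    """Assumed normalizer policy: the first byte forwarded for an offset is final; any
    later segment covering that offset is rewritten to carry the same byte, so every
    reassembly policy downstream (NIDS or host) produces the same stream."""
    forwarded: Dict[int, int] = {}
    out: List[Segment] = []
    for off, data in segments:
        fixed = bytearray()
        for i, b in enumerate(data):
            pos = off + i
            if pos not in forwarded:
                forwarded[pos] = b
            fixed.append(forwarded[pos])   # overlap bytes are replaced, not trusted
        out.append((off, bytes(fixed)))
    return out

def policies_agree(segments: List[Segment]) -> bool:
    """True when favor-old and favor-new reassembly give the same bytes."""
    return reassemble(segments, favor_new=False) == reassemble(segments, favor_new=True)

# Constructed stream: the last two segments overlap at offsets 5..10 with different data.
STREAM: List[Segment] = [(0, b"hello"), (5, b" there"), (5, b" world")]

if __name__ == "__main__":
    print("raw, favor old :", reassemble(STREAM, False))          # b"hello there"
    print("raw, favor new :", reassemble(STREAM, True))           # b"hello world"
    normalized = normalize(STREAM)
    print("normalized     :", reassemble(normalized, True), policies_agree(normalized))
```

The per-offset dictionary is exactly the kind of state the "stateholding attack" bullet on Page 27 targets, which is why a real normalizer bounds how much reassembly state it keeps per connection.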

Page 30

Example Attack

• IP Identifier and stealth port scans

Page 31

Normalization for this

• Solution for patsy

– Scramble IDs of incoming and outgoing packets

– Breaks diagnostic protocols

• Solution for victim

– Reliable RSTs

– Normalizer sends “keep-alive” packet to host to determine if connection was actually closed

Page 32

Implementation

• Code in C - uses libpcap

• user-level application

• attention to completeness, correctness & performance

• Evaluated using trace-driven approach

– NetDuDE

Page 33

Performance

• Platform: 1.1GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM

• a normalizer implemented in kernel mode (as a Click module) could forward traffic at line speed on a bi-directional 100 Mbps link

Page 34

Discussion

Questions?

Page 35

An Achilles’ Heel to Signature-Based IDS: Squealing False Positives in Snort (‘01)

Page 36

Introduction

• Paper documents attacking Snort using false positives

• Snort: open-source, free, lightweight NIDS

• Squealing

– noise made by pigs during periods of distemperment

• Boy cried wolf too many times

– additionally, boy may not recognize the wolf when it actually appears!

Page 37

Attacking Snort

• Limitation is not in correctly identifying attacks, but in the ability to suppress false positives

• PCP

– Tool for generating false positives

– packet writing and argument parsing

Page 38

Squeal Attack types

• Noise-masked attacks

– diverts attention from a covert attack

• Attack misdirection

– source of attack is spoofed

• Evidence Reputability

• Target Conditioning

• Statistical Poisoning

– when training an IDS

Page 39

How easy is it?

• Using SOCK_RAW

• LIBNET, Nemesis

• Script-driven tools available (snot, stick, trichinosis)

Page 40

Proposed Solutions

• Adaption

– changing the signature-matching algorithms rapidly

• State awareness

– make IDS have a “context” while checking packets
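One concrete form of the "state awareness" bullet above, as an added example rather than anything from the slides or the Snort paper: a signature match only raises an alert on a flow whose three-way handshake the sensor observed, so spoofed, unsolicited packets that merely contain a signature string (the raw-socket squealing described on Page 39) do not inflate the alert log. The Packet layout, the SIGNATURE pattern and the traffic are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:          # constructed, simplified: no ports or sequence numbers
    src: str
    dst: str
    flags: str         # "S", "SA", "A", "PA"
    payload: bytes = b""

SIGNATURE = b"SIGNATURE-TEST"   # constructed pattern standing in for a content rule

def stateless_alerts(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Pure signature matching: every payload hit alerts, whatever the flow state."""
    return [(p.src, p.dst) for p in packets if SIGNATURE in p.payload]

def stateful_alerts(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Alert only on flows whose handshake (SYN, SYN/ACK, ACK) was seen by the sensor."""
    stage: Dict[Tuple[str, str], int] = {}   # (client, server) -> 1, 2 or 3
    alerts = []
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            stage[fwd] = 1                       # client opened a connection
        elif p.flags == "SA" and stage.get(rev) == 1:
            stage[rev] = 2                       # server answered the real client
        elif "A" in p.flags and stage.get(fwd) == 2:
            stage[fwd] = 3                       # handshake complete
        if SIGNATURE in p.payload and stage.get(fwd) == 3:
            alerts.append(fwd)
    return alerts

# Constructed traffic: one real session plus three spoofed, unsolicited signature hits.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "S"),
    Packet("10.0.0.80", "10.0.0.5", "SA"),
    Packet("10.0.0.5", "10.0.0.80", "A"),
    Packet("10.0.0.5", "10.0.0.80", "PA", b"... SIGNATURE-TEST ..."),
    Packet("203.0.113.1", "10.0.0.80", "PA", b"SIGNATURE-TEST"),
    Packet("203.0.113.2", "10.0.0.80", "PA", b"SIGNATURE-TEST"),
    Packet("203.0.113.3", "10.0.0.80", "PA", b"SIGNATURE-TEST"),
]

if __name__ == "__main__":
    print("stateless:", stateless_alerts(TRAFFIC))   # four alerts, three of them noise
    print("stateful: ", stateful_alerts(TRAFFIC))    # only the established session
```

The tracker keeps one entry per SYN, so it trades squealing resistance for the stateholding exposure noted on Page 27 and needs a bound or timeout on idle entries.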

Page 41

Conclusions

• IDSs have been around for more than a decade

• Several fundamental problems identified in IDS

• IDSs themselves are vulnerable to attacks

– and fail-open

• Upcoming paper groups

Page 42

References

• online.securityfocus.com/ids

• www.snort.org

• www.raid-symposium.org