Performance Attacks on Intrusion Detection Systems
2007/12/06
Davide [email protected]
Dipartimento di Elettronica e Informazione, Politecnico di Milano
Performance Attacks on IDS, p. 2, 2007/12/06
Intro
• Intrusion Detection Systems
• Open problems and vulnerabilities
• The queueing model
• Algorithmic complexity attacks
• Tests and evaluations
• Conclusions
Intrusion Detection Systems
As the Internet grows, the number of
• vulnerabilities
• attacks
• attackers!
increases: what kind of protections can we use for our systems?
IDS are used to detect unauthorized access attempts to computers or local networks
They work like alarms in apartments:
• they do not prevent attackers from breaking into the system...
• but they allow administrators to know when an attack is taking place
Intrusion Detection Systems
IDS Performance
Measures:
• coverage
• probability of false alarms
• probability of detection
• resistance to attacks directed at the IDS
• ability to handle high bandwidth traffic
• ability to correlate events
• ability to detect new attacks
• ability to identify an attack
• ...
Traffic generation:
• background
• attacks
IDS Vulnerabilities
Insertion
• an IDS accepts packets that an end system rejects
Evasion
• an IDS rejects packets accepted by the end system
Denial of Service
• compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
• fail-closed vs fail-open systems
Model
[Figure: queue diagram. Packets arrive at rate λ; λa are accepted into a queue with L waiting slots plus the one under service (K = L + 1), λr are rejected; the server has service time S = 1/μ and throughput X.]
Queue size: K
Incoming packet rate: λ pkt/sec (λa accepted, λr rejected)
Service time: S = 1/μ
Throughput: X
Model
Markov Chain:
Model behavior
Drop probability as a function of λ/μ, plotted for four different queue sizes
Model behavior
[Plot: P(K), the drop probability, as a function of service time and packet frequency]
Model behavior
Drop probability as a function of S, plotted for different values of λ
What if I have a 56Kbps link?
• Gigabit Ethernet: ~1.6 Mpps (frame size: 78 B)
• 100MB Ethernet: ~148 Kpps (frame size: 84 B)
• 10MB Ethernet: ~14.8 Kpps
• 2MB ADSL: ~3 Kpps
• 56Kbps modem: ~80 pps
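The following is an added worked example of the queueing model on the previous slides; it is not code from the deck. It assumes the slides' Markov chain is the birth-death chain of an M/M/1/K queue (Poisson arrivals at λ, exponential service with mean S = 1/μ, K the total number of packets the IDS can hold) and evaluates the standard closed form of the drop probability P(K), using the packet rates from this slide and the two per-packet service times reported later in the results (~100 μs normal, ~1.5 s under a backtracking attack). All function and variable names are the example's own.

```python
"""M/M/1/K view of an IDS inspection queue (added example, not the deck's
code). Assumes the Markov chain on the slides is the birth-death chain of an
M/M/1/K queue: Poisson arrivals at lam pkt/s, exponential service with mean
S = 1/mu, and K the total number of packets the IDS can hold."""

def drop_probability(lam, S, K):
    """Steady-state probability that an arriving packet finds all K slots
    full and is dropped (lambda_r / lambda on the slides). It depends on lam
    and S only through the offered load rho = lam * S, which is why packet
    rate and service time are interchangeable."""
    if K < 1:
        raise ValueError("capacity K must be at least one packet")
    rho = lam * S
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (K + 1)                     # limit of the closed form at rho = 1
    if rho > 1.0:
        q = 1.0 / rho                            # same formula written in 1/rho,
        return (1.0 - q) / (1.0 - q ** (K + 1))  # so a huge rho cannot overflow
    return (1.0 - rho) * rho ** K / (1.0 - rho ** (K + 1))

def accepted_rate(lam, S, K):
    """lambda_a on the slides: the arrivals that actually get inspected."""
    return lam * (1.0 - drop_probability(lam, S, K))

def service_time_for_drop(lam, K, target, hi=10.0):
    """Smallest mean service time S (seconds) at which the drop probability
    reaches `target` for arrival rate lam, found by bisection (the drop
    probability grows monotonically with S). Returns None if S = hi is not
    enough to reach the target."""
    if drop_probability(lam, hi, K) < target:
        return None
    lo = 0.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if drop_probability(lam, mid, K) >= target:
            hi = mid
        else:
            lo = mid
    return hi

# Packet rates from the link-speed slide and the two per-packet service times
# reported in the results: ~100 us normally, ~1.5 s under a backtracking attack.
LINK_RATES_PPS = {"Gigabit Ethernet": 1_600_000, "100Mb Ethernet": 148_000,
                  "10Mb Ethernet": 14_800, "2Mb ADSL": 3_000, "56Kbps modem": 80}
SERVICE_NORMAL_S = 100e-6
SERVICE_BACKTRACK_S = 1.5

def drop_table(K=64):
    """Drop probability per link under both service times, for capacity K
    (K = 64 is an assumed queue size, not a value from the deck)."""
    return {link: {"normal": drop_probability(pps, SERVICE_NORMAL_S, K),
                   "backtracking": drop_probability(pps, SERVICE_BACKTRACK_S, K)}
            for link, pps in LINK_RATES_PPS.items()}

if __name__ == "__main__":
    for link, d in drop_table().items():
        print(f"{link:17s} normal={d['normal']:.2e} backtracking={d['backtracking']:.4f}")
    print("S at which a 56Kbps link loses half its packets (K=64):",
          service_time_for_drop(80, 64, 0.5))
```

Run stand-alone it prints the drop probability for each link under both service times: at 100 μs per packet the modem and ADSL links lose essentially nothing, while at 1.5 s per packet even 80 pps saturates the queue, and the bisection shows that a mean service time of only 25 ms already makes the modem link drop half of its packets.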
Algorithmic complexity attacks
S. Crosby, D. Wallach: "Denial of Service via Algorithmic Complexity Attacks", 2003
They exploit algorithmic deficiencies in the data structures of many common applications
• e.g. both hash tables and binary trees can degenerate into a linked list with carefully chosen input
One particular case: backtracking algorithmic complexity attacks
Backtracking attacks
A vulnerable rule:
Backtracking attacks
every triple (x, y, z) contains:
• x: the match name
• y: where the parsing started
• z: where the next parsing will start
Backtracking attacks
IDS behavior (left: normal, right: under attack)
Tests and evaluations
Backtracking attacks seem a good way to create high service times
The plan:
• install Snort on a test machine
• generate background traffic on the network
• attack Snort with backtracking attacks
• see/measure its behavior
Test machine
• 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
• Snort 2.4.3 and 2.8.0
Attacker machine
• 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
• blabla tool to replay the DARPA 1999 dataset
• a perl script to generate attack packets
Test attack
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i"; content:"filename="; distance:0; nocase; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i"; reference:bugtraq,2524; reference:cve,2001-0154; classtype:attempted-admin; sid:3682; rev:2;)
Match example:
Content-Type: audio/x-wav; filename="virus.scr"
Attack example:
...Content-Type: audio/x-wav; filename=filename=filename=filename=Content-Type: audio/x-wav; filename=filename=filename=filename=...
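An added example, written for this page and not taken from the deck or from Snort, that models the (x, y, z) triples of the earlier slide as a toy evaluator of ordered rule options. Each option is a literal searched from the end of the previous match, the way a relative content with distance:0 is, and the two pcre options of sid:3682 are collapsed into the literals filename= and .scr, so the chain is a simplification of the real rule. The payloads are constructed from the match and attack examples above. The evaluator counts how many (option, offset) pairs it visits with and without memoizing failed pairs, the mitigation that Smith, Estan and Jha proposed for this class of backtracking in 2006 (the deck does not discuss it); the counts show why the repeated block on the attack slide inflates the service time polynomially while a memoizing evaluator stays linear in the number of blocks. All names are the example's own.

```python
"""Toy evaluator for ordered Snort-style rule options (added example; the
option chain is a literal-only simplification of sid:3682 and the payloads
are constructed). It counts evaluation steps with and without memoization."""

# Each option is a literal searched from the end of the previous match, the
# way a relative content with distance:0 is. The rule's two pcre options are
# collapsed into the literals "filename=" and ".scr" for this model.
RULE_SID_3682_SIMPLIFIED = ["content-type:", "audio/", "filename=", ".scr"]

def evaluate_rule(rule, payload, memoize=False):
    """Return (matched, steps). A step is one evaluation of rule option `idx`
    starting at payload offset `pos`; the naive evaluator repeats that
    evaluation every time backtracking reaches the same pair again."""
    text = payload.lower()           # the rule's options are all nocase
    memo = {}                        # (idx, pos) -> result, when memoize=True
    steps = 0

    def step(idx, pos):
        nonlocal steps
        if idx == len(rule):
            return True              # every option matched, in order
        if memoize and (idx, pos) in memo:
            return memo[(idx, pos)]  # known outcome: no work repeated
        steps += 1
        literal = rule[idx]
        start, result = pos, False
        while True:
            hit = text.find(literal, start)
            if hit < 0:
                break                # no further occurrence: this branch fails
            if step(idx + 1, hit + len(literal)):
                result = True
                break
            start = hit + 1          # backtrack to the next occurrence
        if memoize:
            memo[(idx, pos)] = result
        return result

    return step(0, 0), steps

# Constructed payloads: the deck's match example (the rule fires after four
# steps) and its attack block, which carries four "filename=" per block and
# no ".scr", so the last option fails everywhere and every earlier match is
# retried for every combination of the matches before it.
BENIGN = 'Content-Type: audio/x-wav; filename="virus.scr"'
ATTACK_BLOCK = "Content-Type: audio/x-wav; filename=filename=filename=filename="

def attack_payload(blocks):
    """The attack block repeated `blocks` times."""
    return ATTACK_BLOCK * blocks

def step_counts(blocks):
    """(naive_steps, memoized_steps) for the attack payload of `blocks` blocks."""
    payload = attack_payload(blocks)
    return (evaluate_rule(RULE_SID_3682_SIMPLIFIED, payload)[1],
            evaluate_rule(RULE_SID_3682_SIMPLIFIED, payload, memoize=True)[1])

if __name__ == "__main__":
    print("benign:", evaluate_rule(RULE_SID_3682_SIMPLIFIED, BENIGN))
    for n in (10, 20, 40):
        naive, memoized = step_counts(n)
        print(f"{n:3d} blocks: naive={naive:7d} memoized={memoized:5d}")
```

With n blocks the naive evaluator visits each filename= offset once per preceding (Content-Type, audio/) pair, so its step count grows as n cubed (946 steps for 10 blocks, 6391 for 20), while the memoized one visits each (option, offset) pair once and needs 6n + 1 steps. Any evaluator that counts steps this way can also enforce a per-packet budget, which turns the cost explosion into an explicit fail-open or fail-closed decision instead of an unbounded service time.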
Results
Snort 2.8.0 is not affected by the attacks; Snort 2.4.3 experiences serious slowdowns
• normal service time: ~100 μsec
• normal attack: 500~1000 μsec
• backtracking attack: 1500000 μsec
With such a service time, just a few packets are enough to fill up the queue and make the IDS drop packets => other attacks go undetected!
Results comparable with the paper's: real behavior seems worse than in the model
Conclusions
The incoming packet rate and the service time are interchangeable
The model is useful not just to plan attacks
• it explains why backtracking attacks work
• it allows studying an IDS as a black box
Limits
• the test suffers from the classical problems of IDS evaluations
• bursts not taken into account
Possible future work
• take bursts into account
• multiclass model
That's All, Folks
Thank you!
Questions are welcome