Detecting Evasion Attacks at High Speeds without Reassembly


View Paper | Public Review (by Jon Crowcroft)

George Varghese, Cisco Systems / UCSD
J. Andrew Fingerhut, Cisco Systems
Flavio Bonomi, Cisco Systems

Abstract
Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP Fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that cause the attacker’s flow to be diverted to a slow path. We prove that under certain assumptions this scheme can detect all byte-string evasions. We also show using real traces that the processing and storage requirements of this scheme can be 10% of that required by a conventional IPS, allowing reasonable cost implementations at 20 Gbps. While the changes required by Split-Detect may be a barrier to adoption, this paper exposes the assumptions that must be changed to avoid normalization and reassembly in the fast path.
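The fast-path idea in the abstract, as an added example that is not the paper's code: an exact-match signature is cut into contiguous pieces, every TCP segment is scanned on its own for any whole piece, and a flow is diverted to a slow path as soon as it shows a short payload or an out-of-order segment. The segment model `(seq, payload)`, the constructed signature `SIG`, the padding, and the helper names (`split_signature`, `evasion_packet_bound`, `fast_path_threshold`, `split_detect`, `segments_from_cuts`, `run_demo`) are all assumptions of this example. `evasion_packet_bound` derives the size threshold from the pieces: an in-order sender who wants every piece cut by a segment boundary must, somewhere, send a segment that holds only the tail of one piece and the head of the next, so that segment has at most `len(P_i) - 1 + len(P_{i+1}) - 1` bytes.

```python
# Added example (not the paper's code): a toy Split-Detect fast path that
# never reassembles.  Assumptions: exact byte-string signatures, TCP segments
# modelled as (seq, payload), and a slow-path policy of "divert on any payload
# shorter than a threshold or on any out-of-order segment".
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def split_signature(sig: bytes, k: int) -> List[bytes]:
    """Cut a signature into k contiguous pieces; the last piece takes the remainder."""
    if k < 2 or k > len(sig):
        raise ValueError("need 2 <= k <= len(sig)")
    p = len(sig) // k
    pieces = [sig[i * p:(i + 1) * p] for i in range(k - 1)]
    pieces.append(sig[(k - 1) * p:])
    return pieces


def evasion_packet_bound(pieces: List[bytes]) -> int:
    """Largest payload an in-order sender can give the segment that straddles the
    two consecutive pieces with the smallest combined length while still cutting
    every piece: (len(P_i) - 1) + (len(P_{i+1}) - 1) bytes."""
    return min(len(a) + len(b) - 2 for a, b in zip(pieces, pieces[1:]))


def fast_path_threshold(pieces: List[bytes]) -> int:
    """Payloads shorter than this are diverted: one more than the evasion bound."""
    return evasion_packet_bound(pieces) + 1


def split_detect(flow: List[Segment], pieces: List[bytes], threshold: int) -> str:
    """Per-segment verdict without reassembly: 'alert' if any single segment holds a
    whole piece, 'slow_path' on a short payload or an out-of-order segment, else 'clean'."""
    expected_seq = flow[0][0] if flow else 0
    for seq, payload in flow:
        if any(piece in payload for piece in pieces):
            return "alert"
        if seq != expected_seq or len(payload) < threshold:
            return "slow_path"
        expected_seq = seq + len(payload)
    return "clean"


def segments_from_cuts(stream: bytes, cuts: List[int], base_seq: int = 1000) -> List[Segment]:
    """Build in-order segments by cutting a byte stream at the given offsets."""
    bounds = [0] + sorted(cuts) + [len(stream)]
    return [(base_seq + a, stream[a:b]) for a, b in zip(bounds, bounds[1:])]


SIG = b"CONSTRUCTED-EXPLOIT-SIGNATURE-FOR-DEMO"  # constructed 38-byte signature
PIECES = split_signature(SIG, 4)                 # pieces of 9, 9, 9 and 11 bytes
T = fast_path_threshold(PIECES)                  # 17: a straddling segment holds <= 16 bytes


def run_demo() -> Dict[str, object]:
    """Constructed flows exercising each verdict; returns {case: result}."""
    pad = b"A" * 200
    stream = pad + SIG + pad
    start = len(pad)
    # Sender places one cut inside every piece, so no segment holds a whole piece,
    # but the segments between consecutive cuts are then necessarily short.
    cuts, pos = [], start
    for piece in PIECES:
        cuts.append(pos + len(piece) // 2)
        pos += len(piece)
    cut_flow = segments_from_cuts(stream, cuts)
    benign = segments_from_cuts(b"B" * 300, [150])
    reordered = [benign[1], benign[0]]
    return {
        "whole_signature_in_one_segment": split_detect(segments_from_cuts(stream, []), PIECES, T),
        "cut_inside_every_piece": split_detect(cut_flow, PIECES, T),
        "benign": split_detect(benign, PIECES, T),
        "out_of_order": split_detect(reordered, PIECES, T),
        "largest_straddling_segment": max(len(p) for _, p in cut_flow[1:-1]),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The threshold comes out of the piece lengths, so the scheme only works when pieces are long enough that "payload shorter than the threshold" is genuinely abnormal and the pieces themselves are rare in benign traffic; a piece of two or three bytes, as a two-way split of a five-byte token would give, matches ordinary payloads constantly, which is the trade-off behind the short-token question in the comment below.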

Comments

  1. Posted by Yan Chen on Saturday September 16, 6:51am
    Hi,

    I have a question on how the scheme proposed in the paper can work with polymorphic worms which may have very short signatures, e.g., a conjunction of short strings (a.k.a. tokens). The attacker can easily break the short tokens into two packets without creating short packets, and thus defeat your detection algorithm.

    For example, for Code Red II, we found its inherent signature is a conjunction of the following token strings with frequency: {'.ida?': 1, '%u780': 1, ' HTTP/1.0\r\n': 1, 'GET /': 1, '%u': 2}. The order does not matter. Then the attacker can do the following trick:

    “.id” at the end of packet 1

    “a?” in the beginning of packet 2, padded with non signature data and then “%u” at the end of packet 2

    “780” in the beginning of packet 3, padded with non signature data and then “HTTP/1.0” at the end of packet 3 (BTW, you probably don't have to use “HTTP 1.0” because it is very common).

    “\r\n” in the beginning of packet 4, etc.

    You can tell that with the short signatures that a polymorphic worm has, they can always break them into small signatures without creating short packets or violating the receiver’s atomicity, and then evade your detection. From our study, almost all polymorphic worms or polymorphic engines have such signatures. So it seems that it will become a problem with your scheme. What do you think?

    -Yan
