MPTCP IDS EVASION MITIGATION ZEESHAN AFZAL STEFAN LINDSKOG

  • Slides: 24
Download presentation
MPTCP IDS EVASION & MITIGATION ZEESHAN AFZAL & STEFAN LINDSKOG KARLSTAD UNIVERSITY, SWEDEN

MPTCP IDS EVASION & MITIGATION ZEESHAN AFZAL & STEFAN LINDSKOG KARLSTAD UNIVERSITY, SWEDEN

OUTLINE • BACKGROUND • QUESTIONS • METHODOLOGY • RESULTS • SOLUTION • FUTURE 2

OUTLINE • BACKGROUND • QUESTIONS • METHODOLOGY • RESULTS • SOLUTION • FUTURE 2

MPTCP IN THE MEDIA 3

MPTCP IN THE MEDIA 3

MULTIPATH TCP - LITTLE PROTOCOL REVIEW • ALLOWS TCP TO UTILIZE MULTIPLE PATHS •

MULTIPATH TCP - LITTLE PROTOCOL REVIEW • ALLOWS TCP TO UTILIZE MULTIPLE PATHS • HIGHER – THROUGHPUT& AVAILABILITY • BACKWARD COMPATIBLE • CONSISTS OF ≥ 1 TCP CONNECTIONS (SUBFLOWS) https: //en. wikipedia. org/wiki/Chicago_Transit_Authority#/media/File: CTA_loop_junction. jpg 4

STANDARD VS MULTIPATH TCP STACK STANDARD TCP MULTIPATH TCP Application MPTCP Application TCP Subflow

STANDARD VS MULTIPATH TCP STACK STANDARD TCP MULTIPATH TCP Application MPTCP Application TCP Subflow (TCP) IP IP IP 5

MPTCP HANDSHAKES SYN + MP_C APABLE CAPABLE SYN + ACK + MP_C APABLE SYN

MPTCP HANDSHAKES SYN + MP_C APABLE CAPABLE SYN + ACK + MP_C APABLE SYN + MP_JOIN SYN + ACK + MP_JO IN Client Server 6

FLEXIBLE PACKET SCHEDULING Data[0] Data[1] Data[3] Data[2] Data Client Data Server 7

FLEXIBLE PACKET SCHEDULING Data[0] Data[1] Data[3] Data[2] Data Client Data Server 7

MIDDLEBOXES • SECURITY MIDDLEBOXES ARE TUNED FOR TCP • SIGNATURE-BASED MIDDLEBOXES FILTER TRAFFIC USING

MIDDLEBOXES • SECURITY MIDDLEBOXES ARE TUNED FOR TCP • SIGNATURE-BASED MIDDLEBOXES FILTER TRAFFIC USING RULES • MANY ASSUMPTIONS BEHIND THIS PROCESS MAY NOT HOLD FOR MPTCP • OPERATORS INCREASINGLY SEE MPTCP AS DANGEROUS 8

SO WHAT HAS CHANGED? TCP • DATA ARRIVES ALONG THE SAME PATH MPTCP •

SO WHAT HAS CHANGED? TCP • DATA ARRIVES ALONG THE SAME PATH MPTCP • CROSS-PATH DATA FRAGMENTATION • CLOSE BAD CONNECTIONS • HIGHER CONNECTION RESILIENCE • TAKE DECISIONS ON TRAFFIC • REVERSE CONNECTIONS DIRECTION • CONNECTION USES CONSTANT IP • CHANGING ADDRESSES • PARTIAL TRAFFIC VISIBILITY • SEE ALL TRAFFIC http: //labs. neohapsis. com/2014/07/29/multipath-tcp-blackhat-briefings-teaser/ 9

QUESTIONS • HOW MANY RULES WILL BE AFFECTED BY CROSS-PATH DATA FRAGMENTATION? • HOW

QUESTIONS • HOW MANY RULES WILL BE AFFECTED BY CROSS-PATH DATA FRAGMENTATION? • HOW DO THE CURRENT IDS SOLUTIONS REACT TO IT? • WHAT IS THE SEVERITY OF THE SITUATION? • IS THERE A SOLUTION TO THE PROBLEM? 10

EXPERIMENTAL METHODOLOGY • CLIENT & SERVER SIDE • CLIENT SIDE CONSISTS OF THREE COMPONENTS

EXPERIMENTAL METHODOLOGY • CLIENT & SERVER SIDE • CLIENT SIDE CONSISTS OF THREE COMPONENTS • SERVER SIDE CONSISTS OF FOUR COMPONENTS 11

RULE ANALYZER • READS ALL INPUT RULE FILES • PROVIDES DISTRIBUTION BY PROTOCOL •

RULE ANALYZER • READS ALL INPUT RULE FILES • PROVIDES DISTRIBUTION BY PROTOCOL • USED TO PERFORM STATISTICAL ANALYSIS 12

RULE PARSER • A MECHANISM TO TRANSLATE RULES TO PAYLOADS • PARSES EVERY RULE

RULE PARSER • A MECHANISM TO TRANSLATE RULES TO PAYLOADS • PARSES EVERY RULE AND CRAFTS A CONSISTENT PAYLOAD • SUPPORTS A LARGE VARIETY OF COMMON KEYWORDS 13

MPTCP TOOL/CLIENT • 14

MPTCP TOOL/CLIENT • 14

SERVER SIDE • MPTCP SERVER RECEIVES THE DATA • SNORT OPERATES ON THE PATH

SERVER SIDE • MPTCP SERVER RECEIVES THE DATA • SNORT OPERATES ON THE PATH WITH SAME RULES AND WRITES ALERTS TO A LOG FILE • LOG ANALYZER READS THE LOG FILE AND GENERATES RESULTS 15

EVALUATION OF SNORT • RULE ANALYZER PROVIDES DISTRIBUTION OF RULES • TCP RULES FED

EVALUATION OF SNORT • RULE ANALYZER PROVIDES DISTRIBUTION OF RULES • TCP RULES FED IN TO THE RULE PARSER • MPTCP CLIENT CONNECTS TO SERVER & ADDS MORE SUBFLOWS • SENDS EVERY PAYLOAD BY FRAGMENTING IT AMONG SUBFLOWS 16

RESULTS • EVERY CATEGORY TESTED 5 TIMES BY VARYING SUBFLOWS • RESULTS WITH ONE

RESULTS • EVERY CATEGORY TESTED 5 TIMES BY VARYING SUBFLOWS • RESULTS WITH ONE SUBFLOW ARE BASELINE 17

SNORT IS CONFUSED! • LOWER NUMBER OF DETECTED ALERTS BY SNORT THAN EXPECTED •

SNORT IS CONFUSED! • LOWER NUMBER OF DETECTED ALERTS BY SNORT THAN EXPECTED • SNORT TREATS EVERY SUBFLOW AS AN INDEPENDENT TCP CONNECTION • TRIES TO MATCH SIGNATURES WITHIN EACH SUBFLOW WITH NO CORRELATION 18

DEFENSE • PEOPLE • TECHNOLOGY - INFRASTRUCTURE NEEDS TO BECOME MPTCP AWARE • FULL

DEFENSE • PEOPLE • TECHNOLOGY - INFRASTRUCTURE NEEDS TO BECOME MPTCP AWARE • FULL TRAFFIC VISIBILITY • PARTIAL TRAFFIC VISIBILITY 19

SOLUTION - MPTCP LINKER • CAPTURES PACKETS • USES MPTCP OPTIONS &TCP FLAGS •

SOLUTION - MPTCP LINKER • CAPTURES PACKETS • USES MPTCP OPTIONS &TCP FLAGS • IDENTIFIES SESSIONS AND CORRELATES SUBFLOWS • KEEPS TRACK OF DATA ON ALL SUBFLOWS OF ALL CONNECTIONS • RE-ORDERS DATA IN CORRECT ORDER 20

VALIDATION OF SOLUTION • VALIDATED UNDER SAME ATTACK TRAFFIC • OFFLINE MODE OF SNORT

VALIDATION OF SOLUTION • VALIDATED UNDER SAME ATTACK TRAFFIC • OFFLINE MODE OF SNORT UTILIZED • SOLUTION MITIGATES THE ATTACK • NUMBER OF DETECTED INTRUSIONS REMAIN CONSISTENT IRRESPECTIVE OF NO. OF SUBFLOWS 21

OUTLOOK • NEW COMMUNICATION TECHNOLOGIES ARE COMING • NETWORK SECURITY NEEDS TO EVOLVE •

OUTLOOK • NEW COMMUNICATION TECHNOLOGIES ARE COMING • NETWORK SECURITY NEEDS TO EVOLVE • “DETECTING DISTRIBUTED SIGNATURE-BASED INTRUSION: THE CASE OF MULTI-PATH ROUTING ATTACKS’’ BY MA ET AL. IN PROC. OF IEEE INFOCOM. 2015 • MPTCP PROXY SOLUTION UNDER DEVELOPMENT • PARADIGM SHIFTS MIGHT BE REQUIRED 22

CONCLUDING REMARKS • INVESTIGATED PRACTICALITY OF IDS EVASION USING MPTCP • PROPOSED ONE POSSIBLE

CONCLUDING REMARKS • INVESTIGATED PRACTICALITY OF IDS EVASION USING MPTCP • PROPOSED ONE POSSIBLE SOLUTION • OTHER SECURITY IMPLICATIONS OF MPTCP NEED TO BE INVESTIGATED 23

THANK YOU. QUESTIONS?

THANK YOU. QUESTIONS?

IETF94 MPTCP WG MPTCP Implementation Use cases forIETF94 MPTCP WG MPTCP Implementation Use cases for
IETF93 MPTCP WG MPTCP Implementation Use cases forIETF93 MPTCP WG MPTCP Implementation Use cases for
IDS INTRANET DATABASE SYSTEM WHAT IS IDS IDSIDS INTRANET DATABASE SYSTEM WHAT IS IDS IDS
IDS Sensor Placement IDS Sensor Placement IDS placementIDS Sensor Placement IDS Sensor Placement IDS placement
IDS n n n NetworkBased IDS HostBased IDSIDS n n n NetworkBased IDS HostBased IDS
Hazard Mitigation Grants Topics General Common Mitigation MitigationHazard Mitigation Grants Topics General Common Mitigation Mitigation
Anette Blomstrand Caroline Dameron Lindskog Frida Johansson ochAnette Blomstrand Caroline Dameron Lindskog Frida Johansson och
Utvrdering av thisiskorpen Att Petra Lindskog Copyright NepaUtvrdering av thisiskorpen Att Petra Lindskog Copyright Nepa
Statistical based IDS background introduction Statistical IDS backgroundStatistical based IDS background introduction Statistical IDS background
Statistical based IDS background introduction Statistical IDS backgroundStatistical based IDS background introduction Statistical IDS background
Intrusion Detection Systems IDS IDS Intrusion Detection SystemIntrusion Detection Systems IDS IDS Intrusion Detection System
Statistical based IDS background introduction Statistical IDS backgroundStatistical based IDS background introduction Statistical IDS background
Intrusion Detection Systems IDS What is an IDSIntrusion Detection Systems IDS What is an IDS
Welcome IDS Project Members IDS Community VUG DISCUSSIONWelcome IDS Project Members IDS Community VUG DISCUSSION
CSCI 530 Lab Intrusion Detection Systems IDS IDSCSCI 530 Lab Intrusion Detection Systems IDS IDS
IDS V LIBERECKM KRAJI Pedstaven IDS a novinkyIDS V LIBERECKM KRAJI Pedstaven IDS a novinky
IDS and IPS IDS vs IPS Which isIDS and IPS IDS vs IPS Which is
Statistical based IDS background introduction Statistical IDS backgroundStatistical based IDS background introduction Statistical IDS background
Checking for Duplicate Com IDs Duplicate Com IDsChecking for Duplicate Com IDs Duplicate Com IDs
IDS IN CLOUD COMPUTING IDS Department of ComputerIDS IN CLOUD COMPUTING IDS Department of Computer
IDS IPS IDS Cooperative A General Cooperative IntrusionIDS IPS IDS Cooperative A General Cooperative Intrusion
Perforce ARIS Development Stefan Mller IDS Scheer AGPerforce ARIS Development Stefan Mller IDS Scheer AG
Computer Architecture and Organization CS507 Muhammad Zeeshan HaiderComputer Architecture and Organization CS507 Muhammad Zeeshan Haider