
MPTCP IDS EVASION & MITIGATION ZEESHAN AFZAL & STEFAN LINDSKOG KARLSTAD UNIVERSITY, SWEDEN

Upload: warren-crawford

Post on 14-Dec-2015


TRANSCRIPT

MPTCP IDS EVASION & MITIGATION

ZEESHAN AFZAL & STEFAN LINDSKOG

KARLSTAD UNIVERSITY, SWEDEN

2

OUTLINE

• BACKGROUND

• QUESTIONS

• METHODOLOGY

• RESULTS

• SOLUTION

• FUTURE

3

MPTCP IN THE MEDIA

4

MULTIPATH TCP - LITTLE PROTOCOL REVIEW

• ALLOWS TCP TO UTILIZE MULTIPLE PATHS

• HIGHER – THROUGHPUT & AVAILABILITY

• BACKWARD COMPATIBLE

• CONSISTS OF ≥ 1 TCP CONNECTIONS (SUBFLOWS)

https://en.wikipedia.org/wiki/Chicago_Transit_Authority#/media/File:CTA_loop_junction.jpg

5

STANDARD VS MULTIPATH TCP STACK

STANDARD TCP            MULTIPATH TCP

Application             Application
TCP                     MPTCP
IP                      Subflow (TCP)    Subflow (TCP)
                        IP               IP

6

MPTCP HANDSHAKES

Client Server

INITIAL SUBFLOW (EXCHANGES THE KEYS THAT IDENTIFY THE CONNECTION):

CLIENT → SERVER: SYN + MP_CAPABLE

SERVER → CLIENT: SYN + ACK + MP_CAPABLE

CLIENT → SERVER: ACK + MP_CAPABLE

ADDITIONAL SUBFLOW (MP_JOIN CARRIES THE TOKEN DERIVED FROM THE PEER'S KEY):

CLIENT → SERVER: SYN + MP_JOIN

SERVER → CLIENT: SYN + ACK + MP_JOIN

CLIENT → SERVER: ACK + MP_JOIN

7

FLEXIBLE PACKET SCHEDULING

[Figure: the client's data stream Data[0], Data[1], Data[2], Data[3] is split by the MPTCP scheduler over the available subflows (in the figure Data[0] and Data[3] travel on one path, Data[1] and Data[2] on the other) and the server re-assembles the segments into the original Data stream.]

Client Server

8

MIDDLEBOXES

• SECURITY MIDDLEBOXES ARE TUNED FOR TCP

• SIGNATURE-BASED MIDDLEBOXES FILTER TRAFFIC USING RULES

• MANY ASSUMPTIONS BEHIND THIS PROCESS MAY NOT HOLD FOR MPTCP

• OPERATORS INCREASINGLY SEE MPTCP AS DANGEROUS

9

SO WHAT HAS CHANGED?

TCP                                  | MPTCP
-------------------------------------|-----------------------------------
DATA ARRIVES ALONG THE SAME PATH     | CROSS-PATH DATA FRAGMENTATION
CLOSE BAD CONNECTIONS                | HIGHER CONNECTION RESILIENCE
TAKE DECISIONS ON TRAFFIC DIRECTION  | REVERSE CONNECTIONS
CONNECTION USES CONSTANT IP          | CHANGING ADDRESSES
SEE ALL TRAFFIC                      | PARTIAL TRAFFIC VISIBILITY

Source: http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-teaser/

10

QUESTIONS

• HOW MANY RULES WILL BE AFFECTED BY CROSS-PATH DATA FRAGMENTATION?

• HOW DO THE CURRENT IDS SOLUTIONS REACT TO IT?

• WHAT IS THE SEVERITY OF THE SITUATION?

• IS THERE A SOLUTION TO THE PROBLEM?

11

EXPERIMENTAL METHODOLOGY

• CLIENT & SERVER SIDE

• CLIENT SIDE CONSISTS OF THREE COMPONENTS

• SERVER SIDE CONSISTS OF FOUR COMPONENTS

12

RULE ANALYZER

• READS ALL INPUT RULE FILES

• PROVIDES DISTRIBUTION BY PROTOCOL

• USED TO PERFORM STATISTICAL ANALYSIS

13

RULE PARSER

• A MECHANISM TO TRANSLATE RULES TO PAYLOADS

• PARSES EVERY RULE AND CRAFTS A CONSISTENT PAYLOAD

• SUPPORTS A LARGE VARIETY OF COMMON KEYWORDS
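A worked example of the rule-to-payload translation this component performs, added here as an illustration and not the authors' rule parser. It handles a subset of Snort 2 rule syntax (content with |hex| runs and the offset, depth, distance and within modifiers; negated content, pcre and the byte_* keywords are not covered), crafts the shortest payload that satisfies every window in the content chain, and re-checks that payload with Snort-style matching semantics. Both rules in the block are constructed for the example.

```python
import re

# Added example of a Snort rule -> payload translator; not the authors' tool.
# Assumption: a subset of Snort 2 syntax (content, offset, depth, distance,
# within). Negated content (content:!"..."), pcre, byte_test/byte_jump and
# backslash escapes inside content strings are not handled.

_OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

# Constructed rules used by the demo below (not from any real rule set).
RULE_CGI = ('alert tcp any any -> any 80 (msg:"constructed cgi probe"; '
            'content:"GET "; depth:4; content:"/cgi-bin/"; distance:0; '
            'content:"|00 0a|"; within:20; sid:1000001; rev:1;)')
RULE_ADMIN = ('alert tcp any any -> any 80 (msg:"constructed admin probe"; '
              'content:"admin"; offset:10; content:"pass"; distance:5; '
              'sid:1000002; rev:1;)')


def decode_content(text):
    """Decode a Snort content string: literal text interleaved with |hex| runs."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule):
    """Split one rule line into its header and an ordered content chain.
    Each chain element is {'bytes': b'...'} plus any of offset/depth/distance/within."""
    header, _, body = rule.partition('(')
    contents = []
    for key, value in _OPT_RE.findall(body.rstrip(')')):
        value = value.strip()
        if key == 'content':
            contents.append({'bytes': decode_content(value.strip('"'))})
        elif key in ('offset', 'depth', 'distance', 'within') and contents:
            contents[-1][key] = int(value)      # modifier binds to the last content
    return header.strip(), contents


def craft_payload(contents, filler=b'A'):
    """Build the shortest payload that satisfies every window in the chain.
    Windows are read conservatively (depth counted from offset, within counted
    from the end of the previous match), so the payload also matches under the
    stricter reading of either modifier."""
    payload = bytearray()
    prev_end = 0                                 # end of the previous match
    for c in contents:
        pat = c['bytes']
        if 'distance' in c:
            pos = prev_end + c['distance']
        elif 'offset' in c:
            pos = max(c['offset'], prev_end)
        else:
            pos = prev_end
        if pos < len(payload):
            raise ValueError('negative distance is not supported here')
        if 'depth' in c and pos + len(pat) > c.get('offset', 0) + c['depth']:
            raise ValueError('depth window too small for %r' % pat)
        if 'within' in c and pos + len(pat) - prev_end > c['within']:
            raise ValueError('within window too small for %r' % pat)
        payload += filler * (pos - len(payload)) + pat
        prev_end = len(payload)
    return bytes(payload)


def rule_matches(contents, payload):
    """Snort-style evaluation of the content chain against a payload."""
    prev_end = 0
    for c in contents:
        pat = c['bytes']
        if 'distance' in c or 'within' in c:     # relative to the last match
            start = prev_end + c.get('distance', 0)
            end = prev_end + c['within'] if 'within' in c else len(payload)
        else:                                     # relative to the payload start
            start = c.get('offset', 0)
            end = start + c['depth'] if 'depth' in c else len(payload)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True


if __name__ == '__main__':
    for rule in (RULE_CGI, RULE_ADMIN):
        header, chain = parse_rule(rule)
        payload = craft_payload(chain)
        print(header, payload, rule_matches(chain, payload))
```

The crafted payload is what the MPTCP client on the next slides would send; the self-check with rule_matches is the step that makes the experiment meaningful, since a payload that does not trigger the rule on a single subflow cannot be used as a baseline.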

14

MPTCP TOOL/CLIENT

• CORE TOOL RESPONSIBLE FOR GENERATING MPTCP TRAFFIC

• ACTS AS A CLIENT

• IMPLEMENTS AN AD-HOC PACKET SCHEDULER

  • SENDS DATA IN SEGMENTS OF A CONFIGURABLE SIZE (PKT_SIZE)

  • ATTEMPTS TO FRAGMENT DATA EQUALLY ACROSS ALL SUBFLOWS

15

SERVER SIDE

• MPTCP SERVER RECEIVES THE DATA

• SNORT RUNS ON THE PATH WITH THE SAME RULE SET AND WRITES ITS ALERTS TO A LOG FILE

• LOG ANALYZER READS THE LOG FILE AND GENERATES RESULTS

16

EVALUATION OF SNORT

• RULE ANALYZER PROVIDES DISTRIBUTION OF RULES

• TCP RULES FED IN TO THE RULE PARSER

• MPTCP CLIENT CONNECTS TO SERVER & ADDS MORE SUBFLOWS

• SENDS EVERY PAYLOAD BY FRAGMENTING IT AMONG SUBFLOWS
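The evaluation loop above, as an added example that is not the authors' MPTCP tool: a round-robin scheduler deals PKT_SIZE-byte segments over N subflows and tags each with its data sequence number, and each payload is then inspected two ways, per subflow (as an IDS that treats every subflow as an independent TCP connection does) and on the DSN-ordered connection-level stream. The signatures, payloads and an initial DSN of 0 are constructed assumptions; real subflows would be separate TCP connections on separate paths.

```python
# Added example, not the authors' code: an ad-hoc MPTCP scheduler and the two
# ways an IDS can look at the result. Signatures and payloads are constructed.

SIGNATURES = [b'/cgi-bin/phf', b'/etc/passwd', b'cmd.exe', b'union select']
PAYLOADS = [b'GET ' + sig + b' HTTP/1.0\r\n' for sig in SIGNATURES]


def schedule(payload, subflows, pkt_size):
    """Deal pkt_size-byte segments round-robin over `subflows` subflows.
    Returns {subflow: [(dsn, segment), ...]}; the data sequence number (DSN)
    is the segment's offset in the connection-level stream (assumption: the
    stream starts at DSN 0)."""
    sched = {sf: [] for sf in range(subflows)}
    for n, dsn in enumerate(range(0, len(payload), pkt_size)):
        sched[n % subflows].append((dsn, payload[dsn:dsn + pkt_size]))
    return sched


def per_subflow_streams(sched):
    """Each subflow reassembled on its own, as a TCP-only IDS sees it."""
    return {sf: b''.join(seg for _, seg in segs) for sf, segs in sched.items()}


def connection_stream(sched):
    """All segments of all subflows put back into DSN order."""
    segs = sorted(seg for segs in sched.values() for seg in segs)
    return b''.join(data for _, data in segs)


def detected(stream_views, signatures):
    """Number of signatures that match in at least one of the given streams."""
    return sum(1 for sig in signatures if any(sig in s for s in stream_views))


def run_experiment(pkt_size=4, max_subflows=5, mptcp_aware=False):
    """Send every payload once per subflow count (1 subflow is the baseline)
    and count the signatures the IDS still sees. Returns {subflows: hits}."""
    results = {}
    for n in range(1, max_subflows + 1):
        hits = 0
        for sig, payload in zip(SIGNATURES, PAYLOADS):
            sched = schedule(payload, n, pkt_size)
            if mptcp_aware:
                views = [connection_stream(sched)]
            else:
                views = list(per_subflow_streams(sched).values())
            hits += detected(views, [sig])
        results[n] = hits
    return results


if __name__ == '__main__':
    print('subflow-unaware IDS :', run_experiment())
    print('connection-level IDS:', run_experiment(mptcp_aware=True))
    print('PKT_SIZE 64         :', run_experiment(pkt_size=64))
```

With a PKT_SIZE of four bytes no signature survives inside any single subflow as soon as a second subflow is added, while a PKT_SIZE larger than the payload leaves every signature intact: the fragmentation granularity, not the subflow count alone, decides whether the evasion works.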

17

RESULTS

• EVERY RULE CATEGORY TESTED FIVE TIMES, EACH RUN WITH A DIFFERENT NUMBER OF SUBFLOWS

• RESULTS WITH ONE SUBFLOW ARE BASELINE

18

SNORT IS CONFUSED!

• SNORT RAISES FEWER ALERTS THAN EXPECTED ONCE A PAYLOAD IS SPREAD OVER MORE THAN ONE SUBFLOW

• SNORT TREATS EVERY SUBFLOW AS AN INDEPENDENT TCP CONNECTION

• TRIES TO MATCH SIGNATURES WITHIN EACH SUBFLOW WITH NO CORRELATION

19

DEFENSE

• PEOPLE

• TECHNOLOGY - INFRASTRUCTURE NEEDS TO BECOME MPTCP AWARE

  • FULL TRAFFIC VISIBILITY

  • PARTIAL TRAFFIC VISIBILITY

20

SOLUTION - MPTCP LINKER

• CAPTURES PACKETS

• USES MPTCP OPTIONS & TCP FLAGS

• IDENTIFIES SESSIONS AND CORRELATES SUBFLOWS

• KEEPS TRACK OF DATA ON ALL SUBFLOWS OF ALL CONNECTIONS

• RE-ORDERS DATA IN CORRECT ORDER
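An added example of the linker idea (not the authors' implementation), which also walks the MP_CAPABLE and MP_JOIN handshakes from slide 6: the server key in the SYN/ACK yields the connection token (the most significant 32 bits of SHA-1 over the key, per RFC 6824), a later SYN + MP_JOIN names that token, and data on every bound subflow is collected under its DSS data sequence number and re-ordered before inspection. Packets are constructed Python dicts standing in for captured frames; the keys, addresses, signature, a relative DSN starting at 0, client-to-server data only, and the omission of the MP_JOIN HMAC and nonce fields are all assumptions of the example.

```python
import hashlib

# Added example of an "MPTCP linker" (slides 6 and 20); not the authors' code.
# Packets are constructed dicts instead of captured frames:
#   {'flow': (src, sport, dst, dport), 'flags': 'S' | 'SA' | 'A',
#    'mp_capable': {'key': bytes}, 'mp_join': {'token': int},
#    'dss': {'dsn': int}, 'payload': bytes}   (absent key = option not present)
# Assumptions: 64-bit MPTCP keys, relative DSNs starting at 0, client-to-server
# data only, MP_JOIN SYN/ACK and ACK shown without their HMAC/nonce fields.

SIGNATURE = b'/cgi-bin/phf'                          # constructed rule content
PAYLOAD = b'GET ' + SIGNATURE + b' HTTP/1.0\r\n'
CLIENT_KEY = bytes.fromhex('0102030405060708')      # constructed
SERVER_KEY = bytes.fromhex('a1b2c3d4e5f60718')      # constructed
SF1 = ('10.0.0.1', 40000, '10.0.0.2', 80)          # initial subflow
SF2 = ('10.0.1.1', 40001, '10.0.0.2', 80)          # additional subflow, 2nd address


def mptcp_token(key):
    """RFC 6824: a connection token is the most significant 32 bits of SHA-1(key)."""
    return int.from_bytes(hashlib.sha1(key).digest()[:4], 'big')


def reverse(flow):
    return (flow[2], flow[3], flow[0], flow[1])


class MptcpLinker:
    def __init__(self):
        self.sessions = {}    # token -> {'subflows': set of 4-tuples, 'segments': [(dsn, data)]}
        self.flow_token = {}  # 4-tuple in either direction -> token

    def _bind(self, flow, token):
        self.sessions.setdefault(token, {'subflows': set(), 'segments': []})
        self.sessions[token]['subflows'].add(flow)
        self.flow_token[flow] = self.flow_token[reverse(flow)] = token

    def feed(self, pkt):
        flow, cap, join = pkt['flow'], pkt.get('mp_capable'), pkt.get('mp_join')
        if cap and pkt['flags'] == 'SA':
            # SYN/ACK + MP_CAPABLE carries the server key; its token is what later
            # MP_JOINs use to name this connection. Bind the client->server flow.
            self._bind(reverse(flow), mptcp_token(cap['key']))
        elif join and pkt['flags'] == 'S' and join.get('token') in self.sessions:
            self._bind(flow, join['token'])   # SYN + MP_JOIN: an additional subflow
        token = self.flow_token.get(flow)
        if token is not None and pkt.get('dss') and pkt.get('payload'):
            self.sessions[token]['segments'].append((pkt['dss']['dsn'], pkt['payload']))

    def stream(self, token):
        """Connection-level data in DSN order. Retransmitted bytes are dropped
        and delivery stops at the first hole, as in-order TCP reassembly does."""
        out, expected = bytearray(), None
        for dsn, data in sorted(self.sessions[token]['segments'], key=lambda s: s[0]):
            expected = dsn if expected is None else expected
            if dsn + len(data) <= expected:
                continue                                  # already delivered
            if dsn < expected:                            # partial overlap: trim
                data, dsn = data[expected - dsn:], expected
            if dsn > expected:
                break                                     # hole: wait for it
            out += data
            expected += len(data)
        return bytes(out)


def build_traffic(pkt_size=4):
    """Both handshakes from slide 6, then PAYLOAD dealt alternately over SF1 and
    SF2 with the SF2 segments delivered first, i.e. out of DSN order."""
    token = mptcp_token(SERVER_KEY)
    pkts = [
        {'flow': SF1, 'flags': 'S', 'mp_capable': {'key': CLIENT_KEY}},
        {'flow': reverse(SF1), 'flags': 'SA', 'mp_capable': {'key': SERVER_KEY}},
        {'flow': SF1, 'flags': 'A', 'mp_capable': {'key': CLIENT_KEY}},
        {'flow': SF2, 'flags': 'S', 'mp_join': {'token': token}},
        {'flow': reverse(SF2), 'flags': 'SA', 'mp_join': {}},   # HMAC/nonce omitted
        {'flow': SF2, 'flags': 'A', 'mp_join': {}},            # HMAC omitted
    ]
    data = [{'flow': SF1 if i % 2 == 0 else SF2, 'flags': 'A',
             'dss': {'dsn': dsn}, 'payload': PAYLOAD[dsn:dsn + pkt_size]}
            for i, dsn in enumerate(range(0, len(PAYLOAD), pkt_size))]
    data.sort(key=lambda p: p['flow'] == SF1)       # stable sort: SF2 segments first
    return pkts + data, token


def link(pkts):
    linker = MptcpLinker()
    for pkt in pkts:
        linker.feed(pkt)
    return linker


def per_subflow_view(pkts):
    """What a subflow-unaware IDS reassembles: one byte stream per 4-tuple."""
    views = {}
    for pkt in pkts:
        if pkt.get('payload'):
            views[pkt['flow']] = views.get(pkt['flow'], b'') + pkt['payload']
    return views


if __name__ == '__main__':
    pkts, token = build_traffic()
    print('per subflow:', per_subflow_view(pkts))
    print('linked     :', link(pkts).stream(token))
```

Feeding only the initial subflow's segments leaves the linker holding a hole after the first four bytes, which is the partial-visibility case of the DEFENSE slide: a linker on a path that sees one subflow cannot reconstruct the stream, it can only tell that the stream is incomplete.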

21

VALIDATION OF SOLUTION

• VALIDATED UNDER SAME ATTACK TRAFFIC

• OFFLINE MODE OF SNORT UTILIZED

• SOLUTION MITIGATES THE ATTACK

• THE NUMBER OF DETECTED INTRUSIONS REMAINS CONSISTENT IRRESPECTIVE OF THE NUMBER OF SUBFLOWS

22

OUTLOOK

• NEW COMMUNICATION TECHNOLOGIES ARE COMING

• NETWORK SECURITY NEEDS TO EVOLVE

• “DETECTING DISTRIBUTED SIGNATURE-BASED INTRUSION: THE CASE OF MULTI-PATH ROUTING ATTACKS” BY MA ET AL., IN PROC. OF IEEE INFOCOM, 2015

• MPTCP PROXY SOLUTION UNDER DEVELOPMENT

• PARADIGM SHIFTS MIGHT BE REQUIRED

23

CONCLUDING REMARKS

• INVESTIGATED PRACTICALITY OF IDS EVASION USING MPTCP

• PROPOSED ONE POSSIBLE SOLUTION

• OTHER SECURITY IMPLICATIONS OF MPTCP NEED TO BE INVESTIGATED

THANK YOU. QUESTIONS?