Performance Attacks on Intrusion Detection Systems

Post on 11-Nov-2014


DESCRIPTION

A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performances when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.

TRANSCRIPT

Performance Attacks on Intrusion Detection Systems

2007/12/06

Davide Eynard, eynard@elet.polimi.it

Dipartimento di Elettronica e Informazione, Politecnico di Milano

Performance Attacks on IDS - p. 2 - 2007/12/06

Intro

Intrusion Detection Systems
Open problems and vulnerabilities
The queueing model
Algorithmic complexity attacks
Tests and evaluations
Conclusions

Performance Attacks on IDS - p. 3 - 2007/12/06

Intrusion Detection Systems

As the Internet grows, the number of
• vulnerabilities
• attacks
• attackers!
increases: what kind of protections can we use for our systems?

IDS are used to detect unauthorized access attempts to computers or local networks

They work as alarms in apartments
• they do not prevent attackers from breaking into the system...
• but they allow administrators to know when an attack is taking place

Performance Attacks on IDS - p. 4 - 2007/12/06

Intrusion Detection Systems

Performance Attacks on IDS - p. 5 - 2007/12/06

IDS Performance

Measures:
• coverage
• probability of false alarms
• probability of detection
• resistance to attacks directed at the IDS
• ability to handle high bandwidth traffic
• ability to correlate events
• ability to detect new attacks
• ability to identify an attack
• ...

Traffic generation:
• background
• attacks

Performance Attacks on IDS - p. 6 - 2007/12/06

IDS Vulnerabilities

Insertion
• an IDS accepts packets that an end system rejects

Evasion
• an IDS rejects packets accepted by the end system

Denial of Service
• compromises the availability of the IDS, either consuming its resources or targeting bugs in its software
• fail-closed vs fail-open systems

Performance Attacks on IDS - p. 7 - 2007/12/06

Model

[Figure: the finite queue; a buffer labelled L plus the packet in service, with K = L + 1; the incoming rate λ splits into λa (accepted) and λr (rejected); service time S = 1/μ; throughput X]

Queue size: K

Incoming packet rate: λ pkt/sec
• λa: accepted
• λr: rejected

Service time: S

Throughput: X

Performance Attacks on IDS - p. 8 - 2007/12/06

Model

Markov Chain:

Performance Attacks on IDS - p. 9 - 2007/12/06

Model behavior

Drop probability as a function of λ/μ, plotted with four different queue sizes

Performance Attacks on IDS - p. 10 - 2007/12/06

Model behavior

[Figure: P(K) plotted against service time and packet frequency]

Performance Attacks on IDS - p. 11 - 2007/12/06

Model behavior

Drop probability as a function of S, seen for different values of λ

Performance Attacks on IDS - p. 12 - 2007/12/06

What if I have a 56Kbps?

Gigabit Ethernet: ~ 1.6Mpps (frame size: 78B)
100MB Ethernet: ~ 148Kpps (frame size: 84B)
10MB Ethernet: ~ 14.8Kpps
2MB ADSL: ~ 3Kpps
56Kbps modem: ~ 80 pps

Performance Attacks on IDS - p. 13 - 2007/12/06

Algorithmic complexity attacks

S. Crosby, D. Wallach: “Denial of Service via Algorithmic Complexity Attacks”, 2003

They exploit algorithmic deficiencies in many common applications' data structures
• i.e. both hash tables and binary trees can degenerate to linked lists with carefully chosen input

One particular case: backtracking algorithmic complexity attacks

Performance Attacks on IDS - p. 14 - 2007/12/06

Backtracking attacks

A vulnerable rule:

Performance Attacks on IDS - p. 15 - 2007/12/06

Backtracking attacks

every triple (x, y, z) contains:
• x: the match name
• y: where the parsing started
• z: where the next parsing will start

Performance Attacks on IDS - p. 16 - 2007/12/06

Backtracking attacks

IDS behavior (left: normal, right: under attack)

Performance Attacks on IDS - p. 17 - 2007/12/06

Tests and evaluations

Backtracking attacks seem a good way to create high service times

The plan:
• install Snort on a test machine
• generate background traffic on the network
• attack Snort with backtracking attacks
• see/measure its behavior

Test machine
• 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
• Snort 2.4.3 and 2.8.0

Attacker machine
• 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
• blabla tool to replay the DARPA 1999 dataset
• a perl script to generate attack packets

Performance Attacks on IDS - p. 18 - 2007/12/06

Test attack

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i"; content:"filename="; distance:0; nocase; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i"; reference:bugtraq,2524; reference:cve,2001-0154; classtype:attempted-admin; sid:3682; rev:2;)

Performance Attacks on IDS - p. 19 - 2007/12/06

Test attack


Match example:

Content-Type: audio/x-wav; filename="virus.scr"

Performance Attacks on IDS - p. 20 - 2007/12/06

Test attack


Attack example:

...Content-Type: audio/x-wav; filename=filename=filename=filename=Content-Type: audio/x-wav; filename=filename=filename=filename=...
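The rule evaluation on the slides above, as an added example that is not part of the presentation and not Snort's code: a simplified engine evaluates the matching options of the sid 3682 rule in order, searches for an option from the end of the previous match when it carries distance:0 and from the start of the payload otherwise, and backtracks to the next occurrence of an earlier option whenever a later one finds nothing, recording each attempt as one of the (x, y, z) triples from the Backtracking attacks slide. The short option names, the search counter, the per-packet step budget and the classify wrapper are this example's own assumptions; the budget is an illustrative control for the fail-open/fail-closed decision, not the way Snort 2.8.0 avoided the slowdown, which the slides do not describe.

```python
"""Toy model of the backtracking rule evaluation shown on the Backtracking
attacks / Test attack slides.  A rule is an ordered list of options; each is
searched for from the end of the previous match (distance:0) or from the
start of the payload, and when a later option finds nothing the engine
backtracks to the next occurrence of an earlier one.  Every attempt is
recorded as an (x, y, z) triple: (match name, offset where this parsing
started, offset where the next parsing will start).
Added example with a simplified engine; it is not Snort's code."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Option:
    name: str                # x in the slide's triples (assumed short names)
    kind: str                # "content" (case-insensitive substring) or "pcre" (regex)
    pattern: str
    relative: bool = False   # True models distance:0 (search from last match end)


@dataclass
class Trace:
    steps: int = 0           # number of payload searches performed
    triples: List[Tuple[str, int, int]] = field(default_factory=list)


class BudgetExceeded(Exception):
    """Per-packet search budget exhausted (hypothetical control, not a Snort option)."""


# The matching options of the sid 3682 rule quoted on the Test attack slide.
RULE = [
    Option("ctype", "content", "Content-Type:"),
    Option("audio", "content", "audio/"),
    Option("mime", "pcre", r"Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)"),
    Option("fname", "content", "filename=", relative=True),
    Option("ext", "pcre", r"filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)"),
]


def _candidates(opt: Option, payload: str, start: int) -> Iterator[int]:
    """Yield the end offset of every place opt can match, earliest first."""
    origin = start if opt.relative else 0
    if opt.kind == "content":
        hay, needle = payload.lower(), opt.pattern.lower()   # nocase
        pos = hay.find(needle, origin)
        while pos != -1:
            yield pos + len(needle)
            pos = hay.find(needle, pos + 1)
    else:
        m = re.compile(opt.pattern, re.IGNORECASE).search(payload, origin)
        if m:
            yield m.end()


def evaluate(rule: List[Option], payload: str,
             budget: Optional[int] = None) -> Tuple[bool, Trace]:
    """Depth-first evaluation with backtracking; returns (matched, trace)."""
    trace = Trace()

    def run(i: int, start: int) -> bool:
        if i == len(rule):
            return True                  # every option matched: the rule fires
        trace.steps += 1                 # one more search over the payload
        if budget is not None and trace.steps > budget:
            raise BudgetExceeded(f"{trace.steps} searches, stopped at {rule[i].name}")
        opt = rule[i]
        for end in _candidates(opt, payload, start):
            trace.triples.append((opt.name, start, end))
            if run(i + 1, end):
                return True
        return False                     # no occurrence works: backtrack to option i-1

    return run(0, 0), trace


def classify(rule: List[Option], payload: str, budget: int) -> str:
    """Operator-facing outcome: 'alert', 'clean' or 'budget_exceeded'."""
    try:
        matched, _ = evaluate(rule, payload, budget)
    except BudgetExceeded:
        return "budget_exceeded"         # worth its own alert: the IDS is being slowed down
    return "alert" if matched else "clean"


# Constructed payloads copied from the Test attack slides.
NORMAL = 'Content-Type: audio/x-wav; filename="virus.scr"'


def attack_example(blocks: int) -> str:
    """The slide's attack payload: the header followed by repeated 'filename='."""
    return ("Content-Type: audio/x-wav; " + "filename=" * 4) * blocks


if __name__ == "__main__":
    matched, trace = evaluate(RULE, NORMAL)
    print("normal:", matched, trace.steps, "searches", trace.triples)
    for blocks in (1, 2, 4, 6):
        matched, trace = evaluate(RULE, attack_example(blocks))
        print(f"{blocks} blocks: matched={matched} searches={trace.steps}")
    print(classify(RULE, attack_example(6), budget=200))
```

Run it and the normal match costs five searches, while the slide's attack payload with six repeated blocks costs 943 and the count grows with the cube of the repetitions, because every Content-Type: occurrence is combined with every audio/ occurrence and every filename= after it before the final pcre is given up on. The budget turns that growth into a distinct, countable event instead of a silent increase in service time.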

Performance Attacks on IDS - p. 21 - 2007/12/06

Results

Snort 2.8.0 is not affected by the attacks

Snort 2.4.3 experiences serious slowdowns
• normal service time: ~100μsec
• normal attack: 500~1000μsec
• backtracking attack: 1500000μsec

With such a service time, just a few packets are enough to fill the queue and make the IDS drop packets => other attacks go undetected!

Results comparable with the paper: real behavior seems worse than in the model
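The queue model from the Model slides, evaluated at the packet rates of the 56Kbps slide and the service times measured above, as an added example that is not the presentation's own code. It reads the finite queue as an M/M/1/K queue (Poisson arrivals at rate λ, exponential service with mean S = 1/μ, K positions including the one in service), which is the standard model behind drop-probability curves of this shape but is an assumption here, as are the K = 100 default and the dictionary names.

```python
"""Finite-queue model from the Model slides: packets arrive at rate lam, the
IDS serves them one at a time with service time S = 1/mu, and a packet that
arrives when all K positions are occupied is rejected (lambda_r).  Added
example; the M/M/1/K reading (Poisson arrivals, exponential service) is an
assumption, as are the K = 100 default and the dictionary names."""
from typing import Dict, List, Tuple


def drop_probability(lam: float, S: float, K: int) -> float:
    """P(K): steady-state probability that an arrival finds the queue full."""
    if lam <= 0 or S <= 0 or K < 1:
        raise ValueError("lam and S must be positive and K >= 1")
    rho = lam * S                        # offered load lambda/mu
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (K + 1)             # all K+1 states equally likely
    if rho < 1.0:
        return (1.0 - rho) * rho ** K / (1.0 - rho ** (K + 1))
    r = 1.0 / rho                        # same formula in 1/rho: no overflow when rho >> 1
    return (1.0 - r) / (1.0 - r ** (K + 1))


def split_rate(lam: float, S: float, K: int) -> Tuple[float, float]:
    """(lambda_a, lambda_r): accepted and rejected rates; throughput X = lambda_a."""
    p = drop_probability(lam, S, K)
    return lam * (1.0 - p), lam * p


def time_to_fill(lam: float, S: float, K: int) -> float:
    """Seconds until an empty queue of K positions is full when lam > mu
    (fluid approximation: the backlog grows at lam - mu packets/sec)."""
    mu = 1.0 / S
    return float("inf") if lam <= mu else K / (lam - mu)


# Packet rates quoted on the "What if I have a 56Kbps?" slide (pkt/sec).
LINK_PPS: Dict[str, float] = {
    "gigabit": 1_600_000, "100M_ethernet": 148_000, "10M_ethernet": 14_800,
    "2M_adsl": 3_000, "56k_modem": 80,
}
# Service times measured on Snort 2.4.3 (Results slide), in seconds.
SERVICE: Dict[str, float] = {"normal": 100e-6, "normal_attack": 1000e-6, "backtracking": 1.5}


def report(K: int = 100) -> List[Tuple[str, str, float]]:
    """Drop probability for every (link, service time) pair on the slides."""
    return [(link, kind, drop_probability(lam, s, K))
            for link, lam in LINK_PPS.items() for kind, s in SERVICE.items()]


if __name__ == "__main__":
    for link, kind, p in report():
        print(f"{link:14s} {kind:14s} P(K)={p:.3g}")
    print("seconds for a 56k modem to fill K=100 under backtracking:",
          round(time_to_fill(80, 1.5, 100), 2))
```

With a 56 Kbps modem (λ = 80 pkt/sec) and the 1.5 s backtracking service time the offered load is λS = 120, so P(K) is about 0.99 and the accepted rate collapses to μ ≈ 0.67 pkt/sec whatever the queue size, with the queue full in little more than a second; the same P(K) comes out for λ = 1200 pkt/sec with S = 0.1 s, which is the interchangeability of packet rate and service time noted in the conclusions.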

Performance Attacks on IDS - p. 22 - 2007/12/06

Conclusions

The incoming packet rate and the service time are interchangeable

The model is useful not just to plan attacks
• it explains why backtracking attacks work
• it allows studying an IDS as a black box

Limits
• the test suffers from the classical problems of IDS evaluations
• bursts not taken into account

Possible future work
• take bursts into account
• multiclass model

Performance Attacks on IDS - p. 23 - 2007/12/06

That's All, Folks

Thank you!

Questions are welcome
