Performance Attacks on Intrusion Detection Systems

A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performance when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.

Published in: Economy & Finance, Technology
  1. Performance Attacks on Intrusion Detection Systems
     Davide Eynard, eynard@elet.polimi.it
     Dipartimento di Elettronica e Informazione, Politecnico di Milano
     2007/12/06, Performance Attacks on Intrusion Detection Systems
  2. Intro
     • Intrusion Detection Systems
     • Open problems and vulnerabilities
     • The queueing model
     • Algorithmic complexity attacks
     • Tests and evaluations
     • Conclusions
  3. Intrusion Detection Systems
     • As the Internet grows, the number of vulnerabilities, attacks and attackers increases: what kind of protections can we use for our systems?
     • IDS are used to detect unauthorized access attempts to computers or local networks
     • They work like alarms in apartments:
       - they do not prevent attackers from breaking into the system...
       - but they let administrators know when an attack is taking place
  4. Intrusion Detection Systems (figure only)
  5. IDS Performance
     • Measures: coverage; probability of false alarms; probability of detection; resistance to attacks directed at the IDS; ability to handle high bandwidth traffic; ability to correlate events; ability to detect new attacks; ability to identify an attack; ...
     • Traffic generation: background; attacks
  6. IDS Vulnerabilities
     • Insertion: an IDS accepts packets that an end system rejects
     • Evasion: an IDS rejects packets accepted by the end system
     • Denial of Service: compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software; fail-closed vs fail-open systems
  7. Model (figure: a queue with L waiting positions in front of a single server, K = L + 1)
     • Queue size: K = L + 1
     • Service time: S = 1/μ
     • Incoming packet rate: λ pkt/sec, split into λa (accepted) and λr (rejected)
     • Throughput: X
  8. Model: Markov chain (figure only)
  9. Model behavior: drop probability as a function of λ/μ, plotted for four different queue sizes (figure)
  10. Model behavior: P(K) plotted against packet frequency and service time (figure)
  11. Model behavior: drop probability as a function of S, for different values of λ (figure)
  12. What if I have a 56Kbps?
     • Gigabit Ethernet: ~1.6 Mpps (frame size: 78 B)
     • 100 Mb Ethernet: ~148 Kpps (frame size: 84 B)
     • 10 Mb Ethernet: ~14.8 Kpps
     • 2 Mb ADSL: ~3 Kpps
     • 56 Kbps modem: ~80 pps
  13. Algorithmic complexity attacks
     • S. Crosby, D. Wallach: "Denial of Service via Algorithmic Complexity Attacks", 2003
     • They exploit algorithmic deficiencies in the data structures of many common applications; e.g. both hash tables and binary trees can degenerate into linked lists with carefully chosen input
     • One particular case: backtracking algorithmic complexity attacks
  14. Backtracking attacks: a vulnerable rule (figure only)
  15. Backtracking attacks (figure): every triple (x, y, z) contains:
     • x: the match name
     • y: where the parsing started
     • z: where the next parsing will start
  16. Backtracking attacks: IDS behavior (left: normal, right: under attack) (figure only)
  17. Tests and evaluations
     • Backtracking attacks seem a good way to create high service times
     • The plan: install Snort on a test machine; generate background traffic on the network; attack Snort with backtracking attacks; see/measure its behavior
     • Test machine: 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14; Snort 2.4.3 and 2.8.0
     • Attacker machine: 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14; blabla tool to replay the DARPA 1999 dataset; a perl script to generate attack packets
  18. Test attack (the rule under test; slides 18 to 20 build it up incrementally)
        alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
            msg:"SMTP spoofed MIME-Type auto-execution attempt";
            flow:to_server,established;
            content:"Content-Type|3A|"; nocase;
            content:"audio/"; nocase;
            pcre:"/Content-Type\x3A\s+audio/(x-wav|mpeg|x-midi)/i";
            content:"filename="; distance:0; nocase;
            pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i";
            reference:bugtraq,2524; reference:cve,2001-0154;
            classtype:attempted-admin; sid:3682; rev:2;)
  19. Test attack: match example
        Content-Type: audio/x-wav; filename="virus.scr"
  20. Test attack: attack example
        ...
        Content-Type: audio/x-wav; filename=filename=filename=filename=
        Content-Type: audio/x-wav; filename=filename=filename=filename=
        ...
  21. Results
     • Snort 2.8.0 is not affected by the attacks
     • Snort 2.4.3 experiences serious slowdowns:
       - normal service time: ~100 μsec
       - normal attack: 500~1000 μsec
       - backtracking attack: 1500000 μsec
     • With such a service time, just a few packets are enough to fill the queue and make the IDS drop packets => other attacks go undetected!
     • Results comparable with the paper: real behavior seems worse than in the model
  22. Conclusions
     • The incoming packet rate and the service time are interchangeable
     • The model is useful not just to plan attacks: it explains why backtracking attacks work, and it allows studying an IDS as a black box
     • Limits: the test suffers from the classical problems of IDS evaluations; bursts are not taken into account
     • Possible future work: take bursts into account; multiclass model
  23. That's All, Folks. Thank you! Questions are welcome
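The finite-queue model of slides 7 to 12 and the rate/service-time interchangeability stated in the conclusions, worked as an added example (not code from the presentation). It assumes the queue is the standard M/M/1/K birth-death chain (Poisson arrivals at λ pkt/s, exponential service with mean S = 1/μ, K = L + 1 positions, an arrival that finds all K busy is dropped); the link rates are slide 12's, the service times slide 21's, and the queue size K = 64 is a constructed value.

```python
def drop_probability(lam, service_time, k):
    """P(K): fraction of arrivals that find all K positions busy and are dropped.

    The chain depends on lam and S only through the offered load rho = lam * S
    = lam / mu, which is why packet rate and service time are interchangeable.
    """
    rho = lam * service_time
    if abs(rho - 1.0) < 1e-12:            # rho = 1: all K + 1 states equally likely
        return 1.0 / (k + 1)
    if rho > 1.0:                         # overloaded: algebraically equal form that cannot overflow
        return (rho - 1.0) / (rho * (1.0 - rho ** -(k + 1)))
    return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))


def throughput(lam, service_time, k):
    """X = lambda_a: accepted packets per second."""
    return lam * (1.0 - drop_probability(lam, service_time, k))


def equivalent_rate(lam, s_normal, s_attack):
    """Packet rate that, at service time s_attack, offers the same load as lam at s_normal."""
    return lam * s_normal / s_attack


if __name__ == "__main__":
    K = 64                                # constructed queue size: L = 63 waiting + 1 in service
    RATES = [("56Kbps modem", 80), ("2Mb ADSL", 3_000), ("100Mb Ethernet", 148_000)]  # slide 12
    TIMES = [("normal", 100e-6), ("normal attack", 1000e-6), ("backtracking", 1.5)]   # slide 21
    for link, lam in RATES:
        for kind, s in TIMES:
            p = drop_probability(lam, s, K)
            print(f"{link:15s} {kind:14s} rho={lam * s:12.3f}  P(K)={p:.6f}")
    # Load-equivalent rate: how few packets/s at the 1.5 s backtracking service time
    # offer the same load as a saturated 100Mb link at the normal 100 us service time.
    print("load-equivalent rate:", round(equivalent_rate(148_000, 100e-6, 1.5), 2), "pkt/s")
```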
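The backtracking attack of slides 13 to 21, as an added toy model rather than Snort's code: ordered content matches that may each land anywhere after the previous one ended (the (x, y, z) triples of slide 15), a final pcre that never succeeds on the attack-shaped payload, and a memoization switch. The payload, the three-content rule shape taken from sid 3682 and the claim that memoizing failed states is what a fixed engine does are my assumptions; the point shown is only why the same input costs a naive engine far more work than a memoizing one.

```python
import re

# Constructed payload in the shape of the attack example on the slides: a
# plausible MIME header, many repeated "filename=", no executable extension.
LINE = "Content-Type: audio/x-wav; " + "filename=" * 20 + "\r\n"
PAYLOAD = LINE * 20
# Hypothetical simplified rule: the three content matches of sid 3682 in order,
# then its final pcre; each content may match anywhere after the previous end.
CONTENTS = ["Content-Type:", "audio/", "filename="]
TAIL = re.compile(r"[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)", re.I)


def match_ends(payload, needle, start):
    """Offsets just past every occurrence of needle starting at or after start."""
    pos = payload.find(needle, start)
    while pos != -1:
        yield pos + len(needle)
        pos = payload.find(needle, pos + 1)


def evaluate(payload, contents=CONTENTS, tail=TAIL, memoize=False):
    """Return (matched, states_visited).

    A state is (index of the next content to place, offset to search from).
    Naive mode re-explores a state every time backtracking reaches it again;
    memoized mode records states already proven to fail and skips them.
    """
    failed = set()
    visited = 0

    def search(i, start):
        nonlocal visited
        if memoize and (i, start) in failed:
            return False
        visited += 1
        if i == len(contents):            # every content placed: run the final pcre
            ok = tail.match(payload, start) is not None
        else:
            ok = any(search(i + 1, end) for end in match_ends(payload, contents[i], start))
        if not ok and memoize:
            failed.add((i, start))
        return ok

    return search(0, 0), visited


if __name__ == "__main__":
    for memo in (False, True):
        print("memoize =", memo, "->", evaluate(PAYLOAD, memoize=memo))
```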