
Performance Attacks on Intrusion Detection Systems


A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performances when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.


  1. Performance Attacks on Intrusion Detection Systems
     Davide Eynard, eynard@elet.polimi.it
     Dipartimento di Elettronica e Informazione, Politecnico di Milano
     2007/12/06
  2. Intro
     - Intrusion Detection Systems
     - Open problems and vulnerabilities
     - The queueing model
     - Algorithmic complexity attacks
     - Tests and evaluations
     - Conclusions
     p. 2 2007/12/06 Performance Attacks on IDS
  3. Intrusion Detection Systems
     - As the Internet grows, the number of
       • vulnerabilities
       • attacks
       • attackers!
       increases: what kind of protections can we use for our systems?
     - IDS are used to detect unauthorized access attempts to computers or local networks
     - They work like alarms in apartments
       • they do not prevent attackers from breaking into the system...
       • but they let administrators know when an attack is taking place
  4. Intrusion Detection Systems
  5. IDS Performance
     - Measures:
       • coverage
       • probability of false alarms
       • probability of detection
       • resistance to attacks directed at the IDS
       • ability to handle high bandwidth traffic
       • ability to correlate events
       • ability to detect new attacks
       • ability to identify an attack
       • ...
     - Traffic generation:
       • background
       • attacks
  6. IDS Vulnerabilities
     - Insertion
       • an IDS accepts packets that an end system rejects
     - Evasion
       • an IDS rejects packets accepted by the end system
     - Denial of Service
       • compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
       • fail-closed vs fail-open systems
  7. Model
     [Figure: finite queue with L waiting positions plus one in service, K = L + 1; arrivals λ are split into λa (accepted) and λr (rejected); throughput X; service time S = 1/μ]
     Queue size: K
     Service time: S
     Incoming packet rate: λ pkt/sec
     Throughput: X
     λa accepted, λr rejected
  8. Model
     Markov Chain: [figure]
  9. Model behavior
     [Plot: drop probability as a function of λ/μ, plotted with four different queue sizes]
  10. Model behavior
     [Plot: P(K) as a function of packet frequency and service time]
  11. Model behavior
     [Plot: drop probability as a function of S, seen for different values of λ]
  12. What if I have a 56Kbps?
     - Gigabit Ethernet: ~1.6 Mpps (frame size: 78 B)
     - 100 Mbit Ethernet: ~148 Kpps (frame size: 84 B)
     - 10 Mbit Ethernet: ~14.8 Kpps
     - 2 Mbit ADSL: ~3 Kpps
     - 56 Kbps modem: ~80 pps
  13. Algorithmic complexity attacks
     - S. Crosby, D. Wallach: "Denial of Service via Algorithmic Complexity Attacks", 2003
     - They exploit algorithmic deficiencies in the data structures of many common applications
       • i.e. both hash tables and binary trees can degenerate into a linked list with carefully chosen input
     - One particular case: backtracking algorithmic complexity attacks
  14. Backtracking attacks
     - A vulnerable rule: [figure]
  15. Backtracking attacks
     - every triple (x, y, z) contains:
       • x: the match name
       • y: where the parsing started
       • z: where the next parsing will start
  16. Backtracking attacks
     - IDS behavior (left: normal, right: under attack) [figure]
  17. Tests and evaluations
     - Backtracking attacks seem a good way to create high service times
     - The plan:
       • install Snort on a test machine
       • generate background traffic on the network
       • attack Snort with backtracking attacks
       • see/measure its behavior
     - Test machine
       • 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
       • Snort 2.4.3 and 2.8.0
     - Attacker machine
       • 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
       • blabla tool to replay the DARPA 1999 dataset
       • a perl script to generate attack packets
  18. Test attack
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
       msg:"SMTP spoofed MIME-Type auto-execution attempt";
       flow:to_server,established;
       content:"Content-Type|3A|"; nocase; content:"audio/"; nocase;
       pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i";
       content:"filename="; distance:0; nocase;
       pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i";
       reference:bugtraq,2524; reference:cve,2001-0154;
       classtype:attempted-admin; sid:3682; rev:2;)
  19. Test attack (same rule as slide 18)
     Match example:
       Content-Type: audio/x-wav;
                     filename="virus.scr"
  20. Test attack (same rule as slide 18)
     Attack example:
       ...
       Content-Type: audio/x-wav; filename=filename=filename=filename=
       Content-Type: audio/x-wav; filename=filename=filename=filename=
       ...
  21. Results
     - Snort 2.8.0 is not affected by the attacks
     - Snort 2.4.3 experiences serious slowdowns
       • normal service time: ~100 μsec
       • normal attack: 500~1000 μsec
       • backtracking attack: 1500000 μsec
     - With such a service time, just a few packets are enough to fill up the queue and make the IDS drop packets => other attacks go undetected!
     - Results comparable with the paper: real behavior seems worse than in the model
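As an added example (not from the slides), the finite-queue model of slides 7 to 11 applied to the measured service times of slide 21. It assumes the queue is the standard M/M/1/K birth-death chain (the slides show the chain only as a figure) and a constructed queue size K = 64:

```python
"""Finite-queue (M/M/1/K) model of an IDS under a performance attack.

Added example, not from the original slides. Assumes the finite queue of the
slides is the standard M/M/1/K chain: Poisson arrivals at rate lambda (pkt/s),
exponential service with mean S = 1/mu, K = L + 1 positions (L waiting plus
one in service). A packet arriving when all K positions are full is dropped
and therefore never inspected.
"""


def drop_probability(rho: float, K: int) -> float:
    """P(K): probability that an arriving packet finds the queue full.

    rho = lambda / mu = lambda * S.  Closed form for M/M/1/K:
        P(K) = (1 - rho) * rho**K / (1 - rho**(K + 1))   if rho != 1
        P(K) = 1 / (K + 1)                                if rho == 1
    For rho > 1 the same value is computed with negative powers, so that
    rho**K cannot overflow a float when an attack makes rho very large.
    """
    if rho < 0 or K < 1:
        raise ValueError("rho must be >= 0 and K >= 1")
    if rho == 1.0:
        return 1.0 / (K + 1)
    if rho < 1.0:
        return (1.0 - rho) * rho ** K / (1.0 - rho ** (K + 1))
    return ((rho - 1.0) / rho) / (1.0 - rho ** -(K + 1))


def ids_throughput(lam: float, service_time: float, K: int) -> dict:
    """Split the offered rate lambda into accepted (lambda_a = X) and rejected (lambda_r)."""
    rho = lam * service_time
    p_drop = drop_probability(rho, K)
    return {
        "rho": rho,
        "drop_probability": p_drop,
        "accepted_pps": lam * (1.0 - p_drop),  # throughput X
        "rejected_pps": lam * p_drop,
    }


if __name__ == "__main__":
    # Values from the slides: a 56 Kbps link offers ~80 pps (slide 12); Snort 2.4.3
    # needs ~100 us per packet normally, ~1 ms for a normal attack and 1.5 s for a
    # backtracking attack (slide 21). K = 64 is a constructed queue size.
    for label, S in (("normal", 100e-6), ("normal attack", 1e-3), ("backtracking", 1.5)):
        r = ids_throughput(80, S, K=64)
        print(f"{label:14s} rho={r['rho']:9.4f}  P(K)={r['drop_probability']:.4f}"
              f"  X={r['accepted_pps']:.2f} pps")
    # Only the product lambda * S matters (slide 22: rate and service time are interchangeable).
    assert ids_throughput(80, 1.5, 64)["rho"] == ids_throughput(120, 1.0, 64)["rho"]
```

With the backtracking service time the queue saturates and the accepted rate collapses to about 1/S = 0.67 pps, so nearly every packet on even a 56 Kbps link is dropped unseen.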
  22. Conclusions
     - The incoming packet rate and the service time are interchangeable
     - The model is useful not just to plan attacks
       • it explains why backtracking attacks work
       • it allows studying an IDS as a black box
     - Limits
       • the test suffers from the classical problems of IDS evaluations
       • bursts not taken into account
     - Possible future work
       • take bursts into account
       • multiclass model
  23. That's All, Folks
     Thank you! Questions are welcome