A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performance when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.
Performance Attacks on Intrusion Detection Systems
1. Performance Attacks on Intrusion Detection Systems
Davide Eynard
eynard@elet.polimi.it
Dipartimento di Elettronica e Informazione
Politecnico di Milano
2007/12/06
2. Intro
Intrusion Detection Systems
Open problems and vulnerabilities
The queueing model
Algorithmic complexity attacks
Tests and evaluations
Conclusions
p. 2 2007/12/06 Performance Attacks on IDS
3. Intrusion Detection Systems
As the Internet grows, the number of
• vulnerabilities
• attacks
• attackers!
increases: what kind of protections can we use for
our systems?
IDS are used to detect unauthorized access
attempts to computers or local networks
They work as alarms in apartments
• they do not prevent attackers from breaking into the system...
• but they let administrators know when an attack is
taking place
5. IDS Performance
Measures:
• coverage
• probability of false alarms
• probability of detection
• resistance to attacks directed at the IDS
• ability to handle high bandwidth traffic
• ability to correlate events
• ability to detect new attacks
• ability to identify an attack
• ...
Traffic generation:
• background
• attacks
6. IDS Vulnerabilities
Insertion
• an IDS accepts packets that an end system rejects
Evasion
• an IDS rejects packets accepted by the end system
Denial of Service
• compromises the availability of the IDS, either by
consuming its resources or by targeting bugs in its
software
• fail-closed vs fail-open systems
7. Model
Figure (not reproduced): a finite single-server queue. Packets arrive at rate λ; the accepted ones (λa) enter a buffer of L waiting positions plus one position in service (K = L + 1 in total), the rest (λr) are rejected when the queue is full, and the server delivers throughput X with service time S = 1/μ.
Queue size: K
Service time: S
Incoming packet rate: λ pkt/sec
Throughput: X
λa: accepted packet rate
λr: rejected packet rate
8. Model
Markov Chain:
9. Model behavior
Figure (not reproduced): drop probability as a function of λ/μ, plotted for four different queue sizes
10. Model behavior
Figure (not reproduced): drop probability P(K) plotted as a surface over packet frequency and service time
11. Model behavior
Figure (not reproduced): drop probability as a function of S, seen for different values of λ
12. What if I have a 56Kbps?
Gigabit Ethernet: ~ 1.6Mpps (frame size: 78B)
100Mbps Ethernet: ~ 148Kpps (frame size: 84B)
10Mbps Ethernet: ~ 14.8Kpps
2Mbps ADSL: ~ 3Kpps
56Kbps modem: ~ 80 pps
13. Algorithmic complexity attacks
S. Crosby, D. Wallach: “Denial of Service via Algorithmic Complexity Attacks”, 2003
They exploit algorithmic deficiencies in the data structures of many common applications
• e.g. both hash tables and binary trees can degenerate into a linked list with carefully chosen input
One particular case: backtracking algorithmic complexity attacks
14. Backtracking attacks
A vulnerable rule:
15. Backtracking attacks
Every triple (x, y, z) contains:
• x: the match name
• y: where the parsing started
• z: where the next parsing will start
16. Backtracking attacks
IDS behavior (left: normal, right: under attack)
17. Tests and evaluations
Backtracking attacks seem to be a good way to create high service times
The plan:
• install Snort on a test machine
• generate background traffic on the network
• attack Snort with backtracking attacks
• see/measure its behavior
Test machine
• 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
• Snort 2.4.3 and 2.8.0
Attacker machine
• 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
• blabla tool to replay the DARPA 1999 dataset
• a perl script to generate attack packets
21. Results
Snort 2.8.0 is not affected by the attacks
Snort 2.4.3 experiences serious slowdowns
• normal service time: ~100μsec
• normal attack: 500~1000μsec
• backtracking attack: 1500000μsec
With such a service time, just a few packets are enough to fill the queue and make the IDS drop packets => other attacks go undetected!
Results are comparable with the paper's: the real behavior seems worse than the model predicts
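Plugging the service times measured on this slide and the packet rates of slide 12 into the finite queue model of slides 7-11. This is an added example, not part of the presentation; it assumes the slide's model is the standard M/M/1/K birth-death chain (Poisson arrivals, exponential service, K positions in total) and uses an assumed queue size of K = 64, and it also shows why λ and S are interchangeable: P(K) depends on them only through ρ = λ·S.

```python
# Added example, not from the slides: finite single-server queue used to
# reason about IDS packet loss. Assumption: the slide's model is the
# classical M/M/1/K birth-death chain (Poisson arrivals at rate lambda,
# exponential service with mean S = 1/mu, K positions in total).
import math


def utilisation(lam_pps: float, service_s: float) -> float:
    """rho = lambda / mu = lambda * S: offered load relative to capacity."""
    return lam_pps * service_s


def drop_probability(lam_pps: float, service_s: float, k: int) -> float:
    """P(K): steady-state probability that all K positions are occupied,
    which (Poisson arrivals see time averages) is the per-packet drop
    probability. Depends on lambda and S only through rho = lambda * S."""
    rho = utilisation(lam_pps, service_s)
    if math.isclose(rho, 1.0):
        return 1.0 / (k + 1)  # limit of the formula below for rho -> 1
    if rho > 1.0:
        # pi_K = (1-rho) rho^K / (1-rho^(K+1)); divide top and bottom by
        # rho^(K+1) so a huge rho (e.g. 120) cannot overflow float arithmetic
        inv = 1.0 / rho
        return (1.0 - inv) / (1.0 - inv ** (k + 1))
    return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))


def throughput_pps(lam_pps: float, service_s: float, k: int) -> float:
    """X = lambda_a = lambda * (1 - P(K)); the rejected rate lambda_r is the rest."""
    return lam_pps * (1.0 - drop_probability(lam_pps, service_s, k))


# Packet rates from slide 12 and Snort 2.4.3 service times from slide 21.
LINK_PPS = {"56Kbps modem": 80, "2Mbps ADSL": 3_000, "10Mbps Ethernet": 14_800}
SERVICE_S = {"normal": 100e-6, "ordinary attack": 1000e-6, "backtracking attack": 1.5}


def loss_table(k: int = 64) -> dict:
    """Drop probability for every (link, traffic type) pair; k is an assumed queue size."""
    return {(link, kind): drop_probability(lam, s, k)
            for link, lam in LINK_PPS.items() for kind, s in SERVICE_S.items()}


if __name__ == "__main__":
    for (link, kind), p in loss_table().items():
        rho = utilisation(LINK_PPS[link], SERVICE_S[kind])
        print(f"{link:16s} {kind:20s} rho={rho:10.3f} P(K)={p:.4f}")
```

Even the 80 pps of a 56Kbps modem gives ρ = 120 under the backtracking service time, so about 99% of arrivals are dropped and the accepted throughput collapses to 1/S, roughly 0.67 pkt/sec.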
22. Conclusions
The incoming packet rate and the service time
are interchangeable
The model is useful not just for planning attacks
• it explains why backtracking attacks work
• it allows an IDS to be studied as a black box
Limits
• the tests suffer from the classical problems of IDS evaluations
• bursts are not taken into account
Possible future work
• take bursts into account
• multiclass model
23. That's All, Folks
Thank you!
Questions are welcome