Performance Attacks on Intrusion Detection Systems
Davide Eynard, [email protected], Dipartimento di Elettronica e Informazione, Politecnico di Milano, 2007/12/06

Uploaded by davide-eynard, posted 11-Nov-2014

DESCRIPTION

A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performance when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.

TRANSCRIPT

Page 1: Performance Attacks on Intrusion Detection Systems

Performance Attacks on Intrusion Detection Systems

2007/12/06

Performance Attacks on Intrusion Detection Systems

Davide Eynard, [email protected]

Dipartimento di Elettronica e Informazione, Politecnico di Milano

Page 2: Performance Attacks on Intrusion Detection Systems

Performance Attacks on IDS, p. 2, 2007/12/06

Intro

• Intrusion Detection Systems
• Open problems and vulnerabilities
• The queueing model
• Algorithmic complexity attacks
• Tests and evaluations
• Conclusions

Page 3: Performance Attacks on Intrusion Detection Systems


Intrusion Detection Systems

As the Internet grows, the number of
• vulnerabilities
• attacks
• attackers!
increases: what kind of protections can we use for our systems?

IDS are used to detect unauthorized access attempts to computers or local networks

They work like burglar alarms in apartments
• they do not prevent attackers from breaking into the system...
• but they allow administrators to know when an attack is taking place

Page 4: Performance Attacks on Intrusion Detection Systems


Intrusion Detection Systems

Page 5: Performance Attacks on Intrusion Detection Systems


IDS Performance

Measures:
• coverage
• probability of false alarms
• probability of detection
• resistance to attacks directed at the IDS
• ability to handle high bandwidth traffic
• ability to correlate events
• ability to detect new attacks
• ability to identify an attack
• ...

Traffic generation:
• background
• attacks

Page 6: Performance Attacks on Intrusion Detection Systems


IDS Vulnerabilities

Insertion
• an IDS accepts packets that an end system rejects

Evasion
• an IDS rejects packets accepted by the end system

Denial of Service
• compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
• fail-closed vs fail-open systems

Page 7: Performance Attacks on Intrusion Detection Systems


Model

[Figure: a finite queue with L positions feeding a single server, K = L + 1; incoming packets at rate λ are split into λa (accepted) and λr (rejected); service time S = 1/μ; throughput X]

Queue size: K
Incoming packet rate: λ pkt/sec (λa accepted, λr rejected)
Service time: S
Throughput: X

Page 8: Performance Attacks on Intrusion Detection Systems


Model

Markov Chain:

Page 9: Performance Attacks on Intrusion Detection Systems


Model behavior

Drop probability as a function of λ/μ, plotted with four different queue sizes

Page 10: Performance Attacks on Intrusion Detection Systems


Model behavior

[Figure: P(K) plotted against service time and packet frequency]

Page 11: Performance Attacks on Intrusion Detection Systems


Model behavior

Drop probability as a function of S, seen for different values of λ

Page 12: Performance Attacks on Intrusion Detection Systems


What if I have a 56Kbps?

Gigabit Ethernet: ~1.6 Mpps (frame size: 78 B)
100 Mb Ethernet: ~148 Kpps (frame size: 84 B)
10 Mb Ethernet: ~14.8 Kpps
2 Mb ADSL: ~3 Kpps
56 Kbps modem: ~80 pps
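The slides show the queue model and its Markov chain only as figures. The following is an added example of mine, not code from the deck, that solves the chain numerically and checks it against the closed form. It assumes the chain is the standard birth-death M/M/1/K chain (Poisson arrivals at rate λ, exponential service with mean S = 1/μ, at most K packets in the IDS), which the slides do not state explicitly; the queue size K = 64 is an assumed value, while the link rates and the three service times come from slides 12 and 21. Because the stationary distribution depends only on ρ = λ·S, the example also shows why the deck can treat packet rate and service time as interchangeable.

```python
def stationary_distribution(lam, S, K):
    """Stationary probabilities pi[0..K] of the birth-death chain behind the
    finite queue. State n = packets inside the IDS (waiting or in service),
    capped at K; arrivals at rate lam (pkt/sec), service time S (sec), so
    mu = 1/S and rho = lam/mu = lam*S. The balance equations give
    pi[n] = rho**n * pi[0]; we normalise through the largest term so a huge
    rho (an attack that inflates S) cannot overflow."""
    rho = lam * S
    exps = [n - K if rho > 1 else n for n in range(K + 1)]
    weights = [rho ** e for e in exps]
    total = sum(weights)
    return [w / total for w in weights]

def drop_probability(lam, S, K):
    """P(K): probability that an arriving packet finds all K places taken and
    is rejected (it contributes to lambda_r instead of lambda_a)."""
    return stationary_distribution(lam, S, K)[-1]

def drop_probability_closed_form(rho, K):
    """The same P(K) from the textbook M/M/1/K formula, as a cross-check."""
    if rho == 1.0:
        return 1.0 / (K + 1)
    return (1 - rho) * rho ** K / (1 - rho ** (K + 1))

def rates(lam, S, K):
    """Split the offered rate into (lambda_a, lambda_r, X). The throughput X is
    mu times the probability the IDS is busy, and in steady state it equals
    lambda_a because every accepted packet is eventually processed."""
    pi = stationary_distribution(lam, S, K)
    p_drop = pi[-1]
    lam_a, lam_r = lam * (1 - p_drop), lam * p_drop
    X = (1 - pi[0]) / S
    return lam_a, lam_r, X

# Packet rates per link from slide 12 and service times (seconds) from slide 21.
LINK_RATES = {
    "Gigabit Ethernet": 1_600_000,
    "100Mb Ethernet": 148_000,
    "10Mb Ethernet": 14_800,
    "2Mb ADSL": 3_000,
    "56Kbps modem": 80,
}
S_NORMAL, S_NORMAL_ATTACK, S_BACKTRACKING = 100e-6, 1000e-6, 1.5

if __name__ == "__main__":
    K = 64   # queue size: an assumed value, the slides plot several
    print(f"{'link':18} {'pps':>9} {'P(K) S=100us':>13} {'P(K) S=1ms':>11} {'P(K) S=1.5s':>12}")
    for link, lam in LINK_RATES.items():
        row = [drop_probability(lam, S, K) for S in (S_NORMAL, S_NORMAL_ATTACK, S_BACKTRACKING)]
        print(f"{link:18} {lam:9d} {row[0]:13.3g} {row[1]:11.3g} {row[2]:12.3g}")
```

With S = 1.5 s the IDS can process well under one packet per second, so even the 80 pps of the modem line gives ρ = 120 and a drop probability above 99%: the last row of the table is the "what if I have a 56 Kbps" question answered in numbers.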

Page 13: Performance Attacks on Intrusion Detection Systems


Algorithmic complexity attacks

S. Crosby, D. Wallach: “Denial of Service via Algorithmic Complexity Attacks”, 2003

They exploit algorithmic deficiencies in many common applications' data structures
• i.e. both hash tables and binary trees can degenerate into linked lists with carefully chosen input

One particular case: backtracking algorithmic complexity attacks

Page 14: Performance Attacks on Intrusion Detection Systems


Backtracking attacks

A vulnerable rule:

Page 15: Performance Attacks on Intrusion Detection Systems


Backtracking attacks

Every triple (x, y, z) contains:
• x: the match name
• y: where the parsing started
• z: where the next parsing will start

Page 16: Performance Attacks on Intrusion Detection Systems


Backtracking attacks

IDS behavior (left: normal, right: under attack)

Page 17: Performance Attacks on Intrusion Detection Systems


Tests and evaluations

Backtracking attacks seem a good way to create high service times

The plan:
• install Snort on a test machine
• generate background traffic on the network
• attack Snort with backtracking attacks
• observe and measure its behavior

Test machine
• 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
• Snort 2.4.3 and 2.8.0

Attacker machine
• 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
• blabla tool to replay the DARPA 1999 dataset
• a perl script to generate attack packets

Page 18: Performance Attacks on Intrusion Detection Systems


Test attack

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i"; content:"filename="; distance:0; nocase; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i"; reference:bugtraq,2524; reference:cve,2001-0154; classtype:attempted-admin; sid:3682; rev:2;)

Page 19: Performance Attacks on Intrusion Detection Systems


Test attack


Match example:

Content-Type: audio/x-wav; filename=”virus.scr”

Page 20: Performance Attacks on Intrusion Detection Systems


Test attack


Attack example:

...Content-Type: audio/x-wav; filename=filename=filename=filename=Content-Type: audio/x-wav; filename=filename=filename=filename=...
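To make the mechanism of slides 15, 16 and 20 concrete, here is an added example of mine (not the deck's or Snort's code) that models the rule above as a chain of predicates and counts how many predicate evaluations the matcher performs on the match example versus the attack example. It is a simplified model: a plain content and a pcre without the R flag are searched from the start of the payload, while the "filename=" content with distance:0 is searched from where the previous predicate ended, which is how Snort's relative modifiers work; the sample payloads are constructed from the two slide examples (straight quotes instead of the slide's curly ones). The memoized variant, which never evaluates the same (predicate, start offset) state twice, is the countermeasure described by Smith, Estan and Jha for this attack class (ACSAC 2006) and shows why the cost collapses back to linear.

```python
import re

# Constructed model of the rule on the slide (sid 3682): an ordered chain of
# predicates (name, kind, pattern, relative). This is example code written for
# this page, not Snort's engine. "relative" mirrors Snort's distance:0 on the
# "filename=" content; a plain content, and a pcre without the R flag, are
# searched from the start of the payload.
RULE = [
    ("content-type", "content", "content-type:", False),
    ("audio",        "content", "audio/", False),
    ("pcre-mime",    "pcre", re.compile(r"content-type\x3a\s+audio/(x-wav|mpeg|x-midi)", re.I), False),
    ("filename",     "content", "filename=", True),
    ("pcre-file",    "pcre", re.compile(r"filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)", re.I), False),
]

# Constructed sample payloads: the slide's match example (with straight quotes)
# and its attack example, one block repeated n times.
NORMAL = 'Content-Type: audio/x-wav; filename="virus.scr"'
BLOCK = "Content-Type: audio/x-wav; filename=filename=filename=filename="

def attack_payload(n):
    return BLOCK * n

def candidates(pred, text, y):
    """Yield every end offset z at which `pred` can match, i.e. the z of the
    slide's (x, y, z) triples: y is where this parsing step started."""
    _, kind, pat, relative = pred
    start = y if relative else 0
    if kind == "content":
        pos = text.find(pat, start)
        while pos != -1:
            yield pos + len(pat)
            pos = text.find(pat, pos + 1)
    else:
        for m in pat.finditer(text, start):
            yield m.end()

def evaluate(payload, rule=RULE, memoize=False):
    """Return (matched, evaluations). With memoize=False this is the naive
    backtracking search: when a later predicate fails, the engine goes back
    and tries the next occurrence of the earlier ones, so the attack payload
    costs a product of occurrence counts. With memoize=True a (predicate,
    start offset) state is never evaluated twice (the Smith/Estan/Jha
    countermeasure) and the cost becomes linear in the payload."""
    text = payload.lower()            # nocase: compare case-insensitively
    evaluations = 0
    memo = {}

    def key(i, y):
        # An absolute predicate's result does not depend on where the previous
        # one ended, so one cache entry serves every y; relative ones cache per y.
        return (i, y) if i < len(rule) and rule[i][3] else (i, 0)

    def go(i, y):
        nonlocal evaluations
        k = key(i, y)
        if memoize and k in memo:
            return memo[k]
        evaluations += 1
        if i == len(rule):
            result = True                # every predicate matched
        else:
            result = any(go(i + 1, z) for z in candidates(rule[i], text, y))
        memo[k] = result
        return result

    return go(0, 0), evaluations

if __name__ == "__main__":
    print("normal payload:", evaluate(NORMAL))
    for n in (2, 4, 6):
        naive = evaluate(attack_payload(n))[1]
        memo = evaluate(attack_payload(n), memoize=True)[1]
        print(f"{n} blocks: naive {naive:5d} evaluations, memoized {memo:3d}")
```

The match example needs six evaluations in both modes, one per predicate plus the final success. The attack payload never matches, which is exactly the problem: the last pcre always fails, so the naive search retries every combination of the earlier occurrences and its evaluation count grows with the fourth power of the number of repeated blocks, while the memoized search grows by one evaluation per block. The evaluation count is the "service time" of the queue model, which is why a handful of such packets is enough to fill the queue.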

Page 21: Performance Attacks on Intrusion Detection Systems


Results

Snort 2.8.0 is not affected by the attacks
Snort 2.4.3 experiences serious slowdowns
• normal service time: ~100 μsec
• normal attack: 500~1000 μsec
• backtracking attack: 1500000 μsec

With such a service time, just a few packets are enough to fill up the queue and make the IDS drop packets => other attacks go undetected!

Results comparable with the paper: the real behavior seems worse than in the model

Page 22: Performance Attacks on Intrusion Detection Systems


Conclusions

The incoming packet rate and the service time are interchangeable

The model is useful not just to plan attacks
• it explains why backtracking attacks work
• it allows studying an IDS as a black box

Limits
• the test suffers from the classical problems of IDS evaluations
• bursts not taken into account

Possible future work
• take bursts into account
• multiclass model

Page 23: Performance Attacks on Intrusion Detection Systems


That's All, Folks

Thank you!

Questions are welcome