Detecting Evasion Attack at High Speed without Reassembly

Detecting Evasion Attack at High Speed without Reassembly Presented by C.W. Hon K.K. To 26/Mar/2007

1 Detecting Evasion Attack at High Speed without Reassembly Presented by C.W. Hon K.K. To 26/Mar/2007

External attack Internet DMZONE Enterprise switch DNS WEBMAIL Internal servers Clients

2 External attack DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients

Internal attack Internet DMZONE Enterprise switch DNS WEBMAIL IPS IPS Internal servers Clients

3 Internal attack DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients

IDS/PS integration Internet DMZONE Enterprise switch DNS WEBMAIL IPS IPS Internal servers Clients

4 IDS/IPS integration DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients

DS/IPS IDS- Reactive approach Ps- Proactive approach iPS differs from idS in that it takes a proactive approach to attacks-eg blocking the packets concerned -rather than a reactive approach e.g. triggering human intervention

5 IDS/IPS IDS – Reactive approach IPS – Proactive approach IPS differs from IDS in that it takes a proactive approach to attacks - e.g. blocking the packets concerned - rather than a reactive approach - e.g. triggering human intervention

IDS/IPS IPS can be describe as a subset of ids where a subset of rules are enabled with the corresponding action to drop any packet that matches this rule Q Minimum false positive is required

6 IDS/IPS • IPS can be describe as a subset of IDS where a subset of rules are enabled with the corresponding action to drop any packet that matches this rule. ☼ Minimum false positive is required

Signature based IDS/PS An idS/ps consists of a database of rules Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action

7 Signature based IDS/IPS • An IDS/IPS consists of a database of rules. • Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action

Reassembly Both ids and iPs are required to reassembly TCP flows and IP fragments Ensures that a content string in a rule that is fragment across packets can be detected

8 Reassembly • Both IDS and IPS are required to reassembly TCP flows and IP fragments. • Ensures that a content string in a rule that is fragment across packets can be detected

Normalization IPS is required to normalize TCP flows Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker

9 Normalization • IPS is required to normalize TCP flows. • Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker

What is normalization IP v4 Header 0,1,2;34567|89,012,34,5|6,78910,12,3|4,5,617,6,90 Version Head len TOS/Diffserv/ECN Total Length iP ldert f ier D DFMF Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding 10

10 What is Normalization IP v4 Header