Group 27: Intrusion Detection issues – Evasion
Submitted by Deepa Srinivasan
CSE581, Winter 2002
OGI School of Science and Engineering
Oregon Health and Science University
Abstract
The topics covered in this paper group are:
Summary
Network intrusion detection systems (NIDS) are software systems that passively monitor the traffic on a network and perform signature analysis on packets to detect intrusion attempts. Given the role that NIDS play, and the fact that they fail open (an overloaded or confused NIDS stops alerting while the traffic keeps flowing), it is critical that they are implemented reliably.
The fundamental problem facing NIDS is that they are typically deployed on an independent host that only observes the traffic, rather than on the end systems they are meant to protect [1]. An attacker can exploit this fact and manipulate the packet stream so that the NIDS sees a different sequence of packets than the target host does. Insertion and evasion attacks take advantage of this asymmetry: an insertion attack sends packets that the NIDS accepts but the target host rejects (for example, a segment with a bad TCP checksum, or with a TTL too small to reach the host), so the NIDS reassembles extra bytes that never reach the host; an evasion attack sends packets that the host accepts but the NIDS rejects or interprets differently. Either way the NIDS matches its signatures against a stream the host never received, which produces false negatives, and deliberately crafted streams can also produce false positives. These attacks exploit protocol ambiguities, for example in the handling of TCP and IP header options, overlapping IP fragments and inconsistent TCP retransmissions. Denial of service attacks can be mounted by exhausting resources on the NIDS, or by causing a reactive NIDS to generate false positives that lead it to shut down valid connections in the network. [1] is a significant paper that demonstrates the wide range of fundamental vulnerabilities in NIDSs, lists a large number of packet drop points in the FreeBSD 2.2 protocol stack and records the behavior of various operating systems in the face of protocol ambiguities. It also presents black-box testing of available NIDS that confirms these attacks in practice: all the NIDS tested were vulnerable to most of the attacks.
IP fragmentation is a popular vehicle for these attacks, since many IP stacks (and many NIDS) do not handle fragmentation and reassembly correctly, or handle it differently from one another. [2] describes the fragrouter tool, which can be used to test the effectiveness of a NIDS against such attacks by re-sending a normal packet stream in a variety of fragmented and out-of-order forms.
[3] presents the concept of normalization of network traffic. The idea is to place a "normalizer" directly in the path of traffic into a site and normalize (patch up) the packet stream to remove protocol ambiguities before it reaches either observer. Thus the NIDS and the end system see the same traffic and interpret it the same way, which removes the fundamental problem described in [1]. One important constraint is that normalization must not change the end-to-end semantics of the protocol. The normalizer itself can become the target of an attack (for example a state-holding attack), but because it sits in the forwarding path it can be made to fail closed, whereas a NIDS fails open under the same attack. [3] also explores real-world considerations for a normalizer, including cold start and the handling of connections that were already in progress when it started. [3] is significant in that it presents a systematic treatment of the ambiguities in, and the corresponding normalizations for, the IP packet header fields.
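The following simulation, added to this summary and not taken from [1], [3] or fragrouter, shows the mechanics behind the three paragraphs above: a naive NIDS and an end host reassembling the same TCP segments, an insertion stream (bad checksum and short TTL) and an overlap stream (inconsistent retransmission) that make the two views diverge, and a normalizer that removes the ambiguity so both observers agree. The segment fields, the hop count between tap and host, the host's "last copy wins" overlap policy and the signature string are all constructed assumptions for the example.

```python
"""Insertion/evasion through protocol ambiguity, and normalization.

Illustrative model written for this summary; not code from [1], [3] or
fragrouter.  A "segment" carries the fields the attacks turn on: TCP
sequence offset, payload, IP TTL as seen at the monitor, and whether the
TCP checksum verifies.  Everything is simulated in-process.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # byte offset of the payload in the stream
    data: bytes
    ttl: int        # IP TTL when the segment passes the monitoring point
    csum_ok: bool   # True if the TCP checksum verifies


HOPS_PAST_MONITOR = 3                   # assumed hops between NIDS tap and host
HOST_MIN_TTL = HOPS_PAST_MONITOR + 1    # TTL needed to survive those hops
SIGNATURE = b"ATTACK"                   # constructed string the NIDS looks for


def reassemble(segments, overlap, check_csum, min_ttl):
    """Rebuild the byte stream one observer sees.
    overlap "first" keeps bytes already received when a later segment
    overlaps them, "last" lets the later copy overwrite them (real stacks
    and NIDS differ here); check_csum drops segments with a bad checksum;
    min_ttl drops segments whose TTL cannot reach this observer."""
    buf = {}
    for s in segments:
        if check_csum and not s.csum_ok:
            continue
        if s.ttl < min_ttl:
            continue
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if overlap == "first" and off in buf:
                continue
            buf[off] = byte
    return bytes(buf[off] for off in sorted(buf))


def views(segments):
    """(what a naive NIDS sees, what the end host sees) for the same packets."""
    nids = reassemble(segments, overlap="first", check_csum=False, min_ttl=0)
    host = reassemble(segments, overlap="last", check_csum=True,
                      min_ttl=HOST_MIN_TTL)
    return nids, host


def normalize(segments, min_ttl=HOST_MIN_TTL):
    """In-path normalizer in the spirit of [3] (a model, not their code):
    drop segments the host could never accept, and make overlapping
    retransmissions consistent with the bytes already forwarded (first copy
    wins), so every observer downstream reassembles the same stream."""
    forwarded = {}
    out = []
    for s in segments:
        if not s.csum_ok or s.ttl < min_ttl:
            continue
        data = bytearray(s.data)
        for i in range(len(data)):
            off = s.seq + i
            if off in forwarded:
                data[i] = forwarded[off]    # rewrite to what was already sent
            else:
                forwarded[off] = data[i]
        out.append(Segment(s.seq, bytes(data), s.ttl, True))
    return out


# Constructed insertion stream: "X" has a bad checksum and "Q" a TTL that
# expires before the host, so only the monitor keeps them; because the monitor
# favours data it already holds, the later "TACK" cannot displace them.
INSERTION = [
    Segment(0, b"AT", 64, True),
    Segment(2, b"X", 64, False),
    Segment(3, b"Q", 2, True),
    Segment(2, b"TACK", 64, True),
]

# Constructed ambiguity stream: every segment is valid; the observers differ
# only in which copy of the retransmitted bytes they keep.
OVERLAP = [
    Segment(0, b"ATT", 64, True),
    Segment(3, b"XYZ", 64, True),
    Segment(3, b"ACK", 64, True),
]


def detected(stream):
    return SIGNATURE in stream


if __name__ == "__main__":
    for name, segs in (("insertion", INSERTION), ("overlap", OVERLAP)):
        for label, s in (("raw", segs), ("normalized", normalize(segs))):
            nids, host = views(s)
            print(f"{name:9} {label:10} NIDS={nids!r:12} host={host!r:12} "
                  f"NIDS alerts={detected(nids)} host hit={detected(host)}")
```

On the raw streams the host receives "ATTACK" while the NIDS reassembles "ATXQCK" and "ATTXYZ" and raises no alert; after normalization both observers see the same bytes, so the insertion stream is detected and the ambiguous retransmission no longer delivers the attack to the host at all. The model ignores sequence-number wraparound and window limits, which a real reassembler must also get right.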
[4] describes a tool (PCP) that can be used to make the open-source IDS Snort report a large number of false positives, an attack the authors call squealing (squeal attacks). The tool has not been released to the public because of the potential for misuse. It describes the significant exploitations of this type of attack:
[4] also states that it is becoming increasingly easy to cause false positives in IDSs because of the number of tools available for doing so, and that the prospect of such tools becoming publicly available has prompted warnings from federal agencies.
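As an added example, not from [4] and not the PCP tool or real Snort rules, the model below runs a small signature matcher over constructed traffic in which an attacker sends signature-matching payloads with the source address spoofed to that of a legitimate peer. Run passively the NIDS simply logs false positives that name the innocent peer; run reactively (blocking the source on alert, the behaviour [1] warns about) it cuts the legitimate peer off. The signature patterns, addresses and payloads are constructed for the example.

```python
"""Squealing a signature NIDS: false positives as a denial of service.

Illustrative model for this summary; not Snort rules and not the PCP tool
from [4].  The attacker spoofs a legitimate peer's address on packets whose
payloads match signatures.  A passive NIDS logs noise; a reactive one that
blocks on alert shuts the peer out.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")

# Constructed content signatures (simplified; not Snort rule syntax).
SIGNATURES = {
    "WEB-CGI phf access": re.compile(rb"/cgi-bin/phf"),
    "SHELLCODE x86 NOP sled": re.compile(rb"\x90{8,}"),
}

SERVER = "198.51.100.5"     # protected host (documentation address, assumed)
PARTNER = "192.0.2.10"      # legitimate peer the attacker impersonates


class SignatureNIDS:
    def __init__(self, block_on_alert):
        self.block_on_alert = block_on_alert
        self.alerts = []        # (signature, claimed source address)
        self.blocked = set()    # sources a reactive NIDS has shut out

    def inspect(self, pkt):
        """Return what the NIDS did with the packet: pass, alert or dropped."""
        if pkt.src in self.blocked:
            return "dropped"
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                self.alerts.append((name, pkt.src))
                if self.block_on_alert:
                    self.blocked.add(pkt.src)
                return "alert"
        return "pass"


def squeal(spoofed_src, dst, count):
    """Constructed attacker traffic: signature-matching payloads carrying a
    spoofed source, so every alert names an innocent host."""
    payloads = [b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n", b"\x90" * 16]
    return [Packet(spoofed_src, dst, payloads[i % 2]) for i in range(count)]


def run_scenario(block_on_alert):
    """One legitimate request, three squeal packets, another legitimate request."""
    nids = SignatureNIDS(block_on_alert)
    traffic = [Packet(PARTNER, SERVER, b"GET /index.html HTTP/1.0\r\n")]
    traffic += squeal(PARTNER, SERVER, 3)
    traffic.append(Packet(PARTNER, SERVER, b"GET /news.html HTTP/1.0\r\n"))
    outcomes = [nids.inspect(p) for p in traffic]
    return {
        "outcomes": outcomes,
        "false_positives": len(nids.alerts),    # PARTNER sent none of them
        "partner_blocked": PARTNER in nids.blocked,
    }


if __name__ == "__main__":
    print("passive :", run_scenario(block_on_alert=False))
    print("reactive:", run_scenario(block_on_alert=True))
```

The passive run yields three alerts, all attributed to PARTNER, and the peer's second request still passes; the reactive run blocks PARTNER after the first spoofed packet and its later legitimate request is dropped. This is why automatic blocking on a signature match turns a squeal attack into a denial of service against whoever the attacker chooses to impersonate.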
Class Discussion
The stealth port scan that uses the IP identifier field was explained during this presentation. The class discussion covered the mechanism of this attack and how a normalizer resolves it.
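The in-process model below, added here and not taken from [3] or from any scanning tool, walks through the mechanism discussed in class (the idle scan): the attacker reads an idle "zombie" host's global IP ID counter, bounces a spoofed SYN off it at the target, and reads the counter again to learn whether the port answered. It then puts a normalizer in front of the zombie's site that rewrites outgoing IP IDs, which removes the side channel. The addresses, the zombie's starting counter and the per-destination rewrite scheme are assumptions made for the example; a random rewrite would serve equally well.

```python
"""The IP-identifier stealth port scan (idle scan) and its normalization.

Illustrative in-process model for this summary; not from [3] and not a
scanning tool.  The attacker never sends the target a packet carrying its
own address: it bounces a spoofed SYN off an idle "zombie" and reads the
zombie's IP ID counter before and after to learn whether the port answered.
"""
ATTACKER = "203.0.113.7"    # assumed documentation addresses
ZOMBIE = "192.0.2.10"
TARGET = "198.51.100.5"


class IPIDNormalizer:
    """Normalizer in front of the zombie's site.  It replaces the IP ID on
    outgoing packets with a value from a per-destination counter (an assumed
    scheme; a random value also works), so no outside observer can read the
    zombie's global counter or infer packets sent to other hosts."""

    def __init__(self):
        self.counters = {}

    def rewrite(self, pkt):
        n = self.counters.get(pkt["dst"], 0) + 1
        self.counters[pkt["dst"]] = n
        return {"dst": pkt["dst"], "id": n}


class Zombie:
    """Idle host whose stack uses one global, incrementing IP ID counter,
    the behaviour the attack depends on."""

    def __init__(self, normalizer=None):
        self.ipid = 1000
        self.normalizer = normalizer

    def send(self, dst):
        self.ipid += 1
        pkt = {"dst": dst, "id": self.ipid}
        return self.normalizer.rewrite(pkt) if self.normalizer else pkt


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, claimed_src):
        """SYN with a spoofed source.  An open port answers SYN/ACK, which the
        zombie (expecting nothing) rejects with a RST and so consumes one IP
        ID; a closed port answers RST, which the zombie silently ignores."""
        if port in self.open_ports:
            claimed_src.send(TARGET)


def probe(zombie):
    """Attacker's SYN/ACK to the zombie draws a RST whose IP ID it reads."""
    return zombie.send(ATTACKER)["id"]


def idle_scan(target, zombie, port):
    """Three steps of the scan; the attacker infers the port state from the
    IP ID delta: one step for its own probe, two if the zombie also RST'd."""
    before = probe(zombie)
    target.receive_syn(port, zombie)    # spoofed: appears to come from zombie
    after = probe(zombie)
    return "open" if after - before >= 2 else "closed"


def scan(ports, normalized):
    zombie = Zombie(IPIDNormalizer() if normalized else None)
    target = Target(open_ports={80, 443})
    return {p: idle_scan(target, zombie, p) for p in ports}


if __name__ == "__main__":
    print("raw zombie:", scan([22, 80, 443], normalized=False))
    print("normalized:", scan([22, 80, 443], normalized=True))
```

Against the raw zombie the attacker correctly learns that 80 and 443 are open and 22 is closed without ever exposing its own address to the target. With the normalizer rewriting the zombie's outgoing IP IDs per destination, the attacker's two probes always differ by one regardless of what the zombie sent elsewhere, so the scan yields no information. The model leaves out the real-world noise of other traffic advancing the zombie's counter, which is why attackers prefer genuinely idle hosts.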
References
[1] T. Ptacek, T. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", Secure Networks, Inc., January 1998.
[2] B. Sanford, "IP Fragmentation and Fragrouter".
[3] M. Handley, V. Paxson, C. Kreibich, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics", Proc. 10th USENIX Security Symposium, 2001.
[4] S. Patton, W. Yurcik, D. Doss, "An Achilles' Heel in Signature-Based IDS: Squealing False Positives in Snort", Proc. Recent Advances in Intrusion Detection (RAID), 2001.