Detecting Evasion Attack at High Speed without Reassembly Presented by C.W. Hon K.K. To 26/Mar/2007
1 Detecting Evasion Attack at High Speed without Reassembly Presented by C.W. Hon K.K. To 26/Mar/2007
External attack Internet DMZONE Enterprise switch DNS WEBMAIL Internal servers Clients
2 External attack DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients
Internal attack Internet DMZONE Enterprise switch DNS WEBMAIL IPS IPS Internal servers Clients
3 Internal attack DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients
IDS/PS integration Internet DMZONE Enterprise switch DNS WEBMAIL IPS IPS Internal servers Clients
4 IDS/IPS integration DNS WEB MAIL DMZONE Enterprise switch Internal servers Clients
DS/IPS IDS- Reactive approach Ps- Proactive approach iPS differs from idS in that it takes a proactive approach to attacks-eg blocking the packets concerned -rather than a reactive approach e.g. triggering human intervention
5 IDS/IPS IDS – Reactive approach IPS – Proactive approach IPS differs from IDS in that it takes a proactive approach to attacks - e.g. blocking the packets concerned - rather than a reactive approach - e.g. triggering human intervention
IDS/IPS IPS can be describe as a subset of ids where a subset of rules are enabled with the corresponding action to drop any packet that matches this rule Q Minimum false positive is required
6 IDS/IPS • IPS can be describe as a subset of IDS where a subset of rules are enabled with the corresponding action to drop any packet that matches this rule. ☼ Minimum false positive is required
Signature based IDS/PS An idS/ps consists of a database of rules Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action
7 Signature based IDS/IPS • An IDS/IPS consists of a database of rules. • Each rule specifies a predicate on packet headers, optionally contains a content string, and has an associated action
Reassembly Both ids and iPs are required to reassembly TCP flows and IP fragments Ensures that a content string in a rule that is fragment across packets can be detected
8 Reassembly • Both IDS and IPS are required to reassembly TCP flows and IP fragments. • Ensures that a content string in a rule that is fragment across packets can be detected
Normalization IPS is required to normalize TCP flows Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker
9 Normalization • IPS is required to normalize TCP flows. • Normalization seeks to normalize the data sent in a flow to avoid inconsistencies that can be exploited by an attacker
What is normalization IP v4 Header 0,1,2;34567|89,012,34,5|6,78910,12,3|4,5,617,6,90 Version Head len TOS/Diffserv/ECN Total Length iP ldert f ier D DFMF Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding 10
10 What is Normalization IP v4 Header