Sciweavers

SIGCOMM
2006
ACM

Detecting evasion attacks at high speeds without reassembly

14 years 6 months ago
Detecting evasion attacks at high speeds without reassembly
Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP Fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that cause the at...
George Varghese, J. Andrew Fingerhut, Flavio Bonom
Added 14 Jun 2010
Updated 14 Jun 2010
Type Conference
Year 2006
Where SIGCOMM
Authors George Varghese, J. Andrew Fingerhut, Flavio Bonomi
Comments (0)