A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performance when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.
Performance Attacks on Intrusion Detection Systems
1. Performance Attacks
on Intrusion Detection Systems
Davide Eynard
eynard@elet.polimi.it
Dipartimento di Elettronica e Informazione
Politecnico di Milano
2007/12/06
2. Intro
Intrusion Detection Systems
Open problems and vulnerabilities
The queueing model
Algorithmic complexity attacks
Tests and evaluations
Conclusions
p. 2 2007/12/06 Performance Attacks on IDS
3. Intrusion Detection Systems
As the Internet grows, the number of
• vulnerabilities
• attacks
• attackers!
increases: what kind of protection can we use for our systems?
IDS are used to detect unauthorized access attempts to computers or local networks
They work like burglar alarms in apartments
• they do not prevent attackers from breaking into the system...
• but they let administrators know when an attack is taking place
5. IDS Performance
Measures:
• coverage
• probability of false alarms
• probability of detection
• resistance to attacks directed at the IDS
• ability to handle high bandwidth traffic
• ability to correlate events
• ability to detect new attacks
• ability to identify an attack
• ...
Traffic generation:
• background
• attacks
6. IDS Vulnerabilities
Insertion
• an IDS accepts packets that an end system rejects
Evasion
• an IDS rejects packets accepted by the end system
Denial of Service
• compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
• fail-closed vs fail-open systems
7. Model
[Figure: a finite queue with K = L + 1 slots (L queued plus one in service); packets arrive at rate λ and are either accepted (λa) or rejected (λr); served packets leave at throughput X after a service time S = 1/μ]
Queue size: K
Service time: S = 1/μ
Incoming packet rate: λ pkt/sec
Throughput: X
λa: accepted packets
λr: rejected packets
8. Model
Markov Chain:
9. Model behavior
Drop probability as a function of λ/μ, plotted for four different queue sizes
10. Model behavior
[Plot: drop probability P(K) as a function of packet frequency and service time]
11. Model behavior
Drop probability as a function of S, seen for different values of λ
12. What if I have a 56Kbps?
Gigabit Ethernet: ~ 1.6Mpps (frame size: 78B)
100Mbps Ethernet: ~ 148Kpps (frame size: 84B)
10Mbps Ethernet: ~ 14.8Kpps
2Mbps ADSL: ~ 3Kpps
56Kbps modem: ~ 80 pps
13. Algorithmic complexity attacks
S. Crosby, D. Wallach: “Denial of Service via Algorithmic Complexity Attacks”, 2003
They exploit algorithmic deficiencies in the data structures of many common applications
• e.g. both hash tables and binary trees can degenerate into a linked list with carefully chosen input
One particular case: backtracking algorithmic complexity attacks
14. Backtracking attacks
A vulnerable rule:
15. Backtracking attacks
Every triple (x, y, z) contains:
• x: the match name
• y: where the parsing started
• z: where the next parsing will start
16. Backtracking attacks
IDS behavior (left: normal, right: under attack)
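The triples on the previous slide are the bookkeeping of a rule engine that tries several content options in order and backtracks when a later one fails. The toy matcher below is an added example, not code from the slides or from Snort: it records one (x, y, z) triple per attempted match and counts them on a constructed rule and constructed payloads, with and without a memo on (option index, start offset). The memoization is a mitigation assumed here for illustration, not a description of what any Snort version does.

```python
# Added toy example: a multi-content rule matcher that records the slides'
# (x, y, z) triples and counts them, with and without memoization.
# Rule, payloads and the memo defence are all constructed for illustration.

def evaluate(payload, contents, idx, start, trace, memo):
    """Return True if contents[idx:] can be matched in payload from `start`.

    contents[i] = (name, pattern, within): the pattern must lie inside the
    `within`-byte window that opens where the previous option's match ended.
    When a later option fails, the engine backtracks and tries the next
    occurrence of the earlier option; every attempt appends one triple
    (name, start, next_start) to `trace`. If `memo` is a dict, the result
    for each (idx, start) pair is cached so it is computed at most once.
    """
    if idx == len(contents):
        return True
    if memo is not None and (idx, start) in memo:
        return memo[(idx, start)]
    name, pattern, within = contents[idx]
    window_end = start + within
    matched = False
    pos = payload.find(pattern, start, window_end)
    while pos != -1:
        next_start = pos + len(pattern)
        trace.append((name, start, next_start))  # x, y, z of the slide
        if evaluate(payload, contents, idx + 1, next_start, trace, memo):
            matched = True
            break
        pos = payload.find(pattern, pos + 1, window_end)
    if memo is not None:
        memo[(idx, start)] = matched
    return matched


def count_triples(payload, contents, memoize):
    """Run one rule evaluation; return (matched, number of triples recorded)."""
    trace = []
    matched = evaluate(payload, contents, 0, 0, trace, {} if memoize else None)
    return matched, len(trace)


# Constructed rule: five "a" options, each within 5 bytes of the previous
# match, then a final option ("z") that the worst-case payload never contains.
RULE = [(f"c{i}", b"a", 5) for i in range(5)] + [("c5", b"z", 5)]
BENIGN = b"GET /index.html HTTP/1.0\r\n"  # constructed: no 'a', rejected at once
WORST = b"a" * 30  # constructed: five candidates in every window, then c5 fails

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("worst", WORST)):
        for memoize in (False, True):
            print(label, "memo" if memoize else "plain", count_triples(payload, RULE, memoize))
```

On the worst-case payload the plain engine records 3905 triples (5 + 25 + 125 + 625 + 3125) while the memoized one records 225, which is the difference between the left and right halves of the behavior figure in miniature.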
17. Tests and evaluations
Backtracking attacks seem a good way to create high service times
The plan:
• install Snort on a test machine
• generate background traffic on the network
• attack Snort with backtracking attacks
• observe and measure its behavior
Test machine
• 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
• Snort 2.4.3 and 2.8.0
Attacker machine
• 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
• blabla tool to replay the DARPA 1999 dataset
• a perl script to generate attack packets
21. Results
Snort 2.8.0 is not affected by the attacks
Snort 2.4.3 experiences serious slowdowns
• normal service time: ~100μsec
• normal attack: 500~1000μsec
• backtracking attack: 1500000μsec
With such a service time, just a few packets are enough to fill up the queue and make the IDS drop packets => other attacks go undetected!
Results comparable with the paper's: real behavior seems worse than in the model
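As an added example (not code from the slides), the drop probability of the finite queue from the model slides, worked through for the packet rates on the bandwidth slide and the service times measured above; it assumes the Markov chain is the standard M/M/1/K birth-death chain, and the queue size K = 50 is a constructed value. It also checks the conclusion that λ and S are interchangeable: P(K) depends only on their product ρ = λ·S = λ/μ.

```python
# Added example (not from the slides): drop probability of the finite queue,
# assuming the slides' Markov chain is the standard M/M/1/K birth-death chain
# (Poisson arrivals at rate lambda pkt/s, exponential service with mean
# S = 1/mu, K = L + 1 slots). P(K) is the probability that all K slots are
# occupied, so an arriving packet is rejected: lambda_r = lambda * P(K).

def drop_probability(lam, service_time, k):
    """P(K) for arrival rate lam (pkt/s), service time S (s) and K slots."""
    if k < 1 or lam < 0 or service_time <= 0:
        raise ValueError("need K >= 1, lambda >= 0 and S > 0")
    rho = lam * service_time  # offered load lambda/mu: only the product matters
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (k + 1)  # limit of the formula below as rho -> 1
    if rho > 1.0:
        # same expression divided through by rho**(k+1), so it never overflows
        return ((rho - 1.0) / rho) / (1.0 - rho ** -(k + 1))
    return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))


def split_rate(lam, service_time, k):
    """Split the incoming rate into (lambda_a accepted, lambda_r rejected)."""
    rejected = lam * drop_probability(lam, service_time, k)
    return lam - rejected, rejected


def sweep(k=50):
    """P(K) for the packet rates on the bandwidth slide against the three
    service times measured on Snort 2.4.3 (K = 50 is an assumed queue size)."""
    rates = {"56Kbps modem": 80, "2Mbps ADSL": 3_000, "10Mbps Ethernet": 14_800}
    times = {"normal": 100e-6, "normal attack": 1_000e-6, "backtracking": 1.5}
    return {(link, case): drop_probability(lam, s, k)
            for link, lam in rates.items() for case, s in times.items()}


if __name__ == "__main__":
    for (link, case), p in sweep().items():
        print(f"{link:16s} {case:14s} P(K) = {p:.3g}")
```

Even on the 80 pps modem link the backtracking service time gives ρ = 120, so about 99% of packets are dropped, while the normal service time gives a drop probability far below anything measurable.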
22. Conclusions
The incoming packet rate and the service time are interchangeable
The model is useful not just to plan attacks
• it explains why backtracking attacks work
• it allows one to study an IDS as a black box
Limits
• test suffers the classical problems of IDS evaluations
• bursts not taken into account
Possible future work
• take bursts into account
• multiclass model
23. That's All, Folks
Thank you!
Questions are welcome