Towards Secure Multipath TCP Communication
Total Page:16
File Type:pdf, Size:1020Kb
Zeeshan Afzal | Towards Secure Multipath TCP Communication | Zeeshan Afzal | Towards Towards Secure Multipath TCP Communication Multipath TCP (MPTCP) is an extension to standard TCP that is close to being standardized. The design of the protocol is progressing, but most of the focus has so far been on its compatibility. The security aspect is confined to making sure Towards Secure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security implications Multipath TCP Communication raised by using MPTCP in a traditional networking environment. Today, the security middleboxes make use of different assumptions that may not be true anymore with the advent of MPTCP. 2017:12 We investigate how practical it is to evade a security middlebox by fragmenting Zeeshan Afzal and sending traffic across multiple paths using MPTCP. Realistic attack traffic generated from a tool that is also presented in this thesis is used to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend secure MPTCP performance advantages. We also investigate the MPTCP scenario where security middleboxes can only observe some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a high detection accuracy. ISBN 978-91-7063-763-6 (print) ISBN 978-91-7063-764-3 (pdf) Faculty of Health, Science and Technology ISSN 1403-8099 Computer Science LICENTIATE THESIS | Karlstad University Studies | 2017:12 LICENTIATE THESIS | Karlstad University Studies | 2017:12 Towards Secure Multipath TCP Communication Zeeshan Afzal LICENTIATE THESIS | Karlstad University Studies | 2017:12 Towards Secure Multipath TCP Communication Zeeshan Afzal LICENTIATE THESIS Karlstad University Studies | 2017:12 urn:nbn:se:kau:diva-48172 ISSN 1403-8099 ISBN 978-91-7063-763-6 (print) ISBN 978-91-7063-764-3 (pdf) © The author Distribution: Karlstad University Faculty of Health, Science and Technology Department of Mathematics and Computer Science SE-651 88 Karlstad, Sweden +46 54 700 10 00 Print: Universitetstryckeriet, Karlstad 2017 WWW.KAU.SE Towards Secure Multipath TCP Communication Zeeshan Afzal Department of Mathematics and Computer Science Karlstad University Abstract The evolution in networking coupled with an increasing demand to improve user experience has led to different proposals to extend standard TCP. Multi- path TCP (MPTCP) is one such extension that has the potential to overcome a few inherent limitations in standard TCP. The design and deployment of the protocol is progressing, but most of the focus has so far been on its compati- bility. The security aspect is limited to making sure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security impli- cations raised by using MPTCP in the traditional networking environment. The Internet of today has security middleboxes that perform traffic analy- sis to detect intrusions and attacks. Such middleboxes make use of different assumptions about the traffic, e.g., traffic from a single connection always ar- rives along the same path. This along with many other assumptions may not be true anymore with the advent of MPTCP, as traffic can be fragmented and sent over multiple paths simultaneously. We investigate how practical it is to evade a security middlebox by frag- menting and sending traffic across multiple paths using MPTCP. Realistic at- tack traffic is used to evaluate such attacks against the Snort IDS to show that these attacks are feasible. We then go on to propose possible solutions to de- tect such attacks and implement them in an MPTCP proxy. The proxy aims to extend the MPTCP performance advantages to servers that only support standard TCP, while ensuring that intrusions can be detected as before. We also investigate the potential MPTCP scenario where security middleboxes only have access to some of the traffic. We propose and implement an algo- rithm to perform intrusion detection in such situations and achieve a nearly 90% detection accuracy. Another contribution of this work is a tool that converts IDS rules into synthetic attack traffic. Keywords: network security, TCP, MPTCP, IDS, Snort, edit-distance iii v Acknowledgements I would like to start by thanking the people who have enabled me to be in the position I am today. I will be forever grateful to Magnus Almgren, who I met as a student at Chalmers University of Technology. He took me under his guidance and inspired me to pursue an academic career. Judith Rossebø, who I met at ABB in Oslo during the work for my Master’s thesis, deserves a special mention for her guidance. I am thankful to my main advisor Stefan Lindskog, who trusted a young Master’s student with no previous research experience and provided valuable feedback and support throughout. I am grateful to Anna Brunstrom, Johan Garcia and all of my other co-authors for their brilliant ideas, helpful critique, and feedback. This thesis is part of a journey that started with my grandfather’s wish for me to secure a doctoral degree. Grandpa, I wish you could be here today to witness how far I have come to fulfill your dream. A special mention goes to my parents and siblings back in Pakistan for their love and support throughout my life. My family in Norway has provided unwavering support and made it easier for me to stay away from home and undertake a research career. Thank you to Noor, Ismail and Hadi for being constant sources of happiness in my life. I offer my gratitude to my fiancée Khadija for being my good luck charm and a blessing in my life. I can not help but mention Liverpool FC here. You have been there with me through both the good and bad times. Thanks for all the memories and lets make many more. You will never walk alone! Finally, I would like to thank all my colleagues at the department for the technical and non-technical discussions. The “innebandy” squad has made me appreciate another sport than football. Thanks for that. The work in this thesis was carried out in the High Quality Networked Services in a Mobile World (HITS) project, funded partly by the Knowledge Foundation of Sweden. Karlstad University, March 14, 2017 Zeeshan Afzal vii List of Appended Papers This thesis is based on the work reported in the following appended papers. I. Zeeshan Afzal and Stefan Lindskog. Multipath TCP IDS Evasion and Mitigation. In Proceedings of the 18th Information Security Conference (ISC), Trondheim, Norway, September 9–11, 2015. II. Zeeshan Afzal, Stefan Lindskog, Anna Brunstrom, and Anders Lidén. Towards Multipath TCP Aware Security Technologies. In Proceedings of the 8th IFIP International Conference on New Technologies Mobility and Security (NTMS), Larnaca, Cyprus, November 21–23, 2016. III. Zeeshan Afzal, Johan Garcia, and Stefan Lindskog. Partial Signature Matching in an MPTCP World using Insert-only Levenshtein Distance. Under Submission. IV. Zeeshan Afzal and Stefan Lindskog. IDS Rule Management Made Easy. In Proceedings of the 4th International Workshop on Systems Safety and Security (IWSSS), Ploiesti, Romania, June 30–02 July, 2016. The papers have been subjected to minor editorial changes. Comments on my Participation For all the papers, I came up with the initial idea and did most of the writing. The work was conducted together with my co-authors. Stefan Lindskog has been most influential for all the papers. • In Paper II, Anders Lidén proposed the different MPTCP proxy scenar- ios and suggested where the proxy should be placed. Anna Brunstrom provided networking and protocol support. • In Paper III, Johan Garcia proposed the insert-only Levenshtein dis- tance algorithm and wrote about it in the paper. Other Publications • Zeeshan Afzal and Stefan Lindskog. Automated Testing of IDS Rules. In Proceedings of the 6th International Workshop on Security Testing (SECTEST), Graz, Austria, April 13, 2015. • Zeeshan Afzal, Stefan Lindskog and Anders Lidén. A Multipath TCP Proxy. In Proceedings of the 11th Swedish National Computer Net- working Workshop (SNCNW), Karlstad, Sweden, May 28–29, 2015. • Zeeshan Afzal, Judith Rossebo, Batool Talha, and Mohammad Chowd- hury. A Wireless Intrusion Detection System for 802.11 Networks. In Proceedings of the IEEE International Conference on Wireless Com- munications, Signal Processing and Networking (WiSPNET), Chen- nai, India, March 23–25, 2016. ix Contents List of Appended Papers vii Introductory Summary 1 1 Introduction 3 2 Background 4 2.1 Network Security . .4 2.2 MPTCP . .5 2.2.1 MPTCP Connection and Subflows . .6 2.2.2 Transfer of Data . .6 2.2.3 Deployment . .7 2.3 Security Implications of MPTCP . .7 2.3.1 Data Fragmentation . .8 2.3.2 Independence from a Fixed Four-tuple . .9 2.3.3 Durable and Reverse Connections . .9 3 Research Objectives and Questions 9 4 Contributions 11 5 Research Methodology 12 6 Summary of Appended Papers 13 7 Concluding Remarks and Outlook 14 Paper I: Multipath TCP IDS Evasion and Mitigation 17 1 Introduction 19 1.1 Motivation and Research Questions . 20 1.2 Contribution . 21 1.3 Paper Structure . 21 2 Related Work 21 3 Background 22 3.1 Multipath Networking . 22 3.1.1 Implementation . 23 3.1.2 Initiating an MPTCP Connection . 23 3.1.3 Addition of a New Subflow . 23 3.1.4 Data Transfer using MPTCP . 24 3.2 Network Security Reflections . 24 x 3.3 Snort . 25 3.3.1 Snort Operation . 25 3.3.2 Rules . 25 4 Experimental Methodology 26 4.1 Client Side . 26 4.1.1 Snort Rules . 26 4.1.2 Rule Analyzer . 26 4.1.3 Rule Parser .