Evaluation of Intrusion Detection Systems in Ipv6 Networks

Evaluation of Intrusion Detection Systems in Ipv6 Networks

Evaluation of Intrusion Detection Systems in IPv6 Networks Max Schrotter¨ 1, Thomas Scheffler2 and Bettina Schnor1 1Operating Systems and Distributed Systems, University of Potsdam, Potsdam, Germany 2School of Engineering - Energy and Information, Hochschule fur¨ Technik und Wirtschaft Berlin, Berlin, Germany Keywords: IDS, IDSv6, Benchmark, IPv6. Abstract: This paper introduces a benchmark suite for the evaluation of intrusion detection systems in IPv6 environ- ments. We use this benchmark to evaluate the prominent intrusion detection systems Snort, Zeek and Suricata. Further, an IPv6 Plugin Suite is presented and evaluated which enhances Snort by stateful attack detection. The results of our evaluation demonstrate the current abilities to detect IPv6 link-local attacks. 1 INTRODUCTION This leads to a third approach, that focuses on network monitoring and anomaly detection. Work Relatively early after the finalization of the IPv6 stan- started with (Beck et al., 2007), which introduced the dard, it became apparent, that the automatic host con- host-based tool ndpmon that listens to all NDP mes- figuration mechanism defined in the protocol did not sages in order to detect NDP anomalies and report work well with the proposed IPsec security mech- them. Another suitable approach is based on the ex- anisms and that the Neighbor Discovery Protocol tension of Intrusion Detection Systems (IDS) with ad- (NDP) (Narten et al., 2007) suffered from similar se- equate protocol support for the detection of specific curity problems as the Address Resolution Protocol IPv6-attacks. The authors of (Schutte¨ et al., 2012) (ARP) in IPv4 (Arkko et al., 2002). developed an IPv6 Plugin Suite for the well known IDS Snort 2. This approach benefits from the already The root cause of these issues lies in the early au- implemented packet capturing, decoding, configura- thentication problem (Nikander, 2002), which is com- tion, logging mechanisms, and log analysis tools of mon to all Layer 2 protocols without strong node the IDS framework. A new preprocessor module and authentication (most importantly Ethernet). There- several new IPv6-specific rule options make the def- fore, most mitigation techniques such as port-based inition of IPv6-specific attack signatures possible. In Network Access Control (IEEE 802.1X), IP Secu- this paper, we present our findings on implementing a rity (IPSec) and SEcure Neighbor Discovery (SEND) similar Plugin Suite that supports the new version of propose cryptographic host authentication. However, the IDS Snort 3.0 (see Section 4.1) and comparing its this either requires some form of pre-configuration of credentials and keying material or resource intensive detection results with other popular intrusion detec- computations, which is not a practical solution within tion systems (see Section 6). For the comparison, we IDSv6 most networks. Another approach advocates the fil- propose an benchmark suite consisting of IPv6 tering of IPv6 messages on Layer 2 devices as speci- specific network attacks (see Section 3). fied by the IPv6 Router Advertisement Guard (Levy- Abegnoli et al., 2011) which requires hardware sup- port in the switches as well as configuration effort. 2 RELATED WORK The network research community is aware of the security issues of IPv6 and the Neighbor Discovery In 2015, Jon Mark Allen published a report which Protocol (NDP) (Hogg and Vyncke, 2009; Nikander examined the IPv6 support by the intrusion detec- et al., 2004) and the IETF has re-worked some of the tion systems Snort, Suricata, and Bro (Zeek) (Allen, standards in recent years to limit the attack surface 2015). One of his observation was the unsatisfying of the protocols (Gont, 2013). However, countermea- tool support at that time - such as not displaying the sures not always exist, since some of these problems corresponding IPv6 address in case of Snort when are protocol inherent. viewing an alert from an IPv6 stack. Different to our 408 Schrötter, M., Scheffler, T. and Schnor, B. Evaluation of Intrusion Detection Systems in IPv6 Networks. DOI: 10.5220/0007840104080416 In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019), pages 408-416 ISBN: 978-989-758-378-0 Copyright c 2019 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved Evaluation of Intrusion Detection Systems in IPv6 Networks approach, Allen investigated web application attacks sure the effectiveness of attack detection and defense in IPv6 traffic, but no IPv6 specific attacks. All three mechanisms but this method has several drawbacks. IDS systems were tested with the same network cap- Software versions change also for attack tools and tures of a web application vulnerability scan: one over may implement subtile changes that can lead to vary- IPv4, and one over IPv6. While the three IDS systems ing detection results. Necessary network setups de- behaved different in their number of alerts, each IDS pend on additional devices and their configuration, are reported a comparable amount of alerts for the IPv4 time consuming to create and may be difficult to repli- and IPv6 traffic as one would expect. cate exactly. Attributing changes in detection results Salih et al. present a tool which detects and clas- to specific root causes becomes difficult, even if the sifies covered channels in IPv6 networks (Salih et al., same tools are used for different measurements. 2015). Sources of covert channels are header fields The problem of comparatively benchmarking dif- which are not set properly. Salih et al. identify ferent Intrusion Detection Systems is not new. Hav- the following header fields as potential covert chan- ing a common benchmark dataset eases comparison nels: Traffic Class, Flow Label, Payload Length, Next between different systems and makes trial runs easily Header, Hop Limit, and Source Address. They pro- reproducible. Between 1998 and 2000, Lincoln Lab- pose a Machine Learning approach to detect covert oratory of MIT released several datasets for the eval- channel implementing an enhanced feature selection uation of IDS, the so called DARPA datasets2. The algorithm supporting Naive Bayesian classifier. The datasets were aimed to represent real-world traffic results of the conducted experiments show a high de- mixes interspaced with attack traffic. Right after re- tection performance of about 96 %. While this is a lease, these datasets drew immediate criticism regard- promising result, it is questionable whether these at- ing the modelling and generation of the attack and tacks should be detected by an intrusion detection sys- background traffic (McHugh, 2000), however, they tem, since the misuse of IPv6 header fields may al- are still used to the present day, simply because no ready be prohibited by a packet filter. other common benchmarks exist. In order to prove that IPv6 attacks are real and When we started developing the IPv6 Plugin Suite exploitable, Marc Heuse implemented different link- for Snort, we were looking for a quick way to ver- local attacks in “The Hacker’s Choice” (THC) toolkit ify our development efforts. In order to automatize (Heuse, nd). The toolkit implements several denial- attack detection testing and to minimize administra- of-service and fragmentation attacks as well as a tive overhead, we created the IDSv6 benchmark suite, covert channel attack where a destination option that now consists of several pcap files derived from header is misused. The toolkit is easy to use also for real attack tools created in the network setup depicted non-security experts, constantly updated and runs on by Figure 1. This collection of pcap files can be ap- Linux. We use the THC toolkit as the base of our plied quickly and consistently in order to test detec- IDSv6 benchmark (see Section 3). tion rates and functionality of intrusion detection sys- Fernando Gont developed the SI6 Networks’ IPv6 tems. The IDS present in the figure plays no active toolkit1. Like the THC toolkit, the SI6 implements part during capturing of the attack traffic. It simply is link-local attacks special to IPv6, but it is highly con- a placeholder to indicate from what position within figurable and may be used for protocol analysis as the network traffic patterns will be observed if the well as attack purposes. The tools need to be param- benchmark pcap files are used. IDS usually support eterized correctly in order to be effective and usually direct input from capture files. If this is not possi- require more protocol knowledge and configuration ble, tools like tcpreplay3 could be used to reproduce overhead than the THC toolkit. Contrary to the THC previously captured network events. toolkit the SI6 implementation runs also on BSD-type Table 1 lists all the different attacks that are UNIXes such as FreeBSD and MacOS. included in the suite. With the exception of dos mld chiron, all attacks were created by the THC toolkit in Version v3.5-dev. We choose the THC toolkit because of its maturity and ease of use, which 3 THE IDSV6 BENCHMARK makes it likely to be used during real network attacks. The Chiron tool can be found on Github4. We used One question that is going to be asked by researchers Version 1.0 of this tool. and practitioners alike is: ”How effective is a partic- The IDSv6 benchmark is focused on attacks that ular IDS in detecting network attacks”? It is possi- ble to use the THC toolkit and SI6 directly to mea- 2https://www.ll.mit.edu/r-d/datasets 3https://tcpreplay.appneta.com 1https://www.si6networks.com/tools/ipv6toolkit/ 4https://github.com/aatlasis/Chiron 409 SECRYPT 2019 - 16th International Conference on Security and Cryptography available5. 4 INTRUSION DETECTION SYSTEMS This section gives a short overview of the evaluated intrusion detection systems. All three systems are open source, free to use and have done their home- work and support the necessary decoding of IPv6 packets for the upper layer protocol analysis and at- tack detection.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us