
Active Mapping: Resisting NIDS Evasion Without Altering Traffic

Umesh Shankar∗ ([email protected]), University of California at Berkeley
Vern Paxson ([email protected],ee.lbl.gov), ICSI Center for Internet Research and Lawrence Berkeley National Laboratory

∗ Research supported in part by an NDSEG fellowship and an equipment donation from Intel.

Abstract

A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a NIDS' analysis with minimal runtime cost. Active Mapping efficiently builds profiles of the network topology and the TCP/IP policies of hosts on the network; a NIDS may then use the host profiles to disambiguate the interpretation of the network traffic on a per-host basis. Active Mapping avoids the semantic and performance problems of traffic normalization, in which traffic streams are modified to remove ambiguities. We have developed a prototype implementation of Active Mapping and modified a NIDS to use the Active Mapping-generated profile database in our tests. We found wide variation across operating systems' TCP/IP stack policies in real-world tests (about 6,700 hosts), underscoring the need for this sort of disambiguation.

Figure 1. A diagram of a typical site's network with a NIDS (figure labels: Site, ISP1, ISP2, Firewall, NIDS, Alert).

1 Introduction

A Network Intrusion Detection System (NIDS) passively monitors network traffic on a link, looking for suspicious activity as defined by its protocol analyzers (see Figure 1). In order to correctly analyze a stream of traffic, the NIDS must first determine which packets reach the target host it is monitoring and then, for those that do, interpret them exactly as the target host does. The problem is therefore equivalent to the NIDS being able to perform a complete and precise simulation of the network and the host machines; in this paper we restrict our discussion to the NIDS' ability to simulate the network and transport layers.

The dominant obstacle to achieving this goal is ambiguity: the wide variety of network topologies and TCP/IP-stack policies makes it impossible for the NIDS to know the correct interpretation of traffic without additional context. The result is a divergence between how a host interprets a sequence of packets and how the NIDS believes the sequence has been interpreted. The NIDS can be tricked by an attacker into believing that no attack occurred, or it may be confused by a multitude of possible interpretations, some of which are attacks and some of which are not. The evasions are not just theoretically possible: Ptacek and Newsham [PN98] describe a number of specific methods for exploiting this sort of ambiguity at the TCP/IP layer. Furthermore, toolkits have been developed which automate their use [So02, Mc98]. Thus, it is of considerable practical concern that we find a way to resolve TCP/IP-based ambiguities.

In this paper we explore a novel approach to eliminating TCP/IP ambiguity, called Active Mapping. The key idea is to acquire sufficient knowledge about the intranet being monitored that, using it, the NIDS can tell which of those packets will arrive at their purported recipient, and, if so, how they will be interpreted. Active Mapping does this by building up a profile database of the key properties of the hosts being monitored and the topology that connects them. Profiles are constructed by sending specially crafted packets to each host and interpreting the responses to determine path properties and TCP/IP policies (see Section 3 and the Appendix for details).

Using Active Mapping profiles makes a NIDS context-sensitive. Some measure of context-sensitivity—awareness of the hosts the monitor is trying to protect—is necessary; writing more detailed analyzers is of no use when we don't know how to disambiguate the traffic we are analyzing. No amount of careful coding in the NIDS can remove context-related ambiguity. Thus, something like our approach—gathering host- and network-specific information and using it in the NIDS—is inevitable if we are to make inroads against the problem of ambiguity in a passive monitor. The information-gathering may be done in other ways, e.g., passively, but the principle remains the same.

Previous work proposes to eliminate ambiguity in NIDS analysis by using a traffic normalizer [HKP01]. The normalizer, which sits in the forwarding path before the NIDS, rewrites incoming traffic into well-formed streams that presumably admit only one interpretation on all reasonable TCP/IP implementations. Thus the NIDS, with a single policy set, can unambiguously analyze the traffic for intrusion attempts on any of the hosts of the protected network.

Though it succeeds in reducing ambiguity, a normalizer, like any active (traffic-altering) element, has a number of drawbacks. One is performance: the normalizer must be able to reconstruct every TCP stream in real time. Another is robustness: since the normalizer is in the forwarding path of every packet, it must be extremely reliable even in the face of resource exhaustion; it also must be resistant to stateholding and CPU attacks on itself. Normalization also potentially changes the semantics of a stream. As detailed in [HKP01], these changes can break some mechanisms, like traceroute and Path MTU discovery.

By contrast, a NIDS armed with a profile database can resolve ambiguities in a traffic stream it observes without having to intercept or modify the stream, which has major operational and semantic advantages. We stress that making contextual information available to the NIDS is the only way to do correct disambiguation of a stream without modifying it, so employing something like Active Mapping is essential.

Next, let us consider an example evasion. Figure 2 details an evasion based on uncertainty about the number of hops between the NIDS and a target host. If an attacker manipulates the TTL field of packets to confuse the NIDS, it cannot know which of many possible packet sequences was actually received and accepted by the host. On the other hand, if the NIDS has information about the network path to the host, then it can eliminate the ambiguity. It is just this information that Active Mapping gathers and supplies to the NIDS. With it, the NIDS can ignore packets that will not reach the host, enabling correct analysis. It may be tempting to try to simultaneously analyze all possible interpretations of the packet stream; however, the space of possible network topologies and TCP/IP policies is so large as to make the problem intractable (see Figure 2 and the Appendix for examples).

We have implemented a prototype of Active Mapping and run it on a network of about 6,700 hosts. Our tests showed that the increased precision in analysis does not come with any significant performance cost at runtime for the NIDS. The increased memory cost was minimal as well. We present results to this effect in Section 5.

The organization of this paper is as follows. In Section 2, we discuss a model of operation of the mapper. In Section 3, we discuss the abilities and limitations of Active Mapping, examining selected tests in detail. The mapper's implementation is described in Section 4; the results of mapping real-world networks and NIDS integration tests are presented in Section 5 along with a discussion of performance and findings. We give an overview of related work in Section 6, including the potentially symbiotic relationship between Active Mapping and normalization, and conclude with a summary of our findings in Section 7. In the Appendix, we make an effort to cover the complete spectrum of TCP/IP mappings.

2 Design

2.1 Assumptions

In order to perform mapping efficiently, we make certain assumptions about the nature of the network being monitored:

• Network topology is relatively stable. We discuss how often mapping may be performed (based on the prototype mapper's performance) in Sections 5.3 and 5.6.

• The attacker is outside the network; if there is collusion with a user on the inside, there is little any system can do. Malicious insiders working alone are assumed to be unable to change or drop particular packets. This latter assumption is more likely to be true for switched networks.

• There is a firewall that can be used for simple packet-level filtering, especially address-based

Figure 2. Evading a NIDS by manipulating the TTL field [HKP01]. The NIDS is 15 hops from the sender, but the receiver is 20 hops from the sender. Packets with an initial TTL greater than 15 but less than 20 will be seen by the NIDS but will be dropped before reaching the receiver. Since the retransmitted segments are inconsistent, the NIDS does not know the correct interpretation.

2.2 Design Goals

We have been guided by a number of design principles in constructing our system:

• Comparable runtime performance. The use of Active Mapping profiles should not appreciably slow down the NIDS nor significantly increase its memory requirements.

• Mapping should be lightweight. The bandwidth consumed by mapping packets should be small enough not to disrupt ordinary traffic on the network nor disrupt the operation of the host being mapped. The process of mapping should also be completed in a modest amount of wall-clock time.

• Avoid harming the hosts. While no intention-
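The TTL evasion of Figure 2 and the way a hop-count profile lets the NIDS resolve it, as an added example in Python that is not code from the paper or its prototype mapper: it assumes a hypothetical profile database mapping each host to the number of routers between the NIDS observation point and that host, and every profile value and segment below is constructed.

```python
# Added example (not from the paper): a NIDS using an Active Mapping-style
# hop-count profile to drop segments that cannot reach the host (Figure 2).
from dataclasses import dataclass

# Hypothetical profile database: routers between the NIDS observation point
# and each monitored host (constructed value, not a measurement).
PROFILE_HOPS = {"10.0.0.7": 5}

@dataclass(frozen=True)
class Segment:
    dst: str
    seq: int
    ttl: int          # TTL field as observed at the NIDS
    payload: bytes

def reaches_host(seg, profile):
    """True if the segment survives the remaining routers to its destination.
    Each router decrements the TTL and discards the packet when it hits zero,
    so a segment observed with TTL t is delivered only if t > hops.
    Returns None when the host is not in the profile (no decision possible)."""
    hops = profile.get(seg.dst)
    return None if hops is None else seg.ttl > hops

def reassemble(segments, profile=None):
    """Rebuild the byte stream the host would see; returns (data, ambiguous).
    Without a profile, two segments carrying different bytes for the same
    sequence range leave the NIDS unable to tell which version the host
    accepted (ambiguous=True). With a profile, segments that cannot reach
    the host are ignored before reassembly, as described in Section 1."""
    stream, ambiguous = {}, False
    for seg in segments:
        if profile is not None and reaches_host(seg, profile) is False:
            continue                      # dropped in transit: host never sees it
        for i, byte in enumerate(seg.payload):
            off = seg.seq + i
            if off in stream and stream[off] != byte:
                ambiguous = True          # inconsistent retransmission
            stream.setdefault(off, byte)  # keep the first copy observed
    return bytes(stream[k] for k in sorted(stream)), ambiguous

# Constructed evasion: a low-TTL segment that dies after 3 routers, then an
# inconsistent retransmission of the same range that does reach the host.
EVASION_STREAM = [
    Segment("10.0.0.7", seq=0, ttl=3, payload=b"mode=a"),
    Segment("10.0.0.7", seq=0, ttl=60, payload=b"mode=b"),
]
if __name__ == "__main__":
    print(reassemble(EVASION_STREAM))                 # ambiguous, no profile
    print(reassemble(EVASION_STREAM, PROFILE_HOPS))   # (b'mode=b', False)
```

A host absent from the profile is left undecided, so its segments are still reassembled and any conflict is still flagged as ambiguous rather than silently resolved.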