Extensible Architectures for Passive and Active Protocol Interposition

Farnam Jahanian Department of EECS University of Michigan http://www.eecs.umich.edu/~farnam (joint work with G.R. Malan, P. Howell, and D. Watson)

Roadmap

Motivation

Windmill extensible probe

Protocol scrubbers

Summary

Context

(Diagram: Survivable Network Infrastructure, built from the four groups of components below)

Active Response Capabilities / Network Infrastructure:
– Routers
– Name Servers
– Critical Services
– Protocol Scrubbers
– Replication schemes
– Countermeasures

Anomalous Network Events:
– Network Attacks
– Operational Faults
– S/H Failures

Analysis Engines:
– Event Aggregation
– Data Mining

Coarse and Fine Grained Measurement Tools:
– Netflow Statistics
– Windmill Probes

Protocol Interposition Tools

Windmill Measurement Probe:

– Passive measurement mechanism for on-line reconstruction of functional and performance behavior of infrastructure and application-level protocols from low-level network traffic
– Programmable and extensible

Protocol Scrubbers:

– New class of active interposition mechanisms for on-line monitoring and enforcement of network security policies
– Transparent protection of networking infrastructure such as routers and switches

Windmill Overview

An open-architecture programmable tool for passive measurement

Infer performance & functional behavior through eavesdropping & on-line state reconstruction

How does it work?

High-speed Packet Filter:

Extracts the underlying data flows at a network vantage point

Abstract Protocol Modules:

Reconstructs higher-level protocols ( BGP, RIP, HTTP ) from network traffic in real-time 

Experiment Engine:

Supports dynamically loadable run-time experiments

Windmill Architecture

(Diagram: packet flows enter the Windmill Packet Filter, are handed by the Packet Dispatcher to the Abstract Protocol Modules (IP, TCP, UDP, BGP, RIP, HTTP, ...), which in turn feed the Experiment Engine running experiments Exp1, Exp2, ...)

Windmill's Features

Measure overloaded, shrink-wrapped system

Correlate events from different layers

Feedback mechanism for active measurements

Data reduction at the measurement point

Support for 24x7 measurement

Dynamically add/remove concurrent experiments

Windmill Packet Filter (WPF)

Allows one-to-many multiplexing

Avoids problems with ambiguous filters

Dynamically compiled machine language module:

– Constructs an intermediate DAG representation of subscriptions
– Compiles this graph to a native machine language module
– Installs this module in the probe machine's kernel

Abstract Protocol Modules

Used to reconstruct target protocol

Inverts protocol stack, drills down

Don't run the whole stack on packet

"Opens the Hood" on underlying protocols

Each module exports its protocol abstraction

Semantics taken from BSD stack

Extensible Experiment Engine

Manages the set of concurrent experiments:

– Add
– Remove
– Execute
– Modify State

Provides interface for storage and dissemination

Custom loader dynamically links experiments as they are loaded.

Broad Range of Studies Conducted using Windmill

BGP routing protocol congestion collapse - SIGCOMM'98

RIP intra-domain routing protocol - OPENSIG'99

Overloaded web servers (Microsoft vs. Netscape)

Campus network traffic characterization - OPENSIG'99

Detection of NMAP scans - UM tech report

Space science collaboratory application - SIGCOMM'98

Border Gateway Protocol (BGP)

(Diagram: BGP peering between autonomous systems, e.g. MCI and Sprint)

Interdomain protocol between Autonomous Systems at exchange points

Routing peers exchange reachability information incrementally using TCP

SIGCOMM’97 paper identified major instability and pathological behavior in BGP routing

BGP Congestion Collapse Hypothesis Validated Using Windmill

– Congestion causes underlying TCP to back off
– BGP-level timers expire, causing termination
– Interaction between BGP and TCP leads to router congestion collapse
– High bandwidth utilization
– BGP instability

Web Server Experiments

Demonstrates:

– Measure overloaded, shrink-wrapped system
– No modification of web servers / end hosts
– Data reduction at the measurement point
– Support for 24x7 measurement

Obtain "hard to get" metrics:

– TCP connections dropped by server
– HTTP connection establishment latency
– Server's aggregate bandwidth

Web Experimental Apparatus

(Diagram: four clients drive two web servers, Microsoft and Netscape, while Windmill passively observes the traffic)

Connections Attempted vs. Established

(Chart: connections established (0-800) vs. connection attempts per second (0-900) for Microsoft IIS 2.0 and Netscape ES 3.0)

Key Challenge

Coarse-grained network flow measurement:

– becoming more common in enterprise routers & switches from vendors

Fine-grained measurement technologies:

– provide packet traces and enable protocol state reconstruction (e.g., packet sniffers, Windmill)

Integration of the two technologies has numerous applications in enterprise-wide networks:

– Traffic characterization
– Cache & replica placement
– Denial of service & anomaly detection
– Backtracing intrusion attacks

Protocol Scrubbers

A transparent interposition mechanism for on-line modification of traffic to comply with network security policies

Enables protection of critical network infrastructure such as routers, switches and enterprise servers

Ability to remove attacks targeted at distinct layers in the protocol stack

Placed in front of critical infrastructure or eventually built into routers and switches

Applications of Protocol Scrubbers

– Intrusion Detection
– Firewalls & attack removal
– Anti-fingerprinting Tools
– Content-based filtering
– Load-balancing Proxies
– ...

Scrubber layers:

– TCP/IP Scrubber: TCP, UDP, IP
– Infrastructure Scrubber: BGP, RIP, DNS
– Application-level Scrubber: HTTP, FTP

TCP/IP Protocol Scrubber

TCP/IP Protocol Scrubber Implementation:

– converts potentially ambiguous flows into homogenized well-behaved flows
– maintains a very small amount of state per flow … lighter than a full transport proxy
– eliminates insertion and evasion attacks

FreeBSD implementation on Pentium. Next on Linux!

Performance comparable to IP forwarding and much better than a commercial transport-level proxy

Example Domain: Network Intrusion Detection

Network ID systems watch traffic

Look for malicious use and attacks

Doesn’t modify flow

Notifies security administrator upon detection

Attackers counter with crud

Ambiguities in Protocol Implementation

Examples from [Ptacek and Newsham '98]:

– IP TTL attack
– Packet too large for link without fragmenting
– DST configured to drop source routed packets
– DST may time out fragments differently
– DST may reassemble fragments differently
– DST doesn't accept packets with certain options
– DST may use PAWS and silently discard packets
– DST may resolve conflicting segments differently
– DST may not check seqno on RST packets

Example Attack

Packet 1, offsets 012345678: "?ood url."

Reconstruction: "?ood url."

Packet 2, offsets 012345678: "go blue!!"

Reconstruction: ambiguous (both segments claim the same sequence numbers, and the monitor cannot know which one the destination will keep)

TCP/IP Scrubber: Use

(Diagram: External Host (Untrusted) -> Scrubber or Transport Proxy -> Internal Host (Trusted))

How the TCP Scrubber Solves the Previous Example

Scrubber reconstruction, offsets 012345678: (empty)

Packet 1-U (from untrusted side), offsets 012345678: "?ood url."
Reconstruction: "good url."

Packet 2-U (from untrusted side), offsets 012345678: "go blue!!"
Reconstruction: unchanged, "good url."

Packet 2-T (forwarded to trusted side), offsets 012345678: "good url."
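As an added illustration (not code from the Windmill or scrubber project), a minimal Python model of how the scrubber removes the overlap ambiguity above: per flow it remembers only the bytes it has already forwarded but the trusted side has not yet acknowledged, and rewrites any later segment covering those sequence numbers to the bytes it forwarded before, so the trusted host can reconstruct only one stream. The per-flow state layout, the drop rules for out-of-order or already-acknowledged data, and the sample payloads are assumptions constructed from the slide's example.

```python
class TcpScrubber:
    """Toy model of a TCP scrubber for one direction of traffic (untrusted -> trusted).

    Assumption: the only per-flow state is the contiguous run of bytes forwarded to the
    trusted side but not yet ACKed by it, which is what later overlaps are checked against.
    """

    def __init__(self):
        # flow_id -> {"base": seq of first kept byte, "buf": forwarded-but-unacked bytes}
        self._flows = {}

    def scrub(self, flow_id, seq, payload):
        """Return the bytes the trusted side receives for this segment, or None if dropped."""
        st = self._flows.setdefault(flow_id, {"base": seq, "buf": bytearray()})
        base, buf = st["base"], st["buf"]
        kept_end = base + len(buf)
        end = seq + len(payload)
        if end <= base:
            return None  # entirely below what the trusted side already ACKed: drop
        if seq > kept_end:
            return None  # would leave a hole: drop and let the sender retransmit in order
        if seq < base:
            payload, seq = payload[base - seq:], base  # trim already-ACKed leading bytes
        out = bytearray(payload)
        # Overlap with bytes already forwarded: rewrite to exactly what was forwarded before,
        # so a conflicting retransmission cannot present a second version of the stream.
        lo, hi = max(seq, base), min(end, kept_end)
        if lo < hi:
            out[lo - seq:hi - seq] = buf[lo - base:hi - base]
        # Bytes beyond the forwarded range are new: remember them for later overlaps.
        if end > kept_end:
            buf.extend(payload[kept_end - seq:])
        return bytes(out)

    def ack(self, flow_id, ack_no):
        """Trusted side acknowledged up to ack_no: forget state that is no longer needed."""
        st = self._flows.get(flow_id)
        if st is None:
            return
        n = min(max(ack_no - st["base"], 0), len(st["buf"]))
        del st["buf"][:n]
        st["base"] += n


def slide_example():
    """Constructed replay of the slide: overlapping 'go blue!!' is forced to 'good url.'."""
    s = TcpScrubber()
    first = s.scrub("flow", 0, b"good url.")   # Packet 1-U, forwarded as-is
    second = s.scrub("flow", 0, b"go blue!!")  # Packet 2-U, rewritten on the way out
    return first, second
```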

TCP/IP Scrubber: Micro-benchmarks

How does the scrubber affect throughput?

– Measured at the TCP level using netperf

  Forwarding type   Throughput
  IP Forwarding     83.84 Mbps
  Scrubbing         82.87 Mbps
  Plug Proxy        82.71 Mbps

How does the scrubber affect forwarding latency in the kernel?

– Measured using Pentium on-chip cycle counter

  Forwarding Type     Mean (µs)   Std Dev (µs)
  IP Forwarding        8.00        2.91
  Scrub (1 byte)      13.19        3.38
  Scrub (> 1000)      31.85        5.72

TCP/IP Scrubber: Macro-benchmarks

Macro-benchmarks (answer two questions):

How much overhead does the scrubber add?
– Increase the number of clients and see how many connections per second we can sustain

Does the scrubber treat well-behaved flows adversely?
– Inject a range of artificial loss into flows to determine gross differences between IP forwarding and scrubbing

TCP/IP Scrubber: Sustainable Connections With No Loss

(Chart: sustainable connections (0-2500) vs. number of concurrent connections (0-400) for IP Forwarding, TCP/IP Scrubbing and a user space proxy)

TCP/IP Scrubber: Sustainable Connections With Artificial Loss

(Chart: sustainable connections (0-2500) vs. packet loss percentage (0-10) for Transport Scrubbing and IP Forwarding)

Infrastructure Protocol Scrubbing

– a lightweight transparent mechanism for preventing network attacks
– scrubber can masquerade as a set of network services
– allows protection of infrastructure level protocols (such as OSPF and BGP)
– enabled through a single modification to the socket API; no modification of client or server code

(Diagram: Client -> Scrubber -> Set of Servers)

Final Remarks

Passive vs. active protocol interposition

Coarse-grained vs. fine-grained measurement

Open architectures and programmability

Future work