Extensible Architectures for Passive and Active Protocol Interposition

1
Extensible Architectures for Passive and Active
Protocol Interposition

• Farnam Jahanian
• Department of EECS
• University of Michigan
• http//www.eecs.umich.edu/farnam
• (joint work with G.R. Malan, P. Howell, and D.
  Watson)

2
Roadmap

• Motivation
• Windmill extensible probe
• Protocol scrubbers
• Summary

3
Context

• Routers

• Name Servers

• Critical Services

Survivable Network Infrastructure
Network Infrastructure

• Protocol Scrubbers

• Network Attacks

• Replication schemes

• Operational Faults

• Countermeasures

• S/H Failures

Active Response Capabilities
Anomalous Network Events

• Netflow Statistics

• Event Aggregation

Analysis Engines
Coarse and Fine Grained Measurement Tools

• Windmill Probes

• Data Mining

4
Protocol Interposition Tools

• Windmill Measurement Probe
• Passive measurement mechanism for on-line
  reconstruction of functional and performance
  behavior of infrastructure and application-level
  protocols from low-level network traffic
• Programmable and extensible
• Protocol Scrubbers
• New class of active interposition mechanisms for
  on-line monitoring and enforcement of network
  security policies
• Transparent protection of networking
  infrastructure such as routers and switches

5
Windmill Overview

• An open-architecture programmable tool for
  passive measurement
• Infer performance functional behavior through
  eavesdropping on-line state reconstruction
• How does it work?
• High-speed Packet Filter Extracts from a network
  vantage points underlying data flows
• Abstract Protocol Modules Reconstructs
  higher-level protocols (BGP, RIP, HTTP) from
  network traffic in real-time
• Experiment Engine Supports dynamically loadable
  run-time experiments

6
Windmill Architecture
Experiment Engine
Abstract Protocol Modules
TCP
BGP
IP
Exp2
Exp1
RIP
UDP
...
Packet Dispatcher
HTTP
Windmill Packet Filter
Packet Flows
7

• Windmill's Features

• Measure overloaded, shrink-wrapped system
• Correlate events from different layers
• Feedback mechanism for active measurements
• Data reduction at the measurement point
• Support for 24x7 measurement
• Dynamically add/remove concurrent experiments

8

• Windmill Packet Filter (WPF)

• Allows one-to-many multiplexing
• Avoids problems with ambiguous filters
• Dynamically compiled machine language module
• Constructs an intermediate DAG rep. of
  subscriptions
• Compiles this graph to a native machine lang.
  Module
• Installs this module in the probe machines kernel

9

• Abstract Protocol Modules

• Used to reconstruct target protocol
• Inverts protocol stack, drills down
• Don't run the whole stack on packet
• "Opens the Hood" on underlying protocols
• Each module exports its protocol abstraction
• Semantics taken from BSD stack

10

• Extensible Experiment Engine

• Manages the set of concurrent experiments
• Add
• Remove
• Execute
• Modify State
• Provides interface for storage and dissemination
• Custom loader dynamically links experiments as
  they are loaded.

11

• Broad Range of Studies Conducted using Windmill

• BGP routing protocol congestion collapse -
  SIGCOMM98
• RIP intra-domain routing protocol - OPENSIG99
• Overloaded web servers (Microsoft vs. Netscape)
• Campus network traffic characterization -
  OPENSIG99
• Detection of NMAP scans - UM tech report
• Space science collaboratory application -
  SIGCOMM98

12
Border Gateway Protocol (BGP)
Sprint
MCI

• Interdomain protocol between Autonomous Systems
  at exchange points
• Routing peers exchange reachability information
  incrementally using TCP
• SIGCOMM97 paper identified major instability and
  pathological behavior in BGP routing

13
BGP Congestion Collapse HypothesisValidated
Using Windmill

• Congestion causes underlying TCP to backoff
• BGP-level timers expire, causing termination
• Interaction between BGP and TCP leads to router
  congestion collapse
• High bandwidth utilization ? BGP Instability

14

• Web Server Experiments

• Demonstrates
• Measure overloaded, shrink-wrapped system
• No modification of web servers / end hosts
• Data reduction at the measurement point
• Support for 24x7 measurement
• Obtain "hard to get" metrics
• TCP connections dropped by server
• HTTP connection establishment latency
• Server's Aggregate bandwidth

15

• Web Experimental Apparatus

Web Servers
Windmill
16
Connections Attempted vs. Established
17
Key Challenge

• Coarse-grained network flow measurement are
  becoming more common in enterprise routers
  switches from vendors
• Fine-grained measurement technologies provide
  packet traces and enable protocol state
  reconstruction (e.g., packet sniffers, Windmill)
• Integration of two technologies has numerous
  applications in enterprise-wide networks
• Traffic characterization
• Cache replica placement
• Denial of service anomaly detection
• Backtracing intrusion attacks

18
Protocol Scrubbers

• A transparent interposition mechanism for on-line
  modification of traffic to comply with network
  security policies
• Enables protection of critical network
  infrastructure such as routers, switches and
  enterprise servers
• Ability to remove attacks targeted at distinct
  layers in the protocol stack
• Placed in front of critical infrastructure or
  eventually built into routers and switches

19
Applications of Protocol Scrubbers

• Intrusion Detection
• Firewalls attack removal
• Anti-fingerprinting Tools
• Content-based filtering
• Load-balancing Proxies
• ...

TCP/IP Scrubber
Application-level Scrubber
Infrastructure Scrubber
BGP, RIP, DNS
TCP, UDP, IP
HTTP, FTP
20
TCP/IP Protocol Scrubber

• TCP/IP Protocol Scrubber Implementation
• converts potentially ambiguous flows into
  homogenized well-behaved flows
• maintains a very small amount of state per flow
  lighter than full transport proxy
• eliminates insertion and evasion attacks
• FreeBSD implementation on Pentium. Next on
  Linux!
• Performance comparable to IP forwarding and much
  better than commercial transport-level proxy

21
Example Domain Network Intrusion Detection

• Network ID systems watch traffic
• Look for malicious use and attacks
• Doesnt modify flow
• Notifies security administrator upon detection
• Attackers counter with crud

22
Ambiguities in Protocol Implementation

• Examples from Ptacek and Newsham 98
• IP TTL attack
• Packet too large for link without fragmenting
• DST configured to drop source routed packets
• DST may timeout fragments differently
• DST may reassemble fragments differently
• DST doesnt accept packets with certain options
• DST may use PAWS and silently discard packets
• DST may resolve conflicting segments differently
• DST may not check seqno on RST packets

23
Example Attack
End Host Reconstruction 012345678
NIDS Reconstruction 012345678
NIDS Reconstruction 012345678 ?ood url
End Host Reconstruction 012345678 ?ood url
24
Example Attack
End Host Reconstruction 012345678 go blue!!
NIDS Reconstruction 012345678 good url.
25
TCP/IP Scrubber Use
External Host (Untrusted)
Internal Host (Trusted)
Scrubber or Transport Proxy
26
How the TCP Scrubber Solves the Previous Example
NIDS Reconstruction 012345678
End Host Reconstruction 012345678
NIDS Reconstruction 012345678 good url.
End Host Reconstruction 012345678 good url.
Scrubber Reconstruction 012345678
Scrubber Reconstruction 012345678 ?ood url.
Scrubber Reconstruction 012345678 good url
27
TCP/IP Scrubber Micro-benchmarks

• How does the scrubber affect throughput?
• Measured at the TCP level using netperf

• How does the scrubber affect forwarding latency
  in the kernel?
• Measured using Pentium on-chip cycle counter

28
TCP/IP Scrubber Macro-benchmarks

• Macro-benchmarks (answer two questions)
• How much overhead does the scrubber add?
• Increase the number of clients and see how many
  connections per second we can sustain
• Does the scrubber treat well-behaved flows
  adversely?
• Inject range of artificial loss into flows to
  determine gross differences between IP forwarding
  and scrubbing

29
TCP/IP Scrubber Sustainable Connections With No
Loss
2500
2000
Requests serviced per second
1500
IP Forwarding
1000
TCP/IP Scrubbing
User space proxy
500
0
0
100
200
300
400
Number of concurrent connections
30
TCP/IP ScrubberSustainable Connections With
Artificial Loss
2500
Transport Scrubbing
IP Forwarding
2000
1500
Requests serviced per second
1000
500
0
0
2
4
6
8
10
Packet loss (percentage)
31
Infrastructure Protocol Scrubbing

• a lightweight transparent mechanism for
  preventing network attacks
• scrubber can masquerade as a set of network
  services
• allows protection of infrastructure level
  protocols (such as OSPF and BGP)
• enabled through a single modification to the
  socket API no modification of client or server
  code

Scrubber
Client
Set of Servers
32
Final Remarks

• Passive vs. active protocol interposition
• Coarse-grained vs. fine-grained measurement
• Open architectures and programmability
• Future work