Stepping Stone Tracing and IDS Evaluation

1
Stepping Stone Tracing and IDS Evaluation

• S. Felix Wu
• Computer Science Department
• University of California, Davis

2
Tracing vs. Anonymity

• Packet-Level Layer-3 Tracing
• iTrace
• Application-Layer Tracing
• Botnet
• Stepping Stone
• Chains of Evil (across inter-domain)

3
Attack Chain
LLNL
NYU
UCDavis
XP
UCSD
Linux
4
Simple Trusted 3rdPty Proxy

• Secure Relay Service

Proxy
Target
Sender
Encryption Decryption
Decryption Mapping Mapping and Encryption
Receive Reply
5
Mix
Mix
Real vs dummy messages!!
6
A Network of Mixers
target
Mix
Mix
Mix
Mix
Mix
Mix
sender
Mix
Mix
Mix
7
Multi-Layer Encryption

• E(PK1, Mix2, E(PK2, Mix3, E(PK3, Target,
  Message))).

ENC-PK-Mix1
ENC-PK-Mix2
ENC-PK-Mix3
Mix2,
Mix3,
Target, Message
8
Reply

• Mix3, E(PK3, Mix2, E(PK2, Mix1, E(PK1,
  Sender))), E(PKSKey, Reply).
• Only the Target can open the senders reply path.
• Only the Sender knows about SKey.

9
Malicious Onion Bombing
LLNL
NYU
UCDavis
XP
UCSD
Mix, Onion R., Babel, Crowd, LPWA E.g., Anonymous
WEB Access
Linux
10
Connection Correlation

• We can not trust the stepping stones
  themselves.
• Given an outgoing connection, whether we can
  find the correlating incoming connection.
• Currently assuming 1-1 channel mapping (no
  multiplexing)

???
11
Stepping Stones with Multiplexing
noise
12
Active Tracing

• Active Tracing
• changing the traffic pattern by selective
  delaying and dropping
• detecting changes on the other observation
  point

an incoming connection
a domain with stepping stones.
a set of outgoing connections
13
Dropping for SSCP-Tracing

• SSCP (Stepping Stone Connection Pairs)
• attacker observes only a few connections
• correlation gateway sees all the connections
• drop enough just for the gateway to distinguish
  the dropped/watermarked connection
• Challenges
• dropping gt delay
• attackers artificial noise

14
Artificial Traffic
Do we have a packet to send?
Scheduler
a pseudo random traffic generation process
15
Limitations

• RAID2004 ?Impossibility Results
• Multiplexing and De-multiplexing

16
SUIT/iTrace
Dynamic Horizontal Separation
Anonymous Communication
IDS
17
TIETraceable Information Exchange
Host-based
Network
Process
Process
I/O
Process
File Sys.
Information Router
18
Information Tracing

• Understand how information is being propagated,
  combined, modified

Tracing Without Modifying OS kernel
or applications
MINOS
Bochs
19
TIE Analysis

• Correlation between network and OS/CA information
• We will know precisely how the connection chains
  are propagated, even if both encrypted/decrypted
  and multiplexed.
• How to redirect a stepping stone into a
  MINOS-based environment?

20
Information Router
Network
Process
Process
I/O
Process
File Sys.
MINOS
TIE Analysis
Information visualization interface
21
DETER/EMIST

• to provide the scientific knowledge required to
  enable the development of solutions to cyber
  security problems of national importance,
  especially at large-scale.
• Through the creation of an experimental
  infrastructure network -- networks, tools,
  methodologies, and supporting processes -- to
  support national-scale experimentation on
  research and advanced development of security
  technologies.

22
Experimental Evaluation

• Simulation/Emulation/Test-bed

23
Emulab/DETER Experimental Network Cluster of N
nearly identical experimental nodes,
interconnected dynamically into arbitrary
topologies using VLAN switch.
Pool of N processors
160
PC
PC
PC
Switch Control Interface
N x 4 _at_1000bT Data ports
Programmable Patch Panel (VLAN switch)
24
(No Transcript)
25
(No Transcript)
26
The Fidelity Issue

• Would ideally like
• Large and realistic topologies
• Diverse, realistic nodes and links.
• Realistic active traffic
• But
• Fidelity is expensive
• Large-scale fidelity may be unnecessary for
  (maybe even contrary to) good science

27
Data Collection

• Classes of data that are interesting, people want
  collected, and seem reasonable to collect
• Netflow
• Packet traces headers and full packet (context
  dependent)
• Critical infrastructure BGP and DNS data
• Topology data
• IDS / firewall logs
• Performance data
• Network management data (i.e., SNMP)
• VoIP (1400 IP-phone network)
• Blackhole Monitor traffic

DHS-Predict
28

• Limitation of conventional trace replay tools
• Not capable of stateful emulation of TCP
  connections
• Inconsistent data/control packets generation
• E.g. generation of ghost packets
• No good for in-line device testing such as NIPS
  testing
• Live security test environments require
• Realistic test traffic and packet contents
• more interactive traffic replay approach

29

• Trace-based traffic replaying
• Easy to implement and mimic system behaviors
• Real traffic, sufficient diversities
• Hard to adjust trace for various test conditions
• Assuming the test condition is the same as the
  time at the trace was recorded
• Analytic-model based traffic generation
• Easy to control/adjust traffic generation models
• Statistically identical to traffic models.
• Hard to support trace contents for security test
  environments

30
Property-Oriented Analysis
31
TCPopera Design Goals

• No ghost packet generation
• Stateful TCP connection replaying
• Traffic model support
• TCP connection parameters
• IP flow parameters, e.g. Dummynet
• Environment transformation
• IP Address Remapping
• ARP emulation (spoofing)
• Inter-connection dependencies
• Flow dependencies over IP, e.g. Stepping Stone
  Connection
• Application-specific inter-connection
  dependencies
• FTP, HTTP, P2P, etc.

32
TCPtransform High-Level Model
New TCPdump file
Original TCPdump file
TCPopera
33
TCPopera Phase 1 Requirements

• Percentage total packet loss.
• Percentage total packet delay
• Percentage data packet loss.
• Percentage ACK packet loss.
• Percentage data packet delay.
• Percentage ACK packet delay.
• Amount of delay
• Packet loss occurring on sending, receiving, or
  both sending and receiving sides.
• Packet delay occurring on sending, receiving, or
  both sending and receiving sides.

tcp_prof
198.206.5.211
34
TCPopera Phase 1 Design

• What do I mean by dependency?

35
TCPopera Phase 1 Design

• Another example

36
TCPopera Architecture
TCP/IP traffic Parameters
Packet Injection Thread
Trace Records
Trace Analysis
Flow Threads
TCP timer Thread
Packet Capturing Thread
Network Configuration
ARP Emulation
IP Flow Preprocessing
Interactive Flow Replaying
37
TCPOpera Major Components

• IP Flow Preprocess
• Preparing IP flows
• Extraction of TCP connection and IP flow
  parameters
• RTT, transmission rate, packet loss rate, path
  MTU
• Address remapping, ARP emulation
• IP Flow process
• Creating a POSIX thread for each IP flow
• TCP control block emulation
• Traffic Models
• TCP parameters for the initiation of TCP control
  blocks
• Gap-based packet loss model

38
TCPopera Major Components (Contd)

• TCP Functions
• Based on BSD4.4-Lite release (1994) - TCP Reno
• 8 TCP timers
• Timeout Retransmission
• RTT measurement
• Fast Retransmit Fast Recovery
• Flow Congestion Control
• TCPopera Timer
• Slow timer (500ms)
• Fast timer (200ms)
• Packet Injection/Packet Capturing
• Libnet and Pcap
• IP/TCP checksum recalculation if a packet is
  modified

39
Config file Example

• SETDROP ALL 192.186.0.2 25
• SETDROP DACK 192.186.0.3 25
• SETDROP DATA 192.186.0.3 50
• SETRETRANSMIT 192.186.0.2 3
• SETRETRANSMIT 192.186.0.3 2
• SETINITTIMEOUT 192.186.0.2 1.3

40
TCPopera Example

• DROPPED
• 100801.644364 nupte.cs.ucdavis.edu.32780 gt
  192.186.0.3.telnet P 56(1) ack 6 win 5840
  ltnop,nop,timestamp 69960 240133055gt (DF) tos
  0x10
• 100801.644474 192.186.0.3.telnet gt
  nupte.cs.ucdavis.edu.32780 P 67(1) ack 6 win
  5792 ltnop,nop,timestamp 240133066 69960gt (DF)
  tos 0x10
• TCPopera generates
• 1st transmission
• 100806.134362 nupte.cs.ucdavis.edu.32780 gt
  192.186.0.3.telnet P 56(1) ack 6 win 5840
  ltnop,nop,timestamp 69960 240133055gt (DF) tos
  0x10
• RETRANSMISSION
• 100807.824361 nupte.cs.ucdavis.edu.32780 gt
  192.186.0.3.telnet P 56(1) ack 6 win 5840
  ltnop,nop,timestamp 69960 240133055gt (DF) tos
  0x10
• 100807.824471 192.186.0.3.telnet gt
  nupte.cs.ucdavis.edu.32780 P 67(1) ack 6 win
  5792 ltnop,nop,timestamp 240133066 69960gt (DF)
  tos 0x10

41
You can specify it explicitly as var
HOME_NET 20.20.0.0/16 var HOME_NET
10.1.1.0/24,192.168.1.0/24,192.168.1.0/16
Set up the external variable to specify this
TCPopera node covers all other hosts other than
HOME_NET. var EXTERNAL_NET on Configure the
replay mode. TCPopera supports three different
replay mode. var REPLAY_MODE INTERACTIVE_REPLAY
var REPLAY_MODE CLIENT_EMULATION var
REPLAY_MODE SERVER_EMULATION If the
replay_mode is CLIENT_EMULATION, the following
variable stores the server list that the client
should be connected to. var CE_SERVER_LIST
./ce_server.config Configure your
defaultrouter in your testbed. Trusted
Interface var DEFAULTROUTER_IPV4 172.16.0.254 var
DEFAULTROUTER_MAC 009027322329 External
Interface var DEFAULTROUTER_IPV4
192.168.0.254 var DEFAULTROUTER_MAC
00045A724653 Configure node type for the
synchronization var SYNC_SERVER_FLAG on
Configure your synchronization server IP
address and port number TCPopera will use this
information to synchronize the replaying
information. var SYNC_SERVER_ADDR 30.30.1.100 var
SYNC_SERVER_PORT 9999 locations for output
files output DEBUG_FILE ../output/opera.debug outp
ut FLOW_FILE ../output/opera.flow output LOG_FILE
../output/opera.log output DROP_FILE
../output/opera.drop output STAT_FILE
../output/opera.stat Include the address
remapping file. This line will read remap file
and change the IP addresses in a trace file to
new IP addresses as specified in the remap
file. config remap ./config/remap.config If
you want to use the general packet loss rate
configuration, uncomment the following
variables. var PL_RATE 0.001 var PLR_INDEX
1.0 var PLR_SCALE 2.0 Otherwise, include the
drop rate file. config drop_rate
../config_files/drop_rate.config Include the
TCP/IP parameter configuration file Include
flow_parameter ./config/flow.config
42
You can specify it explicitly as var
HOME_NET 20.20.0.0/16 var HOME_NET
10.1.1.0/24,192.168.1.0/24,192.168.0.0/16
Set up the external variable to specify this
TCPopera node covers all other hosts other than
HOME_NET. var EXTERNAL_NET on Configure the
replay mode. TCPopera supports three different
replay mode. var REPLAY_MODE INTERACTIVE_REPLAY
var REPLAY_MODE CLIENT_EMULATION var
REPLAY_MODE SERVER_EMULATION If the
replay_mode is CLIENT_EMULATION, the following
variable stores the server list that the client
should be connected to. var CE_SERVER_LIST
./ce_server.config Configure your
defaultrouter in your testbed. Trusted
Interface var DEFAULTROUTER_IPV4 172.16.0.254 var
DEFAULTROUTER_MAC 009027322329 External
Interface var DEFAULTROUTER_IPV4
192.168.0.254 var DEFAULTROUTER_MAC
00045A724653 Configure node type for the
synchronization var SYNC_SERVER_FLAG on
Configure your synchronization server IP
address and port number TCPopera will use this
information to synchronize the replaying
information. var SYNC_SERVER_ADDR 30.30.1.100 var
SYNC_SERVER_PORT 9999 locations for output
files output DEBUG_FILE ../output/opera.debug outp
ut FLOW_FILE ../output/opera.flow output LOG_FILE
../output/opera.log output DROP_FILE
../output/opera.drop output STAT_FILE
../output/opera.stat Include the address
remapping file. This line will read remap file
and change the IP addresses in a trace file to
new IP addresses as specified in the remap
file. config remap ./config/remap.config If
you want to use the general packet loss rate
configuration, uncomment the following
variables. var PL_RATE 0.001 var PLR_INDEX
1.0 var PLR_SCALE 2.0 Otherwise, include the
drop rate file. config drop_rate
../config_files/drop_rate.config Include the
TCP/IP parameter configuration file Include
flow_parameter ./config/flow.config
43
You can specify it explicitly as var
HOME_NET 20.20.0.0/16 var HOME_NET
10.1.1.0/24,192.168.1.0/24,192.168.1.0/16
Set up the external variable to specify this
TCPopera node covers all other hosts other than
HOME_NET. var EXTERNAL_NET on Configure the
replay mode. TCPopera supports three different
replay mode. var REPLAY_MODE INTERACTIVE_REPLAY
var REPLAY_MODE CLIENT_EMULATION var
REPLAY_MODE SERVER_EMULATION If the
replay_mode is CLIENT_EMULATION, the following
variable stores the server list that the client
should be connected to. var CE_SERVER_LIST
./ce_server.config Configure your
defaultrouter in your testbed. Trusted
Interface var DEFAULTROUTER_IPV4 172.16.0.254 var
DEFAULTROUTER_MAC 009027322329 External
Interface var DEFAULTROUTER_IPV4
192.168.0.254 var DEFAULTROUTER_MAC
00045A724653 Configure node type for the
synchronization var SYNC_SERVER_FLAG on
Configure your synchronization server IP
address and port number TCPopera will use this
information to synchronize the replaying
information. var SYNC_SERVER_ADDR 30.30.1.100 var
SYNC_SERVER_PORT 9999 locations for output
files output DEBUG_FILE ../output/opera.debug outp
ut FLOW_FILE ../output/opera.flow output LOG_FILE
../output/opera.log output DROP_FILE
../output/opera.drop output STAT_FILE
../output/opera.stat Include the address
remapping file. This line will read remap file
and change the IP addresses in a trace file to
new IP addresses as specified in the remap
file. config remap ./config/remap.config If
you want to use the general packet loss rate
configuration, uncomment the following
variables. var PL_RATE 0.001 var PLR_INDEX
1.0 var PLR_SCALE 2.0 Otherwise, include the
drop rate file. config drop_rate
../config_files/drop_rate.config Include the
TCP/IP parameter configuration file Include
flow_parameter ./config/flow.config
44
You can specify it explicitly as var
HOME_NET 20.20.0.0/16 var HOME_NET
10.1.1.0/24,192.168.1.0/24,192.168.1.0/16
Set up the external variable to specify this
TCPopera node covers all other hosts other than
HOME_NET. var EXTERNAL_NET on Configure the
replay mode. TCPopera supports three different
replay mode. var REPLAY_MODE INTERACTIVE_REPLAY
var REPLAY_MODE CLIENT_EMULATION var
REPLAY_MODE SERVER_EMULATION If the
replay_mode is CLIENT_EMULATION, the following
variable stores the server list that the client
should be connected to. var CE_SERVER_LIST
./ce_server.config Configure your
defaultrouter in your testbed. Trusted
Interface var DEFAULTROUTER_IPV4 172.16.0.254 var
DEFAULTROUTER_MAC 009027322329 External
Interface var DEFAULTROUTER_IPV4
192.168.0.254 var DEFAULTROUTER_MAC
00045A724653 Configure node type for the
synchronization var SYNC_SERVER_FLAG on
Configure your synchronization server IP
address and port number TCPopera will use this
information to synchronize the replaying
information. var SYNC_SERVER_ADDR 30.30.1.100 var
SYNC_SERVER_PORT 9999 locations for output
files output DEBUG_FILE ../output/opera.debug outp
ut FLOW_FILE ../output/opera.flow output LOG_FILE
../output/opera.log output DROP_FILE
../output/opera.drop output STAT_FILE
../output/opera.stat Include the address
remapping file. This line will read remap file
and change the IP addresses in a trace file to
new IP addresses as specified in the remap
file. config remap ./config/remap.config If
you want to use the general packet loss rate
configuration, uncomment the following
variables. var PL_RATE 0.001 var PLR_INDEX
1.0 var PLR_SCALE 2.0 Otherwise, include the
drop rate file. config drop_rate
../config_files/drop_rate.config Include the
TCP/IP parameter configuration file Include
flow_parameter ./config/flow.config
45
TCPopera Validation
Snort (stream4)
External TCPopera node
Internal TCPopera node
BSD Firewall (ipfw)
Dummynet
LAN

• TCPopera nodes
• 2 GHz Intel Pentium 4, 768MB RAM
• Internal Redhat 8 (2.4.18), External Redhat 9
  (2.4.20)
• Network Emulator
• 455MHz Pentium II Celeron, 256MB RAM
• FreeBSD5.0, IPFW (with Dummynet)
• Snort 2.3
• 3.2 GHz Intel Pentium 4 Processor, 512MB
• Slackware 10.0 (2.4.26)
• All Snort rules are enabled including the Stream4
  analysis

46
TCPopera traffic reproduction

• DARPA IDEVAL99 (first 12 hours of 03/29/99)

Category Category Input trace TCPopera TCPopera
Category Category Input trace No loss 1 loss
IP Packets 1,502,584 1,552,882 1,531,388
IP Bytes 234,434,486 234,991,187 232,145,926
TCP Packets 1,225,905 1,276,195 1,254,762
TCP Bytes 194,927,209 195,483,762 192,647,088
UDP Packets 276,286 276,294 276,234
UDP Bytes 39,474,602 39,495,286 39,466,797
ICMP Packets 393 393 392
ICMP Bytes 32,675 32,139 32,041
TCP connections replayed TCP connections replayed 18,138 18,138 18,043
TCP connections completed TCP connections completed 14,974 14,971 14,796
47
TCPopera Traffic reproduction

• Traffic volume comparison (every minute)

IP Bytes
TCP Bytes
48
TCPopera Traffic Reproduction

• Inter-connection time

49
TCPopera Traffic Reproduction
Input Connections
C1
C2
C3
C4
C5
time
Replayed Connections
C1 (packet drop)
C2
C3
C4
C5
50
TCPopera validation (Snort Evaluation)

• ITRI Dataset
• Collected for 30 minutes from a host within
  140.96.114.0/24 segment in Taiwan
• Major applications HTTP, P2P (eDonkey), FTP

Signature No. of alerts No. of alerts No. of alerts No. of alerts
Signature Input trace TCPopera TCPopera TCPopera
Signature Input trace No-loss 1 loss 3 loss
ICMP Destination/Port Unreachable 5 5 5 5
ICMP Destination/Host Unreachable 2 2 2 2
ICMP Destination Unreachable Fragmentation needed but DF bit is set 1 1 1 1
P2P eDonkey Transfer 3 3 3 3
(stream4) Possible retransmission detection 38 212 200 181
(stream4) WINDOW violation detection 488 3 1 4
Total 537 226 212 196