Abstract
The existing network security infrastructure is not ready for future protocols such as Multipath TCP (MPTCP). As a result, middleboxes are configured to block such protocols. This paper studies the security risk that arises if future protocols are used over unaware infrastructures. In particular, the practicality and severity of cross-path fragmentation attacks utilizing MPTCP against the signature-matching capability of the Snort intrusion detection system (IDS) are investigated. Results reveal that the attack is realistic and opens the possibility to evade any signature-based IDS. To mitigate the attack, a solution is also proposed in the form of the MPTCP Linker tool. The work outlines the importance of MPTCP support in future network security middleboxes.
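The core of the evasion described in the abstract is that an MPTCP-unaware IDS inspects each subflow as an independent TCP connection, so a signature whose bytes are spread over two subflows never appears contiguously in any one of them, while the mitigation (the Linker idea) reorders segments by the MPTCP data sequence number (DSN) across all subflows before matching. The following is an added illustration written for this page, not code from the paper or from the MPTCP Linker tool; the `Segment` record, the `SIGNATURE` pattern, the HTTP-like `MESSAGE` and the cut points are all constructed for the simulation, and no packet capture or Snort parsing is involved.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment of an MPTCP connection (constructed model, not a real packet)."""
    subflow: int   # which subflow (path) carried the segment
    dsn: int       # MPTCP data sequence number: offset into the connection-level byte stream
    payload: bytes


# Constructed stand-in for an IDS "content" match; any real rule pattern would work the same way.
SIGNATURE = b"MALICIOUS-MARKER"


def split_across_subflows(data: bytes, cut_points, n_subflows: int = 2):
    """Test-harness helper: cut a byte stream at the given offsets and alternate the pieces
    over n_subflows subflows, assigning each piece its DSN. Used here only to feed the detectors."""
    segments, start = [], 0
    for i, cut in enumerate(list(cut_points) + [len(data)]):
        if cut > start:
            segments.append(Segment(i % n_subflows, start, data[start:cut]))
            start = cut
    return segments


def reassemble_per_subflow(segments):
    """What an MPTCP-unaware IDS sees: every subflow is reassembled on its own, in isolation."""
    streams = {}
    for seg in sorted(segments, key=lambda s: (s.subflow, s.dsn)):
        streams.setdefault(seg.subflow, bytearray()).extend(seg.payload)
    return {sub: bytes(buf) for sub, buf in streams.items()}


def reassemble_linked(segments, start_dsn: int = 0):
    """Cross-subflow reassembly keyed on the DSN. Returns (contiguous bytes, next expected DSN).
    Duplicates and overlaps are discarded; at the first gap the walk stops so the caller can
    keep buffering until the missing segment arrives on whichever subflow carries it."""
    buf, expected = bytearray(), start_dsn
    for seg in sorted(segments, key=lambda s: s.dsn):
        end = seg.dsn + len(seg.payload)
        if end <= expected:
            continue            # fully retransmitted duplicate
        if seg.dsn > expected:
            break               # gap: data still in flight on another subflow
        buf.extend(seg.payload[expected - seg.dsn:])   # trim any overlap
        expected = end
    return bytes(buf), expected


def unaware_ids_alerts(segments, pattern: bytes = SIGNATURE) -> bool:
    """Signature match the way a per-connection IDS would do it."""
    return any(pattern in stream for stream in reassemble_per_subflow(segments).values())


def linked_ids_alerts(segments, pattern: bytes = SIGNATURE) -> bool:
    """Signature match on the DSN-ordered, connection-level stream."""
    data, _ = reassemble_linked(segments)
    return pattern in data


# Constructed request in which the signature straddles a subflow boundary.
MESSAGE = b"GET /index.html HTTP/1.1\r\nX-Test: " + SIGNATURE + b"\r\n\r\n"
_sig_at = MESSAGE.index(SIGNATURE)
SEGMENTS = split_across_subflows(MESSAGE, [_sig_at + 5, _sig_at + 11])


if __name__ == "__main__":
    print("per-subflow IDS alerts:", unaware_ids_alerts(SEGMENTS))      # False
    print("DSN-linked IDS alerts: ", linked_ids_alerts(SEGMENTS))       # True
    print("out-of-order delivery: ", linked_ids_alerts(list(reversed(SEGMENTS))))
```

Running it shows the per-subflow view missing the pattern while the linked view finds it even when segments arrive out of order; dropping the middle segment makes `reassemble_linked` stop at the gap, which is the point where a real linker must hold data rather than release an incomplete stream to the matcher.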
Notes
1. Traditional TCP is the same TCP we know and use today.
2. Multipath TCP is also referred to as MPTCP.
3. Among these three files, one contains old and deleted rules, one is for local rules and the third is for obsolete X windows rules. All of these were deemed irrelevant.
4. According to the new Snort rule categories.
5. About one half of the Snort rule set is evaluated, but similar results are expected from the remaining rules.
Acknowledgments
The work was carried out in the High Quality Networked Services in a Mobile World (HITS) project, funded partly by the Knowledge Foundation of Sweden. The authors are grateful for the support provided by Catherine Pearce of Cisco.
© 2015 Springer International Publishing Switzerland
Cite this paper
Afzal, Z., Lindskog, S. (2015). Multipath TCP IDS Evasion and Mitigation. In: Lopez, J., Mitchell, C. (eds) Information Security. ISC 2015. Lecture Notes in Computer Science(), vol 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_15
DOI: https://doi.org/10.1007/978-3-319-23318-5_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23317-8
Online ISBN: 978-3-319-23318-5
eBook Packages: Computer Science; Computer Science (R0)