
Multipath TCP IDS Evasion and Mitigation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9290)

Abstract

The existing network security infrastructure is not ready for future protocols such as Multipath TCP (MPTCP). The outcome is that middleboxes are configured to block such protocols. This paper studies the security risk that arises if future protocols are used over unaware infrastructures. In particular, the practicality and severity of cross-path fragmentation attacks utilizing MPTCP against the signature-matching capability of the Snort intrusion detection system (IDS) are investigated. Results reveal that the attack is realistic and opens the possibility of evading any signature-based IDS. To mitigate the attack, a solution is also proposed in the form of the MPTCP Linker tool. The work outlines the importance of MPTCP support in future network security middleboxes.
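As an added illustration of the risk and the mitigation summarised above (this is not the paper's MPTCP Linker and not code from the authors), the following Python model shows segments of one MPTCP connection arriving over two subflows: a matcher that inspects each subflow on its own misses a signature split across paths, while a reassembler that links subflows by connection token and orders bytes by data sequence number (DSN) restores the stream before matching. The token and DSN fields are assumed to have been parsed already from the MP_CAPABLE/DSS options; the subflow ids and the sample request are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Segment:
    """One TCP segment seen on the wire, reduced to the MPTCP fields this model needs."""
    token: int      # connection token shared by all subflows of one MPTCP connection
    subflow: int    # which subflow (address pair) carried the segment; constructed id
    dsn: int        # data sequence number from the DSS option (connection-level offset)
    payload: bytes

def per_subflow_match(segments: List[Segment], signature: bytes) -> bool:
    """MPTCP-unaware inspection: each subflow is treated as an independent TCP stream."""
    streams: Dict[int, bytearray] = {}
    for seg in sorted(segments, key=lambda s: s.dsn):
        streams.setdefault(seg.subflow, bytearray()).extend(seg.payload)
    return any(signature in stream for stream in streams.values())

def link_subflows(segments: List[Segment]) -> Dict[int, bytes]:
    """MPTCP-aware reassembly: group segments by token and stitch them in DSN order.
    Duplicates (DSN below the next expected offset) are dropped; a hole stops reassembly."""
    by_conn: Dict[int, List[Segment]] = {}
    for seg in segments:
        by_conn.setdefault(seg.token, []).append(seg)
    streams: Dict[int, bytes] = {}
    for token, segs in by_conn.items():
        segs.sort(key=lambda s: s.dsn)
        buf, expected = bytearray(), segs[0].dsn
        for seg in segs:
            if seg.dsn < expected:      # duplicate, possibly resent on another path
                continue
            if seg.dsn > expected:      # missing data: stop and wait for it
                break
            buf.extend(seg.payload)
            expected += len(seg.payload)
        streams[token] = bytes(buf)
    return streams

def linked_match(segments: List[Segment], signature: bytes) -> bool:
    """Signature matching over the reassembled connection-level byte stream."""
    return any(signature in stream for stream in link_subflows(segments).values())

# Constructed sample traffic: one request whose matching bytes straddle two subflows.
SIGNATURE = b"TEST-SIGNATURE"
SAMPLE = [
    Segment(0xABCD, 1, 1000, b"GET /x?TEST-"),
    Segment(0xABCD, 2, 1012, b"SIG"),
    Segment(0xABCD, 1, 1015, b"NATURE HTTP/1.1\r\n"),
]
```

Running `per_subflow_match(SAMPLE, SIGNATURE)` returns False (the split signature is not seen on either path), while `linked_match(SAMPLE, SIGNATURE)` returns True once the subflows are joined.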


Notes

  1. Traditional TCP is the same TCP we know and use today.

  2. Multipath TCP is also referred to as MPTCP.

  3. Among these three files, one contains old and deleted rules, one is for local rules and the third is for obsolete X windows rules. All of these were deemed irrelevant.

  4. According to the new Snort rule categories.

  5. About one half of the Snort rule set is evaluated, but similar results are expected from the remaining rules.


Acknowledgments

The work was carried out in the High Quality Networked Services in a Mobile World (HITS) project, funded partly by the Knowledge Foundation of Sweden. The authors are grateful for the support provided by Catherine Pearce of Cisco.

Author information

Correspondence to Zeeshan Afzal.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Afzal, Z., Lindskog, S. (2015). Multipath TCP IDS Evasion and Mitigation. In: Lopez, J., Mitchell, C. (eds) Information Security. ISC 2015. Lecture Notes in Computer Science, vol 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_15

  • DOI: https://doi.org/10.1007/978-3-319-23318-5_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23317-8

  • Online ISBN: 978-3-319-23318-5
