Improvement of TCP Packet Reassembly in Libnids
Advisor: Shyh-In Hwang
Presenter: Chun-Hui Hwang
E-mail: sky97.tw@gmail.com
2009.07.01
Outline
• Motivation
• Goals
• Libnids Introduction
• System architecture
• Approaches
• Implementation
• Experiment Result
• Conclusion
• Future work
Motivation
• Network security monitoring is important
• API libraries make building monitors convenient
• Libnids is often used by network monitoring systems
• Libnids drawbacks:
– when a packet is lost, it cannot reassemble the packets that follow it
– it consumes a lot of memory holding those packets in its queue
Goals
• Modify libnids: add a packet dispatch mechanism
• Let libnids analyze and reassemble the packets it has already received, even when one of them is missing
• Let the queued memory be released normally
• Deliver packet header information to the application (AP) layer
Libnids Introduction (1/2)
• Libnids: Library Network Intrusion Detection System
• Emulates the IP stack of Linux 2.0.x
• Libnids capabilities:
– IP defragmentation
– TCP stream reassembly
– TCP port scan detection
Libnids Introduction (2/2)
• Libnids applications:
– Network protocol analysis
– Sniffer
– Network intrusion detection system
– Others, with the libnids feature each one relies on:
• SNMP traffic analysis (May 2007): data reassembly
• Combination with dsniff (Nov. 2006 and 2007): checking connection state and session data
• Network tracing system (April 2009): IP defragmentation, TCP stream reassembly
System architecture
Figure: Internet, router, switch and PCs; the sniffer PC is attached to the switch next to the other PCs.
Libnids process
Flow chart (figure): Sniffer → Libnids initialization → Catch packets → Packet reassembly (IP defragmentation, then TCP stream reassembly) → Packet complete? If no, return to catching packets; if yes, data recovery → analyze data.
Approaches
Steps of the improvement (figure):
• Write a sniffer program
• The sniffer program calls libnids
• Read offline packets
• Packet reassembly
• Add the packet dispatch mechanism
• Deliver packet header information to the AP
• Finish the improvement
Packet dispatch & Packet header information
• Packet dispatch mechanism: queued packets are handed to the application when
– a FIN or RESET packet has been received
– a packet's sequence number falls outside of the current sliding window
– the user-defined timeout period for the queued packets expires
• Packet header information: delivered to the application as an additional option
Implementation
• Use a sniffer program to read offline packets
• Packets proceed to IP defragmentation
• Packets proceed to TCP stream reassembly, which checks:
– the packet header length and IP addresses
– the packet header flags
– whether the packet is TCP at all
– the time stamp
– the TCP connection the packet belongs to
– that data length plus the FIN flag is greater than 0
• Packets then go into the TCP queue
Implementation
TCP stream assembly flow chart (figure). Its nodes, as far as they can be read (the edges are only partly recoverable):
• Start TCP stream assembly
• Check TCP header length and IP address (yes/no)
• Check whether the packet is from a new TCP connection; check the SYN flag; TCP information hash table
• TCP packet format; decide whether the packet comes from the client or the server; data length, sequence number
• Check RST flag (equal 1 / not equal 1)
• Check ACK flag; check timestamp
• Data length + FIN flag (equal 0 / not equal 0; greater than 1 / not greater than 1)
• TCP queue function
• TCP stream assembly end
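The header checks listed on the two Implementation slides above, modelled as an added Python example (not code from the presentation or from libnids): packets are constructed in memory, a 4-tuple hash table decides the direction and detects new connections, and the final data-length-plus-FIN test decides whether anything reaches the TCP queue. The order of the checks, the names `ConnectionTable`, `classify`, `build_packet` and `demo`, and the rule that a capture timestamp must not go backwards are this example's assumptions, not libnids' code path.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Segment:
    key: tuple          # client->server 4-tuple the connection is hashed under
    from_client: bool   # direction: the tuple matched forwards (client) or reversed (server)
    seq: int
    flags: int
    payload: bytes
    ts: float


class ConnectionTable:
    """Hash table of tracked connections: 4-tuple -> capture time of the last segment seen."""

    def __init__(self):
        self.conns = {}


def classify(raw, ts, table):
    """Run the header checks of the flow chart on one captured IP packet.

    Returns ('drop', reason) or (action, Segment) with action in
    'new', 'handshake', 'queue', 'reset'. The order of the checks and the
    timestamp rule are this example's choices, not libnids' exact code path.
    """
    if len(raw) < 20:
        return ('drop', 'truncated IP header')
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack('!BBHHHBBH4s4s', raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        return ('drop', 'bad IP version or header length')
    if proto != IPPROTO_TCP:
        return ('drop', 'not TCP')
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        return ('drop', 'truncated TCP header')
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack('!HHIIHHHH', tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if doff < 20 or len(tcp) < doff:
        return ('drop', 'bad TCP header length')
    payload = tcp[doff:]

    # Look the 4-tuple up forwards and reversed: that decides client vs. server direction.
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    if fwd in table.conns:
        key, from_client = fwd, True
    elif rev in table.conns:
        key, from_client = rev, False
    elif flags & TCP_SYN and not flags & TCP_ACK:
        table.conns[fwd] = ts                 # a bare SYN opens a new tracked connection
        return ('new', Segment(fwd, True, seq, flags, payload, ts))
    else:
        return ('drop', 'no tracked connection')   # e.g. capture started mid-stream

    if ts < table.conns[key]:
        return ('drop', 'timestamp older than last segment')   # assumed reading of 'check time stamp'
    table.conns[key] = ts
    seg = Segment(key, from_client, seq, flags, payload, ts)
    if flags & TCP_RST:
        del table.conns[key]                  # RST ends stream assembly for this connection
        return ('reset', seg)
    if flags & TCP_SYN:
        return ('handshake', seg)             # SYN/ACK: connection state only, nothing to queue
    if len(payload) + bool(flags & TCP_FIN) == 0:
        return ('drop', 'pure ACK: no data and no FIN')
    return ('queue', seg)                     # data length + FIN > 0: goes to the TCP queue


def build_packet(src, sport, dst, dport, seq, flags, payload=b'', proto=IPPROTO_TCP):
    """Constructed test input: IPv4 + 20-byte TCP header, checksums left zero."""
    ip4 = lambda a: bytes(int(x) for x in a.split('.'))
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return ip + tcp


def demo():
    """Push a constructed client/server exchange through classify(); return the actions taken."""
    table = ConnectionTable()
    c, s = ('10.0.0.2', 40000), ('10.0.0.9', 80)
    trace = [
        (1.0, build_packet(*c, *s, 100, TCP_SYN)),
        (1.1, build_packet(*s, *c, 500, TCP_SYN | TCP_ACK)),
        (1.2, build_packet(*c, *s, 101, TCP_ACK)),                         # handshake ACK, no data
        (1.3, build_packet(*c, *s, 101, TCP_ACK, b'GET / HTTP/1.0\r\n')),
        (1.4, build_packet(*s, *c, 501, TCP_ACK, b'HTTP/1.0 200 OK\r\n')),
        (1.5, build_packet(*c, *s, 117, TCP_ACK, proto=17)),               # UDP: not TCP
        (1.6, build_packet('10.0.0.7', 1234, *s, 1, TCP_ACK, b'x')),        # untracked host
        (1.7, build_packet(*c, *s, 117, TCP_FIN | TCP_ACK)),               # FIN counts as data
        (1.8, build_packet(*s, *c, 518, TCP_RST | TCP_ACK)),
    ]
    return [classify(raw, ts, table)[0] for ts, raw in trace], len(table.conns)
```

`demo()` walks one connection from SYN to RST: the pure handshake ACK is dropped because data length plus FIN is zero, the FIN with no payload is still queued because the FIN flag counts, the UDP packet and the packet from an untracked host never reach the queue, and the RST removes the connection from the hash table so that its memory can go.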
Implementation
Figure (four animation frames): a TCP connection between a client and a server. Client packets C1..C11 and server packets S1..S10 (SYN, ACK, FIN and close are marked on both sides) pass through a libnids queue for the client and a libnids queue for the server before reaching the application layer. Legend: lost packets; queued packets in libnids. Once a packet is lost, the packets behind it stay in the libnids queue.
Packet dispatch mechanism
• A FIN or RESET packet has been received
Figure (animation frames): client packets C3..C9 (with ACKs) flow through the libnids queue for the client toward the application layer; some of them are lost, so the packets behind the gap stay queued in libnids. When C10 carrying FIN arrives, the queued packets are delivered to the AP. Legend: lost packets; queued packets in libnids; packets delivered to AP.
Packet dispatch mechanism
• Packet sequence number falls outside of the current sliding window
Figure (animation frames): client packets C3..C9 (with ACKs), one of them lost, wait in the libnids queue for the client. When C10 arrives with a sequence number outside the current sliding window, the window slides past the gap and the queued packets are delivered to the AP. Legend: queued packets in libnids; lost packets; packets delivered to AP.
Packet dispatch mechanism
• Users define a timeout period for packets
Figure (animation frames): client packets C3..C9 (with ACKs) pass through the libnids queue for the client; a lost packet leaves the packets behind it queued. When the user-defined timeout expires, the queued packets are delivered to the AP. Legend: lost packets; queued packets in libnids; packets delivered to AP.
• The lost packet may be retransmitted after 60 s + the user-defined waiting time
Packet header information
• An option chooses what is delivered to the AP:
– the payload only
– packet header information together with the payload:
• payload
• source/destination IP
• source/destination port
• data length
• all packets bytes
• data offset
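The three dispatch triggers of the Packet dispatch mechanism slides and the record fields of the Packet header information slide, as an added Python example (not the presentation's or libnids' code). One direction of a connection is modelled as a `DirectionQueue`; `dispatch=False` reproduces the original libnids behaviour of waiting for a lost packet forever, and the constructed trace C1..C10 plus FIN mirrors the slides' figures. The class and function names, the `window` and `timeout` parameters, and the meanings given to "all packets bytes" and "data offset" are assumptions of this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

TCP_FIN, TCP_RST = 0x01, 0x04

# One captured segment of one direction: absolute sequence number, flags, payload, capture time.
Segment = namedtuple('Segment', 'seq flags payload ts')
# What the application receives: the payload plus the header fields listed on the slide.
# stream_bytes and data_offset are this example's reading of 'all packets bytes' and 'data offset'.
Record = namedtuple('Record', 'src_ip src_port dst_ip dst_port data data_len '
                              'stream_bytes data_offset gap_before')


@dataclass
class DirectionQueue:
    """libnids-style reassembly queue for one direction, with the packet dispatch triggers."""
    src: tuple                 # (ip, port) of this direction's sender
    dst: tuple
    isn: int                   # initial sequence number from the SYN
    window: int = 65535        # sliding window: how far beyond a hole we keep waiting
    timeout: float = 60.0      # 60 s plus the user-defined waiting time, as on the slide
    dispatch: bool = True      # False reproduces original libnids: never give up on a hole
    expected: int = field(init=False)
    pending: dict = field(default_factory=dict)    # seq -> Segment: the queue that eats memory
    delivered: list = field(default_factory=list)
    stream_bytes: int = 0

    def __post_init__(self):
        self.expected = self.isn + 1           # the SYN consumed one sequence number

    def queued_bytes(self):
        return sum(len(s.payload) for s in self.pending.values())

    def _deliver(self, seg, gap):
        cut = max(0, self.expected - seg.seq)  # drop bytes the application already has
        data = seg.payload[cut:]
        if data:
            self.delivered.append(Record(*self.src, *self.dst, data, len(data), self.stream_bytes,
                                         seg.seq + cut - self.isn - 1, gap))
        self.expected = max(self.expected, seg.seq + len(seg.payload) + bool(seg.flags & TCP_FIN))

    def _drain(self):
        while self.expected in self.pending:   # a filled hole releases what waited behind it
            self._deliver(self.pending.pop(self.expected), 0)

    def _flush(self):
        """Packet dispatch: stop waiting for the hole, deliver the queue in order, free it."""
        for seq in sorted(self.pending):
            seg = self.pending.pop(seq)
            if seq + len(seg.payload) + bool(seg.flags & TCP_FIN) > self.expected:
                self._deliver(seg, max(0, seq - self.expected))   # gap > 0 tells the AP what was lost

    def add(self, seg):
        self.stream_bytes += len(seg.payload)
        end = seg.seq + len(seg.payload) + bool(seg.flags & TCP_FIN)
        if end > self.expected and seg.seq <= self.expected:
            self._deliver(seg, 0)              # in order: straight to the application
            self._drain()
        elif end > self.expected:
            self.pending[seg.seq] = seg        # out of order: queue until the hole fills
            if self.dispatch and seg.seq - self.expected > self.window:
                self._flush()                  # trigger 2: the hole fell outside the sliding window
        if self.dispatch and seg.flags & (TCP_FIN | TCP_RST):
            self._flush()                      # trigger 1: FIN or RST, nothing more will arrive

    def tick(self, now):
        """Trigger 3: called from the user's timer; dispatch once the oldest queued segment expired."""
        if self.dispatch and self.pending and now - min(s.ts for s in self.pending.values()) >= self.timeout:
            self._flush()


def client_trace(lost=()):
    """Constructed capture: 100-byte client segments C1..C10 one second apart, then a FIN.
    Names in `lost` are left out, as the slides drop packets from the capture."""
    isn, segs = 1000, []
    for i in range(1, 11):
        if f'C{i}' not in lost:
            segs.append(Segment(isn + 1 + (i - 1) * 100, 0, (f'C{i}'.encode() + b'.' * 100)[:100], float(i)))
    segs.append(Segment(isn + 1001, TCP_FIN, b'', 11.0))
    return isn, segs


def run(lost=(), upto=None, **opts):
    """Feed the first `upto` surviving segments of the constructed trace into a fresh queue."""
    isn, segs = client_trace(lost)
    q = DirectionQueue(('10.0.0.2', 40000), ('10.0.0.9', 80), isn, **opts)
    for seg in segs[:upto]:
        q.add(seg)
    return q


def names(q):
    """Segment names the application has received so far, in delivery order."""
    return [r.data.rstrip(b'.').decode() for r in q.delivered]
```

With `dispatch=False` and C5, C6 lost, `run(('C5', 'C6'), dispatch=False)` delivers C1..C4 and then keeps C7..C10 in `pending` for ever, so `queued_bytes()` never drops: that is the memory problem of the Motivation slide. With dispatch on, the FIN, a segment that lands beyond `window`, or a `tick()` past `timeout` hands the same packets over in order, with `gap_before` set on C7 so the application knows 200 bytes are missing in front of it, and the queue is empty afterwards.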
Experiment Analysis
Figures (three slides of animation frames for the packet-lost experiment): client packets C3..C9 (with ACKs), the libnids queue for the client and the application layer, with lost packets, packets queued in libnids and packets delivered to the AP marked.
Experiment Analysis
Figure: two TCP sessions. Session 1 and session 2 each send client packets C3..C7 (with ACKs, one packet lost) through the libnids queue for the client. The application layer receives the packets of both sessions tagged by session (#1-C3 .. #1-C7 and #2-C3 .. #2-C7), interleaved. Legend: queued packets in libnids; lost packets; packets delivered to AP.
Experiment Result: packet lost

Result of analysis ("analysis" is the success rate: successfully analyzed packets over packets with information):

| Test | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis |
|---|---|---|---|---|---|
| 1 | 6 | 3 | 50% | 6 | 100% |
| 2 | 13 | 8 | 62% | 13 | 100% |
| 3 | 20 | 17 | 85% | 20 | 100% |
| 4 | 21 | 15 | 71% | 21 | 100% |
| 5 | 60 | 54 | 90% | 60 | 100% |
Experiment Result
Figure: bar chart of analysis (%) (y axis 0 to 100) against packets with information (6, 13, 20, 21, 60) for original libnids and improved libnids in the packet-lost experiment.
Experiment Analysis
Figure (animation frames for the packet-late experiment): client packets C3..C9 (with ACKs) pass through the libnids queue for the client to the application layer; C5 arrives late, after the sliding window has moved on. Legend: packets delivered to AP; queued packets in libnids; lost packets; late packets.
Experiment Result: packet late

Result of analysis ("analysis" is the success rate: successfully analyzed packets over packets with information):

| Test | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis |
|---|---|---|---|---|---|
| 1 | 14 | 8 | 57% | 13 | 93% |
| 2 | 23 | 15 | 68% | 22 | 96% |
| 3 | 61 | 54 | 89% | 60 | 98% |
| 4 | 25 | 23 | 92% | 24 | 96% |
| 5 | 86 | 77 | 90% | 84 | 98% |
Experiment Result
Figure: bar chart of analysis (%) (y axis 0 to 100) against packets with information (14, 23, 61, 25, 86) for original libnids and improved libnids in the packet-late experiment.
Conclusion
• A packet dispatch mechanism was added to libnids
• Libnids can now reassemble and deliver the packets that were left suspended in its queue
• It no longer consumes a lot of memory holding them
• Packet header information is delivered to the AP layer
Thank you