Improvement of TCP Packet Reassembly
in Libnids
Advisor : Shyh-In Hwang
Presenter : Chun-Hui Hwang
E-mail: [email protected]
2009.07.01
Outline (2/28)
• Motivation
• Goals
• Libnids Introduction
• System architecture
• Approaches
• Implementation
• Experiment Result
• Conclusion
• Future work
Motivation (3/28)
• Network security monitoring is important
• API libraries are convenient
• Libnids is often used by network monitoring systems
• Libnids drawbacks:
  – When a packet is lost, it cannot reassemble the following packets
  – It consumes a lot of memory to store the packets it is holding
Goals (4/28)
• Modify libnids: add a packet dispatch mechanism
• Let libnids analyze and reassemble the packets it has already received
• Memory can be released normally
• Packet header information is delivered to the AP (application) layer
Libnids Introduction (1/2) (5/28)
• Library Network Intrusion Detection System
• Emulates the IP stack of Linux 2.0.x
• Libnids capabilities:
  – IP defragmentation
  – TCP stream reassembly
  – TCP port scan detection
Libnids Introduction (2/2) (6/28)
• Libnids applications:
  – Network protocol analysis
  – Sniffer
  – Network intrusion detection system
  – Other
• Examples of projects built on libnids:
  – SNMP traffic analysis (May 2007): data reassembly
  – Combined with dsniff (Nov. 2006 & 2007): checking connection state and session data
  – Network tracing system (April 2009): IP defragmentation, TCP stream reassembly
System architecture (7/28)
[Figure: network diagram. The Internet connects through a router to a switch; several PCs and a sniffer PC hang off the switch. The sniffer runs a libnids process that performs packet reassembly.]

System architecture (8/28)
[Figure: libnids processing flow. Libnids initialization → catch packets → IP defragmentation → TCP stream reassembly → "Packet complete?" (Yes / No) → data recovery → analyze data.]
Approaches (9/28)
[Figure: flowchart of the improvement work. Improvement of libnids start → write a sniffer program → sniffer program calls libnids → read offline packets → packet reassembly → add packet dispatch mechanism → packet header information to AP → finish improvement.]
Packet dispatch & packet header information (10/28)
• Packet dispatch mechanism (queued packets are delivered to the application when one of these occurs):
  – A FIN or RESET packet has been received
  – A packet's sequence number falls outside of the current sliding window
  – A user-defined timeout period for packets expires
• Packet header information
  – An additional option
Implementation (11/28)
• Use a sniffer program to read offline packets
• Packets proceed to IP defragmentation
• Packets proceed to TCP stream reassembly:
  – Check packet header length and IP address
  – Check packet header flags
  – TCP packet or not
  – Check timestamp
  – Check TCP connection
  – Check that data length plus the FIN flag is greater than 0
• Packets go into the TCP queue
Implementation (12/28)
[Figure: TCP stream assembly flowchart. Start TCP stream assembly → check timestamp (No → end) → check TCP header length (No → end) → check whether the packet is from a new TCP connection, consulting the TCP information hash table. New connection: check SYN flag, then decide whether the packet comes from the client or the server by comparing the IP address (equal 0 / not equal 0). Existing connection: check SYN flag (equal 1 / not equal 1), check ACK flag, data length and sequence number, then data length + FIN flag (greater than 1 → TCP queue function; not greater than 1 → skip the queue) → check RST flag → TCP stream assembly end.]
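The header checks listed on slides 11 and 12 can be made concrete with a small parser. The Python below is an added illustration for this transcript, not libnids code: it unpacks an IPv4/TCP packet from constructed bytes, applies the header-length, protocol and flag checks, and reports whether the segment would go on to the TCP queue using the test from slide 11 (data length plus the FIN flag greater than 0). The addresses, ports and sample packets are constructed for the example; `SegmentInfo`, `parse_tcp_segment`, `is_malformed` and `build_packet` are names chosen here.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Classic TCP flag bits, as in the deck's FIN / SYN / RST / ACK checks
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class SegmentInfo:
    """Header information the deck wants handed to the application layer."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes

    @property
    def must_queue(self) -> bool:
        # Slide 11's last check: a segment goes to the TCP queue only if it
        # carries data or a FIN (data length + FIN flag > 0). Bare ACKs do not.
        return len(self.payload) + (self.flags & TH_FIN) > 0


def parse_tcp_segment(pkt: bytes) -> Optional[SegmentInfo]:
    """Parse one captured IPv4 packet. Returns None when it is not TCP and
    raises ValueError when a header length check fails (truncated or bogus)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not IPv4 or bad IP header length")
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("IP total length disagrees with the captured bytes")
    if proto != 6:
        return None                       # not TCP: nothing for TCP reassembly
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4          # TCP header length in bytes
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    return SegmentInfo(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                       seq, ack, off_flags & 0x3F, tcp[doff:])


def is_malformed(pkt: bytes) -> bool:
    """True when the header checks reject the packet."""
    try:
        parse_tcp_segment(pkt)
        return False
    except ValueError:
        return True


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", proto=6):
    """Constructed test packet: IPv4 header without options (checksum left 0),
    a 20-byte TCP header and the payload. Only for feeding the parser offline."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample traffic (addresses and ports are made up for the example)
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_DATA = build_packet(CLIENT, SERVER, 40001, 80, 1001, 5001,
                           TH_PSH | TH_ACK, b"GET / HTTP/1.0\r\n\r\n")
SAMPLE_ACK = build_packet(CLIENT, SERVER, 40001, 80, 1019, 5001, TH_ACK)
SAMPLE_FIN = build_packet(CLIENT, SERVER, 40001, 80, 1019, 5001, TH_FIN | TH_ACK)
SAMPLE_UDP = build_packet(CLIENT, SERVER, 40001, 53, 0, 0, 0, b"x", proto=17)
SAMPLE_BAD = SAMPLE_DATA[:30]             # capture cut off inside the TCP header

if __name__ == "__main__":
    for name, pkt in [("data", SAMPLE_DATA), ("ack", SAMPLE_ACK),
                      ("fin", SAMPLE_FIN), ("udp", SAMPLE_UDP)]:
        info = parse_tcp_segment(pkt)
        print(name, "->", "not TCP" if info is None else
              f"{info.src}:{info.sport} -> {info.dst}:{info.dport} "
              f"seq={info.seq} flags={info.flags:#x} queue={info.must_queue}")
    print("bad ->", "malformed" if is_malformed(SAMPLE_BAD) else "ok")
```

Rejecting a packet whose IP total length exceeds the captured bytes, before touching the TCP header, is the check that keeps a monitor from reading past the buffer on truncated or crafted captures; the `must_queue` property is what decides whether the segment costs queue memory at all.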
Implementation (13/28)
[Figure: one TCP session between Client and Server, with a libnids queue for each side and the Application Layer above them. Three-way handshake (SYN, SYN/ACK, ACK); client segments C1–C11 and server segments S1–S10 with their ACKs; some packets are lost and the segments after them are queued in libnids; FIN/ACK exchange and close on both sides.]
Packet dispatch mechanism (14/28)
• A FIN or RESET packet has been received
[Figure: libnids queue for the client below the Application Layer. C3 and C4 are lost; C5–C7 are queued in libnids; C8–C10 arrive and the FIN triggers delivery of the queued packets to the AP. Legend: lost packets, queued packets in libnids, packets delivered to AP.]
Packet dispatch mechanism (15/28)
• Packet sequence number falls outside of the current sliding window
[Figure: client segments C3–C10 with the sliding window drawn over them; C8 is the lost packet. Once a packet's sequence number falls outside the current window, the packets queued in libnids are delivered to the AP. Legend: lost packets, queued packets in libnids, packets delivered to AP.]
Packet dispatch mechanism (16/28)
• Users define a timeout period for packets
[Figure: client segments C3–C9; C3 and C4 are lost, C5–C9 are queued in libnids. Note on the slide: the lost packets may be retransmitted after 60 s plus the user-defined waiting time; after that, the queued packets are delivered to the AP. Legend: lost packets, queued packets in libnids, packets delivered to AP.]
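The three dispatch triggers on slides 14 to 16 (FIN or RESET, sequence number outside the sliding window, user-defined timeout) can be modelled in a few dozen lines. The Python below is an added illustration for this transcript, not libnids code: it keeps one direction of a TCP stream as a queue of out-of-order segments, delivers in-order data immediately, and on any of the three triggers hands the queued segments to the application with a flag marking where bytes were never received, after which the queue is empty and its memory can be released. The segment sizes, sequence numbers, window size and timeouts are constructed for the example; `DispatchQueue`, `Delivered`, `send` and the `scenario_*` functions are names chosen here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TH_FIN, TH_RST = 0x01, 0x04


@dataclass
class Delivered:
    seq: int
    data: bytes
    after_gap: bool      # True when bytes before this segment were never received


@dataclass
class DispatchQueue:
    """One direction of a TCP stream: reassembly queue plus the deck's three
    dispatch triggers. Added model, not libnids code."""
    next_seq: int                    # sequence number the application expects next
    window: int = 65535              # sliding-window size (trigger 2)
    timeout: float = 60.0            # user-defined waiting time in seconds (trigger 3)
    pending: Dict[int, Tuple[bytes, float]] = field(default_factory=dict)
    delivered: List[Delivered] = field(default_factory=list)

    def _deliver(self, seq: int, data: bytes, after_gap: bool) -> None:
        self.delivered.append(Delivered(seq, data, after_gap))
        self.next_seq = seq + len(data)

    def _accept(self, seq: int, data: bytes) -> None:
        """Hand a segment to the application now, flagging a hole in front of it,
        then release any queued segments that have become contiguous."""
        if seq > self.next_seq:
            self._deliver(seq, data, after_gap=True)
        elif seq + len(data) > self.next_seq:
            self._deliver(self.next_seq, data[self.next_seq - seq:], after_gap=False)
        while self.next_seq in self.pending:
            queued, _ = self.pending.pop(self.next_seq)
            self._deliver(self.next_seq, queued, after_gap=False)

    def _flush(self) -> None:
        """Dispatch everything queued, lowest sequence first, freeing the queue."""
        for seq in sorted(self.pending):
            item = self.pending.pop(seq, None)    # may already be drained by _accept
            if item is not None:
                self._accept(seq, item[0])

    def receive(self, seq: int, data: bytes, flags: int, now: float) -> None:
        if seq > self.next_seq + self.window:      # trigger 2: outside the sliding window
            self._flush()                          # stop waiting for the lost bytes
            self._accept(seq, data)
        elif seq > self.next_seq:                  # hole before it: queue and wait
            self.pending[seq] = (data, now)
        else:                                      # in order (old bytes are trimmed)
            self._accept(seq, data)
        if flags & (TH_FIN | TH_RST):              # trigger 1: FIN or RESET received
            self._flush()

    def expire(self, now: float) -> int:
        """Trigger 3: once the oldest queued segment has waited the user-defined
        timeout, dispatch the queue. Returns how many segments were delivered."""
        if not self.pending:
            return 0
        oldest = min(arrived for _, arrived in self.pending.values())
        if now - oldest < self.timeout:
            return 0
        before = len(self.delivered)
        self._flush()
        return len(self.delivered) - before


SEG = 100   # every constructed client segment carries 100 bytes


def send(q: DispatchQueue, n: int, flags: int = 0, now: float = 0.0) -> None:
    """Constructed client segment Cn: seq 1 + (n-1)*SEG, payload of byte value n."""
    q.receive(1 + (n - 1) * SEG, bytes([n]) * SEG, flags, now)


def scenario_fin() -> DispatchQueue:
    """Slide 14: C3 and C4 lost, C5-C7 queued, the FIN on C8 dispatches the queue."""
    q = DispatchQueue(next_seq=1)
    for n in (1, 2, 5, 6, 7):
        send(q, n)
    send(q, 8, flags=TH_FIN)
    return q


def scenario_window() -> DispatchQueue:
    """Slide 15: with a 300-byte window, C7 falls outside it and forces dispatch."""
    q = DispatchQueue(next_seq=1, window=300)
    for n in (1, 2, 5, 6, 7):
        send(q, n)
    return q


def scenario_timeout() -> Tuple[DispatchQueue, int, int]:
    """Slide 16: nothing happens at 20 s; the 30 s user timeout dispatches C5 and C6."""
    q = DispatchQueue(next_seq=1, timeout=30.0)
    send(q, 1)
    send(q, 2)
    send(q, 5, now=1.0)
    send(q, 6, now=2.0)
    return q, q.expire(20.0), q.expire(31.5)


if __name__ == "__main__":
    for name, q in (("fin", scenario_fin()), ("window", scenario_window()),
                    ("timeout", scenario_timeout()[0])):
        print(name, [(d.seq, d.after_gap) for d in q.delivered], "pending:", len(q.pending))
```

The `after_gap` flag is what lets the application layer tell "reassembled data" from "data delivered after a hole", which matters when the monitor's output feeds signature matching: a protocol parser should reset its state at a flagged gap rather than treat the bytes as continuous.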
Packet header information (17/28)
• Use an option to choose between:
  – Payload only
  – Packet header information:
     • payload
     • source/destination IP
     • source/destination port
     • data length
     • total bytes of all packets
     • data offset
Experiment Analysis (18/28–21/28)
[Figures: test scenarios drawn as on slide 14. Slides 18–20: libnids queue for the client below the Application Layer; client segments C3–C9, with C3 and C4 lost, C5–C9 queued in libnids and then delivered to the AP. Slide 21: two interleaved TCP sessions (#1-C3…#1-C7 and #2-C3…#2-C7), each with its own lost packets, packets queued in libnids and packets delivered to the AP. Legend: lost packets, queued packets in libnids, packets delivered to AP.]
Experiment Result (22/28)
Result of analysis (lost packets)

Packets lost | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis
1            | 6                        | 3                         | 50%                        | 6                         | 100%
2            | 13                       | 8                         | 62%                        | 13                        | 100%
3            | 20                       | 17                        | 85%                        | 20                        | 100%
4            | 21                       | 15                        | 71%                        | 21                        | 100%
5            | 60                       | 54                        | 90%                        | 60                        | 100%
Experiment Result (23/28)
[Figure: bar chart of analysis rate (%), y axis 0–100, against packets with information (6, 13, 20, 21, 60) on the x axis, for Original libnids and Improved libnids; values as in the table on slide 22.]
Experiment Analysis (24/28)
[Figure: libnids queue for the client below the Application Layer; client segments C3–C9 with two sliding windows drawn over them. C3 and C4 are lost and C5 arrives late; the remaining segments are queued in libnids and then delivered to the AP. Legend: lost packets, queued packets in libnids, late packets, packets delivered to AP.]
Experiment Result (25/28)
Result of analysis (late packets)

Packets late | Packets with information | Original libnids: success | Original libnids: analysis | Improved libnids: success | Improved libnids: analysis
1            | 14                       | 8                         | 57%                        | 13                        | 93%
2            | 23                       | 15                        | 68%                        | 22                        | 96%
3            | 61                       | 54                        | 89%                        | 60                        | 98%
4            | 25                       | 23                        | 92%                        | 24                        | 96%
5            | 86                       | 77                        | 90%                        | 84                        | 98%
Experiment Result (26/28)
[Figure: bar chart of analysis rate (%), y axis 0–100, against packets with information (14, 23, 61, 25, 86) on the x axis, for Original libnids and Improved libnids; values as in the table on slide 25.]
Conclusion (27/28)
• Libnids packet dispatch mechanism
• Libnids can reassemble suspended packets
• It does not consume a lot of memory
• Packet header information is delivered to the AP layer
Thank you (28/28)