Improvement of TCP Packet Reassembly in Libnids
Advisor: Shyh-In Hwang
Presenter: Chun-Hui Hwang
E-mail: [email protected]
2009.07.01

Outline (2/28)
• Motivation
• Goals
• Libnids Introduction
• System architecture
• Approaches
• Implementation
• Experiment Result
• Conclusion
• Future work

Motivation (3/28)
• Network security monitoring is important
• API libraries are convenient
• Libnids is often used by network monitoring systems
• Libnids drawbacks:
  – When a packet is lost, it cannot reassemble the packets that follow it
  – It consumes a lot of memory storing the packets it is holding

Goals (4/28)
• Modify libnids: add a packet dispatch mechanism
• Let libnids analyze and reassemble the packets it has already received
• Memory can be released normally
• Packet header information is delivered to the AP (application) layer

Libnids Introduction (1/2) (5/28)
• Library Network Intrusion Detection System
• Emulates the IP stack of Linux 2.0.x
• Libnids capabilities:
  – IP defragmentation
  – TCP stream reassembly
  – TCP port scan detection

Libnids Introduction (2/2) (6/28)
• Libnids applications:
  – Network protocol analysis
  – Sniffer
  – Network intrusion detection system
  – Other
• Systems built on libnids (application, date: libnids function used):
  SNMP traffic analysis (May 2007):           data reassembly
  Combined with dsniff (Nov. 2006 & 2007):    check connection state and session data
  Network tracing system (April 2009):        IP defragmentation, TCP stream reassembly

System architecture (7/28)
[Figure: network diagram. Internet, Router, Switch, several PCs, and a Sniffer PC attached to the switch.]

Libnids process (8/28)
[Figure: flowchart. Sniffer → Packet reassembly (Libnids initialization, IP defragmentation, TCP stream reassembly, Data recovery); Catch packets → Packet complete? Yes → Analyze data (the No branch loops back).]

Approaches (9/28)
[Figure: flowchart of the improvement process, reading the two columns in order: Improvement of libnids start → Write a sniffer program → Sniffer program calls libnids → Read offline packets → Packet reassembly → Add packet dispatch mechanism → Packet header information to AP → Finish improvement.]

Packet dispatch & packet header information (10/28)
• Packet dispatch mechanism: queued packets are released to the AP when
  – A FIN or RESET packet has been received
  – A packet sequence number falls outside of the current sliding window
  – A user-defined timeout period for held packets expires
• Packet header information
  – An additional option

Implementation (11/28)
• Use a sniffer program to read offline packets
• Packets proceed to IP defragmentation
• Packets proceed to TCP stream reassembly
  – Check packet header length and IP address
  – Check the packet header flags to decide whether it is a TCP packet or not
  – Check the time stamp
  – Check the TCP connection
  – Check that data length plus the FIN flag is greater than 0
• Packets go into the TCP queue

Implementation (12/28)
[Figure: flowchart of the TCP stream assembly checks against the TCP packet format. Start TCP stream assembly → Check timestamp → Check TCP header length → Check whether the packet is from a new TCP connection → Check SYN flag → Decide whether the packet is from client or server (by IP address; equal 0 / not equal 0) → Data length + FIN flag (greater than 1 / not greater than 1) → Check ACK flag → Check RST flag → TCP queue function and TCP information hash table (data length, sequence number) → TCP stream assembly end.]

Implementation (13/28)
[Figure: sequence diagram of one TCP session between Client (segments C1 to C11) and Server (segments S1 to S10): SYN, SYN-ACK, ACK, data, FIN, close. Legend: lost packets, queued packets in libnids, libnids queue for client, libnids queue for server, Application Layer.]

Packet dispatch mechanism (14/28)
• A FIN or RESET packet has been received
[Figure: client segments C3 to C10, C10 carrying FIN. Legend: lost packets, queued packets in libnids, packets delivered to AP. When the FIN arrives, the segments queued behind the lost one are delivered to the AP.]

Packet dispatch mechanism (15/28)
• Packet sequence number falls outside of the current sliding window
[Figure: client segments C3 to C10 with the sliding window drawn over them. Legend: lost packets, queued packets in libnids, packets delivered to AP. When C9 and C10 arrive outside the window, the segments queued behind the lost one are delivered to the AP.]

Packet dispatch mechanism (16/28)
• Users define a timeout period for packets
[Figure: client segments C3 to C9. Legend: lost packets, queued packets in libnids, packets delivered to AP. Note on the figure: the lost packet may be retransmitted after 60 s + the user-defined waiting time; after that the queued segments are delivered to the AP.]

Packet header information (17/28)
• Option choice:
  – Payload
  – Packet header information
• Fields delivered with the option:
  – payload
  – source/destination IP
  – source/destination port
  – data length
  – bytes of all packets
  – data offset

Experiment Analyze (18/28, 19/28, 20/28)
[Figure, repeated on three slides: client segments C3 to C9. Legend: lost packets, queued packets in libnids, packets delivered to AP.]

Experiment Analyze (21/28)
[Figure: two interleaved TCP sessions, #1-C3 to #1-C7 and #2-C3 to #2-C7, each shown with its own libnids queue for the client (TCP session 1, TCP session 2). Legend: lost packets, queued packets in libnids, packets delivered to AP.]

Experiment Result (22/28)
Result of analysis (lost packets)
Packets lost   Packets with information   Original libnids (success / analysis)   Improved libnids (success / analysis)
1              6                          3 / 50%                                  6 / 100%
2              13                         8 / 62%                                  13 / 100%
3              20                         17 / 85%                                 20 / 100%
4              21                         15 / 71%                                 21 / 100%
5              60                         54 / 90%                                 60 / 100%

Experiment Result (23/28)
[Chart: Analysis (%) against Packets with information (6, 13, 20, 21, 60), original libnids vs. improved libnids; values as in the table above.]

Experiment Analyze (24/28)
[Figure: client segments C3 to C9 with a late C5 arriving after the sliding window has moved on. Legend: lost packets, queued packets in libnids, late packets, packets delivered to AP.]

Experiment Result (25/28)
Result of analysis (late packets)
Packets late   Packets with information   Original libnids (success / analysis)   Improved libnids (success / analysis)
1              14                         8 / 57%                                  13 / 93%
2              23                         15 / 68%                                 22 / 96%
3              61                         54 / 89%                                 60 / 98%
4              25                         23 / 92%                                 24 / 96%
5              86                         77 / 90%                                 84 / 98%

Experiment Result (26/28)
[Chart: Analysis (%) against Packets with information (14, 23, 61, 25, 86), original libnids vs. improved libnids; values as in the table above.]

Conclusion (27/28)
• Libnids packet dispatch mechanism
• Libnids can reassemble suspended packets
• It does not consume a lot of memory
• Packet header information is delivered to the AP layer

Thank you (28/28)
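The packet dispatch mechanism of slides 10 and 14 to 16 can be modelled with a small queue per TCP direction. The code below is an added example written for this page and is not libnids code: out-of-order segments are held in a queue sorted by sequence number and, as in the original libnids, released only when the gap in front of them is filled; the three dispatch triggers (a FIN/RST arrives, a new segment lands outside the current sliding window, the user-defined hold timeout expires) force the held segments out to the application and record where data was skipped, so the application can tell that a gap exists instead of waiting forever and keeping the segments in memory. The names `struct stream`, `stream_input`, `stream_tick`, `dispatch_held`, the window size, the timeout and all sequence numbers are constructed for the example; sequence-number wraparound and retransmission are not modelled.

```c
/* Added example for this page (not libnids code): a toy model of the packet
 * dispatch mechanism.  Out-of-order TCP segments are held in a queue sorted by
 * sequence number and normally released only once the gap before them is
 * filled.  Three triggers force the held segments out to the application (AP):
 * 1. a FIN or RST segment arrives; 2. a new segment falls outside the current
 * sliding window; 3. the user-defined hold timeout expires (stream_tick).
 * All names and numbers are constructed; wraparound/retransmission not modelled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HELD 16

struct seg { uint32_t seq, len; double t_arrival; int fin_rst; };

struct stream {
    uint32_t next_seq;          /* first byte the AP has not received yet     */
    uint32_t window;            /* sliding-window size in bytes               */
    double hold_timeout;        /* user-defined seconds a gap may stay open   */
    struct seg held[MAX_HELD];  /* out-of-order segments waiting behind a gap */
    int n_held;
    uint32_t delivered;         /* payload bytes handed to the AP             */
    int gaps;                   /* times delivery had to skip missing bytes   */
};

static void stream_init(struct stream *s, uint32_t isn, uint32_t window, double timeout)
{
    memset(s, 0, sizeof *s);
    s->next_seq = isn;
    s->window = window;
    s->hold_timeout = timeout;
}

/* Insert into the held queue, keeping it sorted by sequence number. */
static void hold(struct stream *s, struct seg seg)
{
    int i = s->n_held;
    if (i == MAX_HELD) return;                      /* toy: drop when full */
    for (; i > 0 && s->held[i - 1].seq > seg.seq; i--) s->held[i] = s->held[i - 1];
    s->held[i] = seg;
    s->n_held++;
}

/* Normal path: hand over held segments only while they are contiguous. */
static int deliver_contiguous(struct stream *s)
{
    int n = 0;
    while (s->n_held && s->held[0].seq <= s->next_seq) {
        uint32_t end = s->held[0].seq + s->held[0].len;
        if (end > s->next_seq) { s->delivered += end - s->next_seq; s->next_seq = end; }
        s->n_held--;
        memmove(&s->held[0], &s->held[1], (size_t)s->n_held * sizeof s->held[0]);
        n++;
    }
    return n;
}

/* Dispatch path: flush everything held, recording a gap wherever bytes are missing. */
static int dispatch_held(struct stream *s)
{
    int n = 0;
    while (s->n_held) {
        if (s->held[0].seq > s->next_seq) { s->gaps++; s->next_seq = s->held[0].seq; }
        n += deliver_contiguous(s);   /* releases the head and any now-contiguous followers */
    }
    return n;
}

/* Feed one segment; returns how many segments reached the AP because of it. */
static int stream_input(struct stream *s, uint32_t seq, uint32_t len, int fin_rst, double now)
{
    struct seg seg = { seq, len, now, fin_rst };
    int n = 0;
    if (!fin_rst && seq + len <= s->next_seq) return 0;               /* old or empty */
    if (seq + len > s->next_seq + s->window) n += dispatch_held(s);   /* trigger 2 */
    hold(s, seg);
    n += deliver_contiguous(s);
    if (fin_rst) n += dispatch_held(s);                               /* trigger 1 */
    return n;
}

/* Trigger 3: call periodically; flush if the oldest held segment waited too long. */
static int stream_tick(struct stream *s, double now)
{
    double oldest; int i;
    if (s->n_held == 0) return 0;
    oldest = s->held[0].t_arrival;
    for (i = 1; i < s->n_held; i++)
        if (s->held[i].t_arrival < oldest) oldest = s->held[i].t_arrival;
    return now - oldest >= s->hold_timeout ? dispatch_held(s) : 0;
}

int main(void)
{
    struct stream s;
    stream_init(&s, 1000, 4000, 5.0);      /* constructed ISN, window, timeout */
    stream_input(&s, 1000, 100, 0, 0.0);   /* in order: delivered at once */
    stream_input(&s, 1100, 100, 0, 0.1);
    stream_input(&s, 1300, 100, 0, 0.2);   /* bytes 1200..1299 never arrive: held */
    stream_input(&s, 1400, 100, 0, 0.3);
    printf("held=%d delivered=%u\n", s.n_held, s.delivered);
    stream_tick(&s, 6.0);                  /* timeout expired: held segments released */
    printf("held=%d delivered=%u gaps=%d\n", s.n_held, s.delivered, s.gaps);
    return 0;
}
```

The `gaps` counter is the part a monitor built on libnids actually needs: once held data is released past a hole, the analysis code must treat the stream as lossy rather than assume the bytes are contiguous, which is also why the improved library in the slides still reports below 100% on the late-packet tests.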