"Why does MPTCP have to make things so complicated?": cross-path NIDS evasion and countermeasures
Foster, Henry August
A recent enhancement to Transmission Control Protocol (TCP) is Multipath TCP (MPTCP), a new transport layer protocol that enhances TCP to be capable of communicating over multiple paths by establishing several "subflow" connections between endpoints. Each subflow behaves in the same way that a traditional, single-path TCP connection would. Previous work has demonstrated that adversaries can perform cross-path data fragmentation to evade a Network Intrusion Detection System (NIDS) when the NIDS is unable to integrate related subflows into a single MPTCP data stream. We present a general solution to enable current penetration testing tools to perform MPTCP cross-path fragmentation attacks. On the defensive side, we demonstrate that existing transport layer proxies can be used in conjunction with an MPTCP kernel to transparently convert a multipath connection into a single-path connection that can be analyzed by a NIDS. We also investigate extending Snort to perform MPTCP stream reassembly and create a prototype Snort plugin for accomplishing this functionality.
Approved for public release; distribution is unlimited.