"Why does MPTCP have to make things so complicated?": cross-path NIDS evasion and countermeasures

Loading...
Thumbnail Image
Authors
Foster, Henry August
Subjects
MPTCP
multipath PCP
Intrusion
Detection
Cross-path fragmentation
networking
IDS
session-making
Snort
proxy
Advisors
Xie, Geoffrey
Date of Issue
2016-09
Date
Sep-16
Publisher
Monterey, California: Naval Postgraduate School
Language
Abstract
A recent enhancement to Transmission Control Protocol (TCP) is Multipath TCP (TCP), a new transport layer protocol that enhances TCP to be capable of communicating over multiple paths by establishing several "subflow" connections between endpoints. Each subflow behaves in the same way that a traditional, single path, TCP connection would. Previous work has demonstrated that adversaries can perform cross-path data fragmentation to evade Network Intrusion Detection System (NIDS) when the NIDS in unable to integrate related subflows into a single MPTCP data stream. We present a general solution to enable current penetration testing tools to perform MPTCP cross-path fragmentation attacks. On the defensive side, we demonstrate that existing transport layer proxies can be used in conjunction with an MPTCP kernel to transparently convert a multipath connection into a single-path connection that can be analyzed by a NIDS. We also investigate extending Short to perform MPTCP stream reassembly and create a prototype Snort plugin for accomplishing this functionality.
Type
Thesis
Description
Series/Report No
Department
Computer Science
Organization
Identifiers
NPS Report Number
Sponsors
Funder
Format
Citation
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
Copyright is reserved by the copyright owner.
Collections