The Community for Technology Leaders
Computer Security Applications Conference, Annual (2006)
Miami Beach, Florida, USA
Dec. 11, 2006 to Dec. 15, 2006
ISSN: 1063-9527
ISBN: 0-7695-2716-7
pp: 89-98
Somesh Jha , University of Wisconsin-Madison, USA
Randy Smith , University of Wisconsin-Madison, USA
Cristian Estan , University of Wisconsin-Madison, USA
Network Intrusion Detection Systems (NIDS) have become crucial to securing modern networks. To be effective, a NIDS must be able to counter evasion attempts and operate at or near wire-speed. Failure to do so allows malicious packets to slip through a NIDS undetected. In this paper, we explore NIDS evasion through algorithmic complexity attacks. We present a highly effective attack against the Snort NIDS, and we provide a practical algorithmic solution that successfully thwarts the attack. This attack exploits the behavior of rule matching, yielding inspection times that are up to 1.5 million times slower than that of benign packets. Our analysis shows that this attack is applicable to many rules in Snort?s ruleset, rendering vulnerable the thousands of networks protected by it. Our countermeasure confines the inspection time to within one order of magnitude of benign packets. Experimental results using a live system show that an attacker needs only 4.0 kbps of bandwidth to perpetually disable an unmodified NIDS, whereas all intrusions are detected when our countermeasure is used.
Somesh Jha, Randy Smith, Cristian Estan, "Backtracking Algorithmic Complexity Attacks against a NIDS", Computer Security Applications Conference, Annual, vol. 00, no. , pp. 89-98, 2006, doi:10.1109/ACSAC.2006.17
103 ms
(Ver 3.3 (11022016))