The Community for Technology Leaders
RSS Icon
Subscribe
Miami Beach, Florida, USA
Dec. 11, 2006 to Dec. 15, 2006
ISBN: 0-7695-2716-7
pp: 89-98
Randy Smith , University of Wisconsin-Madison, USA
Cristian Estan , University of Wisconsin-Madison, USA
Somesh Jha , University of Wisconsin-Madison, USA
ABSTRACT
Network Intrusion Detection Systems (NIDS) have become crucial to securing modern networks. To be effective, a NIDS must be able to counter evasion attempts and operate at or near wire-speed. Failure to do so allows malicious packets to slip through a NIDS undetected. In this paper, we explore NIDS evasion through algorithmic complexity attacks. We present a highly effective attack against the Snort NIDS, and we provide a practical algorithmic solution that successfully thwarts the attack. This attack exploits the behavior of rule matching, yielding inspection times that are up to 1.5 million times slower than that of benign packets. Our analysis shows that this attack is applicable to many rules in Snort?s ruleset, rendering vulnerable the thousands of networks protected by it. Our countermeasure confines the inspection time to within one order of magnitude of benign packets. Experimental results using a live system show that an attacker needs only 4.0 kbps of bandwidth to perpetually disable an unmodified NIDS, whereas all intrusions are detected when our countermeasure is used.
INDEX TERMS
null
CITATION
Randy Smith, Cristian Estan, Somesh Jha, "Backtracking Algorithmic Complexity Attacks against a NIDS", ACSAC, 2006, Computer Security Applications Conference, Annual, Computer Security Applications Conference, Annual 2006, pp. 89-98, doi:10.1109/ACSAC.2006.17
3 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool