Detecting evasion attacks at high speeds without reassembly
Full text: PDF (268 KB)
Source: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Pisa, Italy
Session: Hardware
Pages: 327-338
Year of Publication: 2006
ISBN: 1-59593-308-5
Authors
George Varghese  Cisco Systems, UCSD
J. Andrew Fingerhut  Cisco Systems
Flavio Bonomi  Cisco Systems
Sponsors
SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 16,   Downloads (12 Months): 127,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1159913.1159951

ABSTRACT

Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that causes the attacker's flow to be diverted to a slow path. We prove that under certain assumptions this scheme can detect all byte-string evasions. We also show using real traces that the processing and storage requirements of this scheme can be 10% of that required by a conventional IPS, allowing reasonable cost implementations at 20 Gbps. While the changes required by Split-Detect may be a barrier to adoption, this paper exposes the assumptions that must be changed to avoid normalization and reassembly in the fast path.
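The fast-path / slow-path split the abstract describes, as an added example that is not code from the paper. The abstract does not say how the signature is cut into pieces, what counts as a small or out-of-order segment, or what the slow path does, so all of that is assumed here: k near-equal contiguous pieces; a diversion to the slow path after more than one segment shorter than 2p-1 bytes (p the longest piece) or after any out-of-order segment; and a slow path that is ordinary in-order reassembly followed by an exact match. The 2p-1 threshold is my own pigeonhole bound, not a figure from the paper, and evasion_possible() checks it exhaustively on a constructed 12-byte signature. The signature, the HTTP payloads and the TCP segments are constructed for the example.

```python
"""Toy model of Split-Detect: per-packet piece matching in a fast path,
reassembly only for flows that show a whole piece or abnormal framing.
Added illustration; the thresholds and splitting rule are assumptions."""
from itertools import combinations
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def split_signature(sig: bytes, k: int) -> List[bytes]:
    """Cut sig into k contiguous pieces whose lengths differ by at most one."""
    base, extra = divmod(len(sig), k)
    pieces, pos = [], 0
    for i in range(k):
        n = base + (1 if i < extra else 0)
        pieces.append(sig[pos:pos + n])
        pos += n
    return pieces


def min_segment_len(pieces: List[bytes]) -> int:
    """Pigeonhole bound (my reasoning): if no piece of length <= p lands whole
    in a segment, every piece is straddled by a segment boundary, and the k-1
    segments lying between those boundaries each cover at most 2p-2 bytes.
    So hiding all k pieces forces at least k-1 segments shorter than 2p-1."""
    return 2 * max(len(p) for p in pieces) - 1


def fast_path(segments: List[Segment], pieces: List[bytes],
              min_len: int, max_short: int) -> Tuple[str, str]:
    """Per-packet check keeping only an expected sequence number per flow.
    'hit' = a piece seen whole in one packet; 'divert' = framing the fast
    path refuses to reason about; 'clean' = nothing seen."""
    short_seen = 0
    expected = segments[0][0] if segments else 0  # assumed per-flow state
    for seq, payload in segments:
        if seq != expected:
            return "divert", f"out-of-order segment seq={seq}"
        expected = seq + len(payload)
        if len(payload) < min_len:
            short_seen += 1
            if short_seen > max_short:
                return "divert", f"{short_seen} short segments (< {min_len} bytes)"
        for piece in pieces:
            if piece in payload:
                return "hit", f"piece {piece!r} seen whole in one packet"
    return "clean", ""


def slow_path(segments: List[Segment], sig: bytes) -> bool:
    """Conventional path: reassemble in sequence order, then exact match."""
    stream = b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))
    return sig in stream


def inspect(segments: List[Segment], sig: bytes,
            k: int = 3, max_short: int = 1) -> Tuple[bool, str]:
    """Returns (signature present, which path decided it)."""
    assert k >= max_short + 2, "bound needs more pieces than tolerated short segments"
    pieces = split_signature(sig, k)
    verdict, why = fast_path(segments, pieces, min_segment_len(pieces), max_short)
    if verdict == "clean":
        return False, "fast path"
    # A piece hit is only a partial match, so it is confirmed by reassembly too.
    return slow_path(segments, sig), f"slow path ({why})"


def evasion_possible(sig: bytes, k: int, max_short: int) -> bool:
    """Exhaustively place segment boundaries inside the signature (attacker
    pads the first and last segment outside it to full length).  True if some
    placement hides every piece using at most max_short short segments."""
    pieces = split_signature(sig, k)
    t, L = min_segment_len(pieces), len(sig)
    piece_bounds, pos = [], 0
    for p in pieces:
        piece_bounds.append((pos, pos + len(p)))
        pos += len(p)
    for ncuts in range(L):
        for cuts in combinations(range(1, L), ncuts):
            b = (0,) + cuts + (L,)
            segs = list(zip(b, b[1:]))
            if any(a <= s and e <= z for a, z in segs for s, e in piece_bounds):
                continue  # some piece sits whole in a segment: caught
            if sum(1 for a, z in segs[1:-1] if z - a < t) <= max_short:
                return True
    return False


# Constructed sample traffic (not from the paper).
SIG = b"../../../etc/passwd"
ATTACK = b"GET /../../../etc/passwd HTTP/1.0\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n"
ATTACK_SINGLE = [(1000, ATTACK)]
ATTACK_FRAGMENTED = [(1000 + i, ATTACK[i:i + 4]) for i in range(0, len(ATTACK), 4)]
BENIGN_OOO = [(2013, BENIGN[13:]), (2000, BENIGN[:13])]  # second half arrives first
BENIGN_SINGLE = [(3000, BENIGN)]


def demo() -> dict:
    return {
        "attack_single": inspect(ATTACK_SINGLE, SIG),
        "attack_fragmented": inspect(ATTACK_FRAGMENTED, SIG),
        "benign_out_of_order": inspect(BENIGN_OOO, SIG),
        "benign_single": inspect(BENIGN_SINGLE, SIG),
        "k2_no_short_tolerated": not evasion_possible(b"abcdefghijkl", 2, 0),
        "k2_one_short_tolerated_evadable": evasion_possible(b"abcdefghijkl", 2, 1),
        "k3_one_short_tolerated": not evasion_possible(b"abcdefghijkl", 3, 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the toy makes visible. A piece hit is only a partial match, so its cost is a slow-path visit, and pieces that happen to be common substrings of benign traffic would send a great deal of it that way; the abstract does not say how the paper chooses split points. And the short-segment rule must tolerate the short final segment that nearly every real flow ends with, which is why the bound here needs k >= max_short + 2 pieces: with two pieces and one tolerated short segment, evasion_possible() finds an evasion, with three pieces it does not.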


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

[1]
[2]
[3]
[4]
[5] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood, "Deep packet inspection using parallel Bloom filters," Hot Interconnects, Aug. 2003.
[6] S. Dharmapurikar and V. Paxson, "Robust TCP stream reassembly in the presence of adversaries," Proceedings of the 14th USENIX Security Symposium, Baltimore, 2005.
[7] "The Future of the Internet," Red Herring, April 10, 2006.
[8] M. Handley, C. Kreibich, and V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," Proc. USENIX Security Symposium, May 2001.
[9]
[10] Nikto, http://www.cirt.net/code/nikto.shtml
[11] NSS Group, Intrusion Prevention Systems (IPS) Group Test (Edition 3), NSS Group, August 2005, http://www.nss.co.uk
[12]
[13] V. Paxson and M. Handley, "Defending Against NIDS Evasion using Traffic Normalizers," Second International Workshop on Recent Advances in Intrusion Detection, September 1999.
[14] T. Ptacek and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection," Secure Networks, Inc., Jan. 1998.
[15]
[16] C. Shannon, D. Moore, and k. claffy, "Characteristics of Fragmented IP Traffic on Internet Links," Workshop on Passive and Active Measurement, 2001.
[17] D. Song, Fragroute, 2002, http://www.monkey.org/dugsong/fragroute/

