LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

More documents

Recommendations

Info

5 Implementation Ambiguity Resolution via Passive OS Fingerprinting 201 The current version of the NFR IDS sensor implements both IP fragment and TCP overlapping segment ambiguity resolution. Concerning IP fragmentation, five common variations exist [1]: – BSD: left-trim incoming fragments to existing fragments with a lower or equal offset; discard if they overlap completely – BSD-Right: Same as BSD, except right-trim existing fragments when a new fragment overlaps – Linux: Same as BSD, except only fragments with a lower offset are trimmed – First: always accept the first value received – Last: always accept the last value received. The IP fragment reassembly engine implements all five of the observed policies described in [1]. The TCP Re-sequencing engine emulates the BSD and Last policies also described in [1]. The rest of this section describes how the sensor utilizes the fingerprint tables at runtime. 5.1 Performing a Lookup Operation During runtime, TCP SYN and SYNACK values for TCP traffic seen by the IDS are kept in a cache. The cache is keyed by IP address, so if an entry already exists its values are overwritten. Once it is deemed necessary to perform a lookup of a particular IP address to determine its operating system type (this event is triggered by an ambiguity on the wire), we first need to see if any cached SYN or SYNACK information is available in the cache. If SYN information is available, we can perform a lookup of the SYN values in the SYN table containing the mappings. If SYNACK information is available for that particular IP (corresponding to a server process), then we take the encoded value of the TCP options present in the SYN segment, as shown in Table 2, corresponding to the SYNACK, and hash into one of 16 fingerprint sub-tables to match the SYNACK TCP/IP values. A successful lookup will give the sensor access to its ambiguity resolution policies. Whether the ambiguity is with overlapping IP fragments or overlapping TCP segments, the sensor can perform the proper correction and push the correctly sequenced data up the protocol stack. 5.2 Best-Match Fingerprinting Xprobe2[10] utilizes a “fuzzy” approach to actively fingerprinting remote hosts. In a similar fashion, we employ a best-match algorithm to obtain a best guess of the host’s operating system type in the situation where no exact match is found. When a lookup is attempted, as described in section 5.1, and fails to find an entry in the SYN or SYNACK fingerprint tables, we invoke the best-match algorithm. Upon failure, then we iterate over every entry in the particular table
202 G. Taleck that failed (either the SYN table or one of the 16 SYNACK sub-tables) and tally a score for each field. Once all fingerprint scores have been calculated, the highest score wins. 6 Resource Consumption With ever-increasing network speeds, it is important for the network analysis of packets by an IDS to be as fast as possible. To this end, a number of optimizations have been made to satisfy the constraints placed on the IDS sensor. 6.1 On-demand Resolution Since detecting the OS type can be an O(n) operation, the SYN and SYNACK data from an IP are cached in a tree based upon the IP address of the host. To prevent dubious SYN/SYNACK entries from flooding the cache, the insertion is only done once the three-way handshake is complete and we understand a complete connection has been made. There is little sense in occupying resources for some port scan or even a flood. When an ambiguity arises in future traffic received by the IDS, a lookup is performed on the IP address of the host receiving the ambiguous packets, and a decision is made as to how to resolve the ambiguity. With this approach, only costly operations are performed when necessitated by the network traffic. 6.2 Fingerprint Caching As described in the previous section, when an ambiguity arises, a lookup is made into the IP SYN/SYNACK cache. If an entry is found that matches the destination IP address of the packet(s) containing the ambiguity, the values of the SYN/SYNACK entry are used to look up the OS type in a fingerprint cache. Since the IDS does not perform any computationally intensive operations until an ambiguity arises, the average runtime cost is merely the cost of caching SYN and SYNACK information. The resulting computational overhead is negligible. At cold start, this cache is initialized to contain all the fingerprints of the database, built as described in Section 4. During runtime, if the lookup of the OS type in the fingerprint cache fails, the best-match algorithm is invoked to make a best guess. This resulting value is then inserted as a new entry into the fingerprint cache, such that any following lookup will result in a cache hit. 6.3 Memory Utilization The two caches used for the SYN/SYNACK lookup tree and the OS fingerprint tree can grow to very large sizes. Even though the amount of memory per entry may be small, an IDS monitoring a large network can quickly expand the size of these caches. Our implementation does not limit the size of these caches; rather,
Page 1 and 2: Ambiguity Resolution via Passive OS
Page 3 and 4: 194 G. Taleck 2.2 Traffic Normaliza
Page 5 and 6: 196 G. Taleck IDS Client Server SYN
Page 7 and 8: 198 G. Taleck Minimal FTP Client FT
Page 9: 200 G. Taleck Table 2. Encoding of
Page 13 and 14: 204 G. Taleck The “freshness” o
Page 15: 206 G. Taleck 7. Fyodor: Remote OS

LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

Create successful ePaper yourself

Delete template?

Save as template?