"Why Does MPTCP Have To Make Things So Complicated?": Cross-Path NIDS Evasion and Countermeasures

Technical Report | Accession Number: AD1029760

Abstract:

A recent enhancement to the Transmission Control Protocol (TCP) is Multipath TCP (MPTCP), a transport layer protocol that extends TCP to communicate over multiple paths by establishing several subflow connections between the endpoints. Each subflow behaves in the same way that a traditional, single-path TCP connection would. Previous work has demonstrated that adversaries can perform cross-path data fragmentation to evade Network Intrusion Detection Systems (NIDS) when the NIDS is unable to integrate the related subflows into a single MPTCP data stream. We present a general solution that enables current penetration testing tools to perform MPTCP cross-path fragmentation attacks. On the defensive side, we demonstrate that existing transport layer proxies can be used in conjunction with an MPTCP kernel to transparently convert a multipath connection into a single-path connection that a NIDS can analyze. We also investigate extending Snort to perform MPTCP stream reassembly and create a prototype Snort plugin that implements this functionality.
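The following is an added illustration of the evasion and the reassembly countermeasure summarized in the abstract; it is not code from the report, the Snort plugin, or any penetration testing tool. It is a toy model: sequence numbers are relative, the DSS checksum, data-level ACKs and the subflow handshake are omitted, and the HTTP request and the signature string are constructed inputs. It shows that round-robin splitting of a payload over two subflows leaves each subflow looking like an ordinary, gap-free TCP connection that carries no complete signature, while reassembly keyed on the MPTCP data sequence number (DSN) recovers the original stream, the same byte stream an MPTCP-terminating proxy would forward on its single-path leg. It also shows what happens when one subflow never passes the sensor.

```python
"""Added example (not from the report): toy model of MPTCP cross-path
fragmentation and of the DSN-based reassembly a countermeasure needs.
Sequence numbers are relative; DSS checksum, data ACKs and the subflow
handshake are omitted. REQUEST and SIGNATURE are constructed inputs."""
from __future__ import annotations
from dataclasses import dataclass
import random

# Constructed inputs: a request a signature-based NIDS would flag, and the signature.
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"
SIGNATURE = b"/etc/passwd"


@dataclass(frozen=True)
class Segment:
    subflow: int  # which subflow (path) carried this segment
    ssn: int      # subflow-level TCP sequence number (relative)
    dsn: int      # MPTCP data sequence number from the DSS option (relative)
    data: bytes


def cross_path_fragment(stream: bytes, n_subflows: int, chunk: int) -> list[Segment]:
    """Attacker side: cut the stream into chunks and round-robin them over subflows.
    Every subflow keeps a gap-free sequence space of its own, so each one looks
    like an ordinary TCP connection to a per-connection inspector."""
    segments = []
    next_ssn = [0] * n_subflows
    dsn = 0
    for index, offset in enumerate(range(0, len(stream), chunk)):
        piece = stream[offset:offset + chunk]
        sf = index % n_subflows
        segments.append(Segment(sf, next_ssn[sf], dsn, piece))
        next_ssn[sf] += len(piece)
        dsn += len(piece)
    return segments


def reassemble_per_subflow(segments: list[Segment]) -> dict[int, bytes]:
    """What a legacy NIDS does: reassemble each TCP connection (subflow) on its own."""
    streams = {}
    for sf in sorted({s.subflow for s in segments}):
        ordered = sorted((s for s in segments if s.subflow == sf), key=lambda s: s.ssn)
        streams[sf] = b"".join(s.data for s in ordered)
    return streams


def reassemble_mptcp(segments: list[Segment]) -> tuple[bytes, bool]:
    """MPTCP-aware reassembly: order by DSN regardless of subflow.
    Returns (contiguous data from DSN 0, complete). It stops at the first hole
    so a subflow the sensor never saw is reported as incomplete, not ignored.
    This is also the byte stream an MPTCP-terminating proxy forwards single-path."""
    out = bytearray()
    expected = 0
    for s in sorted(segments, key=lambda s: s.dsn):
        if s.dsn > expected:
            return bytes(out), False          # hole in the data sequence space
        if s.dsn + len(s.data) <= expected:
            continue                          # duplicate / retransmission
        out += s.data[expected - s.dsn:]      # trim overlap with data already held
        expected = s.dsn + len(s.data)
    return bytes(out), True


def legacy_nids_alerts(segments: list[Segment]) -> bool:
    return any(SIGNATURE in data for data in reassemble_per_subflow(segments).values())


def mptcp_nids_alerts(segments: list[Segment]) -> bool:
    data, complete = reassemble_mptcp(segments)
    return complete and SIGNATURE in data


# Two subflows, 4-byte chunks: no single subflow carries the 11-byte signature intact.
FRAGMENTS = cross_path_fragment(REQUEST, n_subflows=2, chunk=4)


def demo_out_of_order() -> tuple[bytes, bool]:
    """Paths differ in latency, so the sensor sees segments interleaved arbitrarily."""
    shuffled = list(FRAGMENTS)
    random.Random(1).shuffle(shuffled)
    return reassemble_mptcp(shuffled)


def demo_unmonitored_path() -> tuple[bytes, bool]:
    """One subflow bypasses the sensor: DSN reassembly reports the hole instead of
    silently yielding a partial stream (hence a proxy that funnels all subflows)."""
    seen = [s for s in FRAGMENTS if s.subflow == 0]
    return reassemble_mptcp(seen)


if __name__ == "__main__":
    print("per-subflow streams:", reassemble_per_subflow(FRAGMENTS))
    print("legacy NIDS alerts: ", legacy_nids_alerts(FRAGMENTS))
    print("MPTCP-aware alerts: ", mptcp_nids_alerts(FRAGMENTS))
    print("out of order:       ", demo_out_of_order())
    print("unmonitored path:   ", demo_unmonitored_path())
```

With two subflows and 4-byte chunks, subflow 0 sees "GET -bin../easswTP/1" followed by a CRLF and subflow 1 sees "/cgi/../tc/pd HT.1" plus CRLF; neither contains the signature, so the per-subflow check stays silent while DSN reassembly rebuilds the full request and alerts. Stopping at the first DSN hole is deliberate: a sensor that only sees some paths must treat the stream as unverifiable rather than inspect a partial copy.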

Distribution Statement: Approved for public release

Collection: TR