A typical computer networking system may include, among other things, an intrusion detection system (IDS) configured to monitor network traffic and to block attempted attacks on or intrusions into the protected network space. Such intrusion detection systems may coexist with various types of firewalls, packet monitors, and other devices and typically include intrusion sensing functions (e.g., advanced routers). These systems include both active and passive devices and may be generally referred to as “sensors.” Passive network sensors, for example, may utilize “promiscuous mode” access: a promiscuous network monitoring device, commonly referred to as a sniffer, examines copies of all of the packets directly from the network media, regardless of packet destination. Active sensors may read the packet off the network, store it until it is processed, and write it back to the network, possibly with modification.
One way to circumvent a conventional IDS is to use the time to live (TTL) field of the conventional Internet Protocol (IP) packet to confuse (or “de-synchronize”) the sensor. This is a desirable goal for the attacker because a de-synchronized IDS typically “fails open,” i.e., it stops applying its policy and filtering rules and allows all traffic to pass through. Ill-intentioned people have been known to send a TCP/IP packet with a TTL set low enough (e.g., TTL=1) so that the packet reaches the sensor but does not make it to the destination host. Since this packet is only seen by the sensor and not the end host, its only purpose is to confuse the IDS with a data stream that the end host will never process. On retransmission, however, the attacker sends a packet with a higher TTL (such as TTL=50 or 55), but now containing malicious data in the payload field. “Malicious data” includes a virus or other software code designed to subvert or disable the target host. The “retransmitted” TCP packet passes through the IDS sensor because the sensor assumes that any packet received with a previously seen TCP sequence number is a retransmit packet and does not try to re-analyze the data payload. Re-analysis of retransmit packets is generally considered too difficult because IDS sensors do not store the state they were in when the packet was first received: that kind of packet inspection is very costly in terms of processor resources and throughput/latency impacts. Typically, packet state is only maintained for the original packet, and even that state is limited to a few bytes of data.
The malicious packet will thus be sent on unimpeded to the destination host in accordance with conventional IP routing protocols. Furthermore, there are other ways of de-synchronizing an IDS that allow a maliciously-formed retransmit packet to bypass IDS protection. This type of attack is sometimes called an “overwrite” attack because the attacker is attempting to insert code by overwriting the data payload in a retransmit packet. The end host will accept the bad packet because the original packet (the packet that timed out) will not have been seen and acknowledged by the end host. Once the bad payload arrives at the end host, it may then initiate or trigger an attack on the end host or on other hosts in the network.
By design, the only difference between the original packet and its corresponding retransmit packet are the “mutable” fields within the IP packet header, such the TTL field, and the mutable fields within the TCP header, such as the Flags and Acknowledgement Number fields. The TCP packet (encapsulated within the IP data payload field) is supposed to be unchanged from the original TCP/IP transmission.
Intrusion detection systems and the various types of insertion, evasion, and overwrite attacks are generally described in (for example) T. H. Ptacek and T. N. Newsham, Insertion, Evasion, and Denial Of Service: Eluding Network Intrusion Detection, Secure Networks, Inc. (January 1998), http://www.acri.org/vern/Ptacek-Newsham-Evasion-98.ps (visited on Mar. 19, 2003); V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Computer Networks, 31 (23-24) pp. 2435-2463 (December 1999); and M. Handley, V. Paxson, and C. Kreibich, Network Intrusion Detection: Evasion, Traffic Normalization, and End-To-End Protocol Semantics, Proc. USENIX Security Symposium 2001, http://www.icir.org/vern/papers/-norm-usenix-sec-01-html/index.html (visited on Mar. 19, 2003), incorporated herein by reference in their entireties.