2010/01/30

gfw的前世今生

标题的GFW之所以加上引号是因为,GFW是局外人起的绰号,它的真实称呼并非如
此,但"GFW"也确实如实涵盖了这一在中国一贯隐晦而模糊的概念。
时间表
- 1998年9月22日,公安部部长办公会议通过研究,决定在全国公安机关开展全国
公安工作信息化工程――"金盾工程"建设。
- 1999年4月20日,公安部向国家计委送交金盾工程立项报告和金盾工程项目建议
书。
- 1999年4月25日,上万名法轮功练习者围攻中南海。
- 1999年6月,国家计算机网络与信息安全管理中心成立,局级事业单位。
- 1999年7月22日,中华人民共和国政府宣布法轮功妨碍国家安全和社会稳定,认
定法轮大法研究会及法轮功为非法组织,决定予以取缔。
- 1999-2000年,在哈尔滨工业大学任教多年的方滨兴调任国家计算机网络与信息
安全管理中心副总工程师。
- 1999年12月23日,国务院发文成立国家信息化工作领导小组,国务院副总理吴邦
国任组长。其第一下属机构计算机网络与信息安全管理工作办公室设在已经成立的
国家计算机网络与信息安全管理中心,取代计算机网络与信息安全管理部际协调小
组,对"公安部、安全部、保密局、商用密码管理办公室以及信息产业部"等部门的
网络安全管理进行组织协调。
- 2000-2002年,方滨兴在国家计算机网络与信息安全管理中心任总工程师、副主
任、教授级高级工程师。
- 2000年4月20日,公安部成立金盾工程领导小组及办公室。
- 2000年5月,005工程开始实施。
- 2000年8月19日,大纪元时报创刊。
- 2000年10月,信息产业部组建计算机网络应急处理协调中心。
- 2000年12月28日,第九届全国人民代表大会常务委员会第十九次会议通过《关于
维护互联网安全的决定》。
- 2001年,方滨兴"计算机病毒及其预防技术"获国防科学技术三等奖,排名第一。
- 2001年,方滨兴获国务院政府特殊津贴、信息产业部"在信息产业部重点工程中
做出突出贡献特等奖先进个人"称号,中组部、中宣部、中央政法委、公安部、民
政部、人事部等联合授予"先进个人"称号。
- 2001年1月19日,国家计算机网络与信息安全管理中心上海分中心成立,位于上
海市黄浦区中山南路508号6楼。国家计算机网络应急技术处理协调中心上海分中心
是工业和信息化部直属的中央财政全额拨款事业单位。
- 2001年4月25日,"金盾工程"经国务院批准立项。
- 2001年7月,计算机网络与信息安全管理工作办公室批准哈尔滨工业大学建立国
家计算机信息内容安全重点实验室,胡铭曾、方滨兴牵头。
- 2001年7月24日,国家计算机网络与信息安全管理中心广州分中心成立,位于广
州市越秀区建中路2、4号。
- 2001年8月8日,国家计算机网络与信息安全管理中心组建国家计算机网络应急处
理协调中心,缩写CNCERT/CC。
- 2001年8月23日,国家信息化领导小组重新组建,中央政治局常委、国务院总理
朱 基任组长。
- 2001年11月28日,国家计算机网络与信息安全管理中心上海互联网交换中心成
立。提供"互联网交换服务,互联网骨干网华东地区数据交换,数据流量监测与统
计,网间通信质量监督,交换中心设备维护与运行,网间互联费用计算,网间互联
争议协调",位于上海市黄浦区中山南路508号。
- 2001年11月28日,国家计算机网络与信息安全管理中心广州互联网交换中心成
立,位于广州市越秀区建中路204号。
- 2001年12月,在北京的国家计算机网络与信息安全管理中心综合楼开始兴建。
- 2001年12月17日,国家计算机网络与信息安全管理中心湖北分中心成立。
- 2002年,方滨兴任中国科学院计算技术研究所客座研究员、博士生导师、信息安
全首席科学家。2002-2006年,方滨兴在国家计算机网络与信息安全管理中心任主
任、总工程师、教授级高级工程师,升迁后任其名誉主任。
- 2002年1月25日,报道称:"国家计算机网络与信息安全管理中心上海互联网交换
中心日前开通并投入试运行,中国电信、中国网通、中国联通、中国吉通等4家国
家级互联单位首批接入。中国移动互联网的接入正在进行之中,近期可望成为第五
家接入单位。"
- 2002年2月1日,国家计算机网络与信息安全管理中心新疆分中心成立。
- 2002年2月25日,国家计算机网络与信息安全管理中心贵州分中心成立。
- 2002年3月20日,多个国家计算机网络与信息安全管理中心省级分中心同时成
立。
- 2002年9月3日,Google.com被封锁,主要手段为DNS劫持。
- 2002年9月12日,Google.com封锁解除,之后网页快照等功能被封锁,手段为
TCP会话阻断。
- 2002年11月,经费6600万的国家信息安全重大项目"大范围宽带网络动态阻断系
统"(大范围宽带网络动态处置系统)项目获国防科学技术二等奖。云晓春排名第
一,方滨兴排名第二。哈尔滨工业大学计算机网络与信息内容安全重点实验室李
斌、清华大学计算机系网络技术研究所、清华大学网格计算研究部杨广文有参与。
- 2003-2007年,方滨兴任信息产业部互联网应急处理协调办公室主任。
- 2003年1月31日,经费4.9亿的国家信息安全重大项目"国家信息安全管理系
统"(005工程)获2002年度国家科技进步一等奖,方滨兴排名第一,胡铭曾排名第
二,清华大学排名第三,哈尔滨工业大学排名第四,云晓春排名第四,北京大学排
名第五,郑纬民排名第七,中国科学院计算技术研究所有参与。
- 2003年2月,在北京的国家计算机网络与信息安全管理中心综合楼工程竣工。
- 2003年7月,国家计算机网络应急处理协调中心更名为国家计算机网络应急技术
处理协调中心。
- 2003年9月2日,全国"金盾工程"会议在北京召开,"金盾工程"全面启动。
- 2004年,国家信息安全重大项目"大规模网络特定信息获取系统",经费
7000万,获国家科技进步二等奖。
- 2005年,方滨兴任国防科学技术大学兼职教授、特聘教授、博士生导师。
- 2005年,方滨兴被遴选为中国工程院院士。
- 2005年,"该系统"已经在北京、上海、广州、长沙建立了互相镜像的4套主系
统,之间用万兆网互联。每套系统由8CPU的多节点集群构成,操作系统是红旗
Linux,数据库用的是OracleRAC。2005年国家计算机网络与信息安全管理中心(北
京)就已经建立了一套384*16节点的集群用于网络内容过滤(005工程)和短信过
滤(016工程)。该系统在广州、上海都有镜像,互相以十万兆网链接,可以协同
工作,也可以独立接管工作。
- 2006年11月16日,"金盾工程"一期在北京正式通过国家验收,其为"为中华人民
共和国公安部设计,处理中国公安管理的业务,涉外饭店管理,出入境管理,治安
管理等的工程"。
- 2007年4月6日,国家计算机网络与信息安全管理中心上海分中心机房楼奠基,位
于康桥镇杨高南路5788号,投资9047万元,"……是国家发改委批准实施的国家级重
大项目,目前全国只有北京和上海建立了分中心,它是全国互联网信息海关,对保
障国家信息安全担负着重要作用。"
- 2007年7月17日,大量使用中国国内邮件服务商的用户与国外通信出现了退信、
丢信等普遍现象。
- 2007年12月,方滨兴任北京邮电大学校长。
- 2008年1月18日,信息产业部决定免去方滨兴的国家计算机网络与信息安全管理
中心名誉主任、信息产业部互联网应急处理协调办公室主任职务,"另有职用"。
- 2008年2月29日,方滨兴当选第十一届全国人民代表大会安徽省代表。
- 2009年8月10日,方滨兴在"第一届中国互联网治理与法律论坛"上大力鼓吹网络
实名制。
机构关系
国家计算机网络与信息安全管理中心(安管中心)是原信产部现工信部的直属部
门。
安管中心与国家信息化工作领导小组计算机网络与信息安全管理工作办公室与国家
计算机网络应急技术处理协调中心(CNCERT/CC,互联网应急中心)是一个机构几
块牌子的关系。比如方滨兴简历中"1999-2000年在国家计算机网络应急技术处理协
调中心任副总工"与"计算机网络应急处理协调中心"的成立时间两种说法就有着微
妙的矛盾。实际上几个机构的人员基本一致。
安管中心下属互联网交换中心与国家互联网络交换中心是不同的机构。
各安管中心省级分中心一般挂靠当地的通信管理局。
安管中心的主要科研力量来自"哈尔滨工业大学一定会兴盛"方滨兴当博导有一批学
生的哈工大以及关系良好的中科院计算所,这两个机构是那三个国家信息 安全重
大项目的主要参与者,之后还在不断吸引人才并为安管中心输送人才和技术。在方
滨兴空降北邮之后,往安管中心输血的成分中哈工大的逐渐减少,北邮的逐 渐增
多。
CNCERT/CC的国内"合作伙伴"有中国互联网协会主办北京光芒在线网络科技有限公
司承办的中国互联网用户反垃圾邮件中心,是个没有实权的空壳;国家反计算机入
侵及防病毒研究中心、国家计算机病毒应急处理中心,是公安部、科技部麾下;违
法和不良信息举报中心是国新办势力范围;国家计算机网络入侵防范中心是中科院
研究生院的机构,同样直接支撑CNCERT/CC。
CNCERT/CC的应急支撑单位中民营企业最初领跑者是绿盟,后来绿盟因其台谍案被
罢黜,启明星辰取而代之。而安管中心具有一些资质认证、准入审 批的行政权
力,这可能是民间安全企业趋之若骛的原因。不过,民营企业并未参与到国家信息
安全的核心项目建设中,安管中心许多外围项目交给民企外企做,比如 像隔离器
之类的访问限制设备外包给启明星辰以作为辅助、备用,或者在与他们在网络安全
监测上有所交流。
GFW与金盾没有关系
敏锐的读者从时间表应该已经看出这样的感觉了。实际上,GFW与金盾就是没有关
系,两者泾渭分明,有很多区别。
公安系统搞网络监控的是公安部十一局
GFW是“国家信息关防工程”的一个子工程,直接上级是国家信息化工作领导小组和
信息产业部 是政治局亲自抓的国防工程
这个工程主要监测发现有害网站和信息,IP地址定位,网上对抗信息的上报,跟踪有害短信息和
及时进行封堵 江泽民,朱镕基,胡锦涛,李岚清,吴邦国等多次视察该工程
“国家信息关防工程”包括 “国家信息安全管理系统 工程代号为005。还有国家
信息安全016工程等等
GFW主要是舆情 情报系统的工具,而金盾主要是公安系统的工具。GFW的总支持者是负责
宣传工作的李长春,和张春江 江绵恒 最初的主要需求来自政治局 政法委 安全部 610办 ;
而金盾的 总支持者是公安
系统的高层人士,主要需求来自公安部门。GFW主外,作网络海关用;而金盾主
内,作侦查取证用。GFW建设时间短,花费少,成效好;而金盾 建设时间长,花费
巨大(GFW的十倍以上),成效不显著。
GFW依附于三个国家级国际出入口骨干网交换中心
从CRS GSR流量分光镜像到自己的交换中心搞入侵检测,再扩散到一些放在ISP那里的
路由封IP,位置集中,设备数量少;而金盾则是公安内部信息网络,无处
不在,数量巨大。GFW的科研实力雄厚,国内研 究信息安全的顶尖人才和实验室有
不少在为其服务,比如哈工大信息安全重点实验室、中科院计算所 软件所 高能所 国防科大
总参三部 安全部9局 北邮 西电 、 上海交大 北方交大 北京电子科技学院
解放军信息工程学院 解放军装甲兵工程学院 信产部中电30所 总参56所等等;
另外几乎所有985 211高校都参与此工程
一些公司商业机构也参与某些外围工程项目如 Websense packeteer BlueCoat 华为
北大方正 港湾 启明星辰 神州数码也提供了一些辅助设备
中搜 奇虎 北京大正 雅虎等等参与了搜索引擎安全管理系统
在某些省市级的网络机房里,接入监控的部门就五花八门了,有安全、公安、纪检、部队,等等
部署的设备也是五花八门 正规军 杂牌军 洋外援各自为战
而金
盾的科研实力较弱,公安系统的公安部第三研究所信息网络安全研发中心、国家反
计算机入侵与防病毒研究中心都缺乏科研力量和科研成果,2008年8月成立信息网
络安全公安部重点实验室想 与哈工大的重点实验室抗衡,还特意邀请方滨兴来实
验室学术委员会,不过这个实验室光是电子数据取证的研究方向就没什么前景,而
且也没什么研究成果。GFW 之父方滨兴没有参与金盾工程,而工程院里在支持金盾
工程的是沈昌祥;实际上那个公安部重点实验室的学术委员会名单很是有趣,沈昌
祥自然排第一,方滨兴因为 最近声名太显赫也不好意思不邀请他,方滨兴可能也
有屈尊与公安系统打好关系的用意。
GFW发展和状况
GFW主要使用的硬件来自曙光和华为,没有思科、Juniper,软件大部为自主开发。
原因很简单,对国家信息安全基础设施建设,方滨兴在他最近的 讲话《五个层面
解读国家信息安全保障体系》中也一直强调"信息安全应该以自主知识产权为主"。
何况GFW属于保密的国防工程
而且GFW没有闲钱去养洋老爷,肥水不流外人田。李国杰是 工程院信息工程部主
任、曙光公司董事长、中科院计算所所长,GFW的大量服务器设备订单都给了曙
光。方滨兴还将安管中心所需的大型机大订单给李国杰、国防 科大卢锡城、总参
56所陈左宁三位院士所在单位各一份。所以GFW为什么那么多曙光的设备,GFW为什
么那么多中科院计算所的科研力量,为什么方滨兴成为 中科院计算所和国防科大
都有显赫的兼职,为什么方滨兴从老家哈尔滨出来打拼短短7年时间就入选工程院
卢浮宫?就是因为方滨兴头脑灵活,做事皆大欢喜。
网上有人讽刺GFW夜郎自大,事实上这是盲目乐观,无知者无畏。GFW的技术是世界
顶尖的,GFW集中了哈工大、中科院、北邮货真价实的顶尖人才, 科研力量也是实
打实地雄厚,什么动态SSL Freenet VPN SSH TOR GNUnet JAP I2P Psiphon
什么Feed Over Email 算什么葱。所有的翻墙方法,
只要有人想得到,GFW都有研究并且有反制措施的实验室方案储备
比如说 串接式封堵 采用中间人攻击手段来替换加密通信双方所用的没有经过可信赖CA签名保护的数字证书
网关/代理间的证书协调,
在出口网关上进行解密检测也就是所谓深度内容检测 七层过滤
HTTPS 是需要认证的。客户端访问服务器时,服务器端提供CA证书,但有些实现也可以不提供CA证书
那么对于不提供CA证书的服务器,防火墙处理很简单,一律屏蔽掉
另外检测默认的CA发证机构,如果证书不是这些机构(Verisign、Thawte Geotrust)发的,杀无赦
就是在客户端与服务器端进行https握手的阶段,过滤掉一切无CA证
书或使用不合法CA证书的https请求。这一步是广谱过滤,与服务器的IP地址无关
。GFW主要是入侵防御
系统,检测-攻击两相模型。 所有传输层明文的翻墙方案,检测然后立即进行攻击
是很容易的事情;即使传输层用TLS之类的加密无法实时检测,那种方案面向最终
用户肯定是透明的,谁也不 能阻止GFW也作为最终用户来静态分析其网络层可检测
特征。入侵检测然后TCP会话重置攻击算是干净利落的手段了,最不济也能通过人
工的方式来查出翻墙方 法的网络层特征(仅仅目标IP地址就已经足够)然后进行
定点清除。如果是一两个国家的敌人,GFW也能找到集群来算密钥。GFW是难得能有
中央财政喂奶的 科研项目。那些在哈工大地下室、中科院破楼里的穷研究生即使
没有钱也能搞出东西来,现在中央财政喂奶,更是干劲十足了。GFW什么都行,就
是P2P没办 法,因为匿名性太好了,既不能实时检测出来,也无法通过静态分析找
到固定的、或者变化而可跟踪的网络层特征。就这样也能建两个陷阱节点搞点小破
坏,而且中 科院的242项目"P2P协议分析与测量"一直都没停。什么时候国外开学
术会议还是Defcon谁谁发一篇讲Tor安全性的paper,立即拿回来研究一 番实现一
下,已然紧跟学术技术最前沿了。不过实际上,即使GFW这样一个中国最顶尖的技
术项目也摆脱不了山寨的本性,就是做一个东西出来很容易,但是要把东西做细致
就不行了。
不过可能有人就疑问,为什么GFW什么都能封但又不真的封呢?我的这个翻墙方法
一直还是好好的嘛。其实GFW有它自己的运作方式。GFW从性质上讲 是纯粹的科研
技术部门,对政治势力来说是一个完全没有主观能动性的工具。GFW内部有很严格
权限管理,技术与政治封装隔离得非常彻底。封什么还是解封什 么,都是完全由
上峰决定,党指挥枪,授权专门人员操作关键词列表,与技术实现者隔离得很彻
底,互相都不知道在做什么。所以很多时候一些莫名其妙的封禁比如 封
freebsd.org封freepascal.org(可能都联想到freetibet.org),或者把跟轮子的
GPass八杆子打不着的"package.debian.org/zh-cn/lenny/gpass" 列为关键词,都
是那些摆弄着IE6的官僚们的颐指气使,技术人员要是知道了都得气死。方滨兴在
他最近的讲话《五个层面解读国家信息安全保障体系》中讲一个 立足国情的原
则,说:"主要是强调综合平衡安全成本与风险,如果风险不大就没有必要花太大
的安全成本来做。在这里面需要强调一点就是确保重点的,如等级保 护就是根据
信息系统的重要性来定级,从而施加适当强度的保护。"所以对于小众的翻墙方
式,GFW按照它的职能发现了也就只能过一下目心里有个底,上峰根本 都不知道有
这么一种方式所以也根本不会去封、GFW自己也没权限封,或者知道了也懒得再花
钱花精力去布置。枪打出头鸟,什么时候都是这样。
目前的状况是对于敏感数据能通过封锁基本上就是安全的,
否则就被过滤掉了,对于庞大的网络数据用人来分析是不可能的,敏感数据只能基于
过滤技术根据数据流里面的一些特征来发现,目前的解密技术对于庞大数据流量和加
密技术想使用解密的方法是不可能实现的,只要加密数据流没有可识别的特征,过滤
技术就不会有任何记录和反映,因此过滤技术是无法真正实现网络封锁的,因此必需
加入新的参数,它们选择了量,即保存你的一段时间的数据。现在的破网方法用的比
较多得是动态网,无界,花园,等等,由于接点相对来说是有限的和可知的,因此保
存一段时间的数据就有了意义,由于使用破网软件的人很多,不可能人人都抓,可以
根据量来区分出重点,和经常使用破网软件的人,当然你可已通过代理来连接这些可
知接点来解决这个问题,破网软件也提供了这样的方法,但是通过代理联接可知的
接点的请求还是可能被截获的
方滨兴一个人把GFW崛起过程中的政治势能全部转化为他的动能之后就把GFW扔掉
了。现在GFW是平稳期,完全是清水衙门,既没有什么后台,也无法 再有什么政
治、资金上的利益可以攫取,也无法再搞什么新的大型项目,连IPv6对GFW来说都
成了一件麻烦事情。方滨兴在他最近的讲话《五个层面解读国家 信息安全保障体
系》中也感慨道:"比如说Web 2.0概念出现后,甚至包括病毒等等这些问题就比较
容易扩散,再比如说IPv6出来之后,入侵检测就没有意义了,因为协议都看不懂还
检测什么……"GFW 一直就没有地位,一直就是一个没人管的萝莉,国新办、网监、
广电、版权、通管局之类的怪蜀黍都压在上面要做这做那。所以方滨兴在他最近的
讲话《五个层面解 读国家信息安全保障体系》中也首先强调一个机制,"需要宏观
层面,包括主管部门予以支持。"所以,想解封网站,不要去找GFW本体,那没
用,要去找GFW 的上峰,随便哪个都行。而ISP就根本跟GFW没关系了,都不知道
GFW具体搞些什么,起诉ISP完全属于没找到脉门。
不过GFW现在还是运行得很好,工作能力还有很大潜力可挖,唯一害怕的就是
DDoS死撞墙。GFW的规模在前面的时间表里也有数字可以估计,而且 GFW现在的网
站封禁列表也有几十万条之多。网络监控和对MSN YMSG ICQ等IM 短信监控也都尽善尽美。
GFW在数据挖掘和协议分析上做的还比较成功
多媒体数据如音频 视频 图形图像的智能识别分析 自然语言语义判断识别
模式匹配 p2p VoIP IM 流媒体 加密内容识别过滤 串接式封堵 等等是将来的重点
不过GFW也没
有像机器学习之类的自组织反馈机制来自动生成关键词,因为它 本身没有修改关
键词的权限,所以这种技术也没必要,况且国内这种技术也是概念吹得多论文发得
多实践不成熟。现在GFW和金盾最想要的就是能够从万草从中揪 出一小撮毒草的数
据挖掘之类的人工智能技术。方滨兴在他最近的讲话《五个层面解读国家信息安全
保障体系》中提到"舆情驾驭核心能力","首先要能够发现和 获取,然后要有分析
和引导的能力"。怎么发现?就靠中科院在研的973课题"文本识别及信息过滤"和
863重点项目"大规模网络安全事件监控"这种项目。 金盾工程花大钱搞出来,好评
反而不如GFW,十一局的干警们脸上无光无法跟老一辈交代啊。公安系统的技术力
量跟GFW没法比,不过公安系统有的是钱,先游 山玩水吃喝一通,然后把剩下的税
金像冲厕所一样随便买个几十万个摄像头几万台刀片几十PB硬盘接到省市级网络中
心,把什么东西都记录下来。问题是记下来不 能用,只能靠公安干警一页一页地
翻Excel。所以说,虽然看起来GFW千疮百孔,金盾深不可测,只是因为公安部门比
起GFW来比较有攻击性,看到毒草不 是给你一个RST而是给你一张拘留证。反而是
GFW大多数时候都把毒草给挡住了,而大多数毒草金盾都是没发现的。
国家信息安全话语范式
在轮子闹事被取缔之后,轮子组织仍然在从四面八方进行各种手段的宣传,而且逐
渐依靠上了各种境外背景。境内的宣传活动很快就被公安和国安清理掉了, 然而
从境外网上而来的大量网络宣传让从未有过网络化经验的中央无所适从、毫无办
法、十分着急。这些东西对中央来说都是难以忍受的安全威胁,为这些威胁又发
生在网上,自然国家网络安全就被提上了首要议程。适逢信息化大潮,电子政务概
念兴起,中央下决心好好应对信息化的问题,于是就成立了国家信息化工作领导
小 组。我们可以看到,首批组成名单中,安全部门和宣传部门占了大多数席
位,而且其第一下属机构就是处理安全问题,第二下属才是处理信息化改革,安全
需求之强 烈,可见一斑。
正是这个时候,一贯对信息安全充满独到见解的方滨兴被信产部的张春江调入了安
管中心练级。方滨兴对信息安全的见解与高层对网络安全的需求不谋而合。 一个
方滨兴见解的集大成概括,方滨兴在他最近的讲话《五个层面解读国家信息安全保
障体系》中说:"一定要有一个信息安全法,有了这个核心法你才能做一系列 的工
作。"国家信息安全体系的首要核心就是以信息安全为纲的法律保障体系,通过国
家意志――法律来定义何谓"信息安全"。信息安全本来是纯技术、完全中性 的词
语,通过国家意志的定义,将"煽动…煽动…煽动…煽动…捏造…宣扬…侮辱…损害…其
他…"定义为所谓的网络攻击、网络垃圾、网络有害信息、网络安全威 胁,却在实
现层面完全技术性、中立性地看待安全,丝毫不考虑现实政治问题。这样既在技术
上实现完备的封装,也给了用户以高可扩展性的安全事件定义界面。对 国家安全
与技术安全实现充满隐喻的捆绑,对意识形态与信息科学进行牢不可破的焊接,这
就是方滨兴带给高层的开拓性思维,这就是方滨兴提出的国家信息安全话 语范
式。
这个话语范式是如此自然、封装得如此彻底,以至于几乎所有人都没有意识到中国
的网络化发展出现了怎样严重的问题。几乎所有网民都没有意识到,给他们 带来
巨大麻烦和沮丧的GFW竟然是本来应该为网民打黑除恶的国家互联网应急响应中
心;几乎所有网民都没有意识到,自己在网上某处的一亩三分地修剪花草对于 国
家来说竟然是网络安全攻击事件;几乎所有决策者都没有意识到,那个看似立竿见
影的防火墙实际上具有怎样强大的副作用、会给互联网发展带来怎样大的伤害;
几乎所有决策者都没有意识到,使用GFW这样专业的安全工具来进行网络封锁意味
着什么。意识形态面对网络化这样变幻莫测的景色无法忍受,就只能用眼罩封闭
住眼睛。在讨论网络化的中文理论文本中,摆到首要位置占据最多篇幅的便是网络
安全和网络威胁。国家信息化工作领导小组第一下属机构便是处理安全问题。这
样,在网络本身都没有发展起来的时候,就在理论上对网络进行种种限制和控
制;在网络仍然自发地成长起来以后,便在文化上对网络进行系统性妖魔化,在地
理上 对网络中国进行闭关锁国。更严重的是,在根本不了解技术本质和副作用的
情况下使用国家信息安全工具,就像一个不懂事的小孩把玩枪械。在维护安全的话
语之 下,决策者根本不知道使用GFW进行网络封锁就是在自己的网络国土上使用军
队进行镇压,切断网线就是在自己的网络国土上种蘑菇。
更悲哀的是,GFW的建设者们大多都没有意识到他们在做的究竟是什么事情,在签
订保密协议之后就无意识中投身党国事业滚滚长江东逝水。像云晓春这种 跟着方
滨兴出来打江山的,方滨兴倒是高飞了,云晓春们就只能鞠躬尽瘁干死技术,在安
管中心反而被王秀军、黄澄清之辈后来居上。而当初在哈工大跟着方滨兴的 穷研
究生们,最后也陆陆续续去了百度之类的公司。GFW面临与曼哈顿工程一样的伦理
困局。科学本是中立的,但科学家却被政治摆弄。技术工作者们只关心也只 被允
许关心如何实现安全,并不能关心安全的定义到底如何。他们缺乏学术伦理精
神,不能实践"对自己工作的一切可能后果进行检验和评估;一旦发现弊端或危
险,应改变甚至中断自己的工作;如果不能独自做出抉择,应暂缓或中止相关研
究,及时向社会报警"的准则。结果就算他们辛辛苦苦做研究却也不能造福民
生,反 而被扣上"扼杀中国人权""纳粹帮凶"的帽子,不可谓不是历史的悲哀。
这种话语范式浸透了社会的方方面面。在这种话语之下,中国有了世界上最强大的
防火墙,但中国的网络建设却远远落后于世界先进水平;中国有了世界上最 庞大
的网瘾治疗产业链,但中国的网络产业却只会山寨技;中国有了世界上最多的网
民,但在互联网上却听不见中国的声音。GFW已经实现了人们的自我审查,让 人们
即使重获自由也无法飞翔,完成了其根本目的。现在即使对GFW的DDoS的技术已经
成熟,然而推倒墙却也变得没有意义,只能让公安系统的金盾得势,更 多的网民
被捕,最终新墙竖起。这一切都出自意识形态化现代性与网络化后现代性之间巨大
断裂,以及"国家信息安全话语"这种致命的讳疾忌医。
结语
一部GFW简史同时也是中国网络化简史。网络化既是技术变革,也是文化变革。网
络文化这种"有害成份"无法分而治之,因为网络化的技术变革与文化变 革是一体
的;后现代的网络文化也无法与现代的意识形态文化进行同化,因为两者分属不同
的范式。网络的确是意识形态完全的敌人,因为网络多元化文化要求取消 意识形
态的中心地位;但意识形态不是网络的敌人,事实上网络没有敌人,因为网络只有
解构对象。因此对于执政者来说,意识形态的中心地位与网络化发展趋势两 者只
能选择其一。实际情况是,执政者选择了前者,而把大刀挥向了Web 2.0。于是网
络用它一贯调侃的风格模仿意识形态话语进行了如下讽刺:"我们对你陈旧的政权
概念和意识形态烂腌菜毫不感兴趣。你无法理解在人类网络化的历 史潮流之前宏
大叙事为何而消解,你也无法理解国家和民族概念为何将分崩离析,你无法改变你
对互联网的无知。你的政权无法成为我们真正的敌人。"其实, 《2009匿名网民宣
言》只是过早的预言,cyberpunk式的谜语。
然而,无论中国的互联网受到了怎样的限制和压迫,即便中国网民的眼界已经被成
功禁锢,中国的网络还是以它自己的方式适应种种压力顽强地发展。无论有多么强
大的GFW或者金盾,即使被关在果壳之中,网络仍然在以意识形态完全不能理解的
方式走向后现代蓝海,自成为无限空间之王。
金盾工程大家都了解,简单来说把它定义为公安信息化工程,或者叫公安工作信息化工程。行业的任务来说,打击犯罪、社会治安行政管理。从这个行业来说,涉
及到整个社会管理的多方面
从目标来讲,要做信息化。重点来讲包括几个方面,一个是公安业务运作信息化,包括和大家密切相关的人口管理、户籍管理、驾驶执照管理,另外从内部来讲有
一个信息高度共享问题。打击犯罪,要用社会治安行政管理当中的数据,用自己记录的一些资料对的工作进行帮助
“金盾工程”是以公安信息网络为先导,以各项公安工作信息化为主要内容,建立统一指挥、快速反应、协同作战机制,在全国范围内开展公安信息化的工程,主
要包括建设公安综合业务通信网、公安综合信息系统、全国公安指挥调度系统以及全国公共网络监控中心 警务平台等
“金盾工程”各级公安机关建成了畅通的全国公安信息网络,联网计算机超过64万台,全国每百名民警拥有联网计算机38台,比1999年翻了两番多。人口
信息、违法犯罪信息、机动车驾驶人信息等最基础、最常用的23个一类系统已投入运行。目前,全国利用信息破案已占全部破案总数的20%左右
金盾工程建设的目标,2005年以前在全国公安机关形成信息化基础设施比较完备、应用种类比较齐全、部分公安工作的流程实现信息化工作流程,满足当前急
需的科学规范,适应我国公安信息化框架体系。现在提出来的目标,2007年基本实现公安信息化。提出来科学规范实用,这也是现任部长周部长提出来的
金盾工程建设的现状,从部党委做出决定,金盾工程的实施从98年9月份公安部作出在全国实施金盾工程建设的决定。五年时间里面坚持边立项、边探索、便建
设,边应用的方针。成立了工程的组织机构,设立了金盾办,现在金盾办主任由部领导担任,设立了综合、网络、应用等六个组。从资金投入来讲,99年到
2001年,公安部安排了近四亿元资金。从99年到2002年地方各级公安机关投入近50亿。的金盾工程呈多级星型结构,数据、网络、图象是分开的,一
般的数据带宽在4×2MB,二级网带宽大概在2M左右,开通率接近100%,三级网开通率接近80%。现在的难题主要是基层所队接入网的开通,目前只占
30%,东部比较好。北京、上海这些地方基本是百分之百,采用光纤直接联到派出所,条件比较好。其它地方有的地方采用扩频微波,有的地方租用电信DNN
电路。   从应用系统建设来讲取得了长足进步,人口信息系统已经覆盖90%的人口,280多个地级以上城市实现联网查询。出入境查询系统覆盖全国所有
口岸,交通管理信息系统覆盖所有机动车和驾驶员,82%的机动车和95%的驾驶员信息可以联网查询。   针对打击犯罪的系统建立起来,网上追逃、指纹
等等系统。现在装备的计算机大概在30多万台。从立项批复情况看,去年10月份国家计委正式批复可行性研究报告,今年八月正式批复项目初步设计,核定总
投资规模为30多亿元,其中中央投资8亿元,其余为地方投资。中央投资主要是指公安部和计委,西部地区考虑到经济发展的不平衡,特意在申请中间强调了对
西部地区必须要给与一定的补贴,要不然西部肯定上不来。信息化要求步调基本一致。刚才讲到城市犯罪中间可能有大部分是外地人,而外地人口来自于来自相对
比较贫困的地区或者西部地区。如果西部地区的信息上不来,你的作用发挥非常有限,在这一点来讲,国家计委还是充分肯定的意见,给了一部分西部投资资金。
第一期投资基金30多个亿,当时提交立项以及做可行性研究报告,国内申请立项基建投资的信息化工程不是很多见,在此之前大规模的信息工程基本不是走计委
这条线。这个项目计委投资四百多万,做了第一个信息化投资项目。地方有各种渠道,大家觉得公安信息化非常重要,金盾工程非常重要。总投资规模会超过30
多亿,东部投资会超过这个数字。   金盾工程的原则是起点要高,科学、规范、实用,公安的特点业务比较多,统筹规划、突出重点、统一领导、统一规划、
统一标准、分级管理。最近强调突出重点,以需求为导向,以应用为核心推动金盾工程。   支撑整个应用体系的包括运行管理体系,还有安全保障体系。在这
上面还有信息化的标准规范体系,金盾工程的规模相对比较大一些,部门业务比较多
应用系统包括建立共享性的信息资源库,过去有一些,但是覆盖面或者集中性都不是太理想。现在提出要建设全国性的库,包括人口、出入境,在逃人员、被盗抢
汽车、警员等信息。电子政务当中规划的四个资源库之一,也是为内容库准备信息资源。这一信息资源库有了适当的办法,有些信息是可以提供给社会或者提供给
其它部门的
一些金盾子项目
人脸识别查询在百万级的几个人脸库中进行高速人脸识别查询
旅客进入边检通报时,插入ic卡,从数据库里调出相应的人脸图案、数据,现场抓拍游客的面像即时与之比对,比对通过,关闸自动打开。人脸识别作为指纹识
别的补充,使识别准确率达到百分之百,而且使用这套系统通关只要五到六秒时间。
车辆出入境“快捷通”系统集成了远程电子预报、指纹/面像双生物特征的识别及比对技术、智能化自动控制机械定位等多种先进技术,做到了远距离自动识别车
辆号牌,即时调取车辆及司机资料,计算机自动比对司机指纹及面像,完成出入境边防检查的各项查验手续
雷管上了“户口”成功地研制出了系列工业雷管机械编码机,解决了生产线上雷管编码信息与计算机接口以及雷管编码信息在流通中方便有效传递的技术问题。目
前,全国74家雷管生产企业已经全部采用了雷管编码技术和信息管理系统
社会危险人员防控平台。平台将全市车站、机场、旅馆、银行等社会生活领域各个信息点采集到的人员信息数据,与在逃人员、涉毒人员、盗抢车辆等数据资源库
进行实时比对、碰撞,及时过滤、捕获社会危险人员和嫌疑车辆,并通过信息中心报警,传递到一线民警终端微机和手机上
现场指纹,DNA数据库 指纹信息 在逃人员,在押人员 重大案件,盗抢车辆,失踪人员,未知名尸体信息资源库

2010/01/14

阅后即焚:"GFW"

于 09-8-30 通过 Harmonic GeO's Blog 作者:Harmonic GeO

引言:
标题的GFW之所以加上引号是因为,GFW是局外人起的绰号,它的真实称呼并非如此,但"GFW"也确实如实涵盖了这一在中国一贯隐晦而模糊的概念。

时间表

· 1998年9月22日,公安部部长办公会议通过研究,决定在全国公安机关开展全国公安工作信息化工程——"金盾工程"建设。

· 1999年4月20日,公安部向国家计委送交金盾工程立项报告和金盾工程项目建议书。

· 1999年4月25日,上万名法轮功练习者围攻中南海。

· 1999年6月,国家计算机网络与信息安全管理中心成立,局级事业单位。

· 1999年7月22日,中华人民共和国政府宣布法轮功妨碍国家安全和社会稳定,认定法轮大法研究会及法轮功为非法组织,决定予以取缔。

· 1999-2000年,在哈尔滨工业大学任教多年的方滨兴调任国家计算机网络与信息安全管理中心副总工程师。

· 1999年12月23日,国务院发文成立国家信息化工作领导小组,国务院副总理吴邦国任组长。其第一下属机构计算机网络与信息安全管理工作办公室设在已经 成立的国家计算机网络与信息安全管理中心,取代计算机网络与信息安全管理部际协调小组,对"公安部、安全部、保密局、商用密码管理办公室以及信息产业部" 等部门的网络安全管理进行组织协调。

· 2000-2002年,方滨兴在国家计算机网络与信息安全管理中心任总工程师、副主任、教授级高级工程师。

· 2000年4月20日,公安部成立金盾工程领导小组及办公室。

· 2000年5月,005工程开始实施。

· 2000年8月19日,大纪元时报创刊。

· 2000年10月,信息产业部组建计算机网络应急处理协调中心。

· 2000年12月28日,第九届全国人民代表大会常务委员会第十九次会议通过《关于维护互联网安全的决定》。

· 2001年,方滨兴"计算机病毒及其预防技术"获国防科学技术三等奖,排名第一。

· 2001年,方滨兴获国务院政府特殊津贴、信息产业部"在信息产业部重点工程中做出突出贡献特等奖先进个人"称号,中组部、中宣部、中央政法委、公安部、 民政部、人事部等联合授予"先进个人"称号。

· 2001年1月19日,国家计算机网络与信息安全管理中心上海分中心成立,位于上海市黄浦区中山南路508号6楼。国家计算机网络应急技术处理协调中心上 海分中心是工业和信息化部直属的中央财政全额拨款事业单位。

· 2001年4月25日,"金盾工程"经国务院批准立项。

· 2001年7月,计算机网络与信息安全管理工作办公室批准哈尔滨工业大学建立国家计算机信息内容安全重点实验室,胡铭曾、方滨兴牵头。

· 2001年7月24日,国家计算机网络与信息安全管理中心广州分中心成立,位于广州市越秀区建中路2、4号。

· 2001年8月8日,国家计算机网络与信息安全管理中心组建国家计算机网络应急处理协调中心,缩写CNCERT/CC。

· 2001年8月23日,国家信息化领导小组重新组建,中央政治局常委、国务院总理朱镕基任组长。

· 2001年11月28日,国家计算机网络与信息安全管理中心上海互联网交换中心成立。提供"互联网交换服务,互联网骨干网华东地区数据交换,数据流量监测 与统计,网间通信质量监督,交换中心设备维护与运行,网间互联费用计算,网间互联争议协调",位于上海市黄浦区中山南路508号。

· 2001年11月28日,国家计算机网络与信息安全管理中心广州互联网交换中心成立,位于广州市越秀区建中路204号。

· 2001年12月,在北京的国家计算机网络与信息安全管理中心综合楼开始兴建。

· 2001年12月17日,国家计算机网络与信息安全管理中心湖北分中心成立。

· 2002年,方滨兴任中国科学院计算技术研究所客座研究员、博士生导师、信息安全首席科学家。2002-2006年,方滨兴在国家计算机网络与信息安全管 理中心任主任、总工程师、教授级高级工程师,升迁后任其名誉主任。

· 2002年1月25日,报道称:"国家计算机网络与信息安全管理中心上海互联网交换中心日前开通并投入试运行,中国电信、中国网通、中国联通、中国吉通等 4家国家级互联单位首批接入。中国移动互联网的接入正在进行之中,近期可望成为第五家接入单位。"

· 2002年2月1日,国家计算机网络与信息安全管理中心新疆分中心成立。

· 2002年2月25日,国家计算机网络与信息安全管理中心贵州分中心成立。

· 2002年3月20日,多个国家计算机网络与信息安全管理中心省级分中心同时成立。

· 2002年9月3日,Google.com被封锁,主要手段为DNS污染。

· 2002年9月12日,Google.com封锁解除,之后网页快照等功能被封锁,手段为TCP会话阻断。

· 2002年11月,经费6600万的国家信息安全重大项目"大范围宽带网络动态阻断系统"(大范围宽带网络动态处置系统)项目获国防科学技术二等奖。云晓 春排名第一,方滨兴排名第二。哈尔滨工业大学计算机网络与信息内容安全重点实验室李斌、清华大学计算机系网络技术研究所、清华大学网格计算研究部杨广文有 参与。

· 2003-2007年,方滨兴任信息产业部互联网应急处理协调办公室主任。

· 2003年1月31日,经费4.9亿的国家信息安全重大项目"国家信息安全管理系统"(005工程)获2002年度国家科技进步一等奖,方滨兴排名第一, 胡铭曾排名第二,清华大学排名第三,哈尔滨工业大学排名第四,云晓春排名第四,北京大学排名第五,郑纬民排名第七,中国科学院计算技术研究所有参与。

· 2003年2月,在北京的国家计算机网络与信息安全管理中心综合楼工程竣工。

· 2003年7月,国家计算机网络应急处理协调中心更名为国家计算机网络应急技术处理协调中心。

· 2003年9月2日,全国"金盾工程"会议在北京召开,"金盾工程"全面启动。

· 2004年,国家信息安全重大项目"大规模网络特定信息获取系统",经费7000万,获国家科技进步二等奖。

· 2005年,方滨兴任国防科学技术大学兼职教授、特聘教授、博士生导师。

· 2005年,方滨兴被遴选为中国工程院院士。

· 2005年,"该系统"已经在北京、上海、广州、长沙建立了互相镜像的4套主系统,之间用万兆网互联。每套系统由8CPU的多节点集群构成,操作系统是红 旗Linux,数据库用的是OracleRAC。2005年国家计算机网络与信息安全管理中心(北京)就已经建立了一套384*16节点的集群用于网络内 容过滤(005工程)和短信过滤(016工程)。该系统在广州、上海都有镜像,互相以十万兆网链接,可以协同工作,也可以独立接管工作。

· 2006年11月16日,"金盾工程"一期在北京正式通过国家验收,其为"为中华人民共和国公安部设计,处理中国公安管理的业务,涉外饭店管理,出入境管 理,治安管理等的工程"。

· 2007年4月6日,国家计算机网络与信息安全管理中心上海分中心机房楼奠基,位于康桥镇杨高南路5788号,投资9047万元,"……是国家发改委批准 实施的国家级重大项目,目前全国只有北京和上海建立了分中心,它是全国互联网信息海关,对保障国家信息安全担负着重要作用。"

· 2007年7月17日,大量使用中国国内邮件服务商的用户与国外通信出现了退信、丢信等普遍现象。

· 2007年12月,方滨兴任北京邮电大学校长。

· 2008年1月18日,信息产业部决定免去方滨兴的国家计算机网络与信息安全管理中心名誉主任、信息产业部互联网应急处理协调办公室主任职务,"另有职 用"。

· 2008年2月29日,方滨兴当选第十一届全国人民代表大会安徽省代表。

· 2009年8月10日,方滨兴在"第一届中国互联网治理与法律论坛"上大力鼓吹网络实名制。

机构关系

国家计算机网络与信息安全管理中心(安管中心)是原信产部现工信部的直属部门。

安管中心与国家信息化工作领导小组计算机网络与信息安全管理工作办公室与国家计算机网络应急技术处理协调中心(CNCERT/CC,互联网应急中心)是一 个机构几块牌子的关系。比如方滨兴简历中"1999-2000年在国家计算机网络应急技术处理协调中心任副总工"与"计算机网络应急处理协调中心"的成立 时间两种说法就有着微妙的矛盾。实际上几个机构的人员基本一致。

安管中心下属互联网交换中心与国家互联网络交换中心是不同的机构。

各安管中心省级分中心一般挂靠当地的通信管理局。

安管中心的主要科研力量来自"哈尔滨工业大学一定会兴盛"方滨兴当博导有一批学生的哈工大以及关系良好的中科院计算所,这两个机构是那三个国家信息 安全重大项目的主要参与者,之后还在不断吸引人才并为安管中心输送人才和技术。在方滨兴空降北邮之后,往安管中心输血的成分中哈工大的逐渐减少,北邮的逐 渐增多。

CNCERT/CC的国内"合作伙伴"有中国互联网协会主办北京光芒在线网络科技有限公司承办的中国互联网用户反垃圾邮件中心,是个没有实权的空壳;国家 反计算机入侵及防病毒研究中心、国家计算机病毒应急处理中心,是公安部、科技部麾下;违法和不良信息举报中心是国新办势力范围;国家计算机网络入侵防范中 心是中科院研究生院的机构,同样直接支撑CNCERT/CC。

CNCERT/CC的应急支撑单位中民营企业最初领跑者是绿盟,后来绿盟因其台谍案被罢黜,启明星辰取而代之。而安管中心具有一些资质认证、准入审批的行 政权力,这可能是民间安全企业趋之若骛的原因。不过,民营企业并未参与到国家信息安全的核心项目建设中,安管中心许多外围项目交给民企外企做,比如像隔离 器之类的访问限制设备外包给启明星辰以作为辅助、备用,或者在与他们在网络安全监测上有所交流。

GFW与金盾没有关系

敏锐的读者从时间表应该已经看出这样的感觉了。实际上,GFW与金盾就是没有关系,两者泾渭分明,有很多区别。

GFW主要是宣传系统的工具,而金盾主要是公安系统的工具。GFW的总支持者是负责宣传工作的李长春,最初的主要需求来自各610办公室;而金盾的总支持 者是公安系统的高层人士,主要需求来自公安部门。GFW主外,作网络海关用;而金盾主内,作侦查取证用。GFW建设时间短,花费少,成效好;而金盾建设时 间长,花费巨大(GFW的十倍以上),成效不显著。GFW依附于三个国家级互联网交换中心(不存在省级GFW)分光到自己的交换中心搞入侵防御,再扩散到 一些放在ISP那里的路由封IP,位置集中,设备数量少;而金盾则是进驻各大交换中心数据中心,无处不在,数量巨大。GFW的科研实力雄厚,国内研究信息 安全的顶尖人才和实验室有不少在为其服务,比如哈工大的信息安全重点实验室、中科院计算所、北邮;而金盾的科研实力较弱,公安系统的公安部第三研究所信息 网络安全研发中心、国家反计算机入侵与防病毒研究中心都缺乏科研力量和科研成果,2008年8月成立信息网络安全公安部重点实验室想与哈工大的重点实验室 抗衡,还特意邀请方滨兴来实验室学术委员会,不过这个实验室光是电子数据取证的研究方向就没什么前景,而且也没什么研究成果。GFW之父方滨兴没有参与金 盾工程,而工程院里在支持金盾工程的是沈昌祥;实际上那个公安部重点实验室的学术委员会名单很是有趣,沈昌祥自然排第一,方滨兴因为最近声名太显赫也不好 意思不邀请他,方滨兴可能也有屈尊与公安系统打好关系的用意。

GFW发展和状况

GFW主要使用的硬件来自曙光和华为,没有思科、Juniper,软件大部为自主开发。原因很简单,对国家信息安全基础设施建设,方滨兴在他最近的讲话 《五个层面解读国家信息安全保障体系》中也一直强调"信息安全应该以自主知识产权为主"。而且GFW没有闲钱去养洋老爷,肥水不流外人田。李国杰是工程院 信息工程部主任、曙光公司董事长、中科院计算所所长,GFW的大量服务器设备订单都给了曙光。方滨兴还将安管中心所需的大型机大订单给李国杰、国防科大卢 锡城、总参56所陈左宁三位院士所在单位各一份。所以GFW为什么那么多曙光的设备,GFW为什么那么多中科院计算所的科研力量,为什么方滨兴成为中科院 计算所和国防科大都有显赫的兼职,为什么方滨兴从老家哈尔滨出来打拼短短7年时间就入选工程院卢浮宫?就是因为方滨兴头脑灵活,做事皆大欢喜。

网上有人讽刺GFW夜郎自大,事实上这是盲目乐观,无知者无畏。GFW的技术是世界顶尖的,GFW集中了哈工大、中科院、北邮货真价实的顶尖人才,科研力 量也是实打实地雄厚,什么动态轮什么Feed Over Email算什么葱。所有的翻墙方法,只要有人想得到,GFW都有研究并且有反制措施的实验室方案储备。GFW主要是入侵防御系统,检测-攻击两相模型。 所有传输层明文的翻墙方案,检测然后立即进行攻击是很容易的事情;即使传输层用TLS之类的加密无法实时检测,那种方案面向最终用户肯定是透明的,谁也不 能阻止GFW也作为最终用户来静态分析其网络层可检测特征。入侵检测然后TCP会话重置攻击算是干净利落的手段了,最不济也能通过人工的方式来查出翻墙方 法的网络层特征(仅仅目标IP地址就已经足够)然后进行定点清除。如果是一两个国家的敌人,GFW也能找到集群来算密钥。GFW是难得能有中央财政喂奶的 科研项目。那些在哈工大地下室、中科院破楼里的穷研究生即使没有钱也能搞出东西来,现在中央财政喂奶,更是干劲十足了。GFW什么都行,就是P2P没办 法,因为匿名性太好了,既不能实时检测出来,也无法通过静态分析找到固定的、或者变化而可跟踪的网络层特征。就这样也能建两个陷阱节点搞点小破坏,而且中 科院的242项目"P2P协议分析与测量"一直都没停。什么时候国外开学术会议还是Defcon谁谁发一篇讲Tor安全性的paper,立即拿回来研究一 番实现一下,已然紧跟学术技术最前沿了。不过实际上,即使GFW这样一个中国最顶尖的技术项目也摆脱不了山寨的本性,就是做一个东西出来很容易,但是要把 东西做细致就不行了。

不过可能有人就疑问,为什么GFW什么都能封但又不真的封呢?我的这个翻墙方法一直还是好好的嘛。其实GFW有它自己的运作方式。GFW从性质上讲是纯粹 的科研技术部门,对政治势力来说是一个完全没有主观能动性的工具。GFW内部有很严格权限管理,技术与政治封装隔离得非常彻底。封什么还是解封什么,都是 完全由上峰决定,党指挥枪,授权专门人员操作关键词列表,与技术实现者隔离得很彻底,互相都不知道在做什么。所以很多时候一些莫名其妙的封禁比如封 freebsd.org封freepascal.org(可能都联想到freetibet.org),或者把跟轮子的GPass八杆子打不着 的"package.debian.org/zh-cn/lenny/gpass"列为关键词,都是那些摆弄着IE6的官僚们的颐指气使,技术人员要是知 道了都得气死。方滨兴在他最近的讲话《五个层面解读国家信息安全保障体系》中讲一个立足国情的原则,说:"主要是强调综合平衡安全成本与风险,如果风险不 大就没有必要花太大的安全成本来做。在这里面需要强调一点就是确保重点的,如等级保护就是根据信息系统的重要性来定级,从而施加适当强度的保护。"所以对 于小众的翻墙方式,GFW按照它的职能发现了也就只能过一下目心里有个底,上峰根本都不知道有这么一种方式所以也根本不会去封、GFW自己也没权限封,或 者知道了也懒得再花钱花精力去布置。枪打出头鸟,什么时候都是这样。

方滨兴一个人把GFW崛起过程中的政治势能全部转化为他的动能之后就把GFW扔掉了。现在GFW是平稳期,完全是清水衙门,既没有什么后台,也无法再有什 么政治、资金上的利益可以攫取,也无法再搞什么新的大型项目,连IPv6对GFW来说都成了一件麻烦事情。方滨兴在他最近的讲话《五个层面解读国家信息安 全保障体系》中也感慨道:"比如说Web 2.0概念出现后,甚至包括病毒等等这些问题就比较容易扩散,再比如说IPv6出来之后,入侵检测就没有意义了,因为协议都看不懂还检测什么……"GFW 一直就没有地位,一直就是一个没人管的萝莉,国新办、网监、广电、版权、通管局之类的怪蜀黍都压在上面要做这做那。所以方滨兴在他最近的讲话《五个层面解 读国家信息安全保障体系》中也首先强调一个机制,"需要宏观层面,包括主管部门予以支持。"所以,想解封网站,不要去找GFW本体,那没用,要去找GFW 的上峰,随便哪个都行。而ISP就根本跟GFW没关系了,都不知道GFW具体搞些什么,起诉ISP完全属于没找到脉门。

不过GFW现在还是运行得很好,工作能力还有很大潜力可挖,唯一害怕的就是DDoS死撞墙。GFW的规模在前面的时间表里也有数字可以估计,而且GFW现 在的网站封禁列表也有几十万条之多。网络监控和短信监控也都尽善尽美。不过GFW也没有像机器学习之类的自组织反馈机制来自动生成关键词,因为它本身没有 修改关键词的权限,所以这种技术也没必要,况且国内这种技术也是概念吹得多论文发得多实践不成熟。现在GFW和金盾最想要的就是能够从万草从中揪出一小撮 毒草的数据挖掘之类的人工智能技术。方滨兴在他最近的讲话《五个层面解读国家信息安全保障体系》中提到"舆情驾驭核心能力","首先要能够发现和获取,然 后要有分析和引导的能力"。怎么发现?就靠中科院在研的973课题"文本识别及信息过滤"和863重点项目"大规模网络安全事件监控"这种项目。金盾工程 花大钱搞出来,好评反而不如GFW,十一局的干警们脸上无光无法跟老一辈交代啊。公安系统的技术力量跟GFW没法比,不过公安系统有的是钱,先游山玩水吃 喝一通,然后把剩下的税金像冲厕所一样随便买个几十万个摄像头几万台刀片几十PB硬盘接到省市级网络中心,把什么东西都记录下来。问题是记下来不能用,只 能靠公安干警一页一页地翻Excel。所以说,虽然看起来GFW千疮百孔,金盾深不可测,只是因为公安部门比起GFW来比较有攻击性,看到毒草不是给你一 个RST而是给你一张拘留证。反而是GFW大多数时候都把毒草给挡住了,而大多数毒草金盾都是没发现的。

国家信息安全话语范式

在轮子闹事被取缔之后,轮子组织仍然在从四面八方进行各种手段的宣传,而且逐渐依靠上了各种境外背景。境内的宣传活动很快就被公安和国安清理掉了,然而从 境外网上而来的大量网络宣传让从未有过网络化经验的中央无所适从、毫无办法、十分着急。这些东西对中央来说都是难以忍受的安全威胁,为这些威胁又发生在网 上,自然国家网络安全就被提上了首要议程。适逢信息化大潮,电子政务概念兴起,中央下决心好好应对信息化的问题,于是就成立了国家信息化工作领导小组。我 们可以看到,首批组成名单中,安全部门和宣传部门占了大多数席位,而且其第一下属机构就是处理安全问题,第二下属才是处理信息化改革,安全需求之强烈,可 见一斑。

正是这个时候,一贯对信息安全充满独到见解的方滨兴被信产部的张春江调入了安管中心练级。方滨兴对信息安全的见解与高层对网络安全的需求不谋而合。一个方 滨兴见解的集大成概括,方滨兴在他最近的讲话《五个层面解读国家信息安全保障体系》中说:"一定要有一个信息安全法,有了这个核心法你才能做一系列的工 作。"国家信息安全体系的首要核心就是以信息安全为纲的法律保障体系,通过国家意志——法律来定义何谓"信息安全"。信息安全本来是纯技术、完全中性 的词语,通过国家意志的定义,将"煽动…煽动…煽动…煽动…捏造…宣扬…侮辱…损害…其他…"定义为所谓的网络攻击、网络垃圾、网络有害信息、网络安全威 胁,却在实现层面完全技术性、中立性地看待安全,丝毫不考虑现实政治问题。这样既在技术上实现完备的封装,也给了用户以高可扩展性的安全事件定义界面。对 国家安全与技术安全实现充满隐喻的捆绑,对意识形态与信息科学进行牢不可破的焊接,这就是方滨兴带给高层的开拓性思维,这就是方滨兴提出的国家信息安全话 语范式。

这个话语范式是如此自然、封装得如此彻底,以至于几乎所有人都没有意识到中国的网络化发展出现了怎样严重的问题。几乎所有网民都没有意识到,给他们带来巨 大麻烦和沮丧的GFW竟然是本来应该为网民打黑除恶的国家互联网应急响应中心;几乎所有网民都没有意识到,自己在网上某处的一亩三分地修剪花草对于国家来 说竟然是网络安全攻击事件;几乎所有决策者都没有意识到,那个看似立竿见影的防火墙实际上具有怎样强大的副作用、会给互联网发展带来怎样大的伤害;几乎所 有决策者都没有意识到,使用GFW这样专业的安全工具来进行网络封锁意味着什么。意识形态面对网络化这样变幻莫测的景色无法忍受,就只能用眼罩封闭住眼 睛。在讨论网络化的中文理论文本中,摆到首要位置占据最多篇幅的便是网络安全和网络威胁。国家信息化工作领导小组第一下属机构便是处理安全问题。这样,在 网络本身都没有发展起来的时候,就在理论上对网络进行种种限制和控制;在网络仍然自发地成长起来以后,便在文化上对网络进行系统性妖魔化,在地理上对网络 中国进行闭关锁国。更严重的是,在根本不了解技术本质和副作用的情况下使用国家信息安全工具,就像一个不懂事的小孩把玩枪械。在维护安全的话语之下,决策 者根本不知道使用GFW进行网络封锁就是在自己的网络国土上使用军队进行镇压,切断网线就是在自己的网络国土上种蘑菇。

更悲哀的是,GFW的建设者们大多都没有意识到他们在做的究竟是什么事情,在签订保密协议之后就无意识中投身党国事业滚滚长江东逝水。像云晓春这种跟着方 滨兴出来打江山的,方滨兴倒是高飞了,云晓春们就只能鞠躬尽瘁干死技术,在安管中心反而被王秀军、黄澄清之辈后来居上。而当初在哈工大跟着方滨兴的穷研究 生们,最后也陆陆续续去了百度之类的公司。GFW面临与曼哈顿工程一样的伦理困局。科学本是中立的,但科学家却被政治摆弄。技术工作者们只关心也只 被允许关心如何实现安全,并不能关心安全的定义到底如何。他们缺乏学术伦理精神,不能实践"对自己工作的一切可能后果进行检验和评估;一旦发现弊端或危 险,应改变甚至中断自己的工作;如果不能独自做出抉择,应暂缓或中止相关研究,及时向社会报警"的准则。结果就算他们辛辛苦苦做研究却也不能造福民生,反 而被扣上"扼杀中国人权""纳粹帮凶"的帽子,不可谓不是历史的悲哀。

这种话语范式浸透了社会的方方面面。在这种话语之下,中国有了世界上最强大的防火墙,但中国的网络建设却远远落后于世界先进水平;中国有了世界上最庞大的 网瘾治疗产业链,但中国的网络产业却只会山寨技;中国有了世界上最多的网民,但在互联网上却听不见中国的声音。GFW已经实现了人们的自我审查,让人们即 使重获自由也无法飞翔,完成了其根本目的。现在即使对GFW的DDoS的技术已经成熟,然而推倒墙却也变得没有意义,只能让公安系统的金盾得势,更 多的网民被捕,最终新墙竖起。这一切都出自意识形态化现代性与网络化后现代性之间巨大断裂,以及"国家信息安全话语"这种致命的讳疾忌医。

结语

一部GFW简史同时也是中国网络化简史。网络化既是技术变革,也是文化变革。网络文化这种"有害成份"无法分而治之,因为网络化的技术变革与文化变革是一 体的;后现代的网络文化也无法与现代的意识形态文化进行同化,因为两者分属不同的范式。网络的确是意识形态完全的敌人,因为网络多元化文化要求取消意识形 态的中心地位;但意识形态不是网络的敌人,事实上网络没有敌人,因为网络只有解构对象。因此对于执政者来说,意识形态的中心地位与网络化发展趋势两者只能 选择其一。实际情况是,执政者选择了前者,而把大刀挥向了Web 2.0。于是网络用它一贯调侃的风格模仿意识形态话语进行了如下讽刺:"我们对你陈旧的政权概念和意识形态烂腌菜毫不感兴趣。你无法理解在人类网络化的历 史潮流之前宏大叙事为何而消解,你也无法理解国家和民族概念为何将分崩离析,你无法改变你对互联网的无知。你的政权无法成为我们真正的敌人。"其实, 《2009匿名网民宣言》只是过早的预言,cyberpunk式的谜语。

然而,无论中国的互联网受到了怎样的限制和压迫,即便中国网民的眼界已经被成功禁锢,中国的网络还是以它自己的方式适应种种压力顽强地发展。无论有多么强 大的GFW或者金盾,即使被关在果壳之中,网络仍然在以意识形态完全不能理解的方式走向后现代蓝海,自成为无限空间之王。

2010/01/01

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection


Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Thomas H. Ptacek
tqbf@securenetworks.com

Timothy N. Newsham
newsham@securenetworks.com

Secure Networks, Inc.

January, 1998



"Not everything that is counted counts, and not everything that counts can be counted."
Albert Einstein
". . . yes, a game where people throw ducks at balloons, and nothing is what it seems. . . "
Homer J. Simpson



Abstract
All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection---passive protocol analysis---which is fundamentally flawed. In passive protocol analysis, the intrusion detection system (IDS) unobtrusively watches all traffic on the network, and scrutinizes it for patterns of suspicious activity. We outline in this paper two basic problems with the reliability of passive protocol analysis: (1) there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines, and (2) the fact that the system is passive makes it inherently "fail�open," meaning that a compromise in the availability of the IDS doesn't compromise the availability of the network. We define three classes of attacks which exploit these fundamental problems---insertion, evasion, and denial of service attacks --- and describe how to apply these three types of attacks to IP and TCP protocol analysis. We present the results of tests of the efficacy of our attacks against four of the most popular network intrusion detection systems on the market. All of the ID systems tested were found to be vulnerable to each of our attacks. This indicates that network ID systems cannot be fully trusted until they are fundamentally redesigned.
1 Introduction

Intrusion detection is a security technology that attempts to identify and isolate ``intrusions'' against computer systems. Different ID systems have differing classifications of ``intrusion''; a system attempting to detect attacks against web servers might consider only malicious HTTP requests, while a system intended to monitor dynamic routing protocols might only consider RIP spoofing. Regardless, all ID systems share a general definition of ``intrusion'' as an unauthorized usage of or misuse of a computer system.
Intrusion detection is an important component of a security system, and it complements other security technologies. By providing information to site administration, ID allows not only for the detection of attacks explicitly addressed by other security components (such as firewalls and service wrappers), but also attempts to provide notification of new attacks unforeseen by other components. Intrusion detection systems also provide forensic information that potentially allow organizations to discover the origins of an attack. In this manner, ID systems attempt to make attackers more accountable for their actions, and, to some extent, act as a deterrent to future attacks.

1.1 The CIDF Model of Intrusion Detection Systems

There are many different ID systems deployed world-wide, and almost as many different designs for them. Because there are so many different ID systems, it helps to have a model within which to consider all of them. The Common Intrusion Detection Framework (CIDF)[1] defines a set of components that together define an intrusion detection system. These components include event generators (``E-boxes''), analysis engines (``A-boxes''), storage mechanisms (``D-boxes''), and even countermeasures (``C-boxes''). A CIDF component can be a software package in and of itself, or part of a larger system. Figure 1 shows the manner in which each of these components relate.
The purpose of an E-box is to provide information about events to the rest of the system. An ``event'' can be complex, or it can be a low-level network protocol occurrence. It need not be evidence of an intrusion in and of itself. E-boxes are the sensory organs of a complete IDS--- without E-box inputs, an intrusion detection system has no information from which to make conclusions about security events.

A-boxes analyze input from event generators. A large portion of intrusion detection research goes into creating new ways to analyze event streams to extract relevant information, and a number of different approaches have been studied. Event analysis techniques based on statistical anomaly detection[2], graph analysis[3], and even biological immune system models[4] have been proposed.

E-boxes and A-boxes can produce large quantities of data. This information must be made available to the system's operators if it is to be of any use. The D-box component of an IDS defines the means used to store security information and make it available at a later time.


Figure 1: CIDF component relationships

Many ID systems are designed only as alarms. However, most commercially available ID systems are equipped with some form of countermeasure (C-box) capability, ranging from shutting down TCP connections to modifying router filter lists. This allows an IDS to try to prevent further attacks from occurring after initial attacks are detected. Even systems that don't provide C-box capabilities can be hooked into home-brewed response programs to achieve a similar effect.

1.2 Network Intrusion Detection and Passive Analysis

Many ID systems are driven off of audit logs provided by the operating system, detecting attacks by watching for suspicious patterns of activity on a single computer system. This type of IDS is good at discerning attacks that are initiated by local users, and which involve misuse of the capabilities of one system. However, these ``host based'' (and multi-host) intrusion detection systems have a major shortcoming: they are insulated from network events that occur on a low level (because they only interpret high-level logging information). Network intrusion detection systems are driven off of interpretation of raw network traffic. They attempt to detect attacks by watching for patterns of suspicious activity in this traffic. Network ID systems are good at discerning attacks that involve low-level manipulation of the network, and can easily correlate attacks against multiple machines on a network.
It's important to understand that while network ID has advantages over host-based ID, it also has some distinct disadvantages. Network ID systems are bad at determining exactly what's occurring on a computer system; hostbased ID systems are kept informed by the operating system as to exactly what's happening. It is probably impossible to accurately reconstruct what is happening on a system by watching ``shell'', ``login'', and ``telnet'' sessions. Network ID systems work by examining the contents of actual packets transmitted on the network. These systems parse packets, analyzing the protocols used on the network, and extract relevant information from them. This is typically accomplished by watching the network passively and capturing copies of packets that are transmitted by other machines.


Figure 2: An example network topology using a passive monitor

Passive network monitors take advantage of ``promiscuous mode'' access. A promiscuous network device, or ``sniffer'', obtains copies of packets directly from the network media, regardless of their destination (normal devices only read packets addressed to them). Figure 2 shows a simplified network topology in which a passive network monitor has been deployed.

Passive protocol analysis is useful because it is unobtrusive and, at the lowest levels of network operation, extremely difficult to evade. The installation of a sniffer does not cause any disruption to the network or degradation to network performance. Individual machines on the network can be (and usually are) ignorant to the presence of sniffer. Because the network media provides a reliable way for a sniffer to obtain copies of raw network traffic, there's no obvious way to transmit a packet on a monitored network without it being seen.

1.3 Signature Analysis

The question of what information is relevant to an IDS depends upon what it is trying to detect. For a system that is monitoring DNS traffic, the names of the hosts being queried for (and the responses to these queries) might be relevant. For a system attempting to detect attacks against FTP servers, the contents of all TCP connections to the FTP port would be interesting.
Some attacks can be discerned simply by parsing IP packets; an attempt to circumvent a packet filter using IP fragments is clearly observable simply by examining the fragment offset fields of individual IP fragments. Other attacks occur over multiple packets, or must be interpreted outside the context of the actual protocol (for instance, a DNS query might only be relevant if it involves a certain host).


Figure 3: CIDF model of a network IDS

Most ID systems identify such attacks using a technique called ``signature analysis'' (also called ``misuse detection''). Signature analysis simply refers to the fact that the ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string ``phf'' as an indicator of a CGI program attack.

Most signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.

Signature analysis and passive protocol analysis together define the event generation and analysis techniques used by the majority of commercially available ID systems. Figure 3 shows how these components fit into the CIDF model. For simplicity's sake, the remainder of this paper refers to systems that work like this as ``network ID systems.''

1.4 The Need for Reliable Intrusion Detection

Because of its importance within a security system, it is critical that intrusion detection systems function as expected by the organizations deploying them. In order to be useful, site administration needs to be able to rely on the information provided by the system; flawed systems not only provide less information, but also a dangerously false sense of security. Moreover, the forensic value of information from faulty systems is not only negated, but potentially misleading.
Given the implications of the failure of an ID component, it is reasonable to assume that ID systems are themselves logical targets for attack. A smart intruder who realizes that an IDS has been deployed on a network she is attacking will likely attack the IDS first, disabling it or forcing it to provide false information (distracting security personnel from the actual attack in progress, or framing someone else for the attack).

In order for a software component to resist attack, it must be designed and implemented with an understanding of the specific means by which it can be attacked. Unfortunately, very little information is publicly available to IDS designers to document the traps and pitfalls of implementing such a system. Furthermore, the majority of commercially available ID systems have proprietary, secret designs, and are not available with source code. This makes independent third-party analysis of such software for security problems difficult.

The most obvious aspect of an IDS to attack is its ``accuracy''. The ``accuracy'' of an IDS is compromised when something occurs that causes the system to incorrectly identify an intrusion when none has occurred (a ``false positive'' output), or when something occurs that causes the IDS to incorrectly fail to identify an intrusion when one has in fact occurred (a ``false negative''). Some researchers[5] discuss IDS failures in terms of deficiencies in ``accuracy'' and ``completeness'', where ``accuracy'' reflects the number of false positives and ``completeness'' reflects the number of false negatives.

Other attacks might seek to disable the entire system, preventing it from functioning effectively at all. We say that these attacks attempt to compromise the ``availability'' of the system.

1.5 Points of Vulnerability in ID Systems

Each component identified by the CIDF model has unique security implications, and can be attacked for different reasons.
As the only inputs of raw data into the system, E-boxes act as the eyes and ears of an IDS. An attack against the event generation capabilities of an IDS blinds it to what's actually happening in the system it's monitoring. For example, an attack against the E-box of a network IDS could prevent it from obtaining packets off the network, or from appropriately decoding these packets.

Some intrusion detection systems rely on sophisticated analyses to provide security information. In such systems, the reliability of the A-box components used is important because an attacker that knows how to fool them can evade detection --- and complicated analytical techniques may provide many avenues of attack. On the other hand, overly simplistic systems may fail to detect attackers that intentionally mask their attacks with complex, coordinated system interactions from multiple hosts[6].

The need for reliable data storage is obvious. An attacker that can subvert the D-box components of an IDS can prevent it from recording the details of her attack; poorly implemented data storage techniques can even allow sophisticated attackers to alter recorded information after an attack has been detected, eliminating its forensic value.

The C-box capability can also be attacked. If a network relies on these countermeasures for protection, an attacker who knows how to thwart the C-box can continue attacking the network, immune to the safety measures employed by the system. More importantly, countermeasure capabilities can be fooled into reacting against legitimate usage of the network --- in this case, the IDS can actually be turned against the network using it (often un-detectably).

It is apparent that there are many different points at which an intrusion detection system can be attacked. A comprehensive treatment of all potential vulnerabilities is far outside the scope of this paper. Rather than attempting to document general problems common to all ID systems, we focus on a specific class of attacks against certain types of intrusion detection systems.

There exist several serious problems with the use of passive protocol analysis as an event-generation source for signature-analysis intrusion detection systems. This paper documents these problems, presents several attacks that exploit them to allow an attacker to evade detection by ID systems, and verifies their applicability to the most popular commercial ID systems on the market.

2 Problems with Network ID Systems

Our work defines two general problems with network intrusion detection: first, that there is insufficient information available in packets read off the wire to correctly reconstruct what is occurring inside complex protocol transactions, and next, that ID systems are inherently vulnerable to denial of service attacks. The first of these problems reduces the accuracy of the system, and the second jeopardizes its availability.
2.1 Insufficiency of Information on the Wire

A network IDS captures packets off the wire in order to determine what is happening on the machines it's watching. A packet, by itself, is not as significant to the system as the manner in which the machine receiving that packet behaves after processing it. Network ID systems work by predicting the behavior of networked machines based on the packets they exchange.
The problem with this technique is that a passive network monitor cannot accurately predict whether a given machine on the network is even going to see a packet, let alone process it in the expected manner. A number of issues exist which make the actual meaning of a packet captured by an IDS ambiguous.

A network IDS is typically on an entirely different machine from the systems it's watching. Often, the IDS is at a completely different point on the network. The basic problem facing a network IDS is that these differences cause inconsistencies between the ID system and the machines it watches. Some of these discrepancies are the results of basic physical differences, others stem from different network driver implementations.

For example, consider an IDS and an end-system located at different places on a network. The two systems will receive any given packet at different points in time. This difference in time is important; during the lag, something can happen on the end-system that might prevent it from accepting the packet. The IDS, however, has already processed the packet---thinking that it will be dealt with normally at the end-system.

Consider an IP packet with a bad UDP checksum. Most operating systems will not accept such a packet. Some older systems might. The IDS needs to know whether every system it watches will accept such a packet, or it can end up with an inaccurate reconstruction of what happened on those machines.

Some operating systems might accept a packet that is obviously bad. A poor implementation might, for example, allow an IP packet to have an incorrect checksum. If the IDS doesn't know this, it will discard packets that the endsystem accepts, again reducing the accuracy of the system.

Even if the IDS knows what operating system every machine on the network runs, it still might not be able to tell just by looking at a packet whether a given machine will accept it. A machine that runs out of memory will discard incoming packets. The IDS has no easy way to determine whether this is the case on the end-system, and thus will assume that the end-system has accepted the packet. CPU exhaustion and network saturation at the end-system can cause the same problem.

Together, all these problems result in a situation where the IDS often simply can't determine the implications of a packet merely by examining it; it needs to know a great deal about the networking behavior of the end-systems that it's watching, as well as the traffic conditions of their network segments. Unfortunately, a network IDS doesn't have any simple way of informing itself about this; it obtains all its information from packet capture.

2.2 Vulnerability to Denial of Service

A ``denial of service'' (DOS) attack is one that is intended to compromise the availability of a computing resource. Common DOS attacks include ping floods and mail bombs --- both intended to consume disproportionate amounts of resources, starving legitimate processes. Other attacks are targeted at bugs in software, and are intended to crash the system. The infamous ``ping of death'' and ``teardrop'' attacks are examples of these.
Denial of service attacks can be leveraged to subvert systems (thus compromising more than availability) as well as to disable them. When discussing the relevance of DOS attacks to a security system, the question of whether the system is ``fail-open'' arises. A ``fail-open'' system ceases to provide protection when it is disabled by a DOS attack. A ``fail-closed'' system, on the other hand, leaves the network protected when it is forcibly disabled.

The terms ``fail-open'' and ``fail-closed'' are most often heard within the context of firewalls, which are access-control devices for networks. A fail-open firewall stops controlling access to the network when it crashes, but leaves the network available. An attacker that can crash a fail-open firewall can bypass it entirely. Good firewalls are designed to ``fail-closed'', leaving the network completely inaccessible (and thus protected) if they crash.

Network ID systems are passive. They do not control the network or maintain its connectivity in any way. As such, a network IDS is inherently fail-open. If an attacker can crash the IDS or starve it of resources, she can attack the rest of the network as if the IDS wasn't even there. Because of the obvious susceptibility to DOS attacks that network ID systems have, it's important that they be fortified against them.

Unfortunately, denial of service attacks are extremely difficult to defend against. The resource starvation problem is not easily solvable, and there are many different points at which the resources of an IDS can be consumed. Attacks that crash the IDS itself are easily fixed, but finding all such vulnerabilities is not easily done.

3 Attacks

We discuss in this paper three different types of attacks against sniffer-based network ID systems. Two of them attempt to subtly thwart protocol analysis, preventing the signature-recognition system from obtaining adequate information from which to draw conclusions. The third leverages simple resource-starvation attacks to disrupt or disable the entire system.
1 Vern Paxson of LBNL presented a paper describing several of the same attacks as we do at roughly the same time.[17]
All of our attacks involve an attacker that is specifically manipulating her network usage to create abnormal, or even pathological, streams of traffic. In most cases, they require low-level packet forgery. However, unlike normal ``spoofing'' attacks, these techniques are simplified by the fact that the attacker is manipulating her own sessions, not attempting to disrupt those of other users. Two of our attacks are new1, and specific to traffic analysis systems (though not necessarily to intrusion detection). Both are mechanisms by which an attacker can fool a protocol analyzer into thinking that something is (or is not) happening on the network. The first of these, which we call ``insertion'', involves an attacker stuffing the system with subtly invalid packets; the second, ``evasion'', involves exploiting inconsistencies between the analyzer and an end system in order to slip packets past the analyzer.

3.1 Insertion

An IDS can accept a packet that an end-system rejects. An IDS that does this makes the mistake of believing that the end-system has accepted and processed the packet when it actually hasn't. An attacker can exploit this condition by sending packets to an end-system that it will reject, but that the IDS will think are valid. In doing this, the attacker is ``inserting'' data into the IDS --- no other system on the network cares about the bad packets.
We call this an ``insertion'' attack, and conditions that lend themselves to insertion attacks are the most prevalent vulnerabilities in the intrusion detection systems we tested. An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.

To understand why insertion attacks foil signature analysis, it's important to understand how the technique is employed in real ID systems. For the most part, ``signature analysis'' uses pattern-matching algorithms to detect a certain string within a stream of data. For instance, an IDS that tries to detect a PHF attack will look for the string ``phf'' within an HTTP ``GET'' request, which is itself a longer string that might look something like ``GET /cgi-bin/phf?''.

The IDS can easily detect the string ``phf'' in that HTTP request using a simple substring search. However, the problem becomes much more difficult to solve when the attacker can send the same request to a webserver, but force the IDS to see a different string, such as ``GET /cgi-bin/pleasedontdetecttthisforme?''. The attacker has used an insertion attack to add ``leasedontdetectt'', ``is'', and ``orme'' to the original stream. The IDS can no longer pick out the string ``phf'' from the stream of data it observes.

Figure 4 gives a simple example of the same attack. An attacker confronts the IDS with a stream of 1-character packets (the attacker-originated data stream), in which one of the characters (the letter `X') will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings. In general, insertion attacks occur whenever an IDS is less strict in processing a packet than an end-system. An obvious reaction to this problem might be to make the IDS as strict as possible in processing packets read off the wire; this would minimize insertion attacks. However, another severe problem (``evasion'' attacks) occurs when this design approach is taken.


Figure 4: Insertion of the letter 'X'

3.2 Evasion

An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely. This condition can also be exploited, this time by slipping crucial information past the IDS in packets that the IDS is too strict about processing. These packets are ``evading'' the scrutiny of the IDS.
We call these ``evasion'' attacks, and they are the easiest to exploit and most devastating to the accuracy of an IDS. Entire sessions can be carried forth in packets that evade an IDS, and blatantly obvious attacks couched in such sessions will happen right under the nose of even the most sophisticated analysis engine.

Evasion attacks foil pattern matching in a manner quite similar to insertion attacks. Again, the attacker causes the IDS to see a different stream of data than the end-system --- this time, however, the end-system sees more than the IDS, and the information that the IDS misses is critical to the detection of an attack.

In the insertion attack we mentioned above, the attacker sends an HTTP request, but muddies its contents on the IDS with additional data that make the request seem innocuous. In an evasion attack, the attacker sends portions of the same request in packets that the IDS mistakenly rejects, allowing her to remove parts of the stream from the ID system's view. For example, the original request could become ``GET /gin/f'', which would have no meaning to most ID systems. Figure 5 shows the same type of attack.


Figure 5: Evasion of the letter 'A'

3.3 Real World Insertion and Evasion

In reality, insertion and evasion attacks are not this easy to exploit. An attacker usually does not have the luxury of injecting arbitrary characters into a stream. However, these attacks can come into play well before pattern matching becomes a consideration. One example of a place in which insertion attacks can be leveraged at a very low level is stream reassembly. To understand how insertion and evasion play into reassembly, we'll first explain what we mean by the term.
Many network protocols are simple and easy to analyze. They involve one system sending a single request to another, and waiting for that system to respond. For example, a network monitor can easily determine the purpose of a single UDP DNS query by looking at one packet.

Other protocols are more complex, and require consideration of many individual packets before a determination can be made about the actual transaction they represent. In order for a network monitor to analyze them, it must statefully monitor an entire stream of packets, tracking information inside each of them. For example, in order to discover what is happening inside of a TCP connection, the monitor must attempt to reconstruct the streams of data being exchanged over the connection.

Protocols like TCP allow any amount of data (within the limits of the IP protocol's maximum packet size) to be contained in each discrete packet. A collection of data can be transmitted in one packet, or in a group of them. Because they can arrive at their destination out of order, even when transmitted in order, each packet is given a number that indicates its place within the intended order of the stream. This is commonly referred to as a ``sequence number'', and we call collections of packets marked with sequence numbers ``sequenced''.


Figure 6: Sequenced reassembly

The recipient of a stream of TCP packets has the responsibility of re-ordering and extracting the information contained in each of them, reconstructing the original collection of data that the sender transmitted. The process of taking a collection of unordered, sequenced packets and reconstructing the stream of data they contain is termed ``reassembly''. Figure 6 shows an example of how a stream of data tagged with sequence numbers might be reassembled.

Reassembly issues manifest themselves at the IP layer, as well; IP defines a mechanism, called ``fragmentation'', that allows machines to break individual packets into smaller ones. Each individual fragment bears a marker that denotes where it belongs in the context of the original packet; this field is called the ``offset''. IP implementations must be able to accept a stream of packet fragments and, using their offsets, reassemble them into the original packet.

Insertion attacks disrupt stream reassembly by adding packets to the stream that would cause it to be reassembled differently on the end-system---if the end system accepted the disruptive packets. The inserted packets could change the sequencing of the stream (consuming hundreds of sequence numbers), preventing the IDS from dealing properly with the valid packets that follow it. Packets can be inserted that overlap old data, rewriting the stream on the IDS. And, in some situations, packets can be inserted that simply add content to the stream which changes its meaning.

Evasion attacks disrupt stream reassembly by causing the IDS to miss parts of it. The packets lost by the IDS might be vital for the sequencing of the stream; the IDS might not know what to do with the packets it sees after the evasion attacks. In many situations, it's fairly simple for the attacker to create an entire stream that eludes the IDS.

3.4 Ambiguities

In many cases, defending against insertion and evasion attacks is easy. The behavior that an attacker is exploiting to insert packets into the IDS is, in these cases, simply wrong. The IDS might not be verifying a checksum or examining a header field correctly; fixing the problem merely involves modifying the IDS to check these things.



In some cases, however, fixing the problem is not easy. There are situations in which a network monitor cannot determine by looking at a packet whether it will be accepted. This can be due to varying end-system behavior (one operating system might process a packet differently from another). Basic network ambiguities can also cause problems. In some cases, unless the IDS knows exactly what path the packet is going to take to get to its destination, it won't know whether it will actually arrive there.

Attacks that exploit these kinds of problems cannot easily be defended against unless the IDS has a source of information that resolves the ambiguity. If the IDS knows what operating system is running on the destination system, it may be able to discern whether a packet is acceptable to that system. If the IDS can reliably track the topology of the network, it may be be able to determine whether or not a packet will ever be received by an end-system. In general, we say a traffic analysis problem is ``ambiguous'' if an important conclusion about a packet cannot be made without a secondary source of information.

Figure 7 shows the ambiguities this paper identifies. Each ambiguity can potentially be resolved if the IDS has certain information (either a reliable view of the topology of the network, the configuration of the end-systems it's watching, or the OS and version of those systems). This is, of course, not an exhaustive list.

The next two sections of this paper provide examples of how insertion and evasion attacks affect protocol analysis at the network (IP) and transport (TCP) layers. These sections provide real-world examples of attacks on IP network ID systems in great detail, working from the basic attacks we've defined here.

4 Network�Layer Problems

We begin our discussion of specific, observable problems in network intrusion detection systems at the IP layer. An insertion or evasion problem occurring within the IP processing of an IDS affects all higher levels of processing as well; a problem that allows an attacker to insert an arbitrary IP packet allows that attacker, by extension, to insert an arbitrary (well-formed) UDP or ICMP packet. It is thus extremely important that an ID system be immune to insertion or evasion attacks on this level.



4.1 Simple Insertion Attacks

There are many ways that an attacker can send an IP packet that only an IDS will accept. We collected candidate methods by examining the IP driver source code of the 4.4BSD operating system. Any condition that causes 4.4BSD to drop a received packet must be accounted for in an intrusion detection system. An inconsistency between 4.4BSD and an IDS represents a potential insertion or evasion attack against that IDS. Figure 8 lists all the points in FreeBSD 2.2's ``ip input'' routine that discard received datagrams.
4.1.1 Bad Header Fields

The easiest way for an IP datagram to be discarded by an endpoint is for it to have an invalid header field. The header fields of an IP packet are described in RFC731[7].
One problem with attempting to use packets with bad header fields for insertion attacks is that doing so often prevents the packet from being forwarded by Internet routers. This makes it difficult to use such packets for an attack, unless the IDS is situated on the same LAN as the attacker (in which case the attacker can already manipulate the IDS via packet forgery). A good example is the ``version'' field; assigning a value other than 4 to this field will prevent the packet from being routed.

Another problem with using bad header fields is the fact that some of them need to be correct for the packet to be parsed correctly (``correctly'' here meaning ``in the manner intended by the attacker''). For instance, incorrectly specifying the size of the IP packet itself, or the size of its header, may prevent the IDS from locating the transport layer of the packet.

One IP header field that is easy to neglect is the checksum. It may seem unnecessary for an IDS to verify the accuracy of the checksum on each captured IP packet; however, a datagram with a bad checksum will not be processed by most IP implementations. An IDS that does not reject packets with bad checksums is thus vulnerable to a very simple insertion attack.

A harder problem to solve is the TTL field. The TTL (time to live) field of an IP packet dictates how many ``hops'' a packet can traverse on its way to its destination. Every time a router forwards a packet, it decrements the TTL. When the TTL runs out, the packet is dropped. If the IDS is not on the same network segment as the systems it watches, it is possible to send packets that only the IDS will see by setting the TTL just long enough for the packet to reach the IDS, but too short for the packet to actually arrive at its destination.[17]

A similar problem occurs in relation to the ``Don't Fragment'' (DF) flag in the IP header. The DF flag tells forwarding devices not to split a packet up into fragments when the packet is too large to be forwarded, but instead to simply drop the packet. If the maximum packet size of the network the IDS is on is larger than that of the systems it watches, an attacker can insert packets by making them too large for the destination network and setting the DF bit.[17]

Both of these problems can lead to ambiguities that are only solveable if the IDS has an intimate knowledge of the topology of the network it is monitoring.

4.1.2 IP Options

The IP checksum problem is fairly simple to solve; an IDS can reasonably assume that if the checksum is wrong, the datagram will not be accepted by the endsystem it's addressed to. A trickier problem is that of parsing IP options. This is more likely to vary between hosts, and the interpretation of options requires specialized processing.
For example, most end-systems will drop a packet that is ``strict source routed''[9] when the host's own address is not in the specified source route. It is reasonable for an IDS to drop such packets, avoiding an insertion attack.

However, many operating systems can be configured to automatically reject source routed packets. Unless the IDS knows whether a source-routed packet's destination rejects such packets, the correct action to take is ambiguous.

Examination of source route options on IP packets may seem like an obvious requirement for a security program. However, there are other options that must be accounted for that are less obviously relevant. For instance, the ``timestamp'' option requests that certain recipients of the datagram place a timestamp within the packet. The code that processes the timestamp option can be forced to discard the packet (if the option is malformed). If the sniffer does not validate the timestamp option in the same manner as the end systems it watches, the inconsistency can be exploited. Figure 9 lists all the places in which FreeBSD



2.2's option processing code discards incoming datagrams.

Most IP option processing problems in the 4.4BSD option processing code results in the transmission of an ICMP error message, notifying the sender of the errant datagram of the problem. An IDS could potentially listen for such messages to determine whether an oddly-specified option is correct. This is not always reliable; some operating systems (Sun Solaris, for instance) will rate-limit ICMP, suppressing the error messages. Furthermore, tracking ICMP responses to datagrams bearing options requires the IDS to keep state for each IP packet; this will consume resources and potentially allow an attacker an avenue for a denial of service attack.
4.2 MAC Addresses

Although obviously not an IP problem per se, the same implications for insertion attacks exist due to link-layer addressing. An attacker on the same LAN as a network monitor can direct link-layer frames to the IDS, without ever allowing the host specified as the IP destination to see the packet.
If the attacker knows the link-layer address of the IDS, she can simply address her fake packet to the IDS. No other system on the LAN will process the packet, but, if the IDS doesn't check the MAC address on the received packet, it won't know this. Figure 10 shows an example of an attacker that inserts a character in the IDS by directing a packet to the IDS via the Ethernet link-layer.


Figure 10: Insertion Attacks at the Link Layer

Even if the attacker doesn't know the link-layer address of the network monitor, she can exploit the fact that the network monitor is operating in promiscuous mode by addressing the frame to a fake address. Again, unless the IDS verifies the destination address in the IP header against the correct link-layer address (and can do so reliably), it can be fooled by falsely-addressed link-layer frames.

4.3 IP Fragmentation

IP packets can be broken into smaller packets, and reassembled at the destination. This is termed ``fragmentation'', and is an integral part of the IP protocol. IP fragmentation allows the same information to travel over different types of network media (which may have different packet size limits) without limiting the entire protocol to an arbitrary small maximum packet size. A detailed explanation of IP fragmentation can be found in Stevens[8], or in RFC791[9].
Because end-systems will reassemble a stream of IP fragments, it is important that a network monitor correctly reassemble fragments as well. An IDS that does not correctly reassemble fragments can be attacked simply by ensuring that all data is exchanged between machines using artificially fragmented packets.

4.3.1 Basic Reassembly Problems

Streams of IP fragments usually arrive in order. The last fragment in a stream is clearly marked (the IP header contains a flag that specifies whether more fragments follow a given packet). However, even though it rarely happens, the protocol allows fragments to arrive in any arbitrary order. An end system must be able to reassemble a datagram from fragments that arrive out of order.
Because fragments usually arrive in order, it's easy to make the mistake of assuming that they always will. An IDS that does not properly handle outof-order fragments is vulnerable; an attacker can intentionally scramble her fragment streams to elude the IDS. It's also important that the IDS not attempt to reconstruct packets until all fragments have been seen. Another easily made mistake is to attempt to reassemble as soon as the marked final fragment arrives.

Another significant problem is the fact that received fragments must be stored until the stream of fragments can be reassembled into an entire IP datagram. An IDS can be attacked by flooding the network with partial, fragmented datagrams, which will never be completed. A naive IDS will run out of memory as it attempts to cache each fragment, since the fragmented packets are never completed.

End-systems must deal with this problem as well. Many systems drop fragments based on their TTL, to avoid running out of memory due to over-full fragment queues. An IDS that eventually drops old, incomplete fragment streams must do so in a manner consistent with the machines it's watching, or it will be vulnerable to insertion (due to accepting fragment streams that end-systems have dropped already) or evasion (due to dropping fragments that end-systems have not yet discarded) attacks.

4.3.2 Overlapping Fragments

It has long been known that there are serious security implications arising from interactions between fragmentation and network access control devices (like packet filters). Two well-known attacks involving fragmentation allow attackers to potentially evade packet filters by employing pathological fragment streams. The first of these attacks involves simply sending data using the smallest fragments possible; the individual fragments will not contain enough data to filter on.
The second problem is far more relevant to ID systems. It involves fragmentation overlap, which occurs when fragments of differing sizes arrive out of order and in overlapping positions. If a fragment arriving at an end-station contains data that has already arrived in a different fragment, it is possible that the newly arrived data may overwrite some of the old data.

This presents problems for an IDS. If the IDS does not handle overlapping fragments in a manner consistant with the systems it watches, it may, given a stream of fragments, reassemble a completely different packet than an endsystem in receipt of the same fragments. An attacker that understands the specific inconsistency between an end-system and an IDS can obscure her attack by couching data inside of overlapping fragment streams that will be reassembled differently on the two systems.

Overlap resolution is further complicated by the fact that data from conflicting fragments is used differently depending on their positions. In some situations, conflicts are resolved in favor of the new data. In others, the old data is preferred and the new data is discarded. An IDS that does this incorrectly is vulnerable to evasion attacks. Figure 11 shows the different scenarios involved in fragmentation overlap.


Figure 11: Forward and Reverse Overlap



4.3.3 Effects of End�System Fragmentation Bugs

ID systems aren't the only IP implementations that can incorrectly handle overlapping fragments. The IP drivers in end-systems can have bugs as well. The complexity of IP fragment reassembly makes the existence of incorrect implementations quite likely. Unless the IDS knows exactly which systems have nonstandard drivers, it is incapable of accurately reconstructing what's happening on them.
For example, Windows NT resolves overlapping fragments consistently in favor of the old data (we were unable to create a fragment stream that forced Window NT to rewrite a previously received fragment). This differs from 4.4BSD, which resolves conflicts as suggested by the standard (in favor of the new data in cases of forward overlap)[10]. Figure 12 gives examples of how several popular operating systems resolve overlap.

The end result is that fragmentation reassembly is different on the endsystem depending on the operating system. Unless the IDS knows which OS the system is running, it will have absolutely no way of knowing what form of conflict resolution was performed, and thus no conclusive evidence of what was actually reassembled.

4.3.4 IP Options in Fragment Streams

IP packets can bear options. When an IP packet is fragmented, the question arises as to whether the options from the original packet should be carried on all the fragments. RFC791[9] dictates that certain IP options are to be present in every fragment of a datagram (for example, the ``security'' option), and others must appear only in the first fragment.
A strict implementation of IP could discard fragments that incorrectly present options. Many implementations do not. If the IDS doesn't behave exactly like the machines it's watching in this respect, it will be vulnerable to insertion and evasion attacks.

4.4 Forensic Information from IP Packets

It is an unfortunate fact that the IP version 4 protocol is in no way authenticated. This poses some problems to ID systems attempting to collect evidence based on information seen in IP headers; anyone can forge an IP packet appearing to come from some arbitrary host.
This problem is particularly severe with connectionless protocols. In connection-oriented protocols, a weak conclusion can be drawn as to the origin of a session based on whether a valid connection is created; the sequence numbers employed by protocols like TCP provide at least cursory assurance that the attack is originating at the address it appears to come from. An IDS can observe that a connection uses consistantly correct sequence numbers and have a reasonable assurance that it's not being blindly spoofed.

Unfortunately, no such assurance exists with connectionless protocols; an attack against the DNS, for instance, could be sourced from any address on the net. It is important that operators of ID systems be aware of the questionable validity of the addressing information they're given by their system.

5 TCP Transport�Layer Problems

A large portion of the attacks detected by ID systems occur over TCP connections. This imposes the requirement that an IDS be able to reconstruct the flow of data passing through a stream of TCP packets. If the IDS can't do this in a manner consistent with end systems it's watching, it is vulnerable to attack.
For normal TCP connections, initiated by innocuous network applications like ``telnet'', this is not difficult. Against an attacker, who is stretching the TCP protocol to its limits (and, in exploiting OS bugs, beyond those limits) to avoid detection, the problem is far more difficult.

There are many different ways to implement a TCP connection monitor. Each has its advantages, and each has serious flaws. The lack of a canonical ``Right Way'' to process a captured stream of TCP packets is a major problem with network ID systems.

5.1 Definition of Terms

TCP connection monitoring is a complicated subject. In order to simplify our discussion, we define several terms describing information used by the monitor to track and record information flowing through a TCP session. For the most part, these terms are synonymous with those used by the BSD TCP implementation.
Every TCP connection has four identifiers (two for the client, two for the server) which distinguish it from any other connection on the network. These are the client (or source) and server (or destination) IP addresses, and the client and server TCP port numbers. Two connections cannot exist on the network that share these identifiers. We'll refer to this information as the ``connection parameters''.

The TCP protocol specification (RFC793[12]) defines several ``states'' that any given connection can be in. In this paper, we refer only to states observable by an IDS (those involving the actual exchange of data between two hosts).

The vast majority of all possible connections exist in the ``CLOSED'' state, meaning that no connection currently exists using those parameters. An active, established connection is said to be in ``ESTABLISHED'' state. We'll introduce other states when they become relevant to our discussion.

TCP implements a reliable, sequenced stream protocol. By ``reliable'', we mean that each end of a connection can determine whether data it has sent was successfully received, and can do something to remedy the situation when it isn't. TCP is ``sequenced'' because it employs ``sequence numbers'' to determine where any piece of data represented in a packet belongs within a stream.

In order for an IDS to reconstruct the information flowing through a TCP connection, it must figure out what sequence numbers are being used. We call the process that an IDS goes through to determine the current valid sequence numbers for a connection ``synchronization''. A scenario in which the IDS becomes confused about the current sequence numbers is termed ``desynchronization''.

When an IDS is desynchronized from a connection, it cannot accurately reconstruct the data being passed through the connection. In many cases, ID systems become completely blinded (not reconstructing any data from the connection) when this occurs. Thus, a major goal of an attacker is to desynchronize the IDS from her connections.

Along with sequence numbers, TCP tracks several other pieces of information about a connection. TCP defines a flow-control mechanism that prevents one side of a connection from sending too much data for the other side to process; this is tracked through each side's ``window''. TCP also allows for out-of-band data to be sent in a stream, using the ``urgent pointer''.

This collection of state information can be represented internally on an endsystem in any manner. We refer to the abstract concept of the block of information that an implementation must manage to follow a single connection as a ``TCP control block'', or ``TCB''. A network IDS must maintain a TCB for every connection that it watches.

5.1.1 IDS State Transition

TCBs are only useful for connections that are not (in fact) in CLOSED state. Because it would be infeasible for an IDS to maintain a TCB for every possible connection, any network IDS defines a mechanism by which TCBs can be created for newly detected connections, and destroyed for connections that are no longer relevant.
In our discussion of IDS TCP problems, we isolate three different points at which the processing of a connection by an IDS can be subverted. These are TCB creation (the point at which an IDS decides to instantiate a new TCB for a detected connection), stream reassembly (the process an IDS uses to reconstruct a stream associated with an open TCB), and TCB teardown (the point at which the IDS decides to retire a TCB).

Contributing to attacks against each of these three points are data insertion attacks, which can allow an attacker to confuse the IDS as to what data is actually arriving at the end-system. In some cases, such as within the context of stream reassembly, data insertion attacks make the reliable monitoring of a TCP session practically impossible; it is thus important the the IDS not be vulnerable to insertion attacks. This is not an easy goal to achieve.

5.2 Simple Insertion Attacks

As with the IP protocol, there are several different ways in which a single packet can be inserted into an IDS. TCP input processing is complex, and there are many different cases that can cause a received packet to be dropped. As always, if an IDS doesn't process TCP packets in the same manner as the end-systems it's monitoring, it is potentially vulnerable to insertion attacks.
As with our analysis of IP monitoring, we used the source code to the 4.4BSD kernel to obtain candidate cases for potential insertion attacks. Again, any point in 4.4BSD's tcp input() function that causes a received packet to be dropped without complete processing was identified as a possible problem. Figure 13 lists points in FreeBSD 2.2's tcp input() code where incoming segments are dropped.

A TCP segment is acknowledged if the receiving system generates a message in response to the segment; when this occurs, we indicate whether this is via an RST or ACK message. The transmission of a message in response to a bad segment is significant because an IDS could potentially detect invalid segments by examining the manner in which they are acknowledged, though this is complicated both by resource and efficiency issues, as well as the potential for inconsistant behavior across different operating systems.

5.2.1 Malformed Header Fields

Data from a TCP packet can be extracted and used in reassembly without looking at many of the header fields. This makes it dangerously easy to design a TCP session monitor that is vulnerable to packet insertion; it is important to validate the header fields of a TCP packet before considering its data.
One very easily overlooked field is the ``CODE'', which determines the type of message being sent in a given TCP segment. The TCP code is specified as a series of binary flags. Certain combinations of these flags are invalid, and should result in a discarded packet. Additionally, many TCP implementations will not accept data in a packet that does not have the ``acknowledge'' (``ACK'') flag set.

According to the TCP specification, TCP implementations are required to accept data contained in a SYN packet. Because this is a subtle and obscure point, some implementations may not handle this correctly. If an IDS doesn't consider data in a SYN packet, it is vulnerable to a trivial evasion attack; if it does, it may be vulnerable to insertion attacks involving incorrect end-system implementations.

Another often overlooked TCP input processing issue is checksum computation. All TCP implementations are required to validate incoming packets with the Internet checksum. Many ID systems fail to perform this check; packets can be inserted into these systems simply by sending TCP segments with intentionally corrupt checksums.

5.2.2 TCP Options

As in IP, it is important that the IDS process TCP options correctly. Unfortunately, processing of TCP options is significantly trickier than processing IP options. One reason for this is the fact that several TCP options have only recently been created (timestamp and window scale, for instance). Another is the fact that TCP specifies rules for when a TCP option can appear within the context of a connection. Certain options can be invalid in certain connection states.
RFC1323[13] introduces two new TCP options designed to increase the reliability and performance of TCP in high-speed environments. With these new options came the possibility that TCP options could appear on packets that were not SYN segments, a departure from the previous convention. RFC1323 dictates that options can only appear in non-SYN segments if the option has been specified and accepted previously in that connection.



Figure 13: FreeBSD 2.2 tcp input() packet drop points (netinet/tcp input.c)

Because certain TCP implementations may reject non-SYN segments containing options not previously seen, it's important that the IDS not blindly accept such a packet. On the other hand, some end-systems may simply ignore the bad options, but continue to process the packet; if the IDS doesn't correctly determine what the end-system has done, it will either be vulnerable to an insertion attack or another trivial packet evasion attack.

Another concept defined by RFC1323 is PAWS, or ``protection against wrapped sequence numbers''. Systems implementing PAWS track timestamps on segments; if a segment is received that contains a timestamp echo that is older than some threshold time, it is dropped. An attacker can trivially create a TCP segment with an artificially low timestamp, which will cause PAWS-compliant TCP stacks to drop the packet without further processing.

Not only does the IDS need to know whether the end-system supports PAWS, but it also needs to know what the end-system's threshold value for timestamps is. Without this information, an IDS may erroneously process invalid TCP segments, or, even worse, make an incorrect guess as to the validity of a segment and enable evasion attacks.

5.3 TCB Creation

The first point at which TCP session monitoring can be subverted is in TCB creation. The TCB creation policies of an IDS determine the point at which it begins recording data for a given connection, as well as the initial state (sequence numbers, etc) used to synchronize the monitoring with the actual session.
TCB creation is a troublesome issue. There are many different methods that can be employed to determine when to open a TCB, and none of the straightforward methods is without problems. Some techniques are obviously inferior to others, however, and it's important to indicate which these are. TCB creation establishes the initial state of a connection, including its sequence numbers; the ability to forge fake TCBs on the IDS can allow an attacker to desynchronize future connections that use the same parameters as the forged connection.

TCB creation as a concept revolves around the TCP three-way handshake (or ``3WH''), which is an exchange of TCP packets between a client (the ``active opener'' of a connection) and server (the ``passive opener''). The 3WH establishes the initial sequence numbers used for that connection, along with any other parameters (the use of running timestamps, for instance) that may be important.

There are very few options available to an end-system in implementing TCB creation; a TCB cannot be completely opened until a three-way handshake is completed successfully. Without the 3WH, the two ends of a connection have no agreed-upon sequence numbers to use, and will be unable to exchange data.

An IDS, on the other hand, has many options. ID systems can attempt to determine the sequence numbers being used simply by looking at the sequence numbers appearing in TCP data packets (we refer to this as ``synching on data''), or it can rely entirely on the 3WH. Compromises can be made to either approach; information from a 3WH can be used, but not relied upon, by the IDS, and the

IDS does not necessarily need to wait for an entire 3WH before opening a TCB. We attempt to outline all the straightforward mechanisms for establishing TCBs on an IDS here. This is by no means a complete list of all the ways this task can be accomplished, but these are the techniques that we expect to see utilized in typical ID systems.

5.3.1 Requiring Three�Way Handshake

The first decision for IDS designers to make is whether or not to rely completely on the three-way handshake for TCB initiation. An IDS that relies on the 3WH will not record data in a connection for which it did not observe a handshake.
This has a few distinct disadvantages. The first and most obvious is the fact that the IDS will miss entirely any TCP connection for which it does not see the 3WH. This obviously presents problems at program initialization time (the IDS will only be able to see connections that start after it does), but also presents a serious opportunity for connection evasion by an attacker who can prevent the IDS from seeing the 3WH.

Another problem occurs in combination with TCP reassembly. If an IDS uses the 3WH to determine the initial sequence numbers of a connection, and then validates data against those sequence numbers, it can potentially be tricked into desynchronization by an attacker who forges a realistic-looking (but fake) handshake. If the IDS records the sequence numbers from the handshake, a real connection, using different sequence numbers but the same parameters, will be undetectable as long as the attacker-created TCB is open.

TCP options compound this problem. In order to correctly deal with TCP extensions such as PAWS, the IDS must see the three-way handshake (the handshake determines whether the use of certain options is legitimate with the connection). If the IDS fails to detect this, it will be vulnerable to insertion attacks against some operating systems (notably 4.4BSD).

The Effects of Filtering on Handshake Detection Many security-conscious networks have network filtering in place that makes it difficult for a remote attacker to send packets to the network that have source addresses of machines behind the filter. This technique, which is referred to as ``inside-outside'' filtering or ``spoof-protection'', makes some attacks against TCB creation harder; the attacker, trying to trick the IDS into opening or desynchronizing a TCB, cannot easily forge server response packets.

An IDS can take advantage of this by trusting packets that appear to originate from machines behind such filters (the IDS assumes that the presence of these filters makes forging such packets impossible). Trusted packets can be used as a reliable indicator of connection state.

It's important to base the decision on whether to ``trust'' a packet off the source address on the packet, and not on the type of TCP message it contains. An IDS that ``trusts'' SYN+ACK packets, assuming that they are server response messages and thus protected by packet filters, cannot accurately detect attacks against network clients (in which the filtered addresses are the clients, not the servers).

Of course, the IDS must be configured to know which addresses are trustworthy and which aren't. An IDS which blindly relies on the fact that addresses on its own LAN are spoof-protected will be completely vulnerable if no actual spoof protection exists. The configuration of the IDS must be consistent with that of the actual packet filters.

Requiring Full Handshake An IDS that requires a full 3WH will not record data for a connection until it sees and accepts all 3 packets in the three-way handshake. Two of these packets are sent by the client (and thus, for server attacks, can be considered under the complete control of an attacker), and 1 of them is sent by the server. In TCP terminology, this means that the IDS doesn't start recording until the connection enters ESTABLISHED state.

As mentioned previously, requiring a complete handshake makes it dangerously easy to miss connections (due to packet evasion techniques, simple performance problems on the TCP monitor that cause it to miss packets, or even attacker-induced performance problems).

Allowing Partial Handshake An IDS that requires at least a partial 3WH will not record data for a connection until it sees some portion of the handshake occur. Evidence of a three-way handshake validates TCB initiation (we'll see that there are problems with blindly creating TCBs to synch up to data streams), and potentially reduces the ability of an attacker to trick the system into creating false TCBs. Requiring only partial handshakes also decreases the probability that a connection will be missed due to packet drops under load.

The question that then arises is ``what portion of the three-way handshake needs to be seen by the IDS before a TCB is created?''. An IDS can create a TCB when it sees the initial connection solicitation (the client SYN), or when it sees the server return a positive response (the server SYN+ACK). In the presence of inside-outside filtering, it can be difficult for an attacker to spoof the server response; server SYN+ACK responses are thus a more reliable indication that a connection is occurring. If an attacker cannot spoof the server response, the SYN+ACK also contains the valid sequence numbers for the connection, allowing the IDS to more accurately initialize the TCB.

In either case, it's important to note that until the handshake is completed, a connection doesn't actually exist. The only indication an IDS has that a connection isn't being spoofed is when then the client responds to the server SYN+ACK with an ACK confirming the server's initial sequence number. If an IDS uses partial handshakes to open TCBs, it can be tricked into opening TCBs for nonexistent connections.

5.3.2 Data Synchronization

The alternative to requiring a three-way handshake to open a TCB is to deduce the initial state of a connection by looking at data packets, presumably after a connection has been opened. Since the IDS is not an active participant in the connection, it doesn't necessarily even have to consider 3WH packets; it is entirely feasible to track normal connections simply by looking at ACK packets (packets containing data).
The primary advantage of this technique, which we refer to as ``synching on data'', is that the sniffer picks up more data than systems that require handshakes. The system can recover from the loss of an important 3WH packet, and can detect connection that began before the program was started. Unfortunately, synching on data creates the possibility that the sniffer will accept data that doesn't correspond to any open connection.

Worse still, ID systems that synch on data and are strict about sequence number checking can be desynchronized by an attacker who pollutes the observable connection state with forged data before initiating her attack.

Using SYN Packets A potential antidote to this problem is to allow the IDS to synch on data, but have it pay attention to 3WH packets that occur sometime after it starts recording data. These systems will initialize connection state from the first observed data packets, but will re-initialize themselves if they see evidence that a real 3WH is being performed (the 3WH is then presumed to set the real state, and previous state and data recorded should be regarded as intentionally faked).

It is important that this technique be implemented reliably. Because the process of combining data synchronization with handshake synchronization necessarily allows the monitor to resynchronize the connection based on some packet input, poor implementations can result in TCP session monitors that can be desynchronized (due to falsely injected 3WH packets) at will by an attacker.

One poor implementation strategy relies solely on client SYN packets to resynchronize the connection. If a SYN packet is received sometime after the TCB is opened, the IDS resets the appropriate sequence number to match that of the newly received SYN packet. An attacker can inject fake SYN packets at will; all she needs to do is send a SYN packet with a completely invalid sequence number, and the IDS will be desynchronized. Legitimate data being exchanged on the connection will no longer (as far as the IDS is concerned) have valid sequence numbers, and the IDS, discarding the valid data, will be blinded.

One simple way to address this problem is to only accept the first SYN packet seen on a connection. Presumably, this will be the legitimate three-way handshake packet, and not a forged desynch attempt.

This does not work. There are three major problems with this approach: the IDS remains vulnerable to desynch attacks on connections that start before the program does (it never examines the original 3WH, so no legitimate SYN will ever appear on the connection), the IDS has no reliable way to determine whether any given SYN is in fact the first SYN to appear on the connection (packet drops complicate this), and, most importantly, an attacker can permanently desynchronize the connection by inserting an invalid SYN packet before the legitimate connection starts.

A better approach is to rely on SYN+ACK packets to resynchronize. As long as the attacker can't forge a valid looking SYN+ACK packet from the server, the IDS can make the assumption that SYN+ACKs from the server are legitimate and represent real connection handshakes.

There are problems associated with this too. If the IDS is observing a stream of data, for which it has not yet detected a three-way handshake, it does not necessarily know which host is the client and which is the server. The observation of a 3WH determines which end is the client and which is the server. An attacker can forge a SYN+ACK packet that makes it appear like her end of the connection is the server; if the IDS cannot determine correctly whether that is the case, it will be desynchronized.

Ignoring SYN Packets A TCP monitor need not resynchronize on 3WH packets; SYN packets can be ignored entirely, and data be used as the basis for sequence number initialization. If this is implemented in a naive fashion, any forged data packet can potentially desynchronize the connection. A smarter implementation might only consider (for synchronization purposes) data packets that originate from local hosts, assuming that the attacker cannot forge packets appearing to come from these hosts.

5.4 TCP Stream Reassembly

The most difficult task for a network intrusion detection system to accomplish is the accurate reconstruction of the actual data being exchanged over a TCP connection. TCP provides enough information for an end-system to determine whether any piece of data is valid, and where that data belongs in the context of the connection. Even so, the 4.4BSD code to manage this process is over 2000 lines long, and is some of the most involved in the entire TCP/IP protocol implementation.
The end-points of a connection have a distinct advantage over an observing monitor --- if they miss data, the other side of the connection will automatically retransmit it after some period of time. Both participants of the connection can actively manipulate the other, to ensure that their data is exchanged correctly.

The TCP session monitor does not have this luxury. If it misses a packet, it cannot (practically) request retransmission --- moreover, it cannot easily detect whether a missing piece of data is due to out-of-order packet arrival or a dropped packet. Because the IDS is strictly a passive participant in the connection, it is quite easy for it to miss data.

This problem is made even more acute by the fact that proper reassembly of a stream of TCP packets requires accurate sequence number tracking. If an IDS misses enough packets, it can potentially lose track of the sequence numbers. Without some recovery mechanism, this can permanently desynchronize the connection. The techniques used by an IDS to recover from packet loss (and resynchronize with the connection) can also be attacked.

5.4.1 Basic Reassembly Problems

Some ID systems do not use sequence numbers at all. Instead, they insert data into the ``reassembled'' stream in the order it is received. These systems do not work. An attacker can blind such a system simply by accompanying her connection with a constant stream of garbage data; the output of the monitor's TCP driver will be meaningless.
These systems do not work even on normal TCP streams. The arrival of TCP segments out of order is a normal occurrence (happening whenever the route between TCP endpoints changes and reduces the latency of the path between them)[18]. Unfortunately, when this happens, the ID system does not correctly re-order the packets. The output of the system is again inaccurate. Of course, an attacker could also send her stream of data out of order; the end-system will correctly reassemble, and the effectively crippled IDS will see meaningless data.

5.4.2 Challenges To Reassembly

Even if the system does check sequence numbers, there is no assurance that a given segment (even with correct sequence numbers) will be accepted by the endsystem to which it is addressed. Several issues can cause a TCP implementation to drop properly sequenced data. The simplest of these are the IP and TCP insertion problems, but other, higher-level issues present problems as well.
One major problem the IDS must cope with is each end-system's advertised window. The ``window'' of a connection represents the number of bytes of data it will accept, preventing the other end of the connection from sending too much data for it to buffer. Data sent past the window is discarded. In addition, the time at which the IDS detects the change in the window is different from the time at which the end-system detects the change and reacts to it. Packets that arrive within the period of time that the IDS and the end-system are inconsistent can cause problems. An IDS that does not account for this in some manner is potentially vulnerable to an insertion attack.

The information available to the IDS from captured packets provides one useful indication of end-system state --- the acknowledgment sequence number. The acknowledgment number represents the next sequence number an end-system expects to see. Presumably (end-system TCP bugs can break this assumption), any valid piece of data will eventually be acknowledged by an ACK message.

It may be apparent at this point that an IDS can reliably monitor a stream simply by waiting for acknowledgment before acting on a piece of data. This is not as easy at it may seem. The acknowledgment number is cumulative; it represents the next expected piece of data within the context of the entire connection. Every segment sent is not necessarily directly acknowledged --- even though an acknowledgment is generated in response to it. Several segments worth of data can be acknowledged by one ACK; an IDS cannot simply wait for an acknowledgement to each individual packet it sees.



Another great problem in IDS stream reassembly is the fact that an attacker can send several identically sequenced packets with varying data. The header information will not change from packet-to-packet (except the checksum), and each packet will alter end-system state in exactly the same manner, but only one of the packets will actually be processed by the destination host. Unfortunately, only the end-system knows which one was actually processed. There is not enough information exchanged on the wire for a IDS to determine which packet was valid.

Worse still, an insertion attack against an IDS coupled with this ambiguity can allow an attacker to determine which packets will be accepted by the IDS, by sending segments that the end-system will reject without acknowledging, and then sending valid packets after some brief delay. The IDS will most likely accept the bad data and move the sequence space forward, causing it to ignore the valid data and potentially desynchronizing the IDS from the actual connection. This is very similar to the TCP hijacking attack described by Laurent Joncheray[14].

5.4.3 Overlap

Like IP fragments, TCP segments can arrive out of order and in varying sizes. As in IP fragmentation, this can cause new data to overlap old data. As always, if the IDS does not resolve this problem in a manner consistent with the hosts it's watching, it will not accurately reassemble the stream of data. The rules for handling TCP segment overlap are quite similar to those of reassembling fragmented IP datagrams. In some cases, end-systems will resolve the conflict in favor of the old data; in others, the conflict is resolved in favor of the new data. There is, again, a great potential for bugs here, and, as in IP reassembly, a bug on either the end-system or the IDS is exploitable by the attacker. Figure 14 details the overlap resolution behavior of various operating systems.
Using overlapping TCP segments, it is possible for an attacker to create a stream of packets that will assemble to a completely innocuous string if sent alone, or to an attack signature if it's accompanied by a single overlapping segment. Playing with segment overlap allows the attacker to literally rewrite the packet stream on the destination host, and, unless the IDS resolves overlap in exactly the same manner as the end-system, it will not see the attack.

5.4.4 Endpoint TCP Overlap Bugs

As in IP fragmentation overlap resolution, there is a large potential for inconsistency of implementation between vendors in TCP reassembly code. As an example, Windows NT resolves conflicts in out-of-order TCP segments consistently in favor of the old data, and 4.4BSD resolves conflicts as indicated in the RFC, occasionally in favor of the new data. As with fragmentation reassembly, unless the IDS knows how each system on the network reassembles streams containing conflicting segments, it will be unable to accurately monitor certain types of end-systems.
5.4.5 Summary of Reassembly Issues

These issues do not present a great problem for most connections; most of the TCP segments in a normal connection arrive in-order, and there aren't any fake TCP segments injected into the stream specifically to confuse the IDS. However, in the real world, an attacker trying to evade an IDS will attempt to make the TCP stream as hard to monitor as possible, and will stretch the limits of the protocol to do this.
Vulnerabilities in IDS TCP reassembly code are insidious because they are not immediately obvious; a specific problem may manifest itself only when the IDS is given some pathological sequence of inputs. The majority of the time, the IDS may appear to be reassembling TCP streams perfectly. Testing IDS TCP implementations for problems is time consuming and expensive; it's easy for a vendor to skip this testing almost entirely.

5.5 TCB Teardown

The TCB teardown policies of an IDS determine the point at which the system ceases recording data from a connection. TCB teardown is necessary because the state information required to track a connection consumes resources; when a connection ceases to exist, it no longer makes sense to dedicate resources to tracking it. A system that did not destroy old TCBs at some point would be trivially defeatable, simply by flooding it with meaningless connections until it ran out of resources to track future connections.
In TCP, connections close after they're explicitly requested to do so. Two TCP messages (RST and FIN) exist specifically to terminate a connection. Barring sudden crashes on both endpoints, TCP connections are only terminated by the exchange of these messages. Because TCP explicitly provides notification of terminated connections, it may be logical to design an IDS that uses these messages to decide when to close a connection TCB.

This is not enough to adequately manage the per-connection resource problem. TCP connections do not implicitly ``time out''. A connection can be alive without the exchange of any data indefinitely. TCP provides a mechanism to ensure that both hosts are alive, by periodically exchanging messages, but this mechanism is not commonly used and takes far too long to recognize dormant connections to be of practical use. Without some method to time out arbitrary dormant connections, the IDS remains attackable simply by flooding it with connections that do not explicitly terminate.

The problem with TCB teardown is that an IDS can be tricked into tearing down a connection that is still active, and thereby force the system to lose state. Within the context of a pattern matching engine, this means that the stream of input abruptly terminates. An attacker that can induce the incorrect termination of the TCB tracking her can prevent pattern matching from working by abruptly halting pattern matching before the complete attack signature passes across the network.

On the other hand, an IDS that fails to tear down a TCB for a connection that really has closed is also vulnerable; as soon as the connection is legitimately closed, its parameters can be re-used for a new connection with completely different sequence numbers (technically, the systems must wait for a period of time before reusing connection parameters [12] --- not all operating systems enforce this). In the absence of synchronization recovery techniques, this can completely blind the IDS to entire connections.

Because an ID system's TCB teardown policies can be attacked, their design is relevant to our discussion. We've identified a few options that can contribute to how an IDS ceases to track connections, and will discuss their ramifications here. This is by no means an exhaustive summary of all the possible options.

5.5.1 Using TCP Connection Teardown Messages

One possible way for an IDS to determine when to stop tracking a connection is to listen for TCP control messages that indicate the connection is being shut down. Doing so allows an IDS to quickly recover resources for connections that have actually terminated, and also prevents desynchronization for new connections using the same parameters. Unfortunately, because some connection termination request messages may be under the control of an attacker, there is significant risk involved in trusting these messages.
TCP provides two connection teardown messages. The first message allows for ``orderly'' connection teardown, where both sides of the connection acknowledge the end of the connection and ensure that their data is completely sent before the connection closes. The second message abruptly terminates a connection due to error.

FIN Processing TCP provides orderly teardown via the FIN message. A system sending a FIN message is indicating that it has finished sending data, and is ready to close the connection. FIN messages are acknowledged, and each side of the connection sends a message to shut it down.

In the presence of inside-outside filtering, FIN messages are reliable indicators of terminated connections. A connection is not completely terminated until both sides send a FIN message, and acknowledge the other side's message. An attacker cannot fake the FIN shutdown of a connection without forging packets that appear to come from the server.

RST Processing It's not enough for an IDS to rely on FIN messages to terminate connection TCBs. TCP provides a method to abruptly notify the other end of a connection that the connection has been closed, using the Reset (RST) message. RST segments are not acknowledged; the only way to know if an RST message has been accepted by an end-system is to see if it continues sending data on the connection. The only way to do this practically within an IDS is to time the connection out after seeing an RST; however, this means that an IDS can potentially mistakenly shut down a connection that is alive but dormant.

The RST problem is more severe due to end-system TCP bugs. Technically, an RST message is only valid if it is correctly sequenced --- RST messages with spurious sequence numbers (which can be created by an attacker in an effort to illicitly tear down connections) should be ignored. Not all operating systems check the sequence number on RST messages.

5.5.2 Relying on Timeouts for TCB Teardown

An alternative to using TCP connection teardown messages is to simply time connections out when they become dormant for some threshold time period. This prevents the IDS from being fooled by false TCP teardown messages, and potentially simplifies the IDS TCP code.
There is a cost to this simplicity --- systems that rely on timeouts for TCB teardown can easily be circumvented. In what has been termed the ``Sneakers'' attack (after the famous suspense movie, where Robert Redford evades a sophisticated alarm system by employing a similar technique), the attacker renders the sum of her movements undetectable to the IDS by waiting for the IDS to time out between packets.

The Sneakers attack is particularly troublesome because, as we noted previously, the IDS must employ some form of connection timeout TCB teardown, as dormant TCP connections can remain established for far longer than the IDS can devote resources to track them. If an attacker can induce this timeout, either by waiting long enough or by filling the IDS with enough interesting (but meaningless) connections that it is forced to garbage-collect older connections, she can potentially evade the IDS by causing it to lose state. Additionally, systems which completely ignore TCP teardown messages can be desynchronized when the connection is legitimately closed. Even though the connection has ceased to exist, the IDS maintains a TCB for it until it times out. If a new connection occurs using the same parameters before the connection times out on the IDS, the system will be desynchronized, due to the use of different sequence numbers on the new connection.

This attack can be carried out without any specialized code; an attacker simply uses ``telnet'' to create a connection, closes the connection, and re-opens it. If the sequence numbers on her machine change enough between the two connections, a vulnerable IDS will not be able to track the second connection.

6 Denial of Service Attacks

Denial of service attacks against ID systems are severe because, by their very nature, passive ID systems ``fail open'' --- unlike a good firewall, access to the network isn't cut when a monitor system becomes unresponsive. A basic goal, then, for an attacker is to cause the IDS to fail without losing access to the machines being attacked.
Some denial of service attacks exist due to buggy software. An IDS that crashes when it receives a certain bad packet, or a series of bad control messages, or anything else that can be cued by a remote attacker, can be defeated instantly. Fortunately, these kinds of bugs are quickly and easily fixed by vendors. Unfortunately, finding all such bugs requires painstaking software audits. It is also interesting that some ID systems can themselves be used to launch denial of service attacks on other systems. An ID system that includes a countermeasure capability, such as the ability to set packet filters in reaction to an attack, can be fooled via false positives (due to forged attacks) to react to attacks that haven't actually occurred.

6.1 Resource Exhaustion

There are many different types of denial of service attacks that are valid against ID systems. The attacks we'll discuss here all involve resource exhaustion --- the attacker identifies some point of network processing that requires the allocation of some sort of resource, and causes a condition to occur that consumes all of that resource. Resources that can be exhausted by an attacker include CPU cycles, memory, disk space, and network bandwidth.
The CPU processing capabilities of an IDS can be exhausted because the IDS spends CPU cycles reading packets, determining what they are, and matching them to some location in saved network state (for example, an IP fragment needs to be matched to the other fragments of the datagram it represents). An attacker can determine what the most computationally expensive network processing operations are, and force the IDS to spend all its time doing useless work.

ID systems require memory for a variety of things. TCP connection state needs to be saved, reassembly queues need to be maintained, and buffers of data need to be created for pattern matching. The system requires memory simply to read packets in the first place. As the system runs, it allocates memory as needed to perform network processing operations (for example, the receipt of an IP fragment means that the ID system will need to obtain memory to create and maintain an IP fragment queue for that packet). An attacker can determine which processing operations require the ID system to allocate memory, and force the IDS to allocate all its memory for meaningless information.

At some point, most ID systems will need to store logs of activity on disk. Each event stored consumes some amount of disk space, and all computers have a finite amount of disk space available. An attacker can create a stream of less events and, by having them continually stored, eventually exhaust all disk space on the IDS, which will then be unable to store real events.

Finally, network ID systems track activity on the networks they monitor. For the most part, they are capable of doing this only because networks are very rarely used to their full capacity; few monitor systems can keep up with an extremely busy network. The ID system, unlike the end-systems, must read everyone's packets, not just those sent specifically to it. An attacker can overload the network with meaningless information and prevent the ID system from keeping up with what's actually happening on the network.

Other resources exist as well, depending on the design of the system. For instance, in systems that set router filters in response to attacks, we must consider the fact that the router has a limited capacity for storing filter entries; at some point, the router's filter storage will be completely consumed, and the system will be unable to add new entries. An ID system that doesn't take this into account can be defeated by forcing it to spend the router's filter storage on reactions to fake attacks.

The basic problem with resource consumption on an IDS is that the system must simulate the operation of all the machines it's watching, in order to track what's actually occurring on them. The end-systems themselves only need to concern themselves with network traffic that directly involves them. The IDS, which is spending more resources coping with the network than any other system on the network, is thus inherently more prone to resource starvation attacks than the end-systems.

This problem is exacerbated by the fact that most network ID systems operate in ``promiscuous'' mode, reading all traffic off the wire, regardless of its destination. Resources can be consumed on the IDS by the processing of traffic that isn't even destined for a real machine; apart from the network bandwidth consumed by this traffic, no other system on the network will be affected by this. Again, performance on the IDS is degraded to an greater extent than on the end-systems it's trying to track, making it more difficult for the IDS to keep up and giving the attacker an edge.

6.1.1 Exhausting CPU Resources

An attacker's goal in exhausting an ID system's computational capability is to prevent it from keeping up the network. A CPU-starved IDS will not process captured packets quickly enough and, as these packets fill the buffering capacity of the operating system, captured data starts being dropped.
An example of why this occurs is useful. On 4.4BSD Unix, packet capture is accomplished through the ``Berkeley Packet Filter'' (BPF) device. BPF interacts directly with low level network drivers (such as the Ethernet interface driver), taking snapshots of packets before they're handed up to the IP layer for processing. As packets are captured by BPF, they are stored in a kernel buffer, where they stay until an application reads them out.

If an application doesn't read data out of the buffer faster than the buffer is filled up by newly captured packets, space for queuing up captured packets runs out. When this happens, captured packets are necessarily dropped before the application ever has a chance to examine them.

An attacker can prevent an ID system from keeping up with packet capture by forcing it to spend too much time doing useless work. In order to do this, the attacker must identify operations that she can force the IDS to perform that consume large amounts of processing time.

In many ID systems, this is easy; inefficient algorithms are used to process, save, and look up state about network traffic. The attacker can cause the system to process information that forces these algorithms to work in their worst-case conditions.

A concrete example of this is IP fragmentation. As IP fragments arrive, they must be stored, until all the related fragments arrive. To facilitate reassembly, most systems store fragments in the order that their data will appear in the final packet. This means that, as each fragment arrives, the system needs to locate the correct fragment storage area, and then find the right place in that area to store that specific fragment.

Many systems use a simple ordered list to store incoming fragments. As new fragments arrive, the system must locate the correct list for that packet, and then do a full linear lookup to determine whether the new fragment was already received and, if not, where in the list the fragment should go. As new fragments arrive, this list gets longer, and the time required to look up fragments in the list increases. An attacker can force this process to operate in its worst case by sending large amounts of traffic using the smallest possible fragments --- large amounts of CPU cycles will be consumed tracking tiny IP fragments.

Some protocol parsing can be expensive by itself. An IDS that needs to somehow analyze encrypted traffic may spend a large amount of time simply decrypting packets (encryption and decryption can be extremely expensive operations). While the demand for this kind of processing is not now very great, it will increase as technologies such as IP-sec[11] are deployed.

6.1.2 Exhausting Memory

ID systems require memory to operate. Different types of protocol processing have differing memory requirements. An attacker that can force an IDS to consume all available memory resources can render the system nonfunctional; the system may simply quit abruptly when it runs out of memory, or it may thrash trying to squeeze more space out of slow virtual memory systems, causing the same effects as CPU exhaustion.
An attacker trying to exhaust memory on an IDS examines the system, trying to determine the points at which the system allocates memory. The attacker attempts to isolate network processing events that cause the system to allocate memory for a long duration of time; the attacker then induces this processing by sending packets that the IDS will be forced to process in that manner. After being flooded with such packets for some time, the IDS will run out of memory to process the incoming packets.

Some ID systems employ ``garbage collection'' to automatically reclaim memory that is not being actively used. Unfortunately, used incorrectly, garbage collection can present its own problems. A garbage collection system that isn't aggressive enough in reclaiming memory will not be able to keep up with demand, and will only slow down memory exhaustion attacks. A garbage collection system that is too aggressive will consume memory that is needed for real processing, causing the system to incorrectly process network traffic.

Examples of attackable memory allocations include TCP TCB creation (the attacker creates a flurry of connections to various hosts on the ID system's network, or, using packet forgery, creates a flood of entirely fake connection) and TCP reassembly (the attacker sends large amounts of traffic in streams of out-of-order data that will need to be reassembled, forcing the system to consume memory not only for the data but also for reassembly queues).

6.1.3 Exhausting Network Bandwidth

Perhaps the simplest way to starve an IDS of resources is simply to create too much raw network traffic for the system's low-level network interface to keep up with. As each packet arrives, the interface must copy the packet off the wire and into a buffer, interrupt the system, and cause the system to copy the packet into the kernel. The interface is capable of handling only a limited amount of traffic before it is overwhelmed by the load and starts dropping incoming packets.
Although modern network interfaces operate efficiently enough to keep up with drastically high network loads, older hardware cannot do so. The point at which old ISA-bus based network interfaces become saturated is drastically lower than the point at which the network media itself becomes saturated. If an attacker creates enough traffic, she can prevent such interfaces from keeping up without saturating the network itself.

Targeted packet floods can also work in some circumstances. On switched networks, it's possible to create large amounts of traffic that will only be seen by certain systems. If an attacker can create a flood of packets that will only be switched to the IDS, she can flood the IDS while maintaining the ability to communicate with the machines she's attacking.

This type of attack is closely related to CPU exhaustion, and, indeed, many times the system will run out of CPU cycles long before the network interface is saturated. Regardless of which component of the system fails first, the effect is the same for the attacker; the IDS cannot keep up with the network, and misses significant packets.

6.2 Abusing Reactive ID Systems

In some circumstances, the IDS itself can become an instrument of denial of service attacks. If the IDS has a ``reactive'' countermeasure capability, and is vulnerable to attacks that create false positives, it can be forced to react to attacks that don't actually exist. The countermeasures employed can be subverted to completely block access for legitimate traffic, or to shut down valid connections. In these cases, the reactive capabilities of network ID systems are actually doing more harm than good.
The most basic problem with reacting to attacks discovered by monitoring IP traffic is that the IP addresses are not always trustworthy. An attacker can forge traffic appearing to come from almost any IP address, and, if this traffic appears to contain an attack, the ID system may react to it. In some circumstances, this is very easy to do.

For example, many attacks occur over ``connectionless'' protocols, for which the attacker doesn't need to see the responses to her packets. Instead, she simply creates and blindly sends forged packets, and the IDS is fooled into believing that the attack is coming from somewhere that it isn't. Good examples of this include ICMP ping floods, SYN floods, ``death'' packets (such as the ping-ofdeath attack involving large ICMP echo requests), and UDP packet storms.

Even attacks that involve TCP connections can be faked if the IDS doesn't correctly identify the three-way handshake. If the IDS doesn't require a handshake at all before recording data, TCP attacks can be faked as easily as ping floods; even if it does, the specific manner in which it tracks handshakes can be attacked for the same effect.

The essential issue here is that the attacker can trigger alarms about events occurring from fake addresses. The IDS, which has no idea what the ``real'' source of the attack was, reacts falsely to the forged events by restricting connectivity to the faked addresses. The addresses used by the attacker can be specifically chosen to maximally affect overall connectivity (for example, the attacker can cut off access to all the network's DNS servers).

The amount of damage that can be caused by such attacks depends on the manner in which the IDS reacts to attacks in general. Some ID systems limit themselves to shutting down TCP connections that appear to be vehicles of attack; these systems can be abused to shut down legitimate connections (by forging traffic that makes it appear that an attack is being performed using those connections), but cannot easily be abused to impact overall connectivity, unless specific TCP connections are vital for the network's connectivity (for instance, BGP4 routing).

Other systems have more effective ways to react to attacks; they modify router filters on the fly to cut all traffic from sites that appear to be originating attacks. These systems pay for that extra power by being vulnerable to more damaging denial-of-service subversions; an attacker that can cause the IDS to recognize false attacks can cut all access of to critical network resources by strategically forging addresses.

Regardless of what countermeasures are actually employed, it is important to realize that such facilities are dangerous as long as an attacker can forge attacks. Some types of attacks may never be a legitimate basis for deployment of countermeasures, simply due to the fact that they can be performed blindly using forged addresses. Other attacks can only be safely reacted to if the IDS has a rock-solid network processing implementation.

7 Methodology

We support our assertions regarding vulnerabilities in ID systems with the results of extensive tests against actual, commercially available intrusion detection systems. The purposes of these tests were to ascertain characteristics of each subject' s TCP/IP implementation, and to provide concrete examples of actual attacks that could be performed against them. Our tests were designed to be easily repeatable, and to illustrate in the most obvious possible manner the deficiencies of each tested system.
7.1 Overview

Each of our tests involve injecting packets onto a test network, on which the subject ID system was running. By tracking the subject's administrative console output, we were able to observe many characteristics of the system's underlying TCP/IP implementation. To this extent, all of our tests involved consideration of the subject as a ``black box''. All our tests involved the TCP protocol. In most cases, the tests involved interactions between our injected packets and a third host, representing a hypothetical ``target'' of attack. In each test, this target host was the explicit addressee of all of our packets. The presence of the target host allowed us to easily create ``real'' TCP connections for the subject IDS to monitor.
In addition, the target host also acted as a ``control'' for our experiments. The target's reactions to our injected packets allowed us to observe empirically the behavior of a ``real'' TCP/IP implementation, and contrast that behavior to the deduced behavior of the subject IDS.

All of our tests involved mimicking a ``PHF'' webserver attack. The PHF attack exploits a specific Unix CGI script (``phf'') to attempt to gain access to a webserver. We used PHF because the attack is detected by all our subject ID systems, and because the attack is easily reproduced using standard TCP network tools (like ``telnet''). In order to reproduce a PHF attack, we sent the string ``GET /cgi-bin/phf?'' to the target host.

In each test, we created network conditions that could make it appear as if a PHF attack was being attempted. In each test, the specific packets injected into the network differed subtly. The subject ID system reacted to each test by either reporting or not reporting a PHF attack. By considering the ID system's output and the specific types of packets used for the test, we were able to deduce significant characteristics of the subject IDS.

Before conducting complicated or subtle tests against the subject, we conducted a series of ``baseline'' tests. The purpose of these tests was to ensure that the subject IDS was configured properly and was functioning at the time our tests were conducted, and that the IDS did in fact detect a PHF attack based on our PHF reproduction string.

In almost all test cases, a process on the target host ran which accepted incoming TCP connections on the HTTP port and printed any input obtained from the machine's TCP stack. By examining the output of this process, we were able to deduce whether the subject IDS should have detected the attack based on the network conditions we created.

7.2 Tools Used

The primary tool we employed in our tests was CASL, a specialized scripting language developed at Secure Networks, Inc. that allows for programmable generation and capture of raw packets. Each of our tests used a CASL script to inject packets onto the network, and, in most cases, read and parse the responses. A more detailed overview of CASL is provided in [15].
Our target host ran FreeBSD 2.2, an implementation of 4.4BSD. The 4.4BSD TCP/IP stack is one of the best documented and most easily obtainable IP implementations available, and FreeBSD is by far the most popular BSD implementation. FreeBSD 2.2 was, at the time of our testing, the most recent ``stable'' release of the operating system.

For each test, we used Hobbit's ``netcat'' tool[16] to listen on TCP port 80 and print the input from the target host's TCP stack. Hobbit's tool is an all-purpose, bare-bones diagnostic program that is widely available, popular, and documented; in its ``listening'' mode, the tool simply accepts an incoming connection, and prints each character of data the TCP driver presents to it.

As we ran each test, we observed the specific packets being transmitted on the network using LBL ``tcpdump''[19]. Tcpdump is a low-level network diagnostic tool that passively monitors networks in promiscuous mode, and prints summaries of each captured packet. We ran the ``tcpdump'' tool from the test platform on the first execution of each specific test script. Tcpdump provided us with IP-level packet traces to accompany our test results, which made it easier to discern exactly what was happening on the network during each of our tests.

Our test network was non-switched 10BaseT Ethernet. The hosts on the network included the IDS, the target host, and the test platform. The network was dormant at the time we conducted our tests.

7.3 Test Execution

Each of our tests involved a CASL script, run from an interpreter on the test platform, which generated and injected packets addressed to the target host. We define each of these tests in terms of the script's name, its specific network interactions, the IDS characteristic it attempts to ascertain, and its validity to the 4.4BSD TCP/IP driver (that is, whether our target host completely and accurately reconstructed the PHF string our test attempted to send).
A test that was not ``valid'' to 4.4BSD should not have resulted in the detection of a PHF attack by the subject IDS. We suggest that the subject IDS should not detect attacks in ``invalid'' tests, and should reliably detect attacks within the valid ones.

In cases where the IDS failed to detect an attack in either type of test, we re-initialized the IDS and re-ran the test multiple times. Before concluding that a subject IDS was not detecting our attack signatures, we re-ran the baseline test to confirm its operational integrity, and immediately ran the considered test.

7.4 Test Definitions








7.5 Summary

Because our tests are scripted, they are well-defined, easily repeated, and fast. After defining and perfecting the test suite, we were able to completely test new ID systems in a matter of minutes. The majority of our testing time was spent defining new tests. Running the individual tests against ID systems took negligible time.
We are in the process of releasing the scripting tool that we used for the tests to the public. When this process has completed, we intend to make the suite of IDS test scripts we've developed available to the public as well. It is our hope that our work can define a framework within which arbitrary network ID systems can quickly be evaluated.

Our test suite is by no means complete; we provide these test results to support the points in our paper, not to define a complete evaluation process for ID systems. With the tools to conduct these tests in the hands of the community, we hope that our tests can be extended to define a more complete test suite.

8 Results

We applied our tests to four of the most popular network intrusion detection systems on the market. In each case, our tests identified serious, exploitable problems in the manner that the IDS reconstructed data transmitted on the network. The results of our tests are not surprising, and we believe that they support the basic points we make in this paper.
In many cases, the ID systems we tested had general problems that precluded them from passing entire collections of specific tests. For example, none of the systems we tested correctly handled IP fragmentation; thus, the systems incorrectly handled all the specific fragmentation tests. We ran every test we could against each ID system.

One of the systems we tested, WheelGroup's NetRanger system, is available only with its associated hardware. We were unable to test this system on our own network, but rather had to obtain the cooperation of an organization already using the product. This prevented us from running many of our tests against this product; NetRanger was the second system we tested, and we added many tests after our first (and only) exposure to the system. One of our tests (``tcp-1'') also required us to have access to the local network the test machine was on --- we did not have this access for NetRanger.

Another system we test, Network Flight Recorder's NFR system, is not an intrusion detection system per se, but rather a network monitoring engine that can be used to build an intrusion detection system (among many other things). Our results are significant to the usage of NFR as an automated network IDS, but not necessarily to the product as a whole.

It's important to note that the number of ``failed'' tests each product has is not necessarily an indication of the relative quality of the product. The number of tests each IDS passes is biased heavily based on the presence of specific bugs. Our test suite was not designed to provide a ``score'' for each product, but rather to highlight specific characteristics about them.

8.1 Specific Results

The systems we tested were Internet Security Systems' ``RealSecure'' (version 1.0.97.224 for Windows NT), WheelGroup Corporation's ``NetRanger'' (version 1.2.2), AbirNet's ``SessionWall�3'' (version 1, release 2, build v1.2.0.26 for Windows NT), and Network Flight Recorder's ``NFR'' (version beta-2). We present the overall results from our tests for every IDS in Figure 15. Each individual IDS is described after the table, along with an interpretation of the results.
For each test, a plus sign (`+') indicates that the IDS saw a PHF attack as a result of the packets our test injected. A minus sign (`-') indicates that the IDS reported no attack after we ran our test. A question-mark (`?') indicates that we were unable to perform the test on that product.



8.2 Overviews of Specific ID Systems

8.2.1 ISS RealSecure

ISS RealSecure is an automated network intrusion detection system. We performed our tests on the Windows NT version of the product, although it is available for Unix platforms as well.
RealSecure appears to have two independent network monitor components. The first of these handles signature recognition within captured packets; the second provides a ``realtime playback'' capability that allows administrators to watch the information being exchanged in a TCP connection in real-time.

We found significant differences between the playback facility and the signature recognition facility. Unlike RealSecure's signature recognition engine, the playback system does not appear to sanity check TCP packets before presenting their contents to the user. No sequence number checking was performed in session playback, and out-of-order packets were displayed out of order. An attacker can trivially obscure her actions in RealSecure session playback simply by accompanying her connection with a stream of meaningless, unsequenced TCP packets for the connection; she can also confuse administrators by sending all her packets out of order.

The most significant problem with RealSecure, as with all the other systems we tested, was that it did not handle IP fragmentation reassembly at all. An attacker can completely evade RealSecure by fragmenting every packet she sends across the network.

RealSecure also appeared to have serious problems with TCP reassembly when duplicate segments appeared on the network. RealSecure never detected an attack in any of the tests we ran that involved sending multiple TCP segments with the same sequence number, even though those tests resulted in valid reassembly of the test string on the target host.

RealSecure does not appear to pay attention to TCP RST messages. We were able to desynchronize RealSecure by closing a connection with a client RST message, and then immediately reconnecting using the same parameters.

RealSecure recognized attacks in streams even after their connection was reset. RealSecure also does not appear to pay attention to TCP SYN messages; we were able to desynchronize RealSecure from our connections by preceding them with arbitrary data segments with random sequence numbers.

Finally, RealSecure was vulnerable to all of our insertion attacks. It did not appear to check IP or TCP checksums, nor did it verify that the ACK bit was set on TCP data segments.

8.2.2 WheelGroup NetRanger

NetRanger is an automated network intrusion detection system by WheelGroup Corporation. NetRanger interfaces a passive network monitor with a packet filtering router, creating a ``reactive'' IDS; the ability to respond in realtime to attacks by ``shunning'' addresses (filtering them at the router) is a major feature of the system.
We had very limited access to the NetRanger system. The hardware requirement (and price) of this system made it impractical for us to obtain our own copy for testing; rather, we relied on the cooperation of an organization already using the product. Because of this, our tests were performed over the global Internet, and we were only able to perform certain tests (due to timing issues). Our test results for NetRanger still showed major problems.

Like all the systems we reviewed, NetRanger (in the version we tested) is completely unable to handle fragmented IP packets. An attacker can evade NetRanger completely by fragmenting all her packets.

We were able to evade NetRanger by injecting duplicate sequenced segments with different data into our connection stream (the ``tcp-8'' test). NetRanger did not detect data in a SYN packet, so an attacker can evade many of NetRanger's checks by putting crucial data in her initial SYN packet.

We were able to desynchronize NetRanger from our connections by preceding the connection with fake, randomly sequenced data. NetRanger failed to detect attacks in a connection, using the same parameters, that followed this.

Finally, NetRanger was vulnerable to one of our insertion attacks (it doesn't appear to validate TCP checksums). NetRanger did appear to reliably verify IP checksums.

Many of our tests were not performed against NetRanger. We can't conjecture as to whether NetRanger is vulnerable to the attacks those tests measure. Hopefully, these tests can be run against NetRanger in the future.

8.2.3 AbirNet SessionWall�3

SessionWall is an automated network intrusion detection system by AbirNet. We tested the Windows NT version of AbirNet SessionWall-3. Although AbirNet appears to have realtime connection playback capabilities, we were unable to get it working in the evaluation copy we used for our tests.
Of all the ID systems we tested, AbirNet appeared have the most strict network monitoring system. SessionWall-3 did not record data for connections that weren't marked by a three-way handshake. It stopped recording when a connection was torn down with an RST packet. This prevented our TCB desynchronization tests from disrupting the system; however, the strictness of SessionWall's implementation may be attackable as well (insertion of RST packets, for instance, could be used for evasion attacks).

SessionWall validated IP and TCP checksums, and did not accept data without the ACK bit set. It did not appear to wait for acknowledgment before accepting data, however.

We were able to desynchronize SessionWall-3 from our connections by injecting fake SYN packets into our stream; the SYNs were ignored by the endpoint, but SessionWall apparently resynchronized to them and lost pattern matching state. Like NetRanger, SessionWall-3 also failed to detect data in SYN packets. SessionWall did not reassemble overlapping TCP segments in a manner consistant with 4.4BSD, and is thus vulnerable to an evasion attack.

Like all the systems we reviewed, SessionWall-3 is completely unable to handle fragmented IP packets. An attacker can evade SessionWall-3 by fragmenting all her packets.

8.2.4 Network Flight Recorder

NFR is a network monitoring engine by Network Flight Recorder. Unlike the other systems we tested, NFR is not an automated network intrusion detection system; rather, NFR provides a network monitoring component that can be used in a variety of applications. NFR is user-programmable and extensible, and available in source code.
We reviewed NFR because its engine could be used as an automated network intrusion detection system. This is not the intent of the product, and our results do not have significant bearing on NFR's non-security uses. Additionally, because NFR is completely programmable (the product is really an interpreter for a network programming language), it is possible for users of the product to address many of the concerns we bring up in our paper without modifying the underlying engine.

NFR was able to handle IP fragmentation; we verified this in an independent testing process that confirmed NFR's ability to reassemble a fragmented UDP packet (we were able to perform this test because of NFR's available source code). Unfortunately, NFR was unable to handle pattern matching in a TCP stream that was sent in fragmented IP packets; it therefore ``failed'' all of our fragmentation tests.

NFR, in version beta-2, was vulnerable to all our insertion attack tests. It did not verify IP or TCP checksums, and accepted data without the ACK bit set. NFR detects data in SYN packets.

NFR does not immediately tear down a connection TCB when an RST is seen. We were able to desynchronize NFR by sending spurious SYN packets in our connections, but were unable to successfully desynchronize it with any of our other tests. NFR did not reassemble overlapping TCP segments consistantly with 4.4BSD, and is thus vulnerable to an evasion attack.

9 Discussion

Our tests revealed serious flaws in each system we examined. Every IDS we examined could be completely eluded by a savvy attacker. We have no reason to believe that skilled attackers on the Internet don't already know and aren't already exploiting this fact. Many of the problems we tested for were minor, and easily fixed. The very presence of such vulnerabilities leads us to believe that ID systems have not adequately been tested.
The ability to forge packets, and the ability to ``insert'' packets into ID systems, makes it fairly trivial for an attacker to forge ``attacks'' from arbitrary addresses. The ability to react to attacks by reconfiguring packet filters was a major advertised feature of many of the systems we tested. Our work shows that this capability can be leveraged against the system operators by an attacker; these facilities may do more harm than good.

Several of the problems we outline in this paper have no obvious solution. Without adding a secondary source of information for the IDS, allowing it to conclusively identify which packets have been accepted by an end-system, there appear to be ways to create connections that cannot be tracked by passive ID systems. Since the network conditions an attacker needs to induce to elude an IDS are abnormal, an IDS may be able to detect that an attack is occurring; unfortunately, this will be all that an IDS will be able to say.

Regardless of whether a problem is obviously solvable or not, its presence is significant to both IDS users and designers. Users need to understand that the manner they configure the IDS (and their network) has a very real impact on the security of the system, and on the availability of their network. Designers need to understand the basic problems we identify with packet capture, and must begin testing their systems more rigorously.

Finally, the security community (buyers of network ID systems, designers of such systems, as well as interested third parties like us) as a whole can do much to enhance the reliability and security of intrusion detection systems. Additional, independent third-party analysis and testing of ID systems will, to a large extent, define how secure these systems will be in the future.

9.1 Implications to Operators

There are several things that can be done by IDS operators to enhance the overall security of the system as a whole. Additionally, IDS operators need to understand that the outputs of their systems must be read critically; ``session playback'' data may not represent what's actually occurring in a session, and the source addresses of attacks may not be valid at all.
One critically important step that must be taken before an IDS can be effectively used is to set up ``spoof protection'' filters, which prevent attackers on the Internet from injecting packets with addresses forged to look like ``internal'' systems into the network. Bidirectional packet forgery can completely confuse network intrusion detection systems.

It's important to understand that an attacker that successfully breaks into an IDS-protected network probably controls the IDS. An attacker with direct access to the network she's attacking can forge valid-looking responses from systems she's attacking. These forged packets can prevent the IDS from obtaining any coherent picture of what's happening on the network. As soon as an IDS records a ``successful'' attack on the network, administrators should assume that all bets are off, and further attacks are occurring without the knowledge of the IDS.

An attacker can fool ``session playback'' facilities into playing arbitrary data back to the operators. Session playback may not accurately represent what's happening inside of a connection. Real-time connection monitoring (when based on an ID system's reconstruction of what's happening in a TCP stream, rather than on printing and recording every packet on the wire) should not be trusted.

Finally, it's of critical importance that ID system operators do not configure their system to ``react'' to arbitrary attacks. An attacker can easily deny service to the entire network by triggering these reactions with faked packets; ID systems that reconfigure router filters are particularly vulnerable to this, as an attacker can forge attacks that appear to come from important sites (like DNS servers), and cause the IDS to cut off connectivity to these sites. One possible step that can be taken to mitigate the risk of countermeasure subversion is to allow the system to be configured never to react to certain hosts.

None of the systems we tested appeared to allow this type of configuration. Of course, if an attacker can spoof connections from the ``untouchable'' hosts, she can exploit this to evade countermeasures entirely.

Attacks that can be trivially forged (ping floods, UDP-based attacks, etc.) should not be reacted to; an attacker can, simply by forging packets, cause countermeasures to be deployed that might disrupt the network. Systems that aren't strict about reconstructing TCP sessions (ie, that don't wait for threeway handshakes before recording data) present the same vulnerability for TCP connections as well.

9.2 Implications to Designers

This paper has particularly great relevance to designers of intrusion detection systems, as it outlines in detail many attacks that such systems need to be resistant to. In that sense, this entire paper presents conclusions relevant to IDS designers. However, there are some overall issues that need to be addressed by IDS vendors.
Most of the problems we outline in this paper occur only when very abnormal series of packets are injected onto the network. Overlapping IP fragments or TCP segments are not common; connections consisting entirely of overlapping segments are almost certainly attacks. Even if it's not possible to reliably reconstruct information contained in such streams, it is possible to alert administrators to the presence of the abnormal packets.

Of course, this doesn't work as a design strategy; the value of an IDS is drastically reduced when all it can tell an administrator is ``I've detected an attack against this host, but can't tell you specifically what it is.'' Nevertheless, some information is better than the complete lack of information available now.

The most important issue that vendors need to address is testing. Some of the problems we discovered were so basic (the conditions leading to these problems occur frequently even in normal traffic) that it appeared as if no indepth testing had been performed at all. We found severe flaws in systems that attempted to address problems --- for instance, a program that reassembled fragments, but could not perform signature recognition in packets that had been fragmented.

Testing network intrusion detection systems is not simple. In order to test a network IDS, carefully coordinated streams of forged packets need to be injected onto a network; tools that are capable of doing this in a manner flexible enough to test ID systems are products in and of themselves. Our work defines the beginning of a framework within which ID systems can be tested, and, hopefully, the availability of our tools will increase the ability of vendors to test their systems.

9.3 Implications to the Community

The number of attacks against network ID systems, and the relative simplicity of the problems that were actually demonstrated to be exploitable on the commercial systems we tested, indicates to us that network intrusion detection is not a mature technology. More research and testing needs to occur before network intrusion detection can be looked to as a reliable component in a security system.
Much of this research must be done independently of the vendors. No credible public evaluations of network intrusion detection systems currently exist. The trade press evaluates security products by their features and ease of use, not by their security. Because network intrusion detection is so fragile, it's important that they receive more scrutiny from the community.

Our paper defines methods by which network intrusion detection systems can be tested. It is obvious that our tests can be extended, and that our methodology can be improved. Everyone stands to benefit from such work, and it is hoped that our work can serve as a catalyst for it.

One issue that drastically impacted our ability to test ID systems was the availability of source code. Only one product we reviewed made source code available. Because intrusion detection is so susceptible to attack, we think it's wise to demand source code from all vendors. Products with freely available source code will obtain more peer review than products with secret source code. If our work makes anything clear, it's that marketing claims cannot be a trusted source of information about ID systems.

References

[1] S. Staniford�Chen, ''Common Intrusion Detection Framework,'' http://seclab.cs.ucdavis.edu/cidf/
[2] H. S. Javits and A. Valdes ``The SRI Statistical Anomaly Detector,'' In Proceedings of the 14th National Computer Security Conference, October 1991.
[3] S. Staniford�Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip and D. Zerkle, ``GrIDS -- A GraphBased Intrusion Detection System for Large Networks,'' In The 19th National Information Systems Security Conference, 1996.
[4] K. L. Fox, R. R. Henning, J. H. Reed and R. P. Simonian, ``A Neural Network Approach towards Intrusion Detection,'' In Proceedings of the 13th National Computer Security Conference, October 1990.
[5] P. A. Porras and A. Valdes, ``Live Traffic Analysis of TCP/IP Gateways,'' To appear in Internet Society's Networks and Distributed Systems Security Symposium, March 1998.
[6] N. F. Puketza, K. Zhang, M. Chung, B. Mukherjee and R. A. Olsson , ``A Methodology for Testing Intrusion Detection Systems,'' IEEE Transactions on Software Engineering, vol. 22, pp. 719-729, October 1996.
[7] M. StJohns, ``Authentication Server,'' RFC 931, TPSC, January 1985.
[8] W. R. Stevens, TCP/IP Illustrated, Vol 1. Addison�Wesley, Reading, MA, 1994.
[9] J. Postel, ``Internet Protocol � DARPA Internet Program Protocol Specification,'' RFC 791, USC/Information Sciences Institute, September 1981.
[10] J. Postel, ``Internet Protocol � DARPA Internet Program Protocol Specification.'' RFC 791, USC/Information Sciences Institute, Section 3.2, line 1099, September 1981.
[11] R. Atkinson, ``Security Architecture for the Internet Protocol.'' RFC 1825, Naval Research Laboratory, August 1995.
[12] J. Postel, ``Transmission Control Protocol � DARPA Internet Program Protocol Specification,'' RFC 793, USC/Information Sciences Institute, September 1981.
[13] V. Jacobson, R. Braden and D. Borman, ``TCP Extensions for High Performance,'' RFC 1323, LBL, ISI, Cray Research, May 1992.
[14] L. Joncheray, ``A Simple Attack Against TCP,'' In 5th USENIX UNIX Security Symposium, June 1995.
[15] Secure Networks, Inc., Custom Attack Simulation Language (CASL), User manual, 1998.
[16] Avian Research, netcat, Available for download at ftp://avian.org/src/hacks/nc110.tgz
[17] V. Paxson, ``Bro: A System for Detecting Network Intruders in Real�Time,'' In 7th Annual USENIX Security Symposium, January 1998.
[18] V. Paxson, ``End�to�End Internet Packet Dynamics,'' In ACM SIGCOMM '97, September 1997, Cannes, France.
[19] Lawrence Berkeley National Laboratory, tcpdump, Available for download at ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
Thanks

This work would not have been possible without the assistance of many people. Several people gave us valuable input and criticism, and some of our tests would not have been possible without the cooperation of companies running ID systems. We'd like to express our sincere appreciation for this help. This work was made possible by Secure Networks, Inc. We'd like to thank Alfred Huger, Oliver Friedrichs, and Jon Wilkins for their assistance with this project.

We obtained valuable comments from several of the vendors we reviewed. We'd specifically like to thank Marcus Ranum of Network Flight Recorder, Mike Neumann of EnGarde, and Elliot Turner of MimeStar for their comments and critiques of our technical work.

Vern Paxson of LBL published, as this document was being finished, a paper regarding the design of his real-time network intrusion detection system, ``Bro''[17]. His paper details several attacks against network ID systems (many of which we did not catch ourselves). We'd like to thank Mr. Paxson for his extremely valuable input on our own work.

Of course, we appreciate greatly the fact that Network Flight Recorder made their source code available to the public for review. This was a courageous and honorable thing to do (especially in a market as competitive as this), and NFR's approach to source code release is a model that should be followed by other vendors.

Finally, this paper would not have been possible without the assistance of Jennifer Myers at EnterAct, L.L.C., who effectively rewrote our technical results into a coherant document.

About CASL

Our tests were made possible by the development of a security tool called CASL. CASL is a network protocol exploration tool designed to allow security auditors to quickly and easily simulate network events at a very low level. With a minimal amount of effort, CASL can effectively be used to forge any kind of IP packet. With slight programming ability, CASL can be used to perform complex protocol interactions with other networked hosts.

CASL was inspired by tools like Darren Reed's well-known ``ipsend'' utility, which allowed experimenters to forge a large number of IP packets. However, CASL expands significantly on these types of tools. Some of the benefits of CASL over its predecessors include:

A complete programming language, with most typical high-level language control constructs (e.g., ``if'', ``while'', and ``for'' statements), and designed to be as easy to learn and use as shell-script languages, but with network programming functionality rivaling that of ``C'' code.
The ability to create arbitrary packets --- not just the ones we thought up as we designed the program! Unlike some tools, which allow users to to create arbitrary packets by including ``raw'' data (presumably built with some other tool), CASL allows users to lay out the format of new packet types with an expressive and simple ``record'' syntax, allowing protocol header fields to be laid out bit-by-bit and byte-by-byte.
The ability to input packets, reading promiscuously off the wire, and quickly extract information from them. Network reads use familiar ``tcpdump'' expressions to select packets, and any number of packets can be read in and examined simultaneously.
CASL is a self-contained, free-standing program that doesn't depend on other network or programming tools to operate. It can be installed quickly, and a CASL script will work on any supported platform. The tool is small, and consumes a fairly low amount of resources; CASL programs can easily share a system with other large applications, and don't consume the large amounts of memory and CPU that general-purpose languages (like Perl and Tcl) tend to.

We designed this tool to meet the needs of two very different audiences: on one hand, CASL is expressive and powerful enough to be a useful tool for experienced, fluent ``C'' programmers; on the other, it's simple enough to be picked up by a nonprogrammer as quickly as Bourne shell scripting. A CASL script can be little more than a 5 line packet template for users who simply want to forge packets, or it can be tens or hundreds of lines of functional code, with loops, variables, conditionals, subroutines, and other high-level-language capabilities.

We are making CASL available for free for noncommercial use, in the hopes that it can be used to further the state of the art in security research. For more information about CASL, contact Secure Networks Inc.

About Secure Networks, Inc.

Secure Networks, Inc. is a security research and development company located in Calgary, Alberta, Canada. In addition to extensive publically available security research results, Secure Networks also sells security assessment tools. You can find out more about our work at http://www.secnet.com. Secure Networks is reachable via email at ``info@secnet.com'', and via telephone at 403-262-9211.