CTCP: a transparent centralized TCP/IP architecture for network security

Many nework security problems can be solved in a centralized TCP (CTCP) architecture, in which an organization's edge router transparently proxies every TCP connection between an internal host and an external host on the Internet. This paper describes the design, implementation, and evaluation of a CTCP router prototype that is built on the Linux kernel. By redirecting all packets targeting at nonexistent or nonopen-to-public ports to a CTCP socket which pretends to be the original receivers, CTCP could confirm the real identification of the packet sources, collect suspicious traffic from them, and make an illusion that the scanned target ports are all open, thus renders port scanning an useless effort. Under CTCP architecture, external hosts only interacts with a secure CTCP router; therefore, any OS fingerprinting attempt and DoS/DDoS attack targeting at TCP/IP implementation bugs could be thwarted. Moreover, By further checking traffic originating from confirmed scanners, the CTCP router can actually identify buffer overflow attack traffic. Finally, the CTCP router solves the TCP connection hijacking problem by introducing an additional check on the sequence number filed of incoming packets. Despite providing a rich variety of protection, the CTCP architecture does not incur much overhead. On a 1.1 GHz Pentium-3 machine with gigabit Ethernet interfaces, the throughput of the CTCP router is 420.3 Mbits/sec, whereas the throughput of a generic Linux router on the same hardware is only 409.1 Mbits/sec.

[1]  Sangyeun Cho,et al.  Decoupling local variable accesses in a wide-issue superscalar processor , 1999, ISCA.

[2]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[3]  David R. Ditzel,et al.  Register allocation for free: The C machine stack cache , 1982, ASPLOS I.

[4]  Andy Oram,et al.  Understanding the Linux Kernel, Second Edition , 2002 .

[5]  Farnam Jahanian,et al.  Defeating TCP/IP Stack Fingerprinting , 2000, USENIX Security Symposium.

[6]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[7]  Christopher Krügel,et al.  Accurate Buffer Overflow Detection via Abstract Payload Execution , 2002, RAID.

[8]  Franck Veysset,et al.  New Tool And Technique For Remote Operating System Fingerprinting , 2002 .

[9]  Laurent Joncheray A Simple Active Attack Against TCP , 1995, USENIX Security Symposium.

[10]  Dan Boneh,et al.  Proceedings of the 11th USENIX Security Symposium , 2002 .

[11]  E. A. W. Dante , 1990 .

[12]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[13]  Daniel Pierre Bovet,et al.  Understanding the Linux Kernel , 2000 .

[14]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[15]  Karl N. Levitt,et al.  Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities , 2004, 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507).

[16]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[17]  SpitznerLance The Honeynet Project , 2003, S&P 2003.

[18]  Tzi-cker Chiueh,et al.  Aggregate TCP congestion control using multiple network probing , 2000, Proceedings 20th IEEE International Conference on Distributed Computing Systems.