Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces (CMU-CS-03-109)

Self-securing network interfaces (NIs) examine the packets that they move between network links and host software, looking for and potentially blocking malicious network activity. This paper describes how self-securing network interfaces can help administrators identify and contain compromised machines within their intranet. By shadowing host state, self-securing NIs can better identify suspicious traffic originating from that host, including many attacks explicitly designed to defeat network intrusion detection systems. With normalization and detection-triggered throttling, self-securing NIs can reduce the ability of compromised hosts to launch attacks on other systems inside (or outside) the intranet. We describe a prototype self-securing NI and example scanners for detecting such things as TTL abuse, fragmentation abuse, "SYN bomb" attacks, and random-propagation worms like Code-Red.

Acknowledgements: We thank the members and companies of the PDL Consortium (including EMC, Hewlett-Packard, Hitachi, IBM, Intel, Network Appliance, Panasas, Seagate, Sun, and Veritas) for their interest, insights, feedback, and support. We thank IBM and Intel for hardware grants supporting our research efforts. This material is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-01-1-0433. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the U.S. Government.
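To make the abstract's three mechanisms concrete (shadowing host state, normalization, and detection-triggered throttling), the following is an added illustration, not code from the paper or its prototype. It models an NI that inspects one host's outbound packets with two pieces of shadowed host state it is assumed to know: the host stack's default IP TTL and the set of peers the host has already talked to. The scanner logic, thresholds, packet fields and sample traffic are all this example's own assumptions, chosen to show the TTL-abuse, fragmentation-abuse and random-propagation-worm cases the abstract names; the "SYN bomb" scanner is not modelled.

```python
"""Toy self-securing NI scanner (illustrative; not the CMU prototype)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    t: float                 # arrival time at the NI, seconds
    src: str
    dst: str
    ttl: int
    syn: bool = False        # TCP SYN: a new outbound connection attempt
    ip_id: int = 0           # IP identification (groups fragments of one datagram)
    frag_off: int = 0        # fragment offset, bytes
    length: int = 0          # payload bytes carried by this fragment
    more_frags: bool = False


@dataclass
class Verdict:
    action: str                          # "forward", "drop" or "throttle"
    ttl: int                             # TTL after normalization
    alerts: list = field(default_factory=list)


class SelfSecuringNI:
    def __init__(self, host_ttl=64, window=1.0, max_new_dsts=3):
        self.host_ttl = host_ttl          # shadowed host state: default IP TTL (assumed)
        self.window = window              # seconds, for the worm-rate scanner
        self.max_new_dsts = max_new_dsts  # new peers allowed per window (assumed)
        self._frags = defaultdict(list)   # (src, dst, ip_id) -> [(start, end)]
        self._known_dsts = set()          # peers this host has contacted before
        self._new_dst_times = deque()     # times of SYNs to never-seen peers

    def inspect(self, p: Packet) -> Verdict:
        v = Verdict("forward", p.ttl)

        # TTL abuse: the shadowed host stack always emits host_ttl, so a smaller
        # outbound TTL did not come from the normal stack. It is the classic
        # insertion trick (packet expires before the target but after the NIDS).
        # Normalize it rather than trust it. (A traceroute-style tool on the
        # host would need an exemption in a real deployment.)
        if p.ttl < self.host_ttl:
            v.alerts.append(f"ttl-abuse:{p.ttl}")
            v.ttl = self.host_ttl

        # Fragmentation abuse: overlapping fragments of one datagram are never
        # produced by a correct stack; they exist so the target and the NIDS
        # reassemble different payloads. Drop the overlapping fragment.
        if p.frag_off or p.more_frags:
            key = (p.src, p.dst, p.ip_id)
            start, end = p.frag_off, p.frag_off + p.length
            for s, e in self._frags[key]:
                if start < e and s < end:           # byte-range overlap
                    v.alerts.append(f"frag-overlap:id={p.ip_id}")
                    v.action = "drop"
                    return v
            self._frags[key].append((start, end))

        # Random-propagation worm: a scanning worm opens connections to many
        # peers the host has never talked to. Count SYNs to never-seen peers in
        # a sliding window and hold back the excess (detection-triggered
        # throttling in the spirit of Williamson's virus throttle).
        if p.syn and p.dst not in self._known_dsts:
            cutoff = p.t - self.window
            while self._new_dst_times and self._new_dst_times[0] <= cutoff:
                self._new_dst_times.popleft()
            if len(self._new_dst_times) >= self.max_new_dsts:
                v.alerts.append("new-peer-rate")
                v.action = "throttle"
                return v
            self._new_dst_times.append(p.t)
            self._known_dsts.add(p.dst)
        return v


def run(ni: SelfSecuringNI, packets) -> list:
    """Inspect packets in order; return (action, alerts) per packet."""
    return [(v.action, v.alerts) for v in (ni.inspect(p) for p in packets)]


H = "10.0.0.5"   # the protected host (constructed sample traffic, not a capture)
SAMPLE = [
    Packet(0.0, H, "10.0.0.9", 64, syn=True),                                   # normal
    Packet(0.1, H, "10.0.0.9", 3),                                              # low TTL
    Packet(0.2, H, "10.0.0.9", 64, ip_id=7, frag_off=0, length=16, more_frags=True),
    Packet(0.3, H, "10.0.0.9", 64, ip_id=7, frag_off=8, length=16),             # overlap
    Packet(1.0, H, "10.0.1.1", 64, syn=True),                                   # scan
    Packet(1.1, H, "10.0.1.2", 64, syn=True),
    Packet(1.2, H, "10.0.1.3", 64, syn=True),
    Packet(1.3, H, "10.0.1.4", 64, syn=True),                                   # throttled
    Packet(1.4, H, "10.0.1.5", 64, syn=True),                                   # throttled
    Packet(1.45, H, "10.0.0.9", 64, syn=True),                                  # known peer
    Packet(2.5, H, "10.0.1.6", 64, syn=True),                                   # window over
]

if __name__ == "__main__":
    for p, (action, alerts) in zip(SAMPLE, run(SelfSecuringNI(), SAMPLE)):
        print(f"t={p.t:<5} {p.dst:<10} {action:<8} {alerts}")
```

The point of the example is the asymmetry the abstract relies on: a network-only NIDS must guess what TTL or fragment layout the receiving stack will honour, whereas an NI that shadows the sending host knows what that host's stack would have emitted and can normalize or drop anything else before it leaves the machine. The throttle keeps already-known peers unaffected, so a compromised host is slowed in its scanning without cutting off its legitimate sessions.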
