Why Does MPTCP Have to Make Things So Complicated: Cross-Path NIDS Evasion and Countermeasures
Abstract: A recent enhancement to the Transmission Control Protocol (TCP) is Multipath TCP (MPTCP), a transport layer protocol that extends TCP so that a single connection can communicate over multiple paths by establishing several subflow connections between the endpoints. Each subflow behaves in the same way that a traditional single-path TCP connection would. Previous work has demonstrated that adversaries can perform cross-path data fragmentation to evade Network Intrusion Detection Systems (NIDS) when the NIDS is unable to integrate the related subflows into a single MPTCP data stream. We present a general solution that enables current penetration testing tools to perform MPTCP cross-path fragmentation attacks. On the defensive side, we demonstrate that existing transport layer proxies can be used in conjunction with an MPTCP kernel to transparently convert a multipath connection into a single-path connection that a NIDS can analyze. We also investigate extending Snort to perform MPTCP stream reassembly and create a prototype Snort plugin that provides this functionality.
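As an added illustration of the connection-level reassembly the defensive side of this abstract describes (this is not code from the paper or from the Snort plugin), the following Python reassembles constructed MPTCP subflow segments by their data sequence number (DSN) and shows that a per-subflow view misses a signature which the reassembled stream exposes. The segment layout, the handling of an overlapping retransmission on a second path, and the signature token are assumptions made for the example.

```python
"""Constructed example: MPTCP DSN-based reassembly for NIDS inspection."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DssSegment:
    """One data segment as seen in a subflow, with its MPTCP DSS mapping."""
    subflow: int   # which path carried the segment (0 or 1 in this example)
    dsn: int       # data sequence number: offset in the connection-level byte stream
    data: bytes


def per_subflow_streams(segments):
    """What a subflow-unaware NIDS sees: each subflow's bytes in arrival order."""
    streams = {}
    for seg in segments:  # subflow sequence numbers are contiguous, so arrival order suffices
        streams[seg.subflow] = streams.get(seg.subflow, b"") + seg.data
    return streams


def reassemble_mptcp(segments, initial_dsn=0):
    """Connection-level reassembly keyed on DSN, ignoring which subflow carried the data.

    Overlapping or duplicated DSN ranges (e.g. a retransmission on another path) are
    trimmed; a gap stops reassembly and the contiguous prefix is returned.
    """
    out = bytearray()
    next_dsn = initial_dsn
    for seg in sorted(segments, key=lambda s: s.dsn):
        end = seg.dsn + len(seg.data)
        if end <= next_dsn:
            continue          # entirely duplicated data, nothing new
        if seg.dsn > next_dsn:
            break             # hole in the DSN space: not yet seen on any subflow
        out += seg.data[next_dsn - seg.dsn:]  # drop the already-covered overlap
        next_dsn = end
    return bytes(out)


SIGNATURE = re.compile(rb"X-Evasion-Test")  # constructed detection token


def matches(stream):
    """Constructed one-rule NIDS: does the signature occur in this byte stream?"""
    return SIGNATURE.search(stream) is not None


# Constructed capture: the signature is split so neither subflow alone contains it.
PAYLOAD = b"GET / HTTP/1.1\r\nX-Evasion-Test: 1\r\n\r\n"
SEGMENTS = [
    DssSegment(subflow=0, dsn=0, data=PAYLOAD[0:20]),
    DssSegment(subflow=1, dsn=20, data=PAYLOAD[20:26]),
    DssSegment(subflow=0, dsn=26, data=PAYLOAD[26:]),
    DssSegment(subflow=1, dsn=20, data=PAYLOAD[20:30]),  # overlapping retransmission
]
```

Running `matches` on each value of `per_subflow_streams(SEGMENTS)` yields no hit, while `matches(reassemble_mptcp(SEGMENTS))` does, which is exactly the gap a subflow-aware reassembler or an MPTCP-to-TCP proxy closes.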