"Why Does MPTCP Have to Make Things So Complicated?": Cross-Path NIDS Evasion and Countermeasures

Abstract

Multipath TCP (MPTCP) is a recent extension to the Transmission Control Protocol (TCP) that lets a single connection communicate over multiple paths by establishing several subflows between the endpoints; on the wire, each subflow looks like a traditional single-path TCP connection. Previous work has demonstrated that an adversary can fragment data across subflows (cross-path fragmentation) to evade a Network Intrusion Detection System (NIDS) that cannot reassemble related subflows into the single MPTCP data stream, because no individual subflow then carries enough of the payload to match a signature. We present a general mechanism that lets existing penetration testing tools launch MPTCP cross-path fragmentation attacks. On the defensive side, we demonstrate that an existing transport layer proxy, run on a host with an MPTCP-capable kernel, can transparently convert a multipath connection into a single-path connection that a NIDS can analyze. We also investigate extending Snort to perform MPTCP stream reassembly and build a prototype Snort plugin that provides this functionality.
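The evasion and the countermeasure described in the abstract, as an added example that is not code from the thesis, its pentest tooling, or its Snort plugin. It simulates the attacker splitting one request round-robin across two subflows, a NIDS that reassembles each subflow as an ordinary TCP stream (and so never sees the whole signature), and connection-level reassembly keyed on the MPTCP data sequence number (DSN), which recovers the original byte stream even when segments arrive out of order or a DSN range is retransmitted on another subflow. Assumptions: the `Segment` record carries only the subflow id, DSN and payload (a real DSS option also carries the subflow sequence number, data-level length and checksum); the HTTP request and the `/etc/passwd` content signature are constructed stand-ins.

```python
"""Added example (not from the thesis): MPTCP cross-path fragmentation versus
DSN-based stream reassembly, with a toy content-signature check."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One subflow segment, reduced to what the example needs (assumption:
    real DSS options also carry subflow seq, data-level length, checksum)."""
    subflow: int    # 0 = initial subflow, 1.. = subflows added via MP_JOIN
    dsn: int        # connection-level data sequence number of payload[0]
    payload: bytes


def fragment_across_paths(data: bytes, initial_dsn: int, n_subflows: int,
                          chunk: int) -> List[Segment]:
    """Attacker side: cut the stream into chunks and round-robin them over
    n_subflows, so no subflow ever carries two consecutive chunks."""
    segs = []
    for i, off in enumerate(range(0, len(data), chunk)):
        segs.append(Segment(i % n_subflows, initial_dsn + off,
                            data[off:off + chunk]))
    return segs


def per_subflow_streams(segments: Iterable[Segment]) -> Dict[int, bytes]:
    """What a NIDS that tracks each subflow as an independent TCP stream sees:
    each subflow reassembled on its own, never merged with its siblings."""
    streams: Dict[int, bytes] = {}
    for seg in sorted(segments, key=lambda s: (s.subflow, s.dsn)):
        streams[seg.subflow] = streams.get(seg.subflow, b"") + seg.payload
    return streams


def reassemble_by_dsn(segments: Iterable[Segment], initial_dsn: int) -> bytes:
    """Defender side: connection-level reassembly ordered by DSN.
    Tolerates out-of-order arrival and duplicate or overlapping data (MPTCP may
    reinject the same DSN range on a different subflow); raises on a gap so
    the caller never scans a stream with bytes silently missing."""
    buf = bytearray()
    expected = initial_dsn
    for seg in sorted(segments, key=lambda s: s.dsn):
        if seg.dsn > expected:
            raise ValueError(f"gap: expected DSN {expected}, got {seg.dsn}")
        already = expected - seg.dsn          # leading bytes we already have
        fresh = seg.payload[already:]         # b"" for a pure duplicate
        buf += fresh
        expected += len(fresh)
    return bytes(buf)


SIGNATURE = b"/etc/passwd"   # constructed stand-in for a NIDS content rule


def signature_hits(segments: Iterable[Segment], initial_dsn: int,
                   sig: bytes = SIGNATURE) -> Tuple[bool, bool]:
    """(hit when inspecting subflows separately, hit on the reassembled stream)."""
    segments = list(segments)
    subflow_hit = any(sig in s for s in per_subflow_streams(segments).values())
    whole_hit = sig in reassemble_by_dsn(segments, initial_dsn)
    return subflow_hit, whole_hit


if __name__ == "__main__":
    # Constructed request: the signature spans three 4-byte chunks.
    request = b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n\r\n"
    segs = fragment_across_paths(request, initial_dsn=1000, n_subflows=2, chunk=4)
    # Deliver out of order and re-send the first chunk on the other subflow.
    on_the_wire = list(reversed(segs)) + [Segment(1, 1000, request[:4])]
    for sf, stream in sorted(per_subflow_streams(on_the_wire).items()):
        print(f"subflow {sf}: {stream!r}")
    print("per-subflow hit, reassembled hit:", signature_hits(on_the_wire, 1000))
```

A transport-layer proxy in front of the NIDS achieves the same effect as `reassemble_by_dsn` by letting an MPTCP-capable kernel do the reassembly and re-emitting the result as one single-path TCP connection; the gap check matters in either design, because a reassembler that scans a stream with holes can be evaded by withholding one subflow.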

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2016
Accession Number
AD1029760

Entities

People

  • Henry A Foster

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • C4I
  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Command And Control
  • Communication Channels
  • Computer Network Security
  • Computer Networks
  • Computer Programming
  • Computer Programs
  • Computers
  • Data Transmission
  • Denial Of Service Attack
  • Detection
  • Detectors
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Network Protocols
  • Operating Systems
  • Transport Protocols

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Electrical Engineering
  • Thin Film Deposition Science