Granular Packet Inspection vs. Deep Packet Inspection for DDoS Mitigation
Introduction
Deep Packet Inspection (DPI) is the capability to look inside the application payload of a packet or traffic stream and make decisions, in the network, based on the content of that data. It is implemented with signature matching: patterns taken from known attacks are used to recognize future instances of the same attacks.
Distributed denial-of-service (DDoS) attacks overwhelm critical resources with a flood of attack traffic. To do this an attacker must be able to generate high-rate packet floods, usually by recruiting a large number of machines through remote compromise and instructing them to flood the target. Early DDoS attacks used a small number of compromised machines that sent large UDP or ICMP packets at maximum rate, aiming to exhaust the target's bandwidth; these few sources used IP spoofing to appear as a much larger number of addresses. Recent attacks are more sophisticated: the attack traffic is usually well-formed service request traffic (such as HTTP requests), sent from tens of thousands of compromised botnet machines.
Because the traffic looks legitimate and the service it targets is critical to business operation, it is very difficult to detect and filter the attack packets while still admitting legitimate users. Further, since each attack machine sends at a low rate, its individual behavior is not suspicious, so it is hard to identify and blacklist such machines. DDoS attacks are a realistic threat to businesses regardless of their size.
It is therefore necessary to inspect the intent of the traffic rather than its content.
Most IPS appliances work by content inspection, i.e. deep packet inspection. For DDoS, content inspection is of little use: the flood packets contain nothing for a signature to match on.
Granular Packet Rate Inspection and Why It Is Important for DDoS Mitigation
If botnets mimic legitimate users with scripts, and content inspection cannot discriminate between real and attack traffic, then what can? The answer lies in the methods the attackers use to launch such attacks.
To understand intent under a flood, one has to understand behavioral anomalies at the micro and macro levels. A behavioral anomaly is a deviation from past behavior. It is therefore necessary to gather information on past behavior and store it, so that future behavior can be predicted. This requires understanding the average, the trend and the seasonality of the traffic at a very granular level.
To mitigate attacks using behavioral anomalies, you must first understand the attack types used by botnets. They fall broadly into two kinds:
Non-Service attacks:
These are attacks on ports, protocols or other network parameters that the network does not normally use. E.g. SQL Slammer overloaded a rarely used port.
Service attacks:
These attacks try to mimic legitimate users. E.g. if a website serves HTTP, the attack targets the open TCP port 80 with valid URLs.
Attacks of the first kind can be blocked simply by behaviorally limiting non-service ports and protocols. E.g. if your network rarely sees fragmented traffic and you suddenly receive a flood of fragments, you can rate limit fragmented packets to the rate observed in the past. The same can be done for non-service protocols such as ICMP and UDP, and for non-service ports; they may even be blocked outright at the perimeter for the duration of an attack to avoid collateral damage. Granular thresholds help here, and so does directionality: if you normally see x Mbps inbound and y Mbps outbound, the rate limits can differ in the two directions. Partitioning the network helps isolate issues: if one of your subnets carries SSL traffic and another does not, the two can have different thresholds for SSL traffic rates.
Attacks of the second kind are hard to stop with simple granular thresholds on ports or protocols; they need more behavioral techniques.
Botnet attacks are primarily scripted: bot programs launch the requests. The behavior of these scripts differs markedly from a human clicking links in a browser or typing URLs. The rates are unusual: the connection establishment rate for a single IP address is much higher for a scripted attack. Similarly, one or more of the following behavioral rates are abnormal during such attacks:
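The following is an added example, not IntruGuard code, of the per-zone, per-direction rate limiting just described: every (zone, direction, traffic class) key gets its own token bucket whose sustained rate is the rate previously seen for that key, fragments and non-service protocols or ports are held to it, and service traffic for the zone passes untouched. The zone and service tables, the limits and the packet trace are all constructed for illustration.

```python
"""Per-zone, per-direction rate limiting of non-service traffic.

Added example (not IntruGuard code): each (zone, direction, traffic class)
gets its own token bucket whose sustained rate is the rate seen for that key in
the past; fragments, ICMP, and UDP or TCP to ports the zone does not serve are
limited, while service traffic for the zone passes untouched. Zone and service
tables, the limits and the packet trace are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed partitioning: which prefixes form each zone and what each serves.
ZONES = {"web": ip_network("10.0.1.0/24"), "dns": ip_network("10.0.2.0/24")}
SERVICES = {"web": {("tcp", 80), ("tcp", 443)}, "dns": {("udp", 53)}}


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp", "udp" or "icmp"
    fragment: bool = False  # non-initial fragment or MF set


@dataclass
class TokenBucket:
    rate: float     # sustained packets/s: the rate previously observed for this key
    burst: float    # short-term allowance above the sustained rate
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def zone_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)


def classify(p):
    """Return (zone, direction, class) for non-service traffic, or None when the
    packet is service traffic for its zone or does not touch a zone at all."""
    if zone_of(p.dst):
        zone, direction, port = zone_of(p.dst), "in", p.dport
    elif zone_of(p.src):
        zone, direction, port = zone_of(p.src), "out", p.sport
    else:
        return None
    if p.fragment:
        return zone, direction, "fragment"
    if (p.proto, port) in SERVICES[zone]:
        return None
    return zone, direction, p.proto


def enforce(packets, limits):
    """Run the trace through the buckets; returns a Counter of (key, action)."""
    verdicts = Counter()
    for p in sorted(packets, key=lambda q: q.ts):
        key = classify(p)
        if key is None:
            verdicts[("service", "pass")] += 1
        elif key not in limits:            # no bucket configured: leave alone
            verdicts[(key, "pass")] += 1
        else:
            verdicts[(key, "pass" if limits[key].allow(p.ts) else "drop")] += 1
    return verdicts


def constructed_limits():
    """Directional limits; the inbound and outbound ICMP rates deliberately differ."""
    return {
        ("web", "in", "icmp"): TokenBucket(rate=8.0, burst=16.0),
        ("web", "out", "icmp"): TokenBucket(rate=2.0, burst=4.0),
        ("web", "in", "udp"): TokenBucket(rate=1.0, burst=2.0),
        ("web", "in", "fragment"): TokenBucket(rate=0.5, burst=1.0),
    }


def constructed_trace():
    """A ping flood, DNS queries, stray UDP to the web zone, outbound ICMP, fragments."""
    pk = []
    pk += [Packet(i / 64, "198.51.100.7", 0, "10.0.1.10", 0, "icmp") for i in range(64)]
    pk += [Packet(1 + i / 8, "203.0.113.10", 40000 + i, "10.0.2.5", 53, "udp") for i in range(8)]
    pk += [Packet(2 + i / 8, "203.0.113.10", 40000 + i, "10.0.1.10", 53, "udp") for i in range(8)]
    pk += [Packet(3 + i / 8, "10.0.1.10", 0, "198.51.100.7", 0, "icmp") for i in range(8)]
    pk += [Packet(4 + i / 4, "198.51.100.9", 0, "10.0.1.10", 0, "udp", True) for i in range(4)]
    return pk


if __name__ == "__main__":
    results = enforce(constructed_trace(), constructed_limits())
    for (key, action), n in sorted(results.items(), key=str):
        print(key, action, n)
```

Note that the same UDP/53 packets are service traffic for the dns zone and non-service traffic for the web zone, and that the inbound and outbound ICMP buckets for the web zone are independent; that is what the partitioning and directionality dimensions buy you.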
- Total number of concurrent connections/destination IP address
- Total number of concurrent connections/source IP address
- Total number of SYN packets/second per partitioned network
- Rate of packets/second/source
- Rate of packets/second/destination
- Rate of TCP connection establishment
Such behavioral anomalies can be caught by granular inspection that monitors individual IP addresses, protocols, ports, etc. Baseline thresholds for these granular characteristics, adjusted over time for seasonality, can then be used to block the abnormal behavior.
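As an added example (not IntruGuard code) of measuring the parameters in the list above, the script below counts packets per source and destination, SYNs per zone, new connections per source and concurrent connections per source and destination over one window of a constructed packet trace, then reports every counter that breaches a constructed baseline. The zone table, thresholds and packets are assumptions made for illustration.

```python
"""Granular rate inspection over a constructed packet trace.

Added example (not IntruGuard code): counts the behavioral parameters listed
above over one measurement window and flags every counter that exceeds its
baseline threshold. The zone table, thresholds and packets are all constructed
for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since the start of the window
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp", "udp" or "icmp"
    flags: frozenset     # TCP flags present, e.g. frozenset({"SYN"})


# Constructed zone table standing in for a VID-style partitioning (assumption).
ZONES = {"web": ip_network("10.0.1.0/24"), "mail": ip_network("10.0.2.0/24")}

# Constructed baseline thresholds; a real deployment learns these from history.
BASELINE = {
    "pps_per_src": 30.0,        # packets/s from any one source address
    "new_conn_per_src": 5.0,    # TCP connections/s established by one source
    "syn_per_zone": 10.0,       # SYN/s arriving in any one zone
    "conc_conn_per_dst": 100,   # concurrent connections to one server
}

# Parameters measured per second; the concurrency counters are absolute.
RATE_PARAMS = {"pps_per_src", "pps_per_dst", "syn_per_zone", "new_conn_per_src"}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "other"


def measure(packets, window_s):
    """Count the behavioral parameters over one window.

    Returns {(parameter, key): value}. A connection counts as established when
    a client ACK follows a bare SYN for the same (src, sport, dst, dport).
    """
    counts = Counter()
    half_open, established = set(), set()
    for p in packets:
        counts[("pps_per_src", p.src)] += 1
        counts[("pps_per_dst", p.dst)] += 1
        if p.proto != "tcp":
            continue
        tup = (p.src, p.sport, p.dst, p.dport)
        if p.flags == frozenset({"SYN"}):
            counts[("syn_per_zone", zone_of(p.dst))] += 1
            half_open.add(tup)
        elif "ACK" in p.flags and tup in half_open:
            half_open.discard(tup)
            established.add(tup)
            counts[("new_conn_per_src", p.src)] += 1
    for src, _, dst, _ in established:
        counts[("conc_conn_per_src", src)] += 1
        counts[("conc_conn_per_dst", dst)] += 1
    return {k: (v / window_s if k[0] in RATE_PARAMS else v) for k, v in counts.items()}


def detect(measurements, thresholds):
    """Return sorted (parameter, key, value, threshold) tuples for every breach."""
    return sorted(
        (param, key, value, thresholds[param])
        for (param, key), value in measurements.items()
        if param in thresholds and value > thresholds[param]
    )


def constructed_trace():
    """Two seconds of traffic: three browsers and one scripted bot (constructed)."""
    pkts = []

    def handshake(t, src, sport, dst, dport):
        pkts.append(Packet(t, src, sport, dst, dport, "tcp", frozenset({"SYN"})))
        pkts.append(Packet(t + 0.01, src, sport, dst, dport, "tcp", frozenset({"ACK"})))

    for i, user in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for n in range(2):                      # a person opens a couple of connections
            handshake(0.3 * i + n, user, 40000 + n, "10.0.1.10", 80)
    for n in range(40):                         # the bot completes 40 handshakes in 2 s
        handshake(n * 0.05, "198.51.100.7", 50000 + n, "10.0.1.10", 80)
    pkts.append(Packet(1.0, "203.0.113.10", 5353, "10.0.2.5", 25, "udp", frozenset()))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for param, key, value, limit in detect(measure(constructed_trace(), 2.0), BASELINE):
        print(f"{param:18s} {key:15s} {value:6.1f} > {limit}")
```

Every request the bot sends is a complete, valid handshake to a legitimate port, so nothing in the packet content distinguishes it; it is caught only because its per-source connection and packet rates, and the zone's aggregate SYN rate, sit far above the baseline while the three browsers stay under it.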
IntruGuard’s Granular Inspection Technology
IntruGuard's custom hardware design monitors thresholds for all traffic it sees at layers 2, 3 and 4. It measures packet rates, state transitions, fragments, checksums, flags, new connections, address pairs, etc. Thresholds can be set on any of these network parameters to rate limit traffic for particular systems or applications.
First dimension of Granularity: Compartmentalization of Business/Network
To partition networks logically, the IG200/2000 devices provide "eight gateways in one". Using Virtual Identifiers (VIDs), the appliances segment traffic into up to eight zones. Each zone can be a server, a subnet or a network, on-site or remote, so one gateway can secure eight network segments and spread its cost over a large infrastructure. When the gateway is placed in front of a router and firewall, this can substantially reduce duplication of those other network elements. Zones are identified by VLAN tag, IP address or MAC address.
This logical partitioning gives each VID zone its own set of parameters and policies. Each of the 200,000-plus parameters and their corresponding thresholds is monitored automatically to spot malicious traffic. Since different zones are expected to have distinct traffic patterns, the use of VIDs improves accuracy and reduces false positives.
Second dimension of Granularity: Directionality
Network traffic has directionality, and each direction behaves differently. IntruGuard appliances allow independent parameters in the two directions. E.g. the incoming and outgoing packet rates on port 80 are usually different and should be controlled separately.
Third dimension of Granularity: Time
Network traffic has seasonality and grows over time. IntruGuard appliances allow you to set thresholds once; they then adjust the thresholds adaptively and continuously according to the time of day and the day of the week.
Fourth dimension of Granularity: Granular Packet Rate Thresholds
The IG200 and IG2000 monitor network parameters to analyze subtle changes in traffic rate behavior in order to recognize and prevent attacks. Because this micro-fine granularity is implemented in silicon, the IG200/2000 can differentiate attack traffic from legitimate traffic, maintain service during a denial-of-service attack, and respond like a circuit breaker within 2 seconds.
What sets the IG200/2000 apart from other solutions is the fine granularity of the traffic models it builds and its fast, hardware-level traffic monitoring and filtering. The IG200/2000 builds a baseline model of legitimate network traffic at layers 2, 3 and 4, measuring byte and packet counts, state transitions, fragments, flag distribution, IP address distribution, new connection establishment rate and numerous other parameters. Counters for each parameter are implemented on chip, so measurement occurs at the packet forwarding rate of 200 Mbps/2 Gbps. This design introduces no monitoring overhead and no filtering bottleneck, and supports high-granularity counters: traffic to one million source IP and one million destination IP addresses can be tracked, as well as traffic on any of the 65536 source or destination ports and any of the 256 possible protocol numbers.
The main advantage of the IG200/2000 over competing products is the fine granularity of the counters used for traffic parameter monitoring. This granularity matters because it supports building a complex, detailed model of legitimate traffic, which in turn allows detection of sophisticated attacks that attempt to mimic legitimate traffic. Because the attacker cannot observe or infer the baseline model, the generated attack will in practice breach some of the fine thresholds set by the IG200/2000 regardless of its sophistication: a botnet large enough to keep every source under its per-source thresholds still has to breach the aggregate per-zone and per-destination ones. At the same time, fine granularity supports precise traffic filtering, minimizing collateral damage to legitimate traffic during an attack.
A network administrator can set thresholds on individual monitored parameters or combinations of them to describe the allowed fluctuations in network traffic. Since specifying thresholds by hand at this granularity and for this many parameters is a complex task, the IG200/2000 performs automatic traffic baselining and threshold setup upon installation; an administrator then only needs to tweak and approve the suggested thresholds. The initial baselining lasts from 2 to 14 days, during which the IG200/2000 determines traffic parameter ranges and thresholds and builds the legitimate traffic baseline model, taking weekly seasonality into account. Learning does not stop there: baseline models are continuously adjusted to reflect new traffic trends.
The IG200/2000 detects DDoS attacks and filters them using a combination of detection and response mechanisms. Attacks that generate traffic floods are detected by comparing current traffic measurements with a predicted trend for each monitored parameter. The predicted trend is derived from the baseline, taking into account a historical weighted average of the packet and byte counts for a given parameter value (later measurements carry more weight), the traffic trend (the dynamics of the parameter's change) and the traffic seasonality. If a measured value exceeds the predicted value by more than the threshold set for that parameter, an attack is detected. The IG200/2000 uses three types of threshold for each parameter, with the goal of precisely distinguishing attacks from the legitimate traffic increase that results from more users accessing the protected network. The minimum and maximum thresholds are hard limits set at the baselining stage; their values are recommended by the IG200/2000 for each parameter and can be adjusted by an administrator. The estimated threshold is generated periodically by the IG200/2000 from the observed traffic trend and usually falls between the minimum and the maximum. When a traffic parameter exceeds its minimum threshold, the smaller of the estimated and maximum thresholds is used for filtering. An administrator controls how far an estimated threshold may exceed the baseline by selecting one of five threat levels; higher threat levels give a tighter threshold setup.
Additional Prevention Mechanisms
In addition to its behavior modeling approach to attack detection, the IG200/2000 can detect anomalous traffic at the packet and connection level. It does this by acting as a packet filter and a stateful firewall alongside its rate-based intrusion prevention functionality. These techniques include:
- SYN Proxy
- Connection Limiting
- Aggressive Aging
- Source Rate Limiting
- Dynamic Filtering
- Active Verification through Legitimate IP Address Matching
- Anomaly Recognition
- Protocol Analysis
- Rate Limiting
- White-list, Black-list, Non-tracked sources
- State Anomaly Recognition
- Stealth Attack filtering
- Dark address scan prevention
Conclusion
While deep packet inspection is useful for securing perimeters, it is not sufficient to handle DDoS attacks. Granular packet inspection done in silicon, combined with behavioral modeling, gives the network security administrator the right tools to thwart the new generation of attacks. IntruGuard's solutions have the architecture and ease of implementation needed to handle these attacks.
See also:
Best Practices for DDoS Mitigation