TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 2): the implementation
TCP/IP illustrated (vol. 2): the implementation
Dummynet: a simple approach to the evaluation of network protocols
ACM SIGCOMM Computer Communication Review
Automated packet trace analysis of TCP implementations
SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
Building Internet Firewalls
Defeating TCP/IP stack fingerprinting
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
The Phoenix framework: a practical architecture for programmable networks
IEEE Communications Magazine
Cooperating security managers: a peer-based intrusion detection system
IEEE Network: The Magazine of Global Internetworking
Hi-index | 0.00 |
This paper describes the design and implementation of protocol scrubbers. Protocol scrubbers are transparent, active interposition mechanisms for explicitly removing network scans and attacks at various protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems by converting ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. The fingerprint scrubber restricts an attacker's ability to determine the operating system of a protected host and the fingerprint we stored in real time database. As an example, this paper presents the implementation of a TCP scrubber that eliminates insertion and evasion attacks -- attacks that use ambiguities to subvert detection -- on passive network-based intrusion detection systems, while preserving high performance. The TCP scrubber is based on a novel, simplified state machine that performs in a fast and scalable manner. The fingerprint real time database scrubber is built upon the TCP scrubber and removes additional ambiguities from flows that can reveal implementation-specific details about a host's operating system.