End-to-end Internet packet dynamics
SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
Packet reordering is not pathological network behavior
IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Introduction to algorithms
On making TCP more robust to packet reordering
ACM SIGCOMM Computer Communication Review
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement
Measurement and classification of out-of-sequence packets in a tier-1 IP backbone
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement
TCP-Splitter: A TCP/IP Flow Monitor in Reconfigurable Hardware
HOTI '02 Proceedings of the 10th Symposium on High Performance Interconnects HOT Interconnects
TCP-PR: TCP for Persistent Packet Reordering
ICDCS '03 Proceedings of the 23rd International Conference on Distributed Computing Systems
RR-TCP: A Reordering-Robust TCP with DSACK
ICNP '03 Proceedings of the 11th IEEE International Conference on Network Protocols
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
The effect of packet reordering in a backbone link on application throughput
IEEE Network: The Magazine of Global Internetworking
Fast hash table lookup using extended bloom filter: an aid to network processing
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Detecting evasion attacks at high speeds without reassembly
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Virtually Pipelined Network Memory
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Towards high-performance flow-level packet processing on multi-core network processors
Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Counter braids: a novel counter architecture for per-flow measurement
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Predicting the Resource Consumption of Network Intrusion Detection Systems
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Packet reordering in high-speed networks and its impact on high-speed TCP variants
Computer Communications
TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems
IEICE - Transactions on Information and Systems
Bunker: a privacy-oriented platform for network tracing
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
High-bandwidth network memory system through virtual pipelines
IEEE/ACM Transactions on Networking (TON)
NetShield: massive semantics-based vulnerability signature matching for high-speed networks
Proceedings of the ACM SIGCOMM 2010 conference
Carousel: scalable logging for intrusion prevention systems
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Memory-efficient TCP reassembly using FPGA
Proceedings of the Second Symposium on Information and Communication Technology
Re-examining the performance bottleneck in a NIDS with detailed profiling
Journal of Network and Computer Applications
Scap: stream-oriented network traffic capture and analysis for high-speed networks
Proceedings of the 2013 conference on Internet measurement conference
There is a growing interest in designing high-speed network devices to perform packet processing at semantic levels above the network layer. Some examples are layer-7 switches, content inspection and transformation systems, and network intrusion detection/prevention systems. Such systems must maintain per-flow state in order to correctly perform their higher-level processing. A basic operation inherent to per-flow state management for a transport protocol such as TCP is the task of reassembling any out-of-sequence packets delivered by an underlying unreliable network protocol such as IP. This seemingly prosaic task of reassembling the byte stream becomes an order of magnitude more difficult to soundly execute when conducted in the presence of an adversary whose goal is to either subvert the higher-level analysis or impede the operation of legitimate traffic sharing the same network path. We present a design of a hardware-based high-speed TCP reassembly mechanism that is robust against attacks. It is intended to serve as a module used to construct a variety of network analysis systems, especially intrusion prevention systems. Using trace-driven analysis of out-of-sequence packets, we first characterize the dynamics of benign TCP traffic and show how we can leverage the results to design a reassembly mechanism that is efficient when dealing with non-attack traffic. We then refine the mechanism to keep the system effective in the presence of adversaries. We show that although the damage caused by an adversary cannot be completely eliminated, it is possible to mitigate the damage to a great extent by careful design and resource allocation. Finally, we quantify the trade-off between resource availability and damage from an adversary in terms of Zombie equations that specify, for a given configuration of our system, the number of compromised machines an attacker must have under their control in order to exceed a specified notion of "acceptable collateral damage."
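The abstract describes the core problem: a monitor that reassembles TCP byte streams must hold out-of-sequence segments until the gap in front of them is filled, and that buffered state is exactly what an adversary can try to exhaust. The following is an added example, not code from the paper or the page, of a minimal per-flow reassembler in Python that buffers out-of-order data under a fixed per-flow byte budget and evicts the flow when the budget is exceeded. The `FlowState` structure, the `reassemble` function, the eviction policy and the two sample traces are all constructed here for illustration; the paper's hardware design and its Zombie equations are not reproduced.

```python
from dataclasses import dataclass, field


@dataclass
class FlowState:
    """Reassembly state for one direction of one TCP flow (hypothetical layout)."""
    next_seq: int                                 # next in-order byte the analyser expects
    budget: int                                   # max bytes of out-of-order data held for this flow
    holes: dict = field(default_factory=dict)     # seq -> payload, buffered until contiguous
    delivered: bytearray = field(default_factory=bytearray)
    evicted: bool = False                         # set once the flow exceeded its budget

    def buffered_bytes(self) -> int:
        return sum(len(p) for p in self.holes.values())


def reassemble(flow: FlowState, seq: int, payload: bytes) -> bytes:
    """Feed one segment and return the bytes that became contiguous.

    Segments entirely below next_seq are retransmissions and are dropped;
    an overlapping prefix is trimmed.  Out-of-order data waits in `holes`.
    If holding it would exceed the flow's budget, the flow is marked evicted
    and its buffered data discarded (assumed policy for this example).
    """
    if flow.evicted:
        return b""
    end = seq + len(payload)
    if end <= flow.next_seq:
        return b""                                # pure retransmission, nothing new
    if seq < flow.next_seq:
        payload = payload[flow.next_seq - seq:]   # trim bytes already delivered
        seq = flow.next_seq
    if seq > flow.next_seq:
        already = len(flow.holes.get(seq, b""))   # replacing a duplicate costs nothing extra
        if flow.buffered_bytes() - already + len(payload) > flow.budget:
            flow.evicted = True
            flow.holes.clear()
            return b""
        flow.holes[seq] = payload                 # gap in front: hold it
        return b""
    # In-order segment: deliver it, then drain any buffered data that is now contiguous.
    out = bytearray(payload)
    flow.next_seq = end
    while flow.holes:
        lo = min(flow.holes)
        if lo > flow.next_seq:
            break                                 # next hole still has a gap in front
        chunk = flow.holes.pop(lo)[flow.next_seq - lo:]   # trim overlap with delivered data
        out += chunk
        flow.next_seq += len(chunk)
    flow.delivered += out
    return bytes(out)


def demo_benign() -> bytes:
    """Constructed trace: a single reordered segment, the common benign case."""
    flow = FlowState(next_seq=0, budget=64)
    out = b""
    out += reassemble(flow, 0, b"GET /")
    out += reassemble(flow, 10, b" HTTP/1.1\r\n")  # arrives early, buffered in a hole
    out += reassemble(flow, 5, b"index")            # fills the gap and drains the hole
    return out


def demo_adversarial() -> FlowState:
    """Constructed trace: a peer that only ever sends non-contiguous segments."""
    flow = FlowState(next_seq=0, budget=64)
    for i in range(1, 20):
        reassemble(flow, i * 1000, b"X" * 16)       # every segment leaves a gap in front
    return flow


if __name__ == "__main__":
    print(demo_benign())
    adv = demo_adversarial()
    print("evicted:", adv.evicted, "buffered:", adv.buffered_bytes())
```

The benign trace reassembles to the full request once the gap is filled, while the adversarial trace trips the budget on the fifth segment and the flow is dropped with its buffer released. In a real monitor the budget and the eviction rule are the resource-allocation knobs the abstract refers to: a larger budget tolerates more benign reordering per flow, but raises the amount of memory a single peer can pin, which is the trade-off the paper quantifies.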