the system to avoid recording a set of packets. Since query processing is done offline and does not need the strict real-time response of an IDS, such attacks can be countered more effectively in ForNet. Of course, we assume the adversary has full knowledge of the inner workings of the various ForNet components, such as the data stored at the Forensic Servers, the algorithms used by SynApps and query processors, the security primitives in place, and their use by the security manager. We now describe possible attacks on the various components of ForNet.
Forensic Server: The Forensic Server needs to be protected very well, like the DNS servers, as it contains valuable network evidence. Data corruption on a Forensic Server may lead to the results produced by that server being discarded. To minimize the damage, data shall be recorded to a read-only medium frequently. In addition, a rogue Forensic Server can exploit the trust relationships in the ForNet hierarchy and attack other servers by sending rogue queries. Appropriate resource allocation strategies shall be in place to counter resource starvation attacks on Forensic Servers.
Query Processor: Since the Forensic Server processes queries from remote servers, an adversary can send numerous queries to a server to consume its resources, or alternatively send a single complicated query to bog down the server.
Storage Unit: Needless to say, a simple denial-of-service attack would be to send a lot of data that passes through the network filter and is processed and stored by the storage unit, in order to fill up the storage unit. This attack is especially effective when the SynApps are set up to overwrite current data or retire it periodically to secondary or tertiary storage. An attacker can potentially flush useful data by sending an enormous amount of spurious traffic to a SynApp. Data retirement policies shall be designed with care to counter such attacks. For example, keeping a representative sample of the retired data shall alleviate the effects of such an attack.
Synopsis Engine: The synopsis engine uses various algorithms to represent network data succinctly. An adversary with knowledge of how an algorithm works can trick the algorithm into recording less evidence, or no evidence at all. For example, an attacker can fool a sampling algorithm into sampling less evidence by “hiding” a few attack packets among a lot of bogus packets that are eventually discarded by the end-host but are considered valid by the sampling algorithm. An attacker can, for example, create a lot of packets with a small TTL so that they never reach the end-hosts, or packets with invalid headers that will be discarded by the end-hosts, or simply increase the number of packets via IP fragmentation and hide the real attack packets among them. Creating such a cloak requires an attacker to generate numerous packets. An increase in packet arrival rate can easily be detected by SynApps. For example, a simple synopsis technique, like a counting Bloom filter, can keep track of the history of the packet arrival rate per host. When the arrival rate exceeds a certain threshold, the SynApps can sample the excess data, knowing it may be part of an attack.
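The rate-tracking defense just described, as an added example that is not code from the ForNet paper: a counting Bloom filter keeps a per-source-host packet count over a sliding window, and a SynApp treats every packet that pushes a host past the threshold as excess to be sampled. The window length, threshold, SHA-256 slot derivation and the sample trace with its addresses are all assumptions of this example.

```python
import hashlib
from collections import deque

class CountingBloomFilter:
    """Bloom filter whose slots are counters, so entries can be removed again."""
    def __init__(self, size=1024, k=3):
        self.size, self.k, self.counters = size, k, [0] * size

    def _slots(self, key):
        # k slot indices carved from one SHA-256 digest (assumed hashing scheme)
        d = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.size for i in range(self.k)]

    def add(self, key):
        for s in self._slots(key):
            self.counters[s] += 1

    def remove(self, key):
        for s in self._slots(key):
            self.counters[s] = max(0, self.counters[s] - 1)

    def count(self, key):
        # min over the key's slots: never below the true count, rarely above it
        return min(self.counters[s] for s in self._slots(key))

class ArrivalRateMonitor:
    """Per-host packet arrival rate over a sliding window, kept in a counting Bloom filter."""
    def __init__(self, window_secs, threshold):
        self.window, self.threshold = window_secs, threshold
        self.cbf, self.history = CountingBloomFilter(), deque()  # history: (ts, host)

    def observe(self, ts, host):
        # forget packets that fell out of the window, then record the new one
        while self.history and self.history[0][0] <= ts - self.window:
            self.cbf.remove(self.history.popleft()[1])
        self.history.append((ts, host))
        self.cbf.add(host)
        # True means: arrival rate exceeds the threshold, treat this packet as excess
        return self.cbf.count(host) > self.threshold

def flag_excess(packets, window_secs=1.0, threshold=5):
    """Indices of packets (ts, src) a SynApp would sample as possible cloak traffic."""
    mon = ArrivalRateMonitor(window_secs, threshold)
    return [i for i, (ts, src) in enumerate(packets) if mon.observe(ts, src)]

# constructed sample trace: a quiet host, a bursting host, then the same host after the window
PACKETS = ([(0.1, "10.0.0.2"), (0.2, "10.0.0.9")]
           + [(0.3 + 0.01 * i, "10.0.0.9") for i in range(8)]
           + [(2.5, "10.0.0.9")])
```

With the constructed trace, `flag_excess(PACKETS)` returns `[6, 7, 8, 9]`: the burst's sixth to ninth packets within one second exceed the threshold of 5, while the packet at 2.5 s arrives after the window has drained and is not flagged.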