Transport and application protocol scrubbing

Abstract

This paper describes the design and implementation of a protocol scrubber, a transparent interposition mechanism for explicitly removing network attacks at both the transport and application protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems; whereas the application scrubbing mechanism supports transparent fail-closed active network-based intrusion detection systems. The transport scrubber's role is to convert ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. As an example, this paper presents the implementation of a TCP/IP scrubber that eliminates insertion and evasion attacks-attacks that use ambiguities to subvert detection-on passive network-based intrusion detection systems, while preserving high performance. The application protocol scrubbing mechanism is used as a substrate for building fail-closed active network based intrusion detections systems that can respond to attacks by eluding or modifying application data flows in real-time. This paper presents the high performance implementation of a general purpose transparent application-level scrubbing toolkit in the FreeBSD kernel.