Check out the new USENIX Web site. next up previous
Next: Crash attacks Up: Attacks on the monitor Previous: Attacks on the monitor

Overload attacks

We term an attack as an overload if the goal of the attack is to overburden the monitor to the point where it fails to keep up with the data stream it must process. The attack has two phases, the first in which the attacker drives the monitor to the point of overload, and the second in which the attacker attempts a network intrusion. The monitor would ordinarily detect this second phase, but fails to do so--or at least fails to do so with some non-negligible probability--because it is no longer tracking all of the data necessary to detect every current threat.

It is this last consideration, that the attack might still be detected because the monitor was not sufficiently overwhelmed, that complicates the use of overload attacks; so, in turn, this provides a defensive strategy, namely to leave some doubt as to the exact power and typical load of the monitor.

Another defensive strategy is for the monitor to shed load when it becomes unduly stressed (see [CT94] for a discussion of shedding load in a different context). For example, the monitor might decide to cease to capture HTTP packets, as these form a high proportion of the traffic. Of course, if the attacker knows the form of load-shedding used by the monitor, then they can exploit its consequent blindness and launch a now-undetected attack.

For Bro in particular, to develop an overload attack one might begin by inspecting Figure 1 to see how to increase the data flow. One step is to send packets that match the packet filter; another, packet streams that in turn generate events; and a third, events that lead to logging or recording to disk.

The first of these is particularly easy, because the libpcap filter used by Bro is fixed. One defense against it is to use a hardware platform with sufficient processing power to keep up with a high volume of filtered traffic, and it was this consideration that lead to our elaborating the goal of ``no packet filter drops'' in § 1. The second level of attack, causing the engine to generate a large volume of events, is a bit more difficult to achieve because Bro events are designed to be lightweight. It is only the events for which the policy specifies quite a bit of work that provide much leverage for an attack at this level, and we do not assume that the attacker has access to the policy scripts. This same consideration makes an attack at the final level--elevating the logging or recording rate--difficult, because the attacker does not necessarily know which events lead to logging.

Finally, to help defend against overload attacks, the event engine generates a net_stats_update event every T seconds. The value of this event gives the number of packets received, the number dropped by the packet filter due to insufficient buffer, and the number reported dropped by the network interface because the kernel failed to consume them quickly enough. Thus, Bro scripts at least have some basic information available to them to determine whether the monitor is becoming overloaded.

next up previous
Next: Crash attacks Up: Attacks on the monitor Previous: Attacks on the monitor

Vern Paxson
Sat Dec 6 01:53:24 PST 1997