CTCP: Centralized TCP Router
Group Members:
Project Description:
Many solutions to network security problems can be more easily developed in a centralized TCP (CTCP) architecture, in which an organization's edge router transparently proxies every TCP connection between an internal host and an external host on the Internet. This project designs and implements two CTCP router prototypes, one inside the Linux kernel and the other in user space. By responding to probe packets directly, the CTCP router thwarts all OS fingerprinting attempts. By redirecting traffic targeting non-existent hosts or non-public ports to a CTCP socket, the CTCP router defeats most port-scanning attempts. By interacting with remote hosts that attempt to connect to non-existent hosts or ports, the CTCP router is able to identify attacking hosts. By further checking the payloads of packets coming from suspected attacking hosts, the CTCP router can identify buffer overflow attacks in real time. Finally, the CTCP router solves the TCP connection hijacking problem by introducing an additional check on the sequence number field of incoming packets.
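To make the router's per-packet decisions concrete, the following is an added Python model (illustrative code, not the project's kernel or user-space prototype): it diverts SYNs aimed at non-existent hosts or non-public ports to a sink socket, flags a source after repeated diversions, and drops data segments whose sequence number falls outside the receive window the proxy endpoint expects. The host/port table, the scan threshold and the exact window check are assumptions made here; the page does not specify them.

```python
from collections import defaultdict

# Constructed picture of the protected network: internal host -> ports open to the public.
PUBLIC_SERVICES = {"10.0.0.5": {80, 443}, "10.0.0.6": {25}}
SCAN_THRESHOLD = 3      # assumed: misdirected SYNs from one source before it is flagged
DEFAULT_WND = 65535     # assumed receive window advertised by the proxy endpoint
MOD = 1 << 32           # TCP sequence numbers wrap modulo 2**32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class CtcpRouter:
    def __init__(self):
        self.sink_hits = defaultdict(int)   # external source -> SYNs absorbed by the sink
        self.flows = {}                     # (src, dst, dport) -> [rcv_nxt, rcv_wnd]

    def handle_syn(self, src, dst, dport, isn):
        """Route an inbound SYN: proxy it to a real service or absorb it in the sink."""
        if dport in PUBLIC_SERVICES.get(dst, ()):
            # The proxy terminates the connection, so it knows the exact expected seq.
            self.flows[(src, dst, dport)] = [(isn + 1) % MOD, DEFAULT_WND]
            return "proxy"
        # Non-existent host or non-public port: answer from the CTCP socket instead.
        self.sink_hits[src] += 1
        return "sink"

    def is_scanner(self, src):
        """A source that keeps probing dark hosts/ports looks like a port scanner."""
        return self.sink_hits[src] >= SCAN_THRESHOLD

    def handle_data(self, src, dst, dport, seq, length):
        """Accept a data segment only if it belongs to a known flow and is in-window."""
        flow = self.flows.get((src, dst, dport))
        if flow is None:
            return "drop:no-flow"
        rcv_nxt, rcv_wnd = flow
        if not seq_in_window(seq, rcv_nxt, rcv_wnd):
            return "drop:out-of-window"       # candidate injected/hijack segment
        if seq == rcv_nxt:                    # in-order: advance the expected seq
            flow[0] = (rcv_nxt + length) % MOD
        return "accept"
```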
Motivation:
Following are some of the major motivations for the CTCP architecture:
- Security: CTCP enhances the security of the IT infrastructure of an organization in three different ways:
  - Obviating the need to maintain the most secure versions of TCP/IP implementations on Internet-connected hosts.
  - Actively performing traffic normalization for external data traffic entering/exiting the organization (thus discouraging footprinting attempts and defeating evasion attacks on network intrusion detection systems).
  - Providing a suitable infrastructure for writing honeypot applications at user level.
- Performance: Another motivation behind CTCP is to improve the performance of short-lived TCP connections by congestion state sharing, i.e. utilizing congestion window information from recent connections going to the same subnets [ATCP].
- QoS: CTCP allows flow aggregation, which could reduce the amount of state in the backbone routers and thus provide support for hierarchical QoS.
- Power Management / TCP Performance in Wireless LANs: Traffic prediction at the access points is one of the key requirements for deciding the sleep times of wireless devices with limited battery power. The CTCP architecture gives complete user-level control of traffic at the TCP level, making it easier to modify for specific implementations.
Results:
On a 1.1 GHz Pentium-3 machine with gigabit Ethernet interfaces, the throughput of the kernel-based CTCP router is 420.3 Mbits/sec, whereas the throughput of a generic Linux router on the same hardware is only 409.1 Mbits/sec when providing all the protection the CTCP router is designed for.
Publication:
- Fu-Hau Hsu and Tzi-cker Chiueh, ``CTCP: A Transparent Centralized TCP/IP Architecture for Network Security,'' June 2004. Annual Computer Security Applications Conference (ACSAC 2004), Tucson, Arizona, Dec. 2004.
- Fu-Hau Hsu, Tzi-cker Chiueh, Jiawu Chen, and Ashish Raniwala, ``A Network Defense Platform Based on Transparent TCP Proxying,'' submitted to DSN 2005.
Related Work:
- Prashant Pradhan, Tzi-cker Chiueh, Anindya Neogi, SUNY Stony Brook. Aggregate TCP Congestion Control Using Multiple Network Probing. ICDCS 2000.
- M. Handley, C. Kreibich and V. Paxson. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proc. USENIX Security Symposium 2001.
- Ajay Bakre, B.R. Badrinath. I-TCP: Indirect TCP for Mobile Hosts. 15th International Conference on Distributed Computing Systems.
- Vern Paxson, Network Research Group, LBNL. Bro: A System for Detecting Network Intruders in Real-Time.
- Snort - The Open Source Network Intrusion Detection System.
- Google Web Directory on "Proxy"
- SOCKS - IETF standard proxy protocol
- Linux Transparent Proxy
- SANS Institute. Anatomy of a Stateful Firewall.
- David A. Maltz, Pravin Bhagwat. TCP Splicing for Application Layer Proxy Performance.
- Pietikainen, P. Hardware-Assisted Networking Using Scheduled Transfer Protocol on Linux.
- Ian Pratt and Keir Fraser, Computer Laboratory University. Arsenic: A User-Accessible Gigabit Ethernet Interface. IEEE INFOCOM 2001.
- Honeypots:
  - Lance Spitzner. Honeypots. Book News, Inc.
  - The Honeynet Project, Lance Spitzner, Bruce Schneier. Know Your Enemy.
  - Kevin D. Mitnick, William L. Simon. The Art of Deception.
Last modified: 8/11/04