TCP/IP Reassembly in Network Intrusion Detection and Prevention Systems

Xiaojun Wang (Dublin City University, Dublin, Ireland) and Brendan Cronin (Dublin City University, Dublin, Ireland)
Copyright: © 2014 | Pages: 14
DOI: 10.4018/IJISP.2014070104


Deep Packet Inspection (DPI) in Network Intrusion Detection and Prevention Systems (NIDPS) typically involves the matching of packet payloads against attack signatures in the form of fixed strings and regular expressions. As an attack pattern may span multiple IP fragments or TCP segments, accurate DPI requires that the traffic is reassembled prior to analysis of the payload data stream. Although hardware acceleration of the TCP layer, including reassembly, is well known in the form of TCP Offload Engines for Network Interface Cards, only limited research has been conducted into reassembly architectures suited to the particular requirements of DPI systems. The challenging requirements include the tracking and fragment/segment reordering of a potentially very large number of streams, in addition to dealing with subtle ambiguities in IP fragmentation and TCP segmentation using target-based reassembly or traffic normalization. In this article, the authors present a combined hardware and software architecture which harnesses the resources of the latest FPGA technology to improve on existing research proposals.
Article Preview


Network Intrusion Detection and Prevention Systems (NIDPS), either standalone or integrated into firewalls, are important elements of network security. Their role is to monitor internet traffic for malicious content and, on detection, generate an alert message and/or block the offending traffic. In signature-based systems, Deep Packet Inspection (DPI) is used to examine the data streams of each connection for the presence of attack patterns listed in a database of rules known as the rule set. Signatures are typically in the form of fixed strings or regular expressions, or a combination of both. However, in order to correctly analyze network traffic, the NIDPS must first reassemble any IP fragments or TCP segments before performing DPI on the reconstructed data stream.

Performing TCP/IP tracking and reassembly in software at high traffic speeds places a very heavy workload on the processor due to the amount of memory copying and the potentially huge number of flows that need to be tracked. TCP Offload Engine (TOE) technology is available to reduce the load on server CPUs by shifting TCP layer processing to the Network Interface Card (NIC). Several commercial hardware IP cores are available as building blocks for ASIC and FPGA designs, e.g. from Intilop Corp. (2013) and PLDA (2012). However, these solutions are aimed at end host systems and are not suitable for performing connection tracking and reassembly in DPI solutions on intermediate hosts.

Most existing research proposals on TCP/IP reassembly for NIDPS are either fully software based (Novak & Sturges, 2007) or fully hardware based (Necker et al., 2002; Schuehler & Lockwood, 2004). In this article we describe a hybrid architecture which splits the processing between a slow path and a fast path, as shown in Figure 1. The fast path handles the most frequent tasks that can take advantage of the parallelism of hardware logic, while the slow path handles the less frequent but more involved tasks that are more suitable for software implementation. The outlined architecture is based on the Xilinx Zynq-7100 System on Chip (SoC) with built-in hard dual-core ARM processor, but is equally applicable to any suitable FPGA or ASIC device with an internal or external CPU and sufficient internal memory.

Figure 1. Hybrid software-hardware processing



IP fragmentation occurs in a network node if the size of the packets exceeds the Maximum Transmission Unit (MTU) of the outgoing interface. IP fragmentation at intermediate nodes is usually avoided by using the technique of Path MTU Discovery (PMTUD), which determines the minimum MTU for the entire path from source to destination node. As the UDP protocol does not perform payload fragmentation, IP fragmentation most commonly occurs for UDP traffic at the source node. The TCP protocol, however, does perform fragmentation, known as TCP segmentation, if the data size is greater than the Maximum Segment Size (MSS). The MSS value is negotiated during connection establishment and its value usually ensures that fragmentation is avoided at the IP layer.

TCP/IP reassembly is a complex task due to the possibility of out-of-order, overlapping and duplicate fragments or segments. An added complication for an intermediate node, such as an NIDPS, is that there are subtle differences in how various operating systems (OS) perform reassembly due to different interpretations of the standards. In order to avoid the possibility of evasion or insertion attacks (Ptacek & Newsham, 1998), an NIDPS must either perform target-based reassembly (Novak & Sturges, 2007) or traffic normalization/scrubbing (Malan et al., 2000).
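As an added illustration of this ambiguity (example code written for this page, not part of the authors' architecture): a minimal Python reassembler whose overlap policy is a parameter, alongside a check that flags the conflicting overlaps a normalizer would act on. The `Segment` class, `reassemble`, `find_conflicts` and the sample segments are all constructed here; the two policies are simplified stand-ins for the OS-specific behaviours the article refers to.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes

def reassemble(segments, policy="favor_old"):
    """Rebuild the contiguous byte stream starting at relative seq 0.

    Segments may arrive out of order, duplicated or overlapping. The policy
    decides which byte wins when two segments disagree about one offset:
    "favor_old" keeps the first-arrived byte, "favor_new" lets later data
    overwrite it. Real stacks use these and other, more complex, policies.
    """
    stream = {}  # offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off not in stream or policy == "favor_new":
                stream[off] = b
    out = bytearray()
    while len(out) in stream:   # stop at the first hole (missing segment)
        out.append(stream[len(out)])
    return bytes(out)

def find_conflicts(segments):
    """Offsets where overlapping segments carry different bytes.

    A traffic normalizer would alert on or drop such segments, because the
    NIDPS cannot know which byte the end host will accept without knowing
    that host's reassembly policy (target-based reassembly).
    """
    seen, conflicts = {}, set()
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                conflicts.add(off)
            seen.setdefault(off, b)
    return sorted(conflicts)

# Constructed sample: the segment at seq 11 arrives before the one at seq 6,
# and a later segment re-sends offsets 6-10 with different content.
SAMPLE = [Segment(0, b"HELLO "), Segment(11, b"\n"),
          Segment(6, b"WORLD"), Segment(6, b"THERE")]

if __name__ == "__main__":
    print(reassemble(SAMPLE, "favor_old"))   # b'HELLO WORLD\n'
    print(reassemble(SAMPLE, "favor_new"))   # b'HELLO THERE\n'
    print(find_conflicts(SAMPLE))            # [6, 7, 8, 9, 10]
```

The same four segments yield two different streams depending on the policy, which is exactly the gap an evasion or insertion attack exploits and why the NIDPS must either model the target's policy or normalize the traffic before DPI.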
