978-1-4577-0351-5/11/$26.00 © 2011 IEEE

Defeating NIDS evasion in Mobile IPv6 networks

Michele Colajanni, Luca Dal Zotto, Mirco Marchetti, Michele Messori
Department of Information Engineering
University of Modena and Reggio Emilia
Modena, Italy
{michele.colajanni, luca.dalzotto, mirco.marchetti, michele.messori}@unimore.it

Abstract

The diffusion of mobile devices and of technologies supporting transparent network mobility can have detrimental effects on network security. We describe how an attacker can leverage mobility in IPv6 networks to perpetrate known attacks while evading detection by state-of-the-art Network Intrusion Detection Systems (NIDSs). We then propose a new defense strategy based on the exchange of state information among distributed NIDSs. We demonstrate the effectiveness of the proposed solution through a prototype implementation, evaluated experimentally in a Mobile IPv6 network.

Keywords: network intrusion detection; NIDS state migration; mobility-based NIDS evasion; Mobile IPv6

I. INTRODUCTION

The number and the computational power of Internet-enabled mobile devices are increasing rapidly. Netbooks, smartphones and tablet PCs allow users to be always connected, thus encouraging the diffusion of new services as well as mobile versions of existing services, ranging from social networking to mobile banking. For these reasons, the adoption of network technologies that support transparent node mobility (i.e., the ability to roam between different networks without interrupting open connections) is increasing as well. One of the most promising solutions is the mobility extension of IPv6 (Mobile IPv6 [1]), which is expected to become the network layer of the Internet and of upcoming 4G networks (e.g. LTE-Advanced [2]). While transparent node mobility offers important new opportunities, it also introduces new security risks.

In particular, we have recently observed that an attacker can exploit transparent node mobility to perform "stealth" network attacks, which are not detectable even by stateful, state-of-the-art Network Intrusion Detection Systems (NIDS) [3]. The first contribution of this paper is the description of several strategies that an attacker can implement to evade NIDSs in networks that support the Mobile IPv6 protocol. These evasion techniques are not caused by flaws in any NIDS implementation [4]–[6]. They are the direct consequence of node mobility and of specific characteristics of Mobile IPv6, such as Route Optimization. Moreover, they are immediately applicable in all the networks that support this protocol.

The second contribution of this paper is the design of a new NIDS cooperation strategy based on the exchange of state information [7] among distributed, stateful NIDSs. The proposed solution prevents an attacker from exploiting node mobility to evade detection and does not require any modification to the Mobile IPv6 protocol or to the hardware and software of mobile nodes. We demonstrate the viability of the proposed solution by implementing a prototype based on open source software, whose effectiveness and performance are experimentally evaluated in a realistic network scenario.

The strategies that allow an attacker to evade NIDS detection in Mobile IPv6 networks are described in Section II. Our solution for defeating mobility-based NIDS evasion is presented in Section III. The implementation details of the prototype used for experimental evaluation are discussed in Section IV. The network testbed and the experimental results are presented in Section V. Section VI compares our work with previous papers in the fields of NIDS evasion and parallel and distributed NIDS architectures. Section VII concludes the paper and outlines future work.

II. NIDS EVASION IN MOBILE IPV6 NETWORKS

Mobility-based evasion, described for the first time in [3], is a NIDS evasion technique that allows an attacker to avoid detection by exploiting network mobility. In this paper we consider three different mobility-based evasion scenarios in Mobile IPv6 networks: mobile attacker and fixed victim; mobile victim and fixed attacker; and mobile victim and mobile attacker, described in Sections II-A, II-B, and II-C, respectively. In all these scenarios we assume that: both the Home Network and the Foreign Network are monitored by a state-of-the-art stateful NIDS; the attacker tries to exploit a remote vulnerability of the victim by sending a malicious payload to it; it is possible to divide the malicious payload into (at least) two portions; a NIDS is not able to detect the attack by analyzing only a portion of the malicious payload. Experimental results described in Section V show that all these assumptions can be easily met in realistic network topologies and with real network-based attacks. We remark that all the evasion strategies described below are not caused
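The detection gap that Section II relies on, and the state-exchange defense the paper proposes, modelled as an added example (not the paper's prototype): two stateful NIDS instances each reassemble per-flow bytes and match a signature, and a flow's reassembly buffer is either dropped or handed from the Home Network NIDS to the Foreign Network NIDS at handover. The signature bytes, flow key and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a NIDS content rule; an attack whose payload can be
# split so that no single portion matches corresponds to the paper's assumption.
SIGNATURE = b"EXPLOIT-PATTERN"


@dataclass
class StatefulNIDS:
    """Minimal stateful NIDS: reassembles each flow and matches SIGNATURE."""
    name: str
    flows: dict = field(default_factory=dict)   # flow key -> reassembled bytes
    alerts: list = field(default_factory=list)

    def observe(self, flow, segment: bytes) -> bool:
        buf = self.flows.get(flow, b"") + segment
        self.flows[flow] = buf
        hit = SIGNATURE in buf
        if hit:
            self.alerts.append((self.name, flow))
        return hit

    def export_state(self, flow) -> bytes:
        # State handed to the NIDS of the network the node roams into.
        return self.flows.pop(flow, b"")

    def import_state(self, flow, buf: bytes) -> None:
        # Imported bytes precede anything already seen locally for this flow.
        self.flows[flow] = buf + self.flows.get(flow, b"")


def run_scenario(migrate_state: bool) -> bool:
    """Mobile attacker / fixed victim: first half sent from the Home Network,
    second half after handover from the Foreign Network. Returns True if any
    NIDS raised an alert."""
    home, foreign = StatefulNIDS("home"), StatefulNIDS("foreign")
    # Flow keyed on the mobile node's home address (assumption: it is constant
    # across handover, unlike the care-of address) plus the victim endpoint.
    flow = ("2001:db8:1::10", 40000, "2001:db8:2::80", 80)   # constructed
    part1, part2 = SIGNATURE[:7], SIGNATURE[7:]             # neither matches alone
    home.observe(flow, part1)
    if migrate_state:
        foreign.import_state(flow, home.export_state(flow))  # state exchange
    foreign.observe(flow, part2)
    return bool(home.alerts or foreign.alerts)
```

With `migrate_state=False` neither sensor ever holds the whole payload and no alert fires; with the buffer migrated at handover the Foreign Network NIDS completes the match.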