• DocumentCode
    2081412
  • Title

    An Efficient TCP Reassembler Mechanism for Layer7-aware Network Intrusion Detection/Prevention Systems

  • Author

    Hanaoka, Miyuki ; Kono, Kenji ; Shimamura, Makoto ; Yamaguchi, Satoshi

  • Author_Institution
    Keio Univ., Keio
  • fYear
    2007
  • fDate
    1-4 July 2007
  • Firstpage
    79
  • Lastpage
    86
  • Abstract
    Exploiting layer-7 context is an effective approach to improving the accuracy of detecting malicious messages in network intrusion detection/prevention systems (NIDS/NIPSs). Unfortunately, layer7-aware NIDS/NIPSs pose crucial implementation issues because they require full TCP/IP reassembly without losing (1) complete prevention, (2) performance, (3) application transparency, or (4) transport transparency. To the best of our knowledge, none of the existing approaches meet all of these requirements. Our store-through mechanism does this by forwarding each out-of-order or IP-fragmented packet immediately after copying it, even if it has not been checked yet. Although the forwarded packet might turn out to be part of an attack, the store-through can still defend against the attack by blocking one of the subsequent packets. Testing of a prototype in Linux kernel 2.4.30 demonstrated that the overhead of our mechanism is negligible compared with that of a simple IP forwarder, even in the presence of out-of-order packets.
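    The following toy model illustrates the store-through idea described in the abstract: an out-of-order segment is copied and forwarded before it can be inspected, and once the gap-filling segment makes the in-order stream match an attack, that later segment is dropped. Because the receiver's TCP never delivers out-of-order data to the application until the gap is filled, blocking the gap-filler is enough to prevent the attack. This is an added simulation written for this page, not the authors' Linux 2.4.30 prototype; the segment trace, the detection signature `SIGNATURE`, the `Flow`/`StoreThroughReassembler` names and the single-direction, single-flow bookkeeping are all assumptions made here.

```python
"""Toy store-through TCP reassembler, modelled on the mechanism summarised in
the abstract above. Added illustration, not the paper's kernel code: segment
layout, the signature and the flow bookkeeping are constructed for this example."""
from dataclasses import dataclass, field

# Constructed layer-7 signature; a real NIPS would run a proper detector.
SIGNATURE = b"GET /cgi-bin/evil"

FORWARD = "forward"
DROP = "drop"


@dataclass
class Flow:
    next_seq: int                                  # next in-order byte the inspector expects
    pending: dict = field(default_factory=dict)    # seq -> copy of a not-yet-contiguous segment
    inspected: bytes = b""                         # contiguous bytes the detector has seen
    blocked: bool = False                          # set once an attack is confirmed


class StoreThroughReassembler:
    """One TCP direction of one flow, sitting inline between sender and receiver."""

    def __init__(self, isn: int):
        self.flow = Flow(next_seq=isn)
        self.log = []                              # (seq, decision, reason) per segment

    def _attack_seen(self) -> bool:
        return SIGNATURE in self.flow.inspected

    def handle(self, seq: int, payload: bytes) -> str:
        f = self.flow
        if f.blocked:
            # Retransmissions of the dropped segment must keep failing, otherwise the
            # receiver's TCP would eventually fill the gap and deliver the attack.
            self.log.append((seq, DROP, "flow already blocked"))
            return DROP
        if seq < f.next_seq:
            # Retransmission of data that was already inspected (toy model: partial
            # overlap with uninspected data is not handled).
            self.log.append((seq, FORWARD, "retransmission of inspected data"))
            return FORWARD

        # "Store": keep a copy whether or not the segment is in order.
        f.pending[seq] = payload

        # Drain whatever is now contiguous into the inspected stream.
        while f.next_seq in f.pending:
            chunk = f.pending.pop(f.next_seq)
            f.inspected += chunk
            f.next_seq += len(chunk)

        if self._attack_seen():
            # The in-order stream now contains the attack. Dropping this segment is
            # enough: earlier out-of-order segments were forwarded, but the receiver's
            # TCP holds them in its reassembly queue and will not hand them to the
            # application while the gap this segment would have filled stays open.
            f.blocked = True
            self.log.append((seq, DROP, "attack completed by this segment"))
            return DROP

        # "Through": forward immediately, including segments that could not be
        # inspected yet because a gap precedes them.
        if seq in f.pending:
            reason = "out-of-order, forwarded before inspection"
        else:
            reason = "in-order, inspected"
        self.log.append((seq, FORWARD, reason))
        return FORWARD


def run_trace(isn: int, segments) -> list:
    """Feed (seq, payload) segments in arrival order; return the decision for each."""
    r = StoreThroughReassembler(isn)
    return [r.handle(seq, payload) for seq, payload in segments]


if __name__ == "__main__":
    # Constructed trace: the attack is split across two segments that arrive out
    # of order, so the second half is forwarded before it can be inspected.
    attack = [
        (10, b"in/evil HTTP/1.0\r\n"),   # arrives first: gap at 0..10, forwarded unchecked
        (0, b"GET /cgi-b"),              # fills the gap, completes the signature: dropped
        (0, b"GET /cgi-b"),              # sender retransmits: still dropped
    ]
    benign = [
        (0, b"GET /index.html HTTP/1.0\r\n"),
        (26, b"Host: example.test\r\n"),
    ]
    print(run_trace(0, attack))    # ['forward', 'drop', 'drop']
    print(run_trace(0, benign))    # ['forward', 'forward']
```

    The model makes the abstract's trade-off concrete: a store-and-forward reassembler would hold the segment at sequence 10 until the gap was filled, adding delay and breaking transport transparency, whereas store-through lets it through at once and pays for that only with the copy. The defence rests on the receiver's TCP stack behaving normally (out-of-order data is queued, not delivered), which is why the abstract lists transport transparency as a requirement rather than an optional property.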
  • Keywords
    IP networks; security of data; transport protocols; IP-fragmented packet; Linux kernel; TCP reassembler mechanism; application transparency; network intrusion detection; network prevention system; transport transparency; Delay; Intrusion detection; Kernel; Linux; Out of order; Protocols; Prototypes; TCPIP; Telecommunication traffic; Throughput;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computers and Communications, 2007. ISCC 2007. 12th IEEE Symposium on
  • Conference_Location
    Aveiro
  • ISSN
    1530-1346
  • Print_ISBN
    978-1-4244-1520-5
  • Electronic_ISBN
    1530-1346
  • Type

    conf

  • DOI
    10.1109/ISCC.2007.4381605
  • Filename
    4381605