Multipath TCP IDS Evasion and Mitigation

  • Zeeshan AfzalEmail author
  • Stefan Lindskog
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


The existing network security infrastructure is not ready for future protocols such as Multipath TCP (MPTCP). The outcome is that middleboxes are configured to block such protocols. This paper studies the security risk that arises if future protocols are used over unaware infrastructures. In particular, the practicality and severity of cross-path fragmentation attacks utilizing MPTCP against the signature-matching capability of the Snort intrusion detection system (IDS) is investigated. Results reveal that the attack is realistic and opens the possibility to evade any signature-based IDS. To mitigate the attack, a solution is also proposed in the form of the MPTCP Linker tool. The work outlines the importance of MPTCP support in future network security middleboxes.


IDS evasion Multipath transfers TCP Snort Middleboxes 



The work was carried out in the High Quality Networked Services in a Mobile World (HITS) project, funded partly by the Knowledge Foundation of Sweden. The authors are grateful for the support provided by Catherine Pearce of Cisco.


  1. 1.
    Advanced Reference Archive of Current Heuristics for NIDS: Arachnids event signatures export for snort (2000–2001).,
  2. 2.
    Afzal, Z.: MPTCP-Linker (2015).
  3. 3.
    Afzal, Z., Lindskog, S.: Automated testing of IDS rules. In: Proceedings of the 8th International Conference on Software Testing, Verification and Validation Workshops (ICSTW), pp. 1–2. IEEE, April 2015Google Scholar
  4. 4.
    Armitage, G., Williams, N., et al.: FreeBSD kernel patch to enable Multipath TCP (2014).
  5. 5.
    Bonaventure, O.: Apple seems to also believe in Multipath TCP (2013).
  6. 6.
    Braun, M.B., Paasch, C., Gont, F., Bonaventure, O., Raiciu, C.: Analysis of MPTCP Residual Threats and Possible Fixes. Internet Draft draft-ietf-mptcp-attacks-02, IETF (2014).
  7. 7.
    Detal, G.: MPTCP-enabled kernel for the nexus 5 (2014).
  8. 8.
    Detal, G., Paasch, C., Bonaventure, O.: Multipath in the middle (box). In: Proceedings of the 2013 Workshop on Hot Topics in Middleboxes and Network Function Virtualization, pp. 1–6. ACM (2013)Google Scholar
  9. 9.
    Ford, A., Raiciu, C., Handley, M., Bonaventure, O., et al.: TCP extensions for multipath operation with multiple addresses. Experimental RFC 6824, IETF (2013).
  10. 10.
    Giovanni, C.: Fun with packets: Designing a stick (2002).
  11. 11.
    Han, H., Shakkottai, S., Hollot, C., Srikant, R., Towsley, D.: Multi-path TCP: a joint congestion control and routing scheme to exploit path diversity in the internet. IEEE/ACM Trans. Networking 14(6), 1260–1271 (2006)CrossRefGoogle Scholar
  12. 12.
    Honda, M., Nishida, Y., Raiciu, C., Greenhalgh, A., Handley, M., Tokuda, H.: Is it still possible to extend TCP? In: Proceedings of the 11th ACM SIGCOMM Internet Measurement Conference (IMC), pp. 181–194. ACM (2011)Google Scholar
  13. 13.
    Huitema, C.: Multi-homed TCP. Internet Draft draft-huitema-multi-homed-01, IETF (1995).
  14. 14.
    Langley, A.: Probing the viability of TCP extensions (2008).
  15. 15.
    Lopez, E.: Multipath TCP middlebox behavior. Internet Draft draft-lopez-mptcp-middlebox-00, IETF (2014).
  16. 16.
    Manev, P.: Rule2alert (2014).
  17. 17.
    Münz, G., Weber, N., Carle, G.: Signature detection in sampled packets. In: Proceedings of the Workshop on Monitoring, Attack Detection and Mitigation (MonAM). IEEE (2007)Google Scholar
  18. 18.
    Mutz, D., Vigna, G., Kemmerer, R.: An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems. In: Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC), pp. 374–383. IEEE (2003)Google Scholar
  19. 19.
    Nodejitsu: http-server (2014).
  20. 20.
    Paasch, C., Barré, S., et al.: Multipath TCP implementation (v0.88) in the Linux kernel (2013).
  21. 21.
    Patton, S., Yurcik, W., Doss, D.: An achilles heel in signature-based IDS: squealing false positives in SNORT. In: Proceedings of 4th International Symposium on Recent Advances in Intrusion Detection (RAID) (2001)Google Scholar
  22. 22.
  23. 23.
    Pearce, C., Thomas, P.: Multipath TCP: breaking today’s networks with tomorrow’s protocols. In: Black Hat USA, August 2014Google Scholar
  24. 24.
    Roesch, M., et al.: Snort: lightweight intrusion detection for networks. In: Proceedings of the 13th Conference on Systems Administration, pp. 229–238 (1999)Google Scholar
  25. 25.
    Stallman, R.: GNU General Public License, version 2 (1991)Google Scholar
  26. 26.
    Stewart, R.: Stream control transmission protocol. RFC 4960, IETF (2007).
  27. 27.
    The Snort Team: Snort official website.
  28. 28.
    Thomas, P.: mptcp-abuse (2014).
  29. 29.
    Wischik, D., Handley, M., Braun, M.B.: The resource pooling principle. ACM SIGCOMM Comput. Commun. Rev. 38(5), 47–52 (2008)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Karlstad UniversityKarlstadSweden

Personalised recommendations