Very Fast containment of Scanning Worms Presented by Vinay Makula

Introduction Computer Worms: malicious, self propagating programs Containment: limit a worm’s spread by isolating it in a small subsection of the network

Worm Containment Detecting infected machines and preventing them from contacting further hosts Implementation aspects: Breaking network into small pieces called cells Lowering false positives

Scanning Worms Operate by picking random addresses, attempting to infect them Linear scanning (Ex. Blaster) Fully random (Ex. Code Red) Bias toward local addresses (Ex. Code Red II & Nimda) Permutation scanning

Scanning Worms Properties: Most scanning attempts result in failure Infected machines will institute many connection attempts Containment: Seeks a class of behavior rather than specific worm signatures

Epidemic Threshold Worm-suppression device must necessarily allow some scanning before it triggers a response Worm may find a victim during that time

Epidemic Threshold The epidemic threshold depends on: The sensitivity of the containment response devices The density of vulnerable machines on the network The degree to which the worm is able to target its efforts into the correct network, and even into the current cell

Sustained Scanning Threshold If worm scans slower than sustained scanning threshold, the detector will not trigger In this implementation threshold set to 1 scan per minute.

Scan Suppression Respond to detected portscans by blocking future scanning attempts Two types of Portscans: Horizontal – search for identical service on large number of machines Vertical – examine an individual machine to discover running services

Threshold Random Walk (TRW) The algorithm operates by using an oracle to determine if a connection will fail or succeed A successfully completed connection will drive the random walk upwards A failure to connect drives the random walk downwards

Scan detection algorithm Advantages Suitable for both hardware and software implementation No changes in the false positive rate Disadvantages Increased false negative rate Worms can still evade detection

Hardware Implementation Constraints: Memory access speed During transmission of minimum-sized gigabit Ethernet packet, need to access a DRAM at 8 different locations or 4 accesses for full duplex Use SRAM to solve the problem but it is more expensive

Hardware Implementation Memory size SRAM currently only hold a few tens of megabytes DRAM can hold up to a gigabyte Try to keep memory size small (5MB) so that both are options

Approximate Cache The information we’d like to store can exceed the fixed volume of memory Hence use approximate cache: for which collisions cause imperfections Advantages: Keep the memory bounded Allow for very simple lookups

Attacking the Cache Predicting the hash Create collisions to evict or combine data to cause false positives or negatives Flooding the Cache Massive amounts of normal data to hide the true attack

Approximation of TRW Track connections and addresses using approximate caches Track success and failure of connection attempts to New address New address to old ports Old ports at old addresses Track addresses indefinitely

The Structure

The structure Connection Cache: It tracks whether the connection has been established in either direction Address Cache: It keeps tracks of detected addresses, and records in “count” the difference between number of failed and successful connections

Condition 1

Condition 2

Condition 3

Blocking and special cases If count is greater than a predefined threshold, it is blocked Only already existing connections are maintained Dropped unless session already exists TCP RST, RST+ACK, SYN+ACK, FIN, FIN+ACK

Evaluation A gigabit link connects 6000 hosts connected to the internet The link sustains Mbps and 8-15K packets/sec In a day: 20M external connection attempts 2M internally initiated connection attempts Main trace: Lasted 72 minutes 44M packets were generated of which, external hosts, and 131K internal addresses Captured using Tcpdump

Evaluation All outbound connections over a threshold of 5 were flagged by the algorithm

Evaluation Additional alerts on the outbound traffic generated when sensitivity was increased

Cooperation Every containment device knows how many blocks the other containment devices currently have Each device use the above information to adjust its response threshold

Cooperation Reduces Threshold by where θ controls how aggressively to reduce T and X is the number of other blocks in place

Attacking the Containment Attacker can create false positives Trigger responses which wouldn’t otherwise occur False positive create a DOS target Attacker can create false negatives to slip by the defenses

Inadvertent False positives Two types: Resulting from artifacts of the detection routines Resulting from benign scanning

Malicious False negatives Instead of the worm scanning, it propagates through different means: topological, passive etc. Worms can operate below scanning threshold to avoid detection Scan for liveliness of the port Obtaining multiple network addresses

Malicious False positives Attacker can spoof packets to frame other hosts in the same cell Spoofing can be prevented using MAC addresses Setup HTTP proxies and mail filtering to detect and block malicious content

Attacking the algorithm Exploit the approximate cache’s hash and permutation function Exploit the vulnerability of a two-sided evasion technique

Two-sided evasion Requires two computers, one on each side of the containment device, generating normal traffic on a multitude of ports A worm could use this evasion technique, making up for each failed attempt by creating a successful connection between cooperating machines

Related Work Network Security Monitor Snort Bro Leckie Forescout Mirage Networks

Future Work Implementing the system in hardware and deploying it Integrating the algorithm in into software based IDS Obtain complete enterprise-trace Developing optimal communication strategies

Conclusions Demonstrated a highly sensitive scan detection and suppression algorithm suitable for worm containment Able to detect scanning for fewer than 10 attempts for a highly sensitive machine and for a normal machine in 30 attempts Cooperation between containment devices provides an improved performance