Very Fast containment of Scanning Worms Artur Zak ------------------------------------------------ Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI

Abstract Worms – malicious, self-propagating programs. Represent threat to large networks. Containment – one form of defense; limit a worm’s spread by isolating it in a small subsection of the network.

Worm Containment (virus throttling) Needs to be Automated. Worms propagate more rapidly than human response. Works by detecting that a worm is operating in the network and then block the infected machines from contacting further hosts.

Mechanism Requirements Break the network into many cells Within each cell a worm can spread unimpeded. Between cells, containment limits infections by blocking outgoing connections from infected cells. Must have very low false positive rate. Blocking suspicious machines can cause a DOS if false positive rate is high.

Scanning Worms Operate by picking “random” address and attempt to infect the machine. Blaster – linear scanning Code Red – fully random Code Red II & Nimda – bias toward local addresses

Scanning Worms Common properties of scanning worms: Most scanning attempts result in failure. Infected machines will institute many connection attempts. Containment looks for a class of behavior rather than specific worm signature. Able to stop new worms.

Epidemic Threshold Worm-suppression device must necessarily allow some scanning before it triggers a response. Worm may find a victim during that time.

Epidemic Threshold The epidemic threshold depends on: The sensitivity of the containment response devices The density of vulnerable machines on the network The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

Sustained Scanning Threshold If worm scans slower than sustained scanning threshold, the detector will not trigger. Vital to achieve as low a sustained scanning threshold as possible. For this implementation threshold set to 1 scan per minute.

Scan Suppression Scan Suppression – responding to detected portscans by blocking future scanning attempts. Portscans have two basic types: Horizontal – search for identical service on large number of machines. Vertical – examine an individual machine to discover running services.

Implementation Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection. The algorithm operates by using an oracle to determine if a connection will fail or succeed.

Implementation Scan detection algorithm easier than TRW. Suitable for both hardware and software implementation. Simplified algorithm caused increased false negative rate. No changes in the false positive rate.

Hardware Implementation Constraints: Memory access speed. During transmission of minimum-sized gigabit Ethernet packet, need to access a DRAM at 8 different locations. (4 accesses for full duplex). Use SRAM to solve the problem. (more expensive)

Hardware Implementation Approximate cache: a cache for which collisions cause imperfections. Store amounts of data that normally exceeds memory volume. Bloom filter is a type of approximation cache.

Connection Cache

Address Cache Lookup

Attacking the Containment Attacker an create false positive Trigger responses which wouldn’t otherwise occur. False positive create a DOS target.

Attacking the Containment False Negative: The worm slips by even thought containment is active. Scan at a rate slower than sustained scanning threshold. Requires complicated code by worm writers.