CSE551: Introduction to Information Security
Active Worm
CSE551 Handout on DDoS and Worm
Worm vs. Virus
  Worm: a program that propagates itself over a network, reproducing itself as it goes
  Virus: a program that searches out other programs and infects them by embedding a copy of itself in them
Active Worm vs. [D]DoS
  Propagation method
  Goal: congestion, resource appropriation
  Rate of distribution
  Scope of infection
Historical Analysis
  Morris Worm (1988, http://www.worm.net/worm-src/worm-src.html)
  Code Red v.2 (2001, nearly 8 infections/sec.)
  Nimda (2001, NetBIOS, UDP)
  SQL Slammer (2003, UDP)
Recent Worms
  July 13, 2001: Code Red v1
  July 19, 2001: Code Red v2
  Aug. 04, 2001: Code Red II
  Sep. 18, 2001: Nimda
  ...
  Jan. 25, 2003: SQL Slammer
  More recent: SoBig.F, MSBlast, ...
How an Active Worm Spreads
  Autonomous: no need of human interaction
  (Diagram: infected machine -> scan -> probe -> transfer copy -> newly infected machine)
Scanning Strategy
  Random scanning: probes random addresses in the IP address space (CRv2)
  Hitlist scanning: probes addresses from an externally supplied list
  Topological scanning: uses information on the compromised host (email worms)
  Local subnet scanning: preferentially scans targets that reside on the same subnet (Code Red II and Nimda)
Techniques for Exploiting Vulnerability
  fingerd (buffer overflow)
  sendmail (bug in the "debug mode")
  rsh/rexec (guess weak passwords)
Active Worm Defense
  Modeling
  Infection Mitigation
Worm Behavior Modeling
  Propagation model mirrors an epidemic:
    V is the total number of vulnerable nodes
    N is the size of the address space
    i(t) is the percentage of infected nodes among V
    r is the scanning speed of an infected node
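The slide names the model's variables but not its equation. The following is an added example, not part of the handout: it assumes the standard random-scanning epidemic model, in which each infected node sends r scans per second to uniformly random addresses, a scan hits a still-vulnerable node with probability V(1 - i)/N, and therefore di/dt = K i (1 - i) with K = rV/N. The parameter values in the script (360,000 vulnerable hosts, 10 scans/s, one initially infected host) are constructed for illustration.

```python
import math

# Assumed model (standard random-scanning worm / simple epidemic model; the
# slide lists the variables but not this equation):
#   di/dt = K * i * (1 - i),   K = r * V / N
# V: vulnerable nodes, N: address-space size, r: scans/s per infected node,
# i(t): fraction of the V nodes infected at time t (seconds).


def growth_rate(V, N, r):
    """K = r*V/N, the per-second logistic growth constant."""
    return r * V / N


def infected_fraction(t, V, N, r, i0):
    """Closed-form logistic solution i(t) for initial fraction i0 at t = 0."""
    K = growth_rate(V, N, r)
    if K * t > 700:          # exp() would overflow; the curve has saturated
        return 1.0
    e = math.exp(K * t)
    return i0 * e / (1.0 - i0 + i0 * e)


def time_to_fraction(V, N, r, i0, target):
    """Seconds until i(t) reaches `target` (requires 0 < i0 < target < 1)."""
    K = growth_rate(V, N, r)
    return math.log(target * (1.0 - i0) / (i0 * (1.0 - target))) / K


def new_infections_per_second(i, V, N, r):
    """Instantaneous infection rate in hosts/s, i.e. V * di/dt at fraction i."""
    return V * growth_rate(V, N, r) * i * (1.0 - i)


def simulate(V, N, r, i0, dt, t_max):
    """Forward-Euler integration of di/dt = K i (1 - i); returns [(t, i), ...].

    Useful as a template when the scan rate or the number of vulnerable
    hosts changes over time (patching, filtering), where no closed form exists.
    """
    K = growth_rate(V, N, r)
    i, t, trace = i0, 0.0, [(0.0, i0)]
    while t < t_max:
        i = min(1.0, i + dt * K * i * (1.0 - i))
        t += dt
        trace.append((t, i))
    return trace


if __name__ == "__main__":
    # Constructed parameters: 360,000 vulnerable hosts in the IPv4 space,
    # 10 scans/s per infected host, a single initially infected host.
    V, N, r = 360_000, 2**32, 10.0
    i0 = 1.0 / V
    K = growth_rate(V, N, r)
    t_half = time_to_fraction(V, N, r, i0, 0.5)
    print(f"K = {K:.3e}/s ({K * 3600:.2f}/hour)")
    print(f"50% of vulnerable hosts infected after {t_half / 3600:.2f} hours")
    print(f"peak rate: {new_infections_per_second(0.5, V, N, r):.1f} new hosts/s")
    # Halving the effective scan rate (e.g. by rate limiting) doubles the
    # time to 50%; halving V (patching) has the same effect on K.
    for factor in (0.5, 2.0):
        t = time_to_fraction(V, N, r * factor, i0, 0.5)
        print(f"  r x {factor}: {t / 3600:.2f} hours to 50%")
```

The closed form shows why the slide's defenses act on K: patching lowers V, filtering or a larger address space effectively raises N, and bounding connection requests lowers r, and the time to any given infection level scales as 1/K.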
Infection Mitigation
  Patching
  Filtering / intrusion detection (signature based)
  TCP/IP stack reimplementation: bound connection requests
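The last mitigation on the slide, bounding connection requests, rests on the observation that a scanning host contacts far more distinct new destinations per second than a normal client. The following added example (not from the handout) shows the detection half of that idea as a sliding-window counter over flow records: a source that reaches more than a threshold of new (destination, port) pairs within one second is flagged. The record format, the thresholds and the sample log are all constructed for the example; a real deployment would tune the window and limit to the host's normal behaviour.

```python
from collections import defaultdict, deque

# Assumed policy (illustrative, not from the slide): a host that contacts more
# than MAX_NEW_DESTINATIONS distinct (dst, port) pairs within WINDOW_SECONDS
# is reported as scanning. Repeat connections to a known destination are free.
WINDOW_SECONDS = 1.0
MAX_NEW_DESTINATIONS = 10


def parse_flow(line):
    """Parse a constructed flow record: '<epoch_seconds> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def find_scanners(lines, window=WINDOW_SECONDS, limit=MAX_NEW_DESTINATIONS):
    """Return {src: (time_first_flagged, new_destinations_in_window)}.

    `lines` must be in chronological order. Per source we keep the set of
    destinations already contacted and a deque of timestamps at which a
    *new* destination was first contacted; the deque is trimmed to the window.
    """
    seen = defaultdict(set)       # src -> {(dst, dport), ...}
    recent = defaultdict(deque)   # src -> timestamps of new destinations
    flagged = {}
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if (dst, dport) in seen[src]:
            continue                       # known destination, not counted
        seen[src].add((dst, dport))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # drop entries older than the window
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = (ts, len(q))
    return flagged


def build_sample_log():
    """Constructed sample: one browsing host and one host sweeping a /24."""
    lines = []
    for k in range(5):    # 10.0.0.5: five servers over ~10 s, each visited twice
        lines.append(f"{100.0 + 2.0 * k:.2f} 10.0.0.5 192.0.2.{10 + k} 443")
        lines.append(f"{100.0 + 2.0 * k + 0.5:.2f} 10.0.0.5 192.0.2.{10 + k} 443")
    for k in range(40):   # 10.0.0.9: forty distinct hosts, one port, in 0.8 s
        lines.append(f"{105.0 + 0.02 * k:.2f} 10.0.0.9 192.0.2.{k + 1} 80")
    return sorted(lines, key=lambda s: float(s.split()[0]))


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, (ts, count) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} new destinations within {WINDOW_SECONDS}s at t={ts}")
```

The same per-source state (known destinations plus a short queue of recent new ones) is what a throttling stack keeps; instead of reporting, it would delay connection attempts beyond the limit, which lowers the effective scan rate r in the propagation model without affecting a host whose destinations repeat.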
Summary
  Worms can spread quickly: 359,000 hosts in < 14 hours
  Home / small business hosts play a significant role in global Internet health
    No system administrator, slow response
  Can't estimate infected machines by # of unique IP addresses
    DHCP effect appears to be real and significant