Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Outline
– Introduction
– Performance Of Current Worms In IPv6
– Speedup Of Worms’ Propagation In IPv6
– Interim From IPv4 To IPv6
– Conclusion

Fast-propagating Worms VS IPv6 (1)
Facts
– Almost all fast-propagating worms use some form of Internet scanning
– The larger the address space is, the less efficient scanning is
– IPv6 has a huge address space
Optimistic vision
– Worms may face significant barriers to propagating fast in IPv6

Fast-propagating Worms VS IPv6 (2)
Facts
– Some design features of IPv6 automatically shrink its huge address space
– A variety of techniques can be employed by a worm to improve its propagation efficiency
– Other advances in the future Internet can remove the current bottleneck on worms’ fast propagation
Pessimistic vision
– Fast-propagating worms will remain one of the main threats to the Internet in IPv6

Motivation
Importance
– Since IPv6 is the foundation of the next-generation Internet, it is important to see whether its huge address space really makes it immune to fast-propagating worms
Usefulness
– There is still some time before IPv6 is widely deployed, so design changes are still possible
Worthiness
– There has not yet been a comprehensive analysis of fast-propagating worms in IPv6

Goal
IPv6 design feature analysis
– Identify the bad design choices and design tradeoffs that speed up worms’ propagation
– Figure out what modifications can prevent them from being taken advantage of
Possibility of a fast-propagating worm in IPv6
– Based on a reasonable IPv6 design, can a worm still compromise all the vulnerable hosts before human countermeasures can be taken?
Work on the two goals is interleaved in the project

Outline
– Introduction
– Performance Of Current Worms In IPv6
– Speedup Of Worms’ Propagation In IPv6
– Interim From IPv4 To IPv6
– Conclusion

Model Used
Random constant spread (RCS) model
– Also called the susceptible-infected (SI) model
– No treatment or removal
– Reasonable because fast worm propagation is usually beyond the human time scale

Representative Of Current Worms
Quickest worm in the wild – Sapphire
– Doubled every 8.5 seconds
– Infected more than 90 percent of vulnerable hosts within 10 minutes
– Based on random scanning
– Attack via a 404-byte UDP packet
– Size of total vulnerable population: 75,000
– Scan rate: 4,000 scans per second

Sapphire in IPv4
Both the results from the formula and the simulations match the real data collected during Sapphire’s spread – the infected population doubled in size every 8.5 (±1) seconds and the scanning rate reached its peak within 3 minutes

Sapphire in IPv6
We assume Sapphire spreads in a /64 IPv6 sub-network, which is the smallest sub-network in IPv6 – it would take 30 thousand years to compromise most of the vulnerable hosts

IPv6 Is Keeping Ahead
If IPv6 is perfectly designed, and if no other techniques can speed up worms’ propagation
– A fast-propagating worm is impossible in IPv6

Outline
– Introduction
– Performance Of Current Worms In IPv6
– Speedup Of Worms’ Propagation In IPv6
– Interim From IPv4 To IPv6
– Conclusion

Analysis Of RCS Model
Original unknown parameters in the RCS model: β and T
– T is related to the initially infected hosts
Four real factors that affect worms’ performance under the RCS model
– Scan rate: r
– Size of total vulnerable population: N
– Real address space: P
– Initially infected hosts: I0

Taxonomy Based On RCS Model
A variety of IPv6 design features and scanning techniques can speed up worms’ propagation in IPv6
– Most of their effects can be mapped to the four factors of the RCS model
– Some of them cannot be fitted into the RCS model – the RCS model should be extended or simulations should be done

Features/mechanisms Fitted Into RCS Model (1)
Increase the scan rate: r
– High-bandwidth networks, such as Gigabit Ethernet
Increase the total vulnerable population: N
– Sophisticated hybrid worms that attack several vulnerabilities
– Target a vulnerability in the core of widely deployed systems caused by monoculture

Features/mechanisms Fitted Into RCS Model (2)
Reduce the real address space: P
– Subnet scanning
– Routing worms
– The standard method of deriving the EUI field of an IPv6 address from the 48-bit MAC address
– Densely allocated IPv6 addresses
Increase the initially infected hosts: I0
– Pre-generated hit list (due to the unwieldy length of the 128-bit IPv6 address, every host in an IPv6 network may have a DNS name, so a DNS attack can reveal many host addresses)

Features/mechanisms Beyond RCS Model
Find host addresses during the spread by means other than scanning
– Topological scanning
– Passive worms
Minimize duplication of scanning effort
– Permutation scanning

Increase The Scan Rate: r
UDP-based attack – bandwidth limited rather than latency limited
Gigabit Ethernet: scan rate can exceed 300,000 scans per second – reduces Sapphire’s spread time to 400 years
10 Gigabit Ethernet: scan rate can exceed 3,000,000 scans per second – reduces Sapphire’s spread time to 40 years

Increase The Total Vulnerable Population: N
The effect of doubling N equals the effect of doubling r
Blaster targeted a vulnerability in core Windows components, creating a more widespread threat than the server software targeted by previous network-based worms and resulting in a much higher density of vulnerable systems
According to IDC, Microsoft Windows represented 94 percent of the consumer client software sold in the United States in 2002

Reduce The Real Address Space: P (1)
Subnet scanning – focus on a /64 IPv6 sub-network
The standard method of deriving the EUI field of an IPv6 address from the 48-bit MAC address – further reduces the address space to 48 bits
Assume Gigabit Ethernet – 300,000 scans per second

Reduce The Real Address Space: P (2)
Densely allocated IPv6 addresses – may reduce the real address space to 32 bits or even 16 bits, which means a few seconds are enough for the worm to compromise all the vulnerable hosts
Analysis of IPv6 design features
– The auto-configuration feature of IPv6 sacrifices 16 bits of address space in the EUI field, which can dramatically speed up worms’ propagation – a new design choice is needed that allows auto-configuration while preserving the whole address space
– Addresses should never be allocated densely in IPv6 – a random distribution can take advantage of the whole address space

Increase The Initially Infected Hosts: I0 (1)
Due to the unwieldy length of the 128-bit IPv6 address, every host in an IPv6 network may have a DNS name, so a DNS attack can reveal many host addresses
Assume 1,000 initially infected hosts

Increase The Initially Infected Hosts: I0 (2)
Analysis of IPv6 design features
– Assigning a DNS name to each host makes the 128-bit IPv6 address tolerable, but it increases the harm of a DNS attack
– Not only public servers: addresses of ordinary hosts can also be revealed in a DNS attack
– Secure DNS servers are critical in IPv6 to prevent fast worm propagation

More Practical Scenario (1)
Scan rate r: 300,000 scans per second (assume Gigabit Ethernet)
Total population M: 20,000 (reasonable in a /64 IPv6 enterprise network)
Total vulnerable population N: 10,000 (due to monoculture)
Real address space P: 48 bits (due to the auto-configuration requirement)
Initially infected hosts I0: 501 (assume a 1,000-host address list, 500 of them vulnerable)

More Practical Scenario (2)
By taking advantage of the IPv6 design features and scanning mechanisms that can be fitted into the RCS model, a couple of days are needed to infect the whole sub-network
Not fast enough – can only compromise 20% of vulnerable hosts within a day
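The RCS/SI model from the "Model Used" slide and the scenarios that follow (Sapphire in IPv4 and in a /64, the Gigabit and 10 Gigabit Ethernet scan rates, and the "more practical scenario" above) can be worked through in a few lines. The following is an added example, not code from the presentation: it implements the closed-form SI solution with the slides' four factors r, N, P and I0. The slides do not state Sapphire's initial infection count, so a single seed host is assumed there; the resulting figures land in the same range as the slides' numbers (minutes in IPv4, tens of thousands of years in a /64, a few days and a low first-day fraction in the practical scenario) without reproducing them exactly, since the slides' I0 and rounding are not given.

```python
"""Random constant spread (RCS / SI) model of worm propagation.

Each infected host emits r scans per second into an address space of P
addresses containing N vulnerable hosts, so every still-uninfected vulnerable
host is hit at rate r*I/P and

    dI/dt = (r/P) * I * (N - I),

whose solution for I(0) = I0 is

    I(t) = N / (1 + (N/I0 - 1) * exp(-r*N*t/P)).

Values not given on the slides are marked as assumptions below.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def infected(t, r, N, P, I0):
    """Infected hosts after t seconds under the RCS model."""
    k = r * N / P
    return N / (1.0 + (N / I0 - 1.0) * math.exp(-k * t))


def doubling_time(r, N, P):
    """Doubling time of the infected population while I << N, in seconds."""
    return math.log(2.0) / (r * N / P)


def time_to_fraction(frac, r, N, P, I0):
    """Seconds until a fraction frac of the N vulnerable hosts is infected."""
    if not I0 / N < frac < 1.0:
        raise ValueError("frac must lie strictly between I0/N and 1")
    k = r * N / P
    return math.log((N / I0 - 1.0) * frac / (1.0 - frac)) / k


# Sapphire as given on the slides: N = 75,000, r = 4,000 scans/s.
# The slides do not state I0; a single seed host is assumed here.
SAPPHIRE_N = 75_000
SAPPHIRE_I0 = 1


def sapphire_seconds_to_90pct(r=4_000, address_bits=32):
    """Seconds for Sapphire to reach 90% of its vulnerable hosts when
    scanning a 2**address_bits space at r scans per second."""
    return time_to_fraction(0.9, r, SAPPHIRE_N, 2 ** address_bits, SAPPHIRE_I0)


def sapphire_years_to_90pct(r=4_000, address_bits=64):
    """Same as above, in years; defaults to the /64 sub-network case."""
    return sapphire_seconds_to_90pct(r, address_bits) / SECONDS_PER_YEAR


# "More practical scenario" from the slides: Gigabit Ethernet, /64 enterprise
# network with EUI-64 addresses (48 effective bits), monoculture, 500-host
# vulnerable hit list plus one seed.
PRACTICAL = dict(r=300_000, N=10_000, P=2 ** 48, I0=501)


def practical_fraction_after(seconds):
    """Fraction of the 10,000 vulnerable hosts infected after `seconds`."""
    return infected(seconds, **PRACTICAL) / PRACTICAL["N"]


def practical_days_to_fraction(frac):
    """Days until `frac` of the vulnerable hosts are infected."""
    return time_to_fraction(frac, **PRACTICAL) / 86_400


if __name__ == "__main__":
    print(f"Sapphire IPv4 doubling time: {doubling_time(4_000, SAPPHIRE_N, 2 ** 32):.1f} s")
    print(f"Sapphire IPv4, 90% infected after {sapphire_seconds_to_90pct() / 60:.1f} min")
    for r in (4_000, 300_000, 3_000_000):
        print(f"Sapphire in a /64 at {r:,} scans/s: {sapphire_years_to_90pct(r):,.0f} years to 90%")
    print(f"Practical scenario: {practical_fraction_after(86_400):.1%} after one day, "
          f"90% after {practical_days_to_fraction(0.9):.1f} days")
```

The useful defender's reading is the exponent r*N/P: halving the effective address space (for instance by EUI-64 derivation or dense allocation) has exactly the same effect as doubling the scan rate or the vulnerable population, which is why the slides treat the four factors as interchangeable levers.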

Topological Scanning (1)
Every host in IPv6 has a DNS name
DNS cache in Windows XP
– CacheHashTableSize – default: 0xD3 (211 decimal)
– CacheHashTableBucketSize – default: 0xa (10 decimal)
– In the default case, the DNS cache in Windows XP has 211 * 10 = 2110 entries
Extension of RCS model – RCS_EX1 model
– Assume the DNS cache remains the same during the whole worm spread process
– Parameter F: number of addresses that can be found on a newly infected host

Topological Scanning (2) Assume F = 50

Topological Scanning (3)
Extension of RCS_EX1 model
– Assume a hybrid worm, which can reveal host addresses from all machines it touches but only control a portion of them via another vulnerability – RCS_EX2_1 model
– DNS cache is updated when a host is touched more than once – RCS_EX2_2 model

Topological Scanning (5)
F’ – number of addresses updated when a host is touched again, assumed to be 10

Topological Scanning (4)
Extension of RCS_EX2 model
– Combine RCS_EX2_1 model and RCS_EX2_2 model – RCS_EX3 model

Topological Scanning (6)
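The slides name the RCS_EX1 and RCS_EX2_2 extensions (F addresses harvested from a newly infected host's DNS cache, F' more when a cache is touched again) but do not give their equations. The block below is an added example, not the presenter's model or code: a discrete-time, mean-field simulation that is my own reading of those two ideas layered on top of random scanning. It assumes cache entries point uniformly at the M real hosts of the sub-network (N of them vulnerable), so the "uniform draws" exponential form also accounts for overlap between the harvested address lists. With F = 0 it reduces to plain RCS scanning; with the slides' F = 50 the practical scenario collapses from days to a couple of steps, which is the point the topological-scanning slides make.

```python
"""Discrete-time simulation of topological scanning layered on the RCS model.

My own mean-field reading of the slides' RCS_EX1 / RCS_EX2_2 idea (the
slides give no equations): a host infected in the previous step hands the
worm F addresses of real hosts from its DNS cache, and a cache that is
touched again yields F_prime further addresses. Cache entries are assumed to
point uniformly at the M real hosts, N of which are vulnerable.
"""
import math


def simulate_topological(r, N, M, P, I0, F, F_prime=0, dt=1.0,
                         t_max=10 * 86_400, target=0.9):
    """Run until target*N hosts are infected or t_max seconds elapse.
    Returns (elapsed_seconds, infected_hosts)."""
    I = float(I0)
    fresh = float(I0)   # hosts infected in the previous step; caches unused so far
    t = 0.0
    while I < target * N and t < t_max:
        uninfected = N - I
        # Random scanning: r*I*dt probes into P addresses; an uninfected
        # vulnerable host escapes all of them with probability exp(-r*I*dt/P).
        scan_new = uninfected * -math.expm1(-r * I * dt / P)
        # DNS-cache harvest (RCS_EX1): each fresh host reveals F addresses.
        draws = fresh * F
        # Re-touched caches (RCS_EX2_2): a share I/M of those draws land on
        # already-infected hosts, each of which yields F_prime new addresses.
        draws += draws * (I / M) * F_prime
        # Overlap-aware: a host is missed by every draw with prob exp(-draws/M).
        cache_new = uninfected * -math.expm1(-draws / M)
        new = min(uninfected, scan_new + cache_new)
        I += new
        fresh = new
        t += dt
    return t, I


# Parameters of the slides' "more practical scenario"
PRACTICAL = dict(r=300_000, N=10_000, M=20_000, P=2 ** 48, I0=501)


def seconds_to_90pct(F, F_prime=0):
    """Seconds until 90% of vulnerable hosts are infected (capped at 10 days)."""
    t, _ = simulate_topological(F=F, F_prime=F_prime, **PRACTICAL)
    return t


def fraction_after_one_day(F, F_prime=0):
    """Fraction of vulnerable hosts infected after one day."""
    _, I = simulate_topological(F=F, F_prime=F_prime, t_max=86_400, **PRACTICAL)
    return I / PRACTICAL["N"]


if __name__ == "__main__":
    for F, Fp in ((0, 0), (5, 0), (50, 0), (50, 10)):
        print(f"F={F:3d} F'={Fp:3d}: 90% after {seconds_to_90pct(F, Fp):,.0f} s, "
              f"{fraction_after_one_day(F, Fp):.1%} after one day")
```

The defensive takeaway matches the slides' DNS conclusion: once address lists come from caches rather than from probing, the address-space term P stops mattering, so protecting the name resolution data (and limiting what a compromised host can read from its resolver cache) is what keeps the /64 barrier in place.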

Permutation Scanning
Permutation scanning can dramatically decrease the duplication of scanning effort
Permutation scanning is somewhat in conflict with topological scanning – duplicate touches can reveal new host addresses due to cache updates
Combination of permutation scanning and topological scanning – the worm maintains a thread on infected machines to wait for cache updates
Simulation is on-going

Outline
– Introduction
– Performance Of Current Worms In IPv6
– Speedup Of Worms’ Propagation In IPv6
– Interim From IPv4 To IPv6
– Conclusion

Things To Be Taken Care Of During Interim
Never use easy-to-remember IPv6 addresses
– It is common to derive IPv6 addresses directly from IPv4 addresses when an IPv4 network is newly upgraded to IPv6
– This easy upgrade limits the real IPv6 address space to the original IPv4 address space
IPv6 networks are not isolated while most of the Internet is still IPv4
– 6to4 automatic SIT tunnels (2002::/16 prefix) enable IPv4 hosts to connect to IPv6 networks (such as 6Bone) without external IPv6 support
– Gateways are established for communication among three global prefixes (2002::/16 for 6to4, 2001::/16 for Internet6, 3fff::/16 for 6Bone)
– Many current operating systems support 6to4 SIT auto-tunnelling

Outline
– Introduction
– Performance Of Current Worms In IPv6
– Speedup Of Worms’ Propagation In IPv6
– Interim From IPv4 To IPv6
– Conclusion

Conclusion
A fast-propagating worm is definitely possible in IPv6, at least in /64 enterprise networks
Factors that speed up the propagation
– A variety of scanning techniques, some of them theoretical and not yet found in the wild
– Bad design choices in IPv6 – can be eliminated easily
  Densely allocated IPv6 addresses
  Easy-to-remember IPv6 addresses
– Tradeoffs in IPv6 design – can hardly be eliminated unless innovative methods are developed to meet both requirements of a tradeoff
  Derivation of the 64-bit EUI field from the 48-bit MAC address
  Each host has a DNS name
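The address-space-shrinking patterns called out in the conclusion, in "Reduce The Real Address Space: P (2)" and in the interim slide (EUI-64 interface IDs derived from a MAC address, densely allocated addresses, IPv4 addresses copied into IPv6 addresses, and 6to4 addresses that embed an IPv4 address) are all mechanically recognisable, so an administrator can audit an address inventory for them. The block below is an added example, not part of the presentation: it classifies addresses with Python's standard `ipaddress` module. The sample inventory is constructed from documentation prefixes, and the threshold below which an interface ID counts as "dense" (2^16) is an assumed cut-off, not a value from the slides.

```python
"""Audit an IPv6 address inventory for patterns that shrink the effective
address space: EUI-64 interface IDs, dense/sequential interface IDs, IPv4
addresses written into hextets, and 6to4 (2002::/16) addresses.
Standalone example; the sample inventory below is constructed."""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
DENSE_IID_LIMIT = 2 ** 16   # assumed cut-off: interface IDs below this are sequential/dense


def eui64_mac(addr):
    """Return the MAC address an EUI-64 interface ID was derived from, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip and drop the inserted ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def embedded_ipv4(addr):
    """IPv4 address embedded in a 6to4 address, or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR:
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def classify(addr):
    """Tags describing why this address is easier to guess than a random one."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]
    iid_int = int.from_bytes(iid, "big")
    tags = []
    if a in SIXTOFOUR:
        tags.append("6to4")
    if eui64_mac(addr) is not None:
        tags.append("eui64")
    if iid_int < DENSE_IID_LIMIT:
        tags.append("dense-iid")
    else:
        # An IPv4 address written as hextets (2001:db8::192:168:1:10): every
        # hextet, read as decimal digits, is a valid octet.
        words = [f"{(iid_int >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0)]
        if all(w.isdigit() and int(w) <= 255 for w in words):
            tags.append("ipv4-octets")
    return tags


def audit(addresses):
    """Map each address to its tags; an empty list means nothing was flagged."""
    return {addr: classify(addr) for addr in addresses}


# Constructed sample inventory (documentation prefixes, not real hosts)
SAMPLE_INVENTORY = [
    "2001:db8:1::1",                        # sequential interface ID
    "2001:db8:1:0:21a:2bff:fe3c:4d5e",      # EUI-64 derived from a MAC
    "2001:db8:1::192:168:1:10",             # IPv4 address copied into hextets
    "2002:c000:204::1",                     # 6to4, embeds 192.0.2.4
    "2001:db8:1:0:5a3f:9c1e:7b2d:e81",      # random interface ID
]

if __name__ == "__main__":
    for addr, tags in audit(SAMPLE_INVENTORY).items():
        print(f"{addr:36} {', '.join(tags) or 'ok'}")
```

Run over a DHCPv6 lease file or DNS zone export, the flagged share gives a quick measure of how much of the /64 an enterprise actually uses, which is the quantity the slides' P term depends on; the remedy on the slides is random interface IDs rather than MAC-derived or sequential ones.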