The Top Speed of Flash Worms
CS-495 Advanced Networking, Chi Yin Cheung, Spring 2005

Outline
– Introduction
– Design of Flash Worms
– UDP Flash Worms
– TCP Flash Worms
– Worm Resilience
– Avoiding Containment Defenses

Introduction
– Controlling 1 million hosts can cause enormous damage
  – DDoS attack
  – Stealing and modifying data
  – Can be leveraged for cyber-warfare
– Worms can be used to gain such control in a very short period of time
– This is much more dangerous – why?

Remote Control
– Distributed control
  – Each worm knows about the other worms *it* has infected
  – Analysis: high connectivity, average degree = 4
  – Without a single point of communication, updates can still be passed along
– Programmatic updates
  – Worms as "computing capsules"
  – Can send arbitrary code!

Random Scanning
– Not the most effective, but the easiest to implement
– Efficiency depends on the quality of the random number generator
– Potential for repeats and invalid addresses

Permutation Scanning
– Random scanning is inefficient: lots of overlap
– Instead, all worms share a common pseudo-random permutation, using a cipher and key to generate addresses
– Worms start scanning from their own point in the permutation
(Diagram: index → 32-bit block cipher with key → IP address)

Worm Scanning Methods: Hit List Scanning
– "Getting off the ground" very fast
– Say the first 10,000 hosts
– Pre-select 10,000-50,000 vulnerable machines
– The first worm carries the entire hit list
– The hit list is split in half on each infection
– Can establish itself in a few seconds

Combining Techniques
– Combining hit-list scanning and permutation scanning produces the "Warhol" worm
– Capable of attacking most vulnerable targets in < 15 minutes
– Uses the hit list to improve the initial spread, then switches to permutation scanning to ensure a high infection rate
– Future worms will be faster and better (hence more dangerous): introducing flash worms

Flash Worms
– Fastest method: the entire Internet in tens of seconds
– Obtain a hit list of vulnerable servers in advance
  – 2 hours for the entire IP space on an OC-12 link (622 Mbps)
  – The list would be big (~48 MB)
– Divide the list into n blocks
  – Infect the first host of each block and hand the block over to the new worm
  – Repeat for each block
– Alternative: store pre-assigned chunks on a high-bandwidth server
– Two limitations
  – Large list size
  – Latency
– Analysis: sub-thirty-second limit on total infection time on a 256 kbps DSL link

Worm Spread Using a Hit List
– For 3 million hosts, the spread tree is just 7 layers deep (n = 10)

Design of Flash Worms
– Flash worm concepts are derived from 2 prominent worms
  – Slammer worm (Jan 2003): the fastest scanning worm to date; infects via UDP
  – Witty worm (2000)
– The authors use information from these 2 worms to model the characteristics of their potential flash worm

Flash Worms: What Are They?
– Most effort is directed against random scanning worms: guess and attack
– Flash worms use a precompiled list of vulnerable addresses to infect
– Flash worms are interesting because:
  – They are the fastest possible worms
  – The spread map can be calculated offline, and can be used to explore the worst-case performance of containment defenses

UDP Flash Worms
– The key issue in single-packet flash worm design is that the time between packets from a host is small compared to the time to cross the Internet
– Computing the average latency distribution in different regions motivates a shallow and broad infection tree
– The attacker should launch from a host with high data capacity and a good connection to the Internet

UDP Flash Worms
– The UDP worm carries the address list to be infected after its code
– The worm injector copies a subset of the address list into each copy of the worm before sending it out
– Given the authors' assumptions about the worm and network conditions, the worm can infect 1 million hosts in less than 1 second
– The worm will not be limited by congestion in the network core (the total bandwidth required by the worm is only O(10 Gbps) according to the authors)

TCP Flash Worms
– TCP worms are larger and slower than UDP worms, but there are more services to exploit
– 2 types of TCP worms
  – Small worms, where k (the number of packets) < the window W
  – Large worms, where k > W
– Packet loss will affect worm speed, especially for large worms
– There is no direct guidance from TCP slow start, due to the absence of "ack clocking", so the worm might overflow buffers
– Solution: round-robin through the connections to avoid overflowing senders
– The author believes a TCP worm need not be much larger than Slammer

TCP Flash Worms
(Diagrams: a small worm, smaller than the window, and a large worm, larger than the window)
– Large worms can make transmission faster by disregarding the window size and sending the whole worm (provided the receiver can receive fast enough), but packet loss will degrade the worm's performance because the window will not move forward

TCP Flash Worms
– TCP worms are slower than UDP worms because of TCP latency
– But TCP worms are still fast: the authors' simulation shows 99% compromise after 3.3 s

Worm Resilience
– The address list is imperfect
  – Why? Unreliable diagnostics, aging
– 2 situations:
  – False negative
  – False positive
– False positives can hamper worm spread
  – Especially true for deep and narrow spread trees
  – Broad / shallow trees are more resilient
  – Binary spread trees are too fragile (what if a node close to the source is invulnerable?)

Worm Resilience
– Making flash worms resilient
  – Shallow spread tree flash worms? Add acknowledgements: have infected nodes send a copy of the worm back to the initial host
  – If no ack arrives, substitute the address
– Acks are not good for deep spread trees
  – Too slow / must gather acks effectively
– Solution: double infection
  – Have each intermediate node infect one of its siblings as well

Worm Resilience
– To compute the probability r that a given node ends up uninfected, the authors propose an equation
– Graphs are shown on the next page

Worm Resilience
– It is readily apparent that a shallow tree is less fragile than a deep, binary tree, where an invulnerable host can prune entire branches of the tree

Worm Resilience
– K independent K-way trees
  – In a K-way tree, the non-leaf nodes make up a fraction 1/K of the total nodes
  – K independent internal sets
  – Worms can be started over such trees simultaneously to increase resilience
– Cost: increased code complexity
– The graphs show that they are more effective than the binary tree scheme (except for the 2-way tree compared to doubling up infections)

Worm Resilience
– Note that the 2-2 way tree's performance is worse than doubling up. This might be because it is less likely to get 2 invulnerable hosts at the same level than to get 2 invulnerable hosts (one on each tree) on each path to a host.
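The list-error discussion above (shallow versus deep trees, and K independent K-way trees), as an added model that is not part of the original presentation or of the paper it summarizes: it builds K-way spread trees over a constructed hit list with a given false-positive rate and measures r, the share of vulnerable hosts that a tree shape fails to reach. The tree layout used here (hosts with index mod K == t forward in tree t) is an assumption for the model, not the authors' construction.

```python
import random

def parent(slot: int, k: int) -> int:
    """Slot that forwards the worm to `slot` in a k-ary tree whose first
    k slots hang directly off the injector; -1 means the injector."""
    return -1 if slot < k else (slot - k) // k

def tree_layout(n_hosts: int, k: int, t: int) -> list[int]:
    """Assumed layout of the t-th of k independent k-way trees: hosts with
    index % k == t fill the internal (forwarding) slots, the rest are
    leaves.  Tree 0 on its own is the plain single k-way tree."""
    internal = [h for h in range(n_hosts) if h % k == t]
    leaves = [h for h in range(n_hosts) if h % k != t]
    return internal + leaves

def reached_by_tree(vuln: list[bool], k: int, t: int) -> list[bool]:
    """Host -> whether tree t delivers the worm.  A host is reached only if
    it really is vulnerable and its forwarding slot was itself reached, so
    an invulnerable (false-positive) entry prunes its whole subtree."""
    order = tree_layout(len(vuln), k, t)
    hit_slot = [False] * len(vuln)
    for slot, host in enumerate(order):  # forwarding slots come first
        p = parent(slot, k)
        hit_slot[slot] = vuln[host] and (p < 0 or hit_slot[p])
    reached = [False] * len(vuln)
    for slot, host in enumerate(order):
        reached[host] = hit_slot[slot]
    return reached

def unreached_fraction(vuln: list[bool], k: int, trees: int) -> float:
    """r: share of vulnerable hosts missed by the union of `trees`
    independent k-way trees (trees == 1 is the single-tree case)."""
    reached = [False] * len(vuln)
    for t in range(trees):
        for h, ok in enumerate(reached_by_tree(vuln, k, t)):
            reached[h] = reached[h] or ok
    vulnerable = [h for h in range(len(vuln)) if vuln[h]]
    return sum(1 for h in vulnerable if not reached[h]) / len(vulnerable)

def constructed_list(n_hosts: int, false_positive_rate: float, seed: int = 1):
    """Constructed hit list: each entry is invulnerable with the given rate."""
    rng = random.Random(seed)
    return [rng.random() >= false_positive_rate for _ in range(n_hosts)]

if __name__ == "__main__":
    hit_list = constructed_list(100_000, 0.10)  # constructed: 10% list errors
    for k in (2, 10):
        single, multi = unreached_fraction(hit_list, k, 1), unreached_fraction(hit_list, k, k)
        print(f"K={k:2d}: single tree r={single:.3f}, {k} independent trees r={multi:.3f}")
```

With a 10% error rate the deep binary tree loses well over half of the reachable hosts while the 10-way tree loses a fraction of that, and the K independent trees can only ever reach a superset of what their first tree reaches.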

Multitree Approach Implications
– The multitree approach may not increase the bandwidth required by the worm, except for a single-packet UDP worm (bandwidth increases by a factor of K)
– The multitree approach does not slow the worm; it might actually make it faster by offering the benefits of a shallower tree
– But it may make the worm easier to detect

Avoiding Containment Defenses
– Methods of avoiding containment
  – Slowing the worm
  – Reducing the degree K at each node
  – Adding redundancy to route around defenses
– A flash worm using a binary tree / low-K tree will avoid scan-detection algorithms (the number of victims contacted stays below the detection threshold)
– It avoids dark-address detectors because the addresses contacted will mostly be valid

Avoiding Containment Defenses
– 2 possible detectors:
  – EarlyBird detector
  – Honeyfarm detector
– EarlyBird searches for statistical anomalies in the frequency of common content patterns
– A honeypot detects worms by letting the worm propagate to it
– But detection is not enough: the defense must respond to infection by stopping the spread
  – EarlyBird is too slow to stop the worm
  – The honeypot cannot tell the rest of the network about the worm fast enough

Implications
– One solution for flash worm writers
  – Ignore containment defenses
  – Make the worm fast and reliable
  – Don't avoid detection (by slowing the worm etc.)
– Treat systems with defenses as resistant hosts, and counter them using the resilience mechanisms
– The best chance a defender has is to hide the list of vulnerable addresses from any potential attackers (i.e. there is no good solution)

Related Work
– Study of fast worms that spread via IM clients
– Sizable buddy lists and short latency for sending messages
– 6-157 s to saturate 500,000 machines, based on the authors' assumptions

Conclusions
– Flash worms can spread extremely quickly, provided they have a good hit list
– UDP worms infect in < 1 s
– TCP worms infect in a few seconds
– Shallow trees are resilient to list errors, but less resilient to containment defenses
– Deep trees are harder to contain, but less resilient to list errors
– Deep trees can tolerate modest proportions of list errors and containment defenses

Exploiting P2P Systems for Infection
– Large set, all running the same software
– Only a single exploit is now needed
– More favorable for infection:
  – Interconnect with a large number of peers
  – Transfer large files
  – Not mainstream protocols
  – Execute on desktops, not servers
– Potentially immense size