Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Worm Security
 Prevention: stop worms from propagating by eliminating the security holes in the software they exploit; infeasible in practice
 Treatment: remove the worm from each infected host
 Containment: stop the worm from spreading to other hosts

Worm Containment
 Question: how effectively can any containment approach counter a worm epidemic on the Internet? Three factors decide the answer:
  - Time to detect the worm
  - Identification and containment (how infected traffic is recognized and blocked)
  - Deployment (where in the network the containment is placed)

Background
 History of worms
  - First appeared in 1988
  - Few studies done on worms
 Worm containment approaches
  - LaBrea
    - Intercepts worm connections and holds them in an artificial, persistent connection state (a tarpit)
    - Unclear how effective it is
  - Per-host "throttling"
    - Limits the rate of "new" connections a host may open
    - If universally deployed, can slow worm spread
  - Firewall filters
    - Detect a worm, then cut off its communication by blocking ports at firewalls
  - NBAR
    - Developed by Cisco
    - Lets routers block TCP sessions based on the presence of certain strings in the session payload

Modeling Worms
 Classic SI model

SI Model
 Susceptible (S), Infected (I), population (N = S + I), contact rate (beta)
 dI/dt = beta * I * S / N
 dS/dt = -beta * I * S / N
 Solving for the infected fraction i(t) = I(t)/N, with T a constant of integration fixed by the initial infection:
  - i(t) = e^(beta*(t-T)) / (1 + e^(beta*(t-T)))
 Grows exponentially while most hosts are still susceptible, then slows as susceptible hosts run out (the logistic curve)
 Well known in the public health community

Modeling Containment
 Reaction time
  - The time R in which the system can react to contain the worm
 Containment strategy
  - Address blacklisting
    - Block traffic from malicious source IPs
    - Reaction time is measured per infected host: a host is blocked R after it became infected
  - Content filtering
    - Block traffic based on its content (a worm signature)
    - Reaction time is measured from the first infection: once the signature is known, all infected hosts are blocked at once
 Deployment scenario
  - Several deployment scenarios were analyzed in the model
 Finite time period
  - Restricted to the first 24 hours after the worm appears

Idealized Deployment
 Simulation parameters
 Code-Red case study
 Generalized worm containment

Simulation Parameters
 360,000 vulnerable hosts
 Probe rate of 10 per second per infected host
 Each infected host probes random addresses starting at time t = 0
 Hosts are notified of an infected host at t + R (R = reaction time)

Code-Red Case Study
 Address blacklisting
  - Containment with R < 20 minutes
  - Larger R allows the worm to spread
  - All susceptible hosts are infected within 24 hours if R > 2 hours
 Content filtering
  - Containment with R < 2 hours
  - The worm propagates until t = R, then stops
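The SI model and the reaction-time comparison of the Code-Red case study, as an added worked example that is not code from the paper or from this presentation: a deterministic, discrete-time version of the model in which every infected host probes IPv4 addresses uniformly at random, so the contact rate is probe_rate * N / 2^32. The function and parameter names, the one-second Euler step, the single initially infected host, and the assumption that blacklisting silences a host exactly R seconds after it was infected are my own choices; the paper's simulation may differ in these details.

```python
"""Added example: SI worm spread with content filtering vs. address blacklisting.

Assumptions (mine, not the paper's): uniform random scanning of the IPv4
space, one initially infected host, a one-second Euler step, and a
deterministic (expected-value) model rather than a stochastic one.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses probed uniformly at random


def contact_rate(probe_rate, vulnerable):
    """beta of the SI model: probes/sec times the chance a probe hits a vulnerable host."""
    return probe_rate * vulnerable / ADDRESS_SPACE


def si_fraction(beta, t, i0):
    """Closed-form logistic solution i(t) = e^(beta(t-T)) / (1 + e^(beta(t-T))).

    The constant T is fixed by the initial infected fraction i0, so that
    i(0) == i0; written as a sigmoid of beta*t + logit(i0).
    """
    x = beta * t + math.log(i0 / (1.0 - i0))
    if x > 700:   # avoid overflow in exp; the curve has saturated at 1
        return 1.0
    if x < -700:
        return 0.0
    return 1.0 / (1.0 + math.exp(-x))


def simulate(vulnerable=360_000, probe_rate=10.0, reaction=7_200,
             strategy="content", horizon=86_400, initially_infected=1, dt=1.0):
    """Euler integration of dI/dt = probe_rate * active * S / 2^32 over `horizon` seconds.

    strategy "none":      no containment (plain SI model)
    strategy "content":   all infected hosts are filtered once t >= reaction
                          (reaction time counted from the first infection)
    strategy "blacklist": each infected host is blocked `reaction` seconds
                          after that particular host was infected
    Returns the fraction of vulnerable hosts infected at the end of `horizon`.
    """
    if strategy not in ("none", "content", "blacklist"):
        raise ValueError(f"unknown strategy {strategy!r}")
    infected = float(initially_infected)
    history = [infected]                # cumulative infected, one entry per step
    steps = int(horizon / dt)
    lag = int(reaction / dt)
    for step in range(steps):
        t = step * dt
        if strategy == "content":
            active = 0.0 if t >= reaction else infected
        elif strategy == "blacklist":
            # hosts infected more than `reaction` seconds ago are now blocked
            blocked = history[step - lag] if step >= lag else 0.0
            active = infected - blocked
        else:
            active = infected
        susceptible = vulnerable - infected
        new = probe_rate * active * susceptible / ADDRESS_SPACE * dt
        infected = min(float(vulnerable), infected + new)
        history.append(infected)
    return infected / vulnerable


if __name__ == "__main__":
    beta = contact_rate(10.0, 360_000)
    print(f"Code-Red-like worm: beta = {beta:.3e}/s, doubling time ~ {math.log(2)/beta/60:.1f} min")
    for strategy, minutes in (("none", 0), ("content", 120), ("blacklist", 10),
                              ("blacklist", 20), ("blacklist", 120)):
        frac = simulate(reaction=minutes * 60, strategy=strategy)
        print(f"{strategy:9s} R={minutes:4d} min -> {100 * frac:8.4f}% infected after 24 h")
```

With address blacklisting the worm keeps growing only if each host infects more than one other host before it is blocked, i.e. if beta * R > 1; for 10 probes/sec against 360,000 hosts that threshold is about 20 minutes, which is the boundary the case study reports. Content filtering just freezes the curve at t = R, so it tolerates a reaction time of hours for this probe rate.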

Modeling the Worm
 Graphs: reaction time plotted against the percentage of vulnerable hosts infected within the 24-hour period analyzed

Generalized Worm Containment
 Content filtering vs. address blacklisting across probe rates
 Highly aggressive worms
  - Extremely challenging to contain, even with content filtering
  - A worm probing at 1000 probes/sec requires a reaction time of about R = 2 minutes

Practical Deployment
 Real deployment is far more limited than the idealized (universal) case
 Network model
 Deployment scenarios
 Code-Red case study
 Generalized worm containment

Network Model
 Identify the ASes on the Internet
 Identify vulnerable hosts and the ASes they sit in
 Model the AS paths between vulnerable hosts

Deployment Scenarios
 Model different levels of deployment of containment across ASes

Code-Red Case Study
 Uses the same parameters as the idealized model
 Reaction time = 2 hours

Generalized Worm Containment
 Containment is much weaker under the network model than under idealized deployment
 "100 top ISPs" model: containment deployed only at the 100 largest ISPs
 "50% of customers" model: containment covering half of all customer networks
  - Worse results than the 100 top ISPs model
 Under these models it is infeasible to contain even worms with modest probe rates

Deployment Scenarios

Conclusion
 Building effective containment systems is very challenging
 Reaction times on the order of minutes are needed to respond effectively
 Future worms will be more aggressive
 Fighting the spread of worms will require a great amount of effort and engineering