Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Slides:

Advertisements

Similar presentations

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Advertisements

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Connecting LANs: Section Figure 15.1 Five categories of connecting devices.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )

Intrusion Detection Systems and Practices

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense

Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

EDUCAUSE Security 2006 Internet John Brown University.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.

Propagation and Containment Presented by Jing Yang, Leonid Bolotnyy, and Anthony Wood.

Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558.

Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Chapter 5: Implementing Intrusion Prevention

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore, Colleen Shannon, Geoffrey M.Voelker, Stefan Savage University of California,

1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.

Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

SPYCE/May’04 coverage: A Cooperative Immunization System for an Untrusting Internet Kostas Anagnostakis University of Pennsylvania Joint work with: Michael.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

A Case Study on Computer Worms Balaji Badam. Computer worms A self-propagating program on a network Types of Worms  Target Discovery  Carrier  Activation.

1 On the Performance of Internet Worm Scanning Strategies Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

Role Of Network IDS in Network Perimeter Defense.

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Very Fast Containment of Scanning Worms Written By: Nicholas Weaver, Stuart Staniford, Vern Paxson Presentation By: Nathan Johnson A.K.A Space Monkey and.

IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.

Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Very Fast containment of Scanning Worms Presented by Vinay Makula.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.

Internet Quarantine: Requirements for Containing Self-Propagating Code

Very Fast containment of Scanning Worms

Very Fast Containment of Scanning Worms

Modeling, Early Detection, and Mitigation of Internet Worm Attacks

Jonathan Griffin Andy Norman Jamie Twycross Matthew Williamson

Introduction to Internet Worm

Presentation transcript:

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern Paxson

Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

Scanning Worms What is scanning worm? --- Operate by picking “random” address and attempt to infect the machine. Blaster – linear scanning Code Red – fully random Code Red II & Nimda – bias toward local addresses Common properties of scanning worms: Most scanning attempts result in failure. Infected machines will institute many connection attempts.

Scanning Worms How to mitigate the spread of worms? Prevention  Reduce size of vulnerable population  Insufficient to counter worm threat  Why?? … single vulnerability in a popular software system can translate to millions of vulnerable hosts Treatment  Once a host is infected, clean it up immediately (Antivirus Software, Patches)  Reduce vulnerable hosts and rate of infection  Limitation … long time to develop cleanup code, and too slow to have a significant impact  People don’t install patches Containment

Protect individual networks and isolate infected hosts Examples: firewalls, content filters, automated blacklists Most Promising Solution Can be completely automated Containment does not require participation of each and every host on the internet

Containment Properties Reaction time Detection of malicious activity Propagation of the containment information to all hosts participating the system Activating any containment strategy. Containing Strategy Address blacklisting Maintain a list of IP addresses that have been identified as being infected. Drop all the packets from one of the addresses in the list. Advantage: can be implemented easily with existing filtering technology. Disadvantage: must be updated continuously to reflect newly infected hosts

Containment (contd.) Content filtering Requires a database of content signatures known to represent particular worms. Requires additional technology to automatically create appropriate content signatures. Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation Deployment scenarios Ideally, a global deployment is preferable. Practically, a global deployment is impossible. May be deploying at the border of ISP networks

Worm Containment Defense against scanning worms Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts; Leverage the anomaly of a local host attempting to connect to multiple other hosts. Containment looks for a class of behavior rather than specific worm signature --- able to stop new worms.

Worm Containment Break the network into many cells Within each cell a worm can spread unimpeded. Between cells, containment limits infections by blocking outgoing connections from infected cells. Must have very low false positive rate. Blocking suspicious machines can cause a DOS if false positive rate is high. Need for complete deployment within an enterprise Integrated into the network’s outer switches or similar hardware elements

Epidemic Threshold Worm-suppression device must necessarily allow some scanning before it triggers a response. Worm may find a victim during that time. The epidemic threshold depends on: The sensitivity of the containment response devices The density of vulnerable machines on the network --- NAT and DHCP The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

Sustained Scanning Threshold If worm scans slower than sustained scanning threshold, the detector will not trigger. Vital to achieve as low a sustained scanning threshold as possible. For this implementation threshold set to 1 scan per minute.

Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

Hardware Implementation Constraints: Memory access speed On duplex gigabit Ethernet, can only access DRAM 4 times Memory size Attempt to keep footprint under 16MB The number of distinct memory banks

Hardware Implementations Approximate caches --- collisions cause imperfections (bloom filter) Fixed memory available Allow collisions to cause aliasing Err on the side of false negative Attacker behavior Predicting the hashing algorithm --- keyed hash function Simply overwhelming the cache

Hardware Implementations Efficient small 32 bit block ciphers Prevent attackers from controlling collisions Permute the N-bit value Separate the resulting N-bit value into an index and a tag

Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

Scan Suppression Responding to detected portscans by blocking future scanning attempts. Portscans have two basic types: Horizontal – search for identical service on large number of machines. Vertical – examine an individual machine to discover running services.

Scan Suppression Protect the enterprise, forget the Internet Preventing scans from Internet is too hard If inside node is infected, filter sees all traffic Cell (local area network) is “ outside ”, Enterprise larger internet network is “ inside ” Can also treat entire enterprise as cell, Internet as outside Interne t Inside Scan detectors Outside

Scan Suppression Derived from Threshold Random Walk (TRW) scan detection. The algorithm operates by using an oracle to determine if a connection will fail or succeed. By modeling the benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host. Assumption: benign traffic has a higher probability of success than attack traffic

Scan Suppression Strategies: Track connections and addresses using approximate caches; Replace the old addresses and old ports if the corresponding entry has timed out; Track addresses indefinitely as long as we do not have to evict their state from our caches; Detect vertical as well as horizontal TCP scans, and horizontal UDP scans; Implement a “ hygiene filter ” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.

Connection Cache Recording if we ’ ve seen a packet in each direction Aliasing turns failed attempt into success (biases to false negative) Age is reset on each forwarded packet Every minute, back ground process purges entries older than D conn

Address Cache Track “ outside ” addresses Counter keeps difference between successes and failures Counts are decremented every D miss seconds

Algorithm Pseudo-code

Parameters and Tuning Parameters: T: miss-hit difference that causes block C min : minimum allowed count C max : maximum allowed count D miss : decay rate for misses D conn : decay rate for idle connections Cache size and associativity

Evaluation For 6000-host enterprise trace: 1MB connection cache, 4MB 4-way address cache = 5MB total At most 4 memory accesses per packet Operated at gigabit line-speed Detects scanning at rates over 1 per minute Low false positive rate About 20% false negative rate Detects scanning after attempts

Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

Cooperation Divide enterprise into small cells Connect all cells via low-latency channel A cell ’ s detector notifies others when it blocks an address ( “ kill message ” ) Blocking threshold dynamically adapts to number of blocks in enterprise: T ’ = T(1 – θ) X, for very small θ Changing θ does not change epidemic threshold, but reduces infection density

Cooperation – Effect of θ

Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

False positives Forge packets (though this does not prevent inside systems from initiating connections) False negatives Use a non-scanning technique (topological, meta-server, passive and hit-list) Scan under detection threshold Use a white-listed port to test for liveness before scanning

Attacking Cooperation Attempt to outrace containment if threshold is permissive Flood cooperation channels Cooperative collapse: False positives cause lowered thresholds Lowered thresholds cause more false positives Feedback causes collapse of network

Attacking Worm Containment Detecting containment Try to contact already infected hosts Go stealthy if containment is detected Circumventing containment Embed scan in storm of spoofed packets Two-sided evasion: Inside and outside host initiate normal connections to counter penalty of scanning Can modify algorithm to prevent, but lose vertical scan detection

Conclusion Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware; Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.