Worm Overview. Stuart Staniford, Silicon Defense (www.silicondefense.com). Copyright Silicon Defense 2003.

There Will Always Be Vulnerabilities
- "Murphy's Law, the fitness of evolving species and the limits of software reliability", R. Brady, R. Anderson, and R. Ball
- The paper shows that under continued random testing at a constant rate, vulnerabilities decline at rate 1/t.
- In some sense, testing finds the fewest possible vulnerabilities that will get the software past the test.
- Software size is probably growing faster than t!
- So there will always be worms…

Code Red Spread

Theory of Random Scanning Worms
- a(t) = e^{vS(t-T)} / (1 + e^{vS(t-T)})
  – a is the proportion infected, t is time
  – Gives a sigmoidal graph centered on T
  – 1/vS is the time to increase by a factor e
- v is the vulnerability density (8×10^-5 for CRI; 1% would be really big)
- S is the effective scan rate (~6 Hz for CRI, ~10 kHz for Slammer on well connected networks; probably get to 50 kHz for TCP scans)
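A worked version of the slide's logistic model, added here as an example (it is not code from the original slides). It uses the slide's Code Red I figures for v and S; pairing CRI's density with the Slammer scan rate is a hypothetical combination for comparison, since the slide gives no v for Slammer.

```python
import math

# Figures quoted on the slide for Code Red I (CRI): vulnerability density v = 8e-5
# vulnerable hosts per IPv4 address, effective scan rate S ~ 6 Hz per infected host.
CRI_V, CRI_S = 8e-5, 6.0
SLAMMER_S = 10_000.0  # ~10 kHz from the slide; the slide gives no v for Slammer


def infected_fraction(t, v, s, t_mid):
    """a(t) = e^{vS(t-T)} / (1 + e^{vS(t-T)}): fraction of vulnerable hosts infected at time t.
    T (t_mid) is the midpoint where a = 1/2. Evaluated in the overflow-safe form 1/(1+e^{-x})."""
    x = v * s * (t - t_mid)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    ex = math.exp(x)
    return ex / (1.0 + ex)


def e_folding_time(v, s):
    """Early-phase time for the infected count to grow by a factor e: 1/(vS)."""
    return 1.0 / (v * s)


def time_between_fractions(a_lo, a_hi, v, s):
    """Seconds for a(t) to climb from a_lo to a_hi. Inverting the curve gives
    t = T + ln(a/(1-a)) / (vS), so the difference does not depend on T."""
    def logit(a):
        return math.log(a / (1.0 - a))
    return (logit(a_hi) - logit(a_lo)) / (v * s)


if __name__ == "__main__":
    for name, v, s in [("Code Red I", CRI_V, CRI_S),
                       ("hypothetical: CRI density, Slammer scan rate", CRI_V, SLAMMER_S)]:
        print(f"{name}: 1/vS = {e_folding_time(v, s):.1f} s, "
              f"1% -> 99% in {time_between_fractions(0.01, 0.99, v, s):.1f} s")
    # Sample the CRI curve around its midpoint T (T itself is arbitrary here: 0 s).
    for t in (-6000, -2000, 0, 2000, 6000):
        print(f"  t = T{t:+d} s: a = {infected_fraction(t, CRI_V, CRI_S, 0.0):.3f}")
```

With the slide's CRI numbers the e-folding time is about 35 minutes and the climb from 1% to 99% infected takes about 5.3 hours; at a 10 kHz scan rate the same density would give roughly 11.5 seconds.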

Sapphire/Slammer: 170 Gbps!

Enterprise Environment
- Where the real damage can be done
  – Many companies control critical equipment
- Firewalls:
  – Worms often get in, but with only a few starts
  – Nimda-style dedicated firewall-crossing function
- Enterprise address space consists of disjoint smaller pieces (e.g. two class B nets)
  – Worm has to find them
  – A random IP address is very unlikely to be in the net
  – Slows it down

Subnet Scanning
- Differentially choose a destination address near the source address
- Code Red II: choose a random address from
  – the same class B: p = 3/8
  – the same class A: p = 1/2
  – the whole Internet: p = 1/8
- Worm can exploit pieces of network it finds
- Code Red II proportions not optimal
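An added example (not from the slides) that puts the two previous slides' point into numbers: the probability that a single scan lands inside an enterprise made of two disjoint class B nets, under uniform random scanning versus Code Red II's local-preference proportions, from a source inside and outside the enterprise. The prefixes and source addresses are constructed for the example.

```python
import ipaddress

IPV4_SPACE = 2 ** 32

# Constructed enterprise: two disjoint class B (/16) blocks, as in the slide's "two class B nets".
# These are sample prefixes made up for the example, not a real network.
ENTERPRISE = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("172.30.0.0/16")]

# Code Red II destination-choice proportions quoted on the slide.
CRII = {"class_b": 3 / 8, "class_a": 1 / 2, "internet": 1 / 8}


def fraction_inside(nets, scope):
    """Fraction of the addresses in `scope` that belong to any block in `nets`.
    CIDR blocks either nest or are disjoint, so an overlap covers min(size, size) addresses."""
    covered = sum(min(n.num_addresses, scope.num_addresses) for n in nets if n.overlaps(scope))
    return covered / scope.num_addresses


def uniform_hit_probability(nets):
    """P(one uniformly random IPv4 scan lands inside the enterprise)."""
    return sum(n.num_addresses for n in nets) / IPV4_SPACE


def crii_hit_probability(source, nets, p=CRII):
    """P(one Code Red II style scan from `source` lands inside the enterprise):
    a mixture of a random address in the source's /16, in its /8, and anywhere."""
    src = ipaddress.ip_address(source)
    same_b = ipaddress.ip_network(f"{src}/16", strict=False)
    same_a = ipaddress.ip_network(f"{src}/8", strict=False)
    return (p["class_b"] * fraction_inside(nets, same_b)
            + p["class_a"] * fraction_inside(nets, same_a)
            + p["internet"] * uniform_hit_probability(nets))


if __name__ == "__main__":
    print(f"uniform scan:               {uniform_hit_probability(ENTERPRISE):.2e}")
    # Constructed source addresses: one inside the enterprise, one out on the Internet.
    print(f"CRII scan from 10.20.5.7:   {crii_hit_probability('10.20.5.7', ENTERPRISE):.2e}")
    print(f"CRII scan from 203.0.113.9: {crii_hit_probability('203.0.113.9', ENTERPRISE):.2e}")
```

From outside, a Code Red II scan is even less likely than a uniform one to reach the enterprise (1/8 of 2^-15); from a single foothold inside, roughly 38% of its scans stay within the enterprise, which is the "exploit pieces of network it finds" effect and the reason outbound containment matters.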

Optimal Class B Search (v = 0.1%)

Optimal Class B Search Proportion

Flash Worm
- Also theory, due to Silicon Defense
- Scan all vulnerable servers first
- Build a map of worm spread
- Optimize the map for the routing picture (BGP)
- Launch worm; the worm carries the address map with it
- Limited by bandwidth
  – Tens of seconds to saturation on the Internet
  – 100 ms to saturate on an internal network
- Topological worms are similar
  – Use information on the host instead of a precomputed map
  – Slower, less efficient than flash, but no prep
- Flash/topological worms not reliably containable at present

Worm Containment: Goal
- Epidemic threshold: E(number of children) < 1
- Diagram labels: "Bad!" (above threshold) and "Good?" (below threshold)
- Sum_{i=0}^{∞} a^i = 1/(1-a) for a < 1

Worm Containment Approaches
- Host based vs. network based
- For scanning worms:
  – Block scans
  – Anything that will block scans will do in principle
  – HP, IBM, Silicon Defense have dedicated technology
  – Epidemic threshold = an average scan sees < 1.0 vulnerable machines

Basic Facts of Life with Worms
- Spread faster than any human response
  – Signatures need not apply
- Cannot reliably detect a novel worm on the first connection through us
  – Detecting unknown badness in arbitrary application data is just as hard as getting the applications right
- Depend instead on correlating multiple worm-like anomalies to get a reliable detect
- Doesn't work well inbound; need outbound
- Need complete deployment

Inbound vs. Outbound Containment
- This is why we need complete deployment to contain; otherwise we are just lowering v (slowing things down but not containing them).

CounterMalice Approach
- Inline device in the network
- Divide the network into cells
- Filters out scans (doesn't handle flash worms etc.)
- Contacting many destinations is odd
- Contacting many dead destinations is odder
- If we can cut off after T scans, then E(C) = TvPN < 1
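An added example (not from the slides) that puts the containment goal, the "average scan sees < 1.0 vulnerable machines" threshold and the CounterMalice cutoff condition into numbers: E(C) for a host allowed T scans, the 1/(1-a) expected tree size, the largest T that keeps a worm below threshold for a given v, and a seeded branching-process simulation. The transcript does not define the P and N factors in E(C) = TvPN, so the example assumes they equal 1.

```python
import math
import random


def expected_children(t_scans, v):
    """E(C): expected hosts one infected machine infects if it completes T scans before being
    cut off, each scan finding a vulnerable host with probability v. The slide writes
    E(C) = TvPN; P and N are not defined in the transcript, so this example takes them as 1."""
    return t_scans * v


def expected_total_infected(a, generations=None):
    """Sum_{i=0}^{n} a^i: expected size of the infection tree below one seed host when each
    host has a children on average. Over unlimited generations this is the slide's 1/(1-a)
    for a < 1 and diverges (an epidemic) for a >= 1."""
    if generations is None:
        return 1.0 / (1.0 - a) if a < 1.0 else math.inf
    return sum(a ** i for i in range(generations + 1))


def max_scans_under_threshold(v):
    """Largest T with T*v < 1: how many scans a host may finish before containment cuts it
    off while the worm still stays below the epidemic threshold."""
    t = int(1.0 / v)
    while t * v >= 1.0:
        t -= 1
    return t


def simulate_outbreak(t_scans, v, cap=5_000, seed=1):
    """Branching-process simulation: every infected host gets T scans, each a Bernoulli(v)
    hit on a fresh vulnerable host, until the outbreak dies out or `cap` hosts are infected.
    Returns the number of hosts infected (capped). Seeded so runs are reproducible."""
    rng = random.Random(seed)
    total = frontier = 1
    while frontier and total < cap:
        hits = sum(1 for _ in range(frontier * t_scans) if rng.random() < v)
        total += hits
        frontier = hits
    return min(total, cap)


if __name__ == "__main__":
    for v in (8e-5, 0.01):  # slide: 8e-5 for Code Red I; "1% would be really big"
        print(f"v = {v}: containment must cut off within {max_scans_under_threshold(v)} scans")
    for t_scans in (50, 99, 100, 400):
        a = expected_children(t_scans, 0.01)
        print(f"T = {t_scans}, v = 1%: E(C) = {a:.2f}, expected tree size "
              f"{expected_total_infected(a)}, simulated outbreak {simulate_outbreak(t_scans, 0.01)} hosts")
```

At v = 1% a host must be stopped within 99 scans; at the CRI density of 8×10^-5 the budget is about 12,500 scans, which is why a dense vulnerable population makes containment so much harder.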

Containment Simulation