Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Presentation transcript:


Worms – what are they?
Self-propagating code that spreads via the network
–Can have malicious payload
–Or not (Slammer worm)
Not viruses – which require some sort of user action to propagate

Recent Example: Code Red v2 (July 19th, 2001)
–360,000 hosts compromised in 14 hours
  Doubled in size every 37 minutes
–Peak infection rate of 2000 hosts/min
–Costs of recovery ~ $2.6 billion
–Exploited buffer overflow in MS IIS
  Patch had been released

Recent Example: Sapphire/Slammer worm – Jan 25, 2003
–Fastest spreading worm yet
–Affected at least 75,000 hosts
  90% compromised in first 10 minutes
  Doubled in size every 8.5 seconds (first minute)
–Peak scanning rate of 55 million scans/sec after 3 minutes
–No malicious payload: 1 UDP packet
  Overloaded networks
  Took database servers out of operation
  Cancelled airline flights, out-of-service ATMs, interference with elections
–Exploited buffer overflow in MS SQL Server or MSDE
  Patch had been released July 24th, 2002

Recent Example

Worms – Framework for understanding
Biological Model
–SI Model from study of infectious diseases
–Describes rate of growth of epidemics in finite systems
2 equations describe behavior of population: Or, equivalently: Solving this equation gives: (for some constant of integration T)

Biological model – accuracy
Figure: Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service, for Code Red I's reemergence on August 1st. The x-axis is the time of day on August 1st (Central US Time). The y-axis shows the monitored probe rate. (Code Red I re-emergence)
Figure: The early moments of the DShield dataset, matched against the behavior of a random-scanning worm. (Slammer/Sapphire)

Worm – scanning strategies
Model presented assumes random scanning for other hosts to infect. Other, more efficient scanning techniques possible:
–Localized
–Hit-list
–Permutation
–Warhol worm

Localized Scanning—Code Red II
A single-stage scanning worm that chose random IP addresses and attempted to infect them. Also used a localized scanning strategy where it was more likely to attempt to infect addresses relatively close to it. With probability 3/8 it chooses a random IP from within the class B address space of the infected network, ½ from its class A, and 1/8 from the whole internet. Very successful strategy. Allows the worm to spread very rapidly within an internal network with multiple hosts having the same vulnerability.

Multi-vector worms--Nimda
Worms are not restricted to a single method of propagation. Nimda used five methods:
–Infecting web servers from infected client hosts via probing for vulnerabilities.
–Bulk e-mailing of itself to addresses found on the host.
–Copying itself across open network shares.
–Adding code to web pages to infect clients that browsed the pages.
–Scanning for backdoors left by Code Red II.

Hit-list Scanning
Worms spend most of their time “getting off the ground”. They spread exponentially, but that means the majority of the attack only affects the first tens of thousands of victims. Hit-list scanning overcomes this problem by compiling a list of potentially vulnerable hosts before the worm is released. The worm scans the list and divides the list in two when a new host is infected. Lists can be created using several methods: stealthy scans, distributed scans from zombies, DNS searches, web crawlers, public surveys, and listening for advertisements.

Permutation Scanning
Random scanning is naturally inefficient and cannot detect when all potential hosts have been attacked. Permutation allows a worm to detect when a host is already infected, is self-coordinated, comprehensive, and looks like it is conducting a random scan. Worms share a common pseudo-random permutation of the IP address space generated by a 32-bit block cipher and a preselected key. An infected machine starts scanning just after its position in the permutation. When the worm sees an infected machine it chooses a new random start point.

Warhol Worm
Combination of a hit-list and permutation scanning. “Capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes.”

Worms – how to stop them
From epidemiology – 3 factors determine the spread of an infectious pathogen:
–Vulnerability of population
–Length of infectious period
–Rate of infection

Worms – how to stop them (2)

Factor: Vulnerability of population (size of vulnerable population)
Intervention: Prevention
Examples:
- Patch software
- Engineer software with fewer vulnerabilities (don’t use gets())
- Increase heterogeneity of software on internet (get rid of Microsoft, and all popular networked software)

Factor: Length of infectious period
Intervention: Treatment
Examples:
- Software patches (after outbreak) – but human timescales are too slow (16 days for most hosts to eliminate Code Red vulnerability)
- Automatic patches (virus software model)

Factor: Rate of infection
Intervention: Containment
Examples:
- Firewalls, content filters, automated routing blacklists
- Coordination among pervasive systems
- Slow or stop spread of infection

Containment Approach
Paper (“Internet Quarantine: Requirements for Containing Self-Propagating Code”) seeks to establish how well any containment approach can hope to perform against worms.
Looks at 3 main parameters:
–Reaction time
–Containment strategy
  Address blacklisting – requires continuous updates
  Content filtering – requires effective signatures
–Deployment

Containment strategies – Simulation Results
Idealized deployment
–Every node on network has containment software
  Info distributed instantly
Code Red v2 style worm
–360,000 vulnerable hosts out of 2^32
–10 probes/sec per infected host

Containment strategies – Simulation Results
Percentage of infected hosts after 24 hours.

Containment strategies – Simulation Results
Practical deployment
Use real internet topology of AS connectivity
Look at 2 deployment strategies:
–Filter at customer edge networks
–Filter in exchange point routers of major (highest outdegree) ASs
Same worm
All customer networks in XX% of ASs implement containment filtering

Containment strategies – Simulation Results
Reaction times required for effective worm containment
Notice that near-total containment is virtually impossible with aggressive worms in either deployment scenario
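An added Python simulation (not from the slides or the Internet Quarantine paper) of the idealized-deployment experiment: the logistic SI model the slides reference, driven by the Code Red v2 parameters given above (360,000 vulnerable hosts out of 2^32, 10 probes/sec per infected host). The containment semantics are assumptions: content filtering stops every probe once the reaction time has elapsed after the first infection, and address blacklisting blocks each infected host one reaction time after that host was infected.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses; a random-scanning worm probes them uniformly

def contact_rate(vulnerable, probes_per_sec):
    """K of the logistic SI model: new infections per infected host per second
    while almost every vulnerable host is still uninfected."""
    return probes_per_sec * vulnerable / ADDRESS_SPACE

def doubling_time_s(vulnerable, probes_per_sec):
    """Early-phase doubling time of the worm population, in seconds."""
    return math.log(2) / contact_rate(vulnerable, probes_per_sec)

def simulate(vulnerable=360_000, probes_per_sec=10.0, strategy="none",
             reaction_time_s=None, hours=24, dt=1.0, initially_infected=1):
    """Discrete-time SI simulation of a random-scanning worm with idealized,
    universally deployed containment (assumed semantics, see lead-in):
      "none"      - no containment
      "content"   - every probe is filtered once reaction_time_s has elapsed
                    since the first infection (signature deployed everywhere)
      "blacklist" - each infected host's address is blocked reaction_time_s
                    after that host was infected (blacklist learned per host)
    Returns the fraction of vulnerable hosts infected after `hours`."""
    steps = int(hours * 3600 / dt)
    lag = None if reaction_time_s is None else int(reaction_time_s / dt)
    infected = [0.0] * (steps + 1)           # cumulative infected hosts per step
    infected[0] = float(initially_infected)
    for t in range(steps):
        cur = infected[t]
        if strategy == "none" or lag is None:
            active = cur                     # every infected host keeps probing
        elif strategy == "content":
            active = cur if t < lag else 0.0
        elif strategy == "blacklist":        # hosts infected before t - lag are blocked
            active = cur - (infected[t - lag] if t >= lag else 0.0)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        # expected probes from active hosts that land on a still-vulnerable address
        new = active * probes_per_sec * dt * (vulnerable - cur) / ADDRESS_SPACE
        infected[t + 1] = min(float(vulnerable), cur + new)
    return infected[-1] / vulnerable

if __name__ == "__main__":
    print(f"early doubling time: {doubling_time_s(360_000, 10.0) / 60:.1f} min")
    for strategy in ("content", "blacklist"):
        for minutes in (10, 60, 120, 480):
            frac = simulate(strategy=strategy, reaction_time_s=minutes * 60)
            print(f"{strategy:9s} reaction {minutes:4d} min -> "
                  f"{100 * frac:6.2f}% infected after 24 h")
```

Blacklisting only wins when each host is blocked before it infects about one other (reaction time below roughly 1/K, here under 20 minutes), whereas content filtering tolerates a reaction time of an hour or two but fails completely once the exponential phase has run its course.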

Worm Defenses
One possible approach
–Peer-to-peer defense network

Cooperative Response Strategies for Large Scale Attack Mitigation
D. Nojiri, J. Rowe, K. Levitt, UC Davis

Cooperative Peer-to-peer Strategies
Direct cooperation occurs only between a limited number of friend organizations. Organizations receiving an alert report act according to their own local policy—there are no central authorities. “When a site detects suspicious worm-like behavior, its initial cooperation strategy is to share the information with its friend organizations…sharing produces a propagating mitigating response whose rate of spread is similar to that of the worm itself.”

Simulated Models of Mitigation Strategies
Investigate the global properties when complex decision making by cooperating members is involved.
Topology: Thousands of vulnerable hosts and hundreds of cooperating members are simulated. Members share worm reports. When the number of worm reports exceeds some threshold, a member’s response device protects its collection of vulnerable hosts from infection. Response devices are directly connected.

Response Devices
Two states: normal and alerted.
–Normal: receives alerts and raises alert level but does not send alerts.
–Alerted: blocks worm infection attempts using ingress and egress filtering and shares alerts with neighbors.
In the absence of worm activity the device backs off its alert level and can return to normal.
Model parameters: 1) average number of vulnerable hosts protected by device, 2) number of cooperating friends, 3) threshold for state change, 4) back-off rate, 5) alert severity.

False Alarms
Always a problem with security systems, including this model. See figure 6. Assume that 5% of all members incorrectly report a worm attack to their friends. With a lower alert threshold as many as 75% of all members begin blocking ‘worm’ attacks. Reducing the sensitivity reduces the impact of false positives but increases the risk of succumbing to attack.
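An added Python simulation, not from the slides or the Nojiri et al. paper, of the response-device model and the false-alarm scenario described above: each device has normal and alerted states, a threshold and a back-off rate, and alerted devices share alerts with their friends. The random mutual friend graph, the tick timing, and the rule that a device returns to normal only once fully backed off are assumptions; the function reports the peak fraction of members blocking when 5% of members falsely report an attack and no worm exists.

```python
import random

class ResponseDevice:
    """One cooperating member's response device: 'normal' accumulates alerts
    without forwarding them; 'alerted' blocks worm traffic and shares alerts."""

    def __init__(self, threshold, backoff):
        self.threshold, self.backoff = threshold, backoff
        self.friends, self.level, self.pending = [], 0.0, 0.0
        self.state = "normal"

    def receive(self, severity):
        self.pending += severity          # alert report delivered this tick

    def tick(self):
        """Fold in this tick's reports; return True on a normal->alerted change."""
        if self.pending > 0:
            self.level += self.pending
        else:                             # no worm activity reported: back off
            self.level = max(0.0, self.level - self.backoff)
        self.pending = 0.0
        was = self.state
        if self.level >= self.threshold:
            self.state = "alerted"
        elif self.level <= 0:             # fully backed off (assumed rule)
            self.state = "normal"
        return was == "normal" and self.state == "alerted"

def build_members(n, friends_per_member, threshold, backoff, rng):
    """Members joined by a random, mutual friend graph (assumed topology)."""
    members = [ResponseDevice(threshold, backoff) for _ in range(n)]
    for i, m in enumerate(members):
        for j in rng.sample([k for k in range(n) if k != i], friends_per_member):
            if members[j] not in m.friends:
                m.friends.append(members[j])
                members[j].friends.append(m)
    return members

def peak_false_alarm_fraction(n=200, friends_per_member=4, threshold=1,
                              backoff=0.2, false_reporters=0.05, ticks=40, seed=1):
    """Largest fraction of members blocking at any tick when 5% of members
    falsely report an attack (at their own threshold) and no worm exists."""
    rng = random.Random(seed)
    members = build_members(n, friends_per_member, threshold, backoff, rng)
    for m in rng.sample(members, int(n * false_reporters)):
        m.receive(threshold)              # constructed false alarm
    peak = 0.0
    for _ in range(ticks):
        newly = [m for m in members if m.tick()]
        for m in newly:                   # newly alerted device shares with friends
            for f in m.friends:
                f.receive(1.0)
        peak = max(peak, sum(m.state == "alerted" for m in members) / n)
    return peak
```

With a threshold of one report the false alarm cascades through nearly the whole friend graph, while a threshold of three confines the blocking to the false reporters themselves and a handful of their neighbours.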

Conclusion
Mathematical model shows that large scale worm attacks can be slowed by unleashing a controlled “white worm” that propagates at a faster rate.
Simulations model more complex responses and show that some defense benefits can be achieved when cooperating directly with peers.
Slow, stealthy worms and false positives are not well handled.

Closing thoughts/Questions
Containing worms is difficult – especially in partial deployment
–All or most IP-IP paths should be filtered
Containment/Prevention/Treatment? What’s best?
How do we contain multi-vector worms?
How do we deal with stealthy, slow spreading worms?
A more malicious Slammer – how much damage could it do?

References
BGP picture: Vern Paxson, Stuart Staniford, and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium (Security '02).
David Moore, Colleen Shannon, Geoffrey Voelker and Stefan Savage, Internet Quarantine: Requirements for Containing Self-Propagating Code, to appear in Proceedings of the 2003 IEEE Infocom Conference, San Francisco, CA, April 2003.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm, technical report, February 2003.