The Spread of the Sapphire/Slammer Worm. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver. Presented by Stefan Birrer.

Presentation transcript:

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer

2 Sapphire Worm
● Fastest computer worm in history
● Doubled in size every 8.5 seconds
● 90% of vulnerable hosts within 10 minutes
● aka Slammer
● January
● Microsoft's SQL Server
  – Flaw was discovered in July 2002
  – Patch was released before it was announced
● hosts

3 Why?
● Patch was released half a year before the outbreak
● Service is generally not publicly used (port 1434)
● If users were not so ignorant, this worm would never have existed
  – Firewalls were already known
  – So was their benefit
  – Vulnerability was known
  – None of the affected systems had applied the patch

4 Sapphire: A Random Scanning Worm
● Exponentially rapid
● Random constant spread (RCS) model
● Spread initially conformed to the RCS model, before it began to saturate
● Bandwidth-limited (only one-way communication)
  – Send and never care
  – Latency-limited
    ● Send and wait for response (RTT)
● 30,000 scans/second

5 Pseudo Random Number Generator (PRNG)
● X' = (X * a + b) mod m
  – Very efficient
  – Reasonably good distributional properties
● Implementation flaws
  – A single worm instance didn't scan the full network
  – However, all worm instances together still reached the full network
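
Added example (not part of the original slides or the paper): why a generator of the form X' = (X * a + b) mod m can leave one instance stuck on part of the space while differently seeded instances together still cover it. For m = 2^k the Hull-Dobell conditions for a full period are b odd and a mod 4 = 1; the constants below are constructed toy values on a 16-bit space, not the worm's.

```python
# Cycle structure of X' = (X*a + b) mod m for m = 2**k.
# All constants are constructed toy values, not taken from any real worm.

def lcg_cycle(seed, a, b, m):
    """States visited from seed until the generator revisits a state."""
    seen, x = set(), seed
    while x not in seen:
        seen.add(x)
        x = (x * a + b) % m
    return seen

def has_full_period(a, b):
    """Hull-Dobell conditions specialised to m = 2**k with k >= 2."""
    return b % 2 == 1 and a % 4 == 1

def cycle_lengths(a, b, m):
    """Sorted lengths of all disjoint cycles (a odd, so the map is a bijection)."""
    remaining, lengths = set(range(m)), []
    while remaining:
        cyc = lcg_cycle(next(iter(remaining)), a, b, m)
        lengths.append(len(cyc))
        remaining -= cyc
    return sorted(lengths)

def coverage(seeds, a, b, m):
    """Fraction of the m-value space reached by instances started at seeds."""
    reached = set()
    for s in seeds:
        reached |= lcg_cycle(s, a, b, m)
    return len(reached) / m

if __name__ == "__main__":
    M = 2 ** 16   # toy 16-bit "address space"
    A = 5         # satisfies a % 4 == 1
    for b in (3, 2, 4):   # odd increment, then two flawed (even) increments
        print(f"b={b}: full period predicted={has_full_period(A, b)}, "
              f"one seed covers {coverage([1], A, b, M):.2%}, "
              f"seeds 0..7 cover {coverage(range(8), A, b, M):.2%}")
    # Small space where every cycle can be listed: some seeds never move.
    print("cycle lengths for a=5, b=4, m=16:", cycle_lengths(5, 4, 16))
```

With an even increment the parity of X never changes, so no single seed can reach more than half of the space; for defenders this means traffic from one infected host under-samples the address space, while the aggregate from many hosts does not.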

6 Spread and Operator Response
● 55 million scans per second across the Internet in under 3 minutes
● Destination port was fixed (UDP port 1434)
  – Not widely used
  – Easy to block
● Constant scan rate
  – Easy to identify

7 Conclusions
● Speed is not dependent on protocol
● A smaller population can be a target and therefore a threat
  – 20,000 nodes in under one hour
● What would happen if it stopped scanning after 10 minutes?
  – Hard to identify attack
  – Hard to identify infected machines
● The world became aware of the threat (at least for some time)
  – One could think it was a lesson, but history proves us wrong (How many worms do you get per day?)

8 ?