Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Worms Crawl In The Worms Crawl Out 15-744 David Andersen.

Published byGladys Terry Modified over 8 years ago

Similar presentations

Presentation on theme: "The Worms Crawl In The Worms Crawl Out 15-744 David Andersen."— Presentation transcript:

1 The Worms Crawl In The Worms Crawl Out 15-744 David Andersen

2 Credits ● Parts of these slides are heavily inspired by Stefan Savage's NDSS 2005 talk ● (Some bits are stolen verbatim) ● See – http://www.cs.ucsd.edu/~savage/papers/InternetOutbreak.NDSS05.pdf for original, much prettier, slides http://www.cs.ucsd.edu/~savage/papers/InternetOutbreak.NDSS05.pdf

3 Threat Model Traditional ● High-value targets ● Insider threats Worms & Botnets ● Automated attack of millions of targets ● Value in aggregate, not individual systems ● Threats: Software vulnerabilities; naïve users

4 ... and it's profitable ● Botnets used for – Spam (and more spam) – Credit card theft – DDoS extortion ● Flourishing Exchange market – Spam proxying: 3-10 cents/host/week – 25k botnets: $40k - $130k/year – Also for stolen accounts, compromised machines, credit cards, identities, etc. (be worried)

5 Why is this problem hard? ● Monoculture: little “genetic diversity” in hosts ● Instantaneous transmission: Almost entire network within 500ms ● Slow immune response: human scales (10x-1Mx slower!) ● Poor hygiene: Out of date / misconfigured systems; naïve users ● Intelligent designer... of pathogens ● Near-Anonymitity

6 Example Outbreak: SQL Slammer (2003) ● Single, small UDP packet exploit (376 b) ● First ~1min: classic random scanning – Doubles # of infected hosts every ~8.5sec – (In comparison: Code Red doubled in 40min) ● After 1min, starts to saturate access b/w – Interferes with itself, so it slows down – By this point, was sending 20M pps – Peak of 55 million IP scans/sec @ 3min ● 90% of Internet scanned in < 10mins ● Infected ~100k or more hosts

7 Digression: Fast Worms ● How fast could a really fast worm spread? ● Localized scanning: Preferential scanning of “nearby” hosts – Host density not uniform ● Multi-vector worms: Can find more vulnerable hosts ● Hit-list scanning: Pre-identify many “seed” machines; divide & conquer – Scanning; DNS; spiders; surveys; passive

8 Fast Worms, Cont'd. ● Permutation Scanning – Don't scan purely randomly; divide scan space intelligently among worms – Simple permutation -> coordinated behavior ● How fast? – Easy: A couple of minutes for the entire 'net – Pre-scanning: 10s of seconds? – Pre-scanning, UDP, insane effort: < 2sec? ● (follow-on paper to the one we're reading) ● Exponential growth is a pain...

9 An Ounce of Prevention? ● Get rid of the vulnerabilities (testing, modeling, proving, engineering, etc.) – Soundness, completeness, usability... ● Permute vulnerabilities (e.g., address space randomization) – makes it harder to compromise ● Block traffic (firewalls): helps, but many worms slipped inside firewalls. Only takes one vulnerable computer wandering between in & out or multi- homed, etc. We keep trying, but worms keep worming

10 Hygiene ● Keep vulnerable hosts off network – Must scan / etc., before connecting – Some commercial products do this ● Helps, but not entire problem – 0-day worms – Incomplete vuln. databases – etc.

11 Containment ● Slow down scan rate – Allow hosts limited # of new contacts/sec. – Can slow worms down, but they do still spread ● Quarantine – Detect worm, block it

12 Reactive “Immune System” ● Reaction time: How long to detect & react? ● Containment strategy: How the behavior is (1) identified; and (2) stopped ● Deployment strategy: Who participates? End- hosts? Routers?

13 Strategies ● Reaction time: seconds? ● Containment: – Address blacklisting (more false positives make it harder to be aggressive) – Content filtering ● Deployment – Top 40 ISPs provide decent containment – But really, need lots and lots of nets

14 Detection ● Behavior: Contacting 1000s of hosts, etc. ● Honeypots: Hosts nobody should contact – Traffic assumed to be malicious – Replies to traffic, permits real/pretend infection – Virtual machines / honeyd / etc. ● After detection: signature inference

15 Signature Inference ● Content prevalence: Autograph, EarlyBird, etc. – Assumes some content invariance – Pretty reasonable for starters. – Goal: Identify “attack” substrings ● Maximize detection rate ● Minimize false positive rate

16 Common strings ● Definition of substring: – Byte range, protocol, port (why?) ● First: identify common packets – Hash and count? ● Saw from Snoeren – still has pretty large memory requirements – “heavy-hitter” identification: only need the common stuff, so sampling should work well ● This paper uses “multi-stage” filters: basically a counting bloom filter like we talked about last time

17 Common Substrings ● Fix length as beta (small) ● Use Rabin Fingerprinting to efficiently hash – Shift values in & out of polynomial – O(N) computation for O(N) bytes ● Reduce the # by sampling – But must deterministically sample (why?) – Sample only values whose low-order hash bits are zero (or somehing else) – This trick is used for lots of things...

18 Finding the Guilty ● Address Dispersion – Scanning worms will cover more addresses than most “legitimate” content – How many distinct sources/dests ● EarlyBird technique: scaled bitmap – 1/(2^n)th of hash space -> bitmap ● e.g., hash(src) -> [0, 63], bitmap [0,31] – When bitmap fills, double hash size ● hash(src) -> [0, 127]; increment scale counter – Small tweak: Keep 2 older bitmaps, correct for double counting

19 False Negatives in EB ● False Negatives – Very hard to prove... – Earlybird detected all worm outbreaks reported on security lists over 8 months – EB detected all worms detected by Snort (signature- based IDS) ● And some that weren't

20 False Positives in EB ● Common protocol headers – HTTP, SMTP headers – p2p protocol headers ● Non-worm epidemic activity – Spam – BitTorrent (!) ● Solution: – Small whitelist...

21 Distributing Signatures ● No time; see Dawn Song's work for some pointers on distributing verifiable signatures – Requires access to vulnerable binary – Creates signatures based on actual vulnerability, not content prevalence. Can be better – but slower – than prevalence metrics ● Have to get the signatures sent around fast ● Trust?

22 Unrelated: Presentations ● See David Patterson's “How to Give a Bad Talk” advice... ● Be neat ● Be concise! <= 7 bullets/slide, LARGE FONTS – Talk about the most important things – Your talk is an advertisement for your paper, not a complete summary. You MUST downsample, so do it well. ● Use pictures! Words + words == mental confict; words + pictures = reinforcement ● Use color, italics, bold to emphasize (and do it consistently) ● Make eye contact with audience ● Practice your talk! Even for this class

Download ppt "The Worms Crawl In The Worms Crawl Out 15-744 David Andersen."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.

Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.

 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern.
Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.

Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement

Similar presentations

Ads by Google