
Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai


1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai University of Massachusetts, Amherst

2 Worm Propagation Illustration
Find new targets: IP random scanning
Compromise targets: exploit vulnerability
Newly infected join the infection army
IPv4 space

A computer worm is a malicious program that can automatically find and infect other vulnerable computers through a computer network, such as the Internet. First, I will use this picture to illustrate how a computer worm spreads in the Internet. Suppose this is the entire IPv4 address space. The blue computers are vulnerable to a specific computer worm and the gray ones are not. At the beginning, one computer is infected. It randomly picks IP addresses to scan in order to find new targets. Scans that end up on either empty IP addresses or non-vulnerable computers cause no new infection. When one scan finds a vulnerable target, that target is infected and immediately joins the infection process by sending out scans too, together with the previously infected ones. So one becomes two. After roughly the same amount of time, another two are infected and two become four. Then more worm scans are sent out and four become eight, even more scans are sent out, and so on.

3 Why Random Scanning?
Very simple to program
High coverage, hard to shut down: any vulnerable host with a global IP can be directly infected by any infected one
Propagates very fast on the IPv4 Internet: Slammer infected 90% in 10 minutes; the IPv4 space is small enough for blind shooting
Shooting in the dark (the IPv4 space is big): 1 out of 40,000+ Slammer scans hits a target
Bandwidth simulation: consider the unsuccessful scans

All the widely spreading worms of the last several years have chosen random scanning as their primary infection mechanism. Why? First, random scanning is very easy to program and very compact; a simple random number generator is enough. Second, through random scanning a worm can infect most vulnerable computers in the entire Internet, and this infection mechanism is very hard to shut down because any vulnerable host with a global IP can be directly infected by any infected one. No multi-hop infection is needed for a vulnerable host to be infected. Third, a random scanning worm can propagate very fast. The Slammer worm infected 90% of the vulnerable computers in the entire Internet within 10 minutes because the IPv4 space is small enough for a worm to shoot blindly. However, I want to emphasize the following important fact: Slammer had fewer than 100,000 vulnerable hosts and scanned the entire IPv4 space, so an infected host needed to send out on average more than 40,000 scans before hitting a target that was either vulnerable or already infected. This is a very important fact of worm propagation. If you want to simulate a worm at packet level on the Internet scale, you first have to think about how to simulate those unsuccessful scans accurately.

4 Motivation: How Fast Can a Worm Spread?
Scanning rate η: coding skill, TCP/UDP protocol; bandwidth-limited worm (Slammer, Witty)
Number of initially infected hosts I0: hit-list worm (Warhol, flash) [Weaver’01]
Scanning efficiency p: local preference scanning; removing empty IPs from the scanning space; routing worm

In order to be well prepared for future worm attacks, we need to study how attackers might improve their worm attacking techniques. To increase a worm’s propagation speed, first, attackers can increase their worm’s scanning rate η, which is the number of IP addresses an infected host probes per unit time. The scanning rate is determined by the TCP/UDP protocol and also by the attacker’s coding skill. Bandwidth-limited worms, such as Slammer or Witty, have maximized their scanning rate. The second way is to increase the initially infected population. Weaver presented the “hit-list worm”, which increases infection speed this way by including a hit list of a large number of vulnerable hosts in the worm code. The third thing an attacker can do is to increase a worm’s scanning efficiency p, which is the probability that a worm scan finds a vulnerable target. To achieve this, a worm can remove the obviously empty IP addresses from its scanning space. In this paper we present a new advanced worm, called the routing worm, based on just this idea.

5 What Is a Routing Worm?
Contains information about the BGP routable space
The other IP space: not Internet reachable
Scanning the other IP space produces no infection
Routable IPv4 space increases slowly: NAT, CIDR, DHCP

A routing worm contains BGP routing prefix information such that it only scans IP addresses in the BGP routable space. Because the rest of the IPv4 space is not Internet reachable, scanning those IP addresses is wasted and generates no new infection. Why is this important? In this figure, the X-axis is the time from Nov. 97 to this month, and the Y-axis shows the percentage of the IPv4 space allocated for Internet routing over the last 8 years. You can see that the Internet IP address space has been used efficiently in the last 8 years due to three methods of easing the IP address shortage: NAT (network address translation), CIDR (Classless Inter-Domain Routing) and DHCP (Dynamic Host Configuration Protocol). Currently only about one third of the IPv4 space belongs to the BGP routable space.

6 BGP Routing Worm
Contains the non-overlapping BGP prefixes: remove a “/24” prefix if BGP already contains the “/16” prefix covering it (routing table of Sept. 22, 2003)
Increases the worm’s speed > 3 times: scanning space 28.6% of the IPv4 space; scanning efficiency p = N/Ω; Code Red: 12,000 scans per hit -> Routing: 3,500
Payload requirement: 175KB, a big payload for worm propagation

The straightforward way to build a routing worm is to include the BGP routing prefixes in the worm code after removing the overlapping ones. For example, it is possible that the BGP routing table contains both of these prefixes, but the bigger prefix contains all IPs in the smaller prefix, so the worm does not need to consider the smaller one. After removing overlapping prefixes, according to our analysis of the routing table of Sept. 22, 2003, a BGP routing worm needs to contain 62,000 of the original 140,000 BGP routing prefixes. In this way, the worm only needs to scan less than 30% of the IPv4 space and increases its scanning efficiency three times. For example, according to CAIDA analysis, the Code Red worm had a vulnerable population of 360,000 when it spread out. Since it uniformly scans the entire IPv4 space, on average an infected host needs to probe 12,000 IP addresses in order to find one vulnerable target. If Code Red used routing worm scanning, it would only need to probe 3,500 in order to find a vulnerable target. The problem of this BGP routing worm is that it needs a big payload for the BGP routing prefixes, which could slow down the worm’s spreading speed.

7 “/8” Routing Worm
IANA provides the /8 address allocations: x.0.0.0/8; 256 /8 prefixes in the IPv4 space
116 “/8” prefixes contain all of the BGP routable space
Scanning space: 45.3%; payload: 116 bytes
Sample of the /8 allocation:
002/8 : IANA - Reserved
003/8 : General Electric Company
018/8 : MIT
056/8 : U.S. Postal Service
214/8 : US-DOD
216/8 : American Registry for Internet Numbers
224/8 : IANA - Multicast

Therefore, attackers might try this /8 routing worm. The Internet Assigned Numbers Authority (IANA) publishes the Internet /8 address allocation. The IPv4 Internet has 256 /8 prefixes in total. This table is a sample of the /8 address allocation. Some /8 networks have been allocated to big companies, universities and government branches; some others have been reserved for multicast or future use. We found that, for the routing table we processed, 116 /8 prefixes contain all the BGP routing prefixes. Therefore, a /8 routing worm only needs to add a 116-byte payload in order to decrease its scanning space by more than half. (ARIN: American Registry for Internet Numbers.)

8 Routing Worm based on Aggregated BGP Prefixes
Trade-off between scanning space and prefix payload
/16 routing worm to /8 routing worm: “/n” aggregation (n = 8~16)
/8 routing worm applicable to bandwidth-limited worms

In fact, you can think of a /8 routing worm as an extreme case where all BGP routing prefixes are aggregated to /8 size. Attackers can use different /n aggregations in order to trade off the size of the worm’s scanning space against the worm’s payload. This figure shows the size of the scanning space and the prefix payload for different /n aggregations. Worm payload plays a critical role in a bandwidth-limited worm, such as the Slammer worm and the Witty worm. In the future, attackers might deploy the /8 routing worm for their bandwidth-limited worms, since this routing worm only adds a bit more than 100 bytes to the worm code.

9 Routing Worm Propagation Study
Ω: scanning space; N: number of vulnerable hosts; η: average scan rate
Code Red style worm: η = 358/min, N = 360,000
Hit-list: I0 = 10,000
BGP routing: Ω = 0.29 · 2^32
/8 routing: Ω = 0.45 · 2^32

Now we show how fast a routing worm can spread. This is the fundamental worm propagation model used by many people. I_t is the number of infected hosts at time t, N is the total number of vulnerable hosts when the worm spreads out, η is the worm’s average scan rate, and Ω is the size of the worm’s scanning space. Most previous worms scanned the entire Internet, so their Ω equals 2^32. Let us study a Code Red style worm. This curve shows how Code Red spreads. When it is transformed into a hit-list worm, assuming the worm has a hit list containing 10,000 IP addresses of vulnerable hosts, this curve shows how the hit-list worm spreads. Basically, a hit-list worm removes the initial long infection time. On the other hand, if the Code Red worm is transformed into a routing worm, these two curves show the propagation of the BGP routing worm and the /8 routing worm. Compared to a hit-list worm, they are slower at the beginning, but their spreading speed is faster. Because the hit-list worm and the routing worm increase a worm’s speed through two different techniques, they can be easily combined into a hit-list routing worm, whose propagation is shown as this curve.

10 Congestion Challenge
Traditional scanning worm: network congestion happens in the local networks
Simulation: 1/3 of the scans contribute congestion to both the source and the destination local networks

A routing worm also poses two challenges to the security community. First, a routing worm can cause more congestion trouble to the Internet than an ordinary worm. Suppose in this local network there is one infected computer. These four routers are Internet backbone routers containing the complete BGP routing prefixes. When the worm scans the entire IPv4 space, since currently only one third of the IP space is Internet routable, on average, among three scans sent out by the worm, two will be dropped immediately before they enter the Internet backbone, and only one will travel across the backbone to reach the other local network. Therefore, when a traditional worm causes Internet congestion, it is mainly local network congestion, while the Internet backbone does not feel much pressure.

11 Congestion Challenge
Routing worm: generates three times more scanning traffic on the Internet backbone

On the other hand, if it is a routing worm, then this entrance router cannot drop any scans. All worm scans will travel across the Internet backbone and can only be dropped at the target local networks. Therefore, a routing worm will generate three times more scanning traffic on the Internet backbone. When a routing worm causes congestion, the congestion might be everywhere and will affect all Internet communications.

12 Fast Detection Challenge
Detection of local infected hosts: excessive number of failed connection requests
2/3 of the scans of an ordinary worm are non-routable
Routing worm detection needs the connection response (RST, timeout)

The second challenge is that a routing worm makes it harder to detect local infected computers. For local detection, the most popular way is to rely on the fact that a worm-infected computer sends out many more failed connection requests than a normal computer. For a traditional worm, we do not need to wait for connection responses in order to know that a computer is infected, because on average two thirds of the worm scans target IP addresses that are not in the BGP routable space. However, for a routing worm we cannot rely on this fact for detection and have to wait for the connection response (RST or timeout) to know whether a connection fails. This difference in detection time might be critical in defending against a fast spreading worm.
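The detection-time difference described on this slide, and the overlap removal from slide 6, as an added example (not code from the presentation or its authors). The routable-prefix table and the scan events are constructed toy data, not a real BGP snapshot or real traffic; the threshold, the 21-second timeout and the host addresses are assumptions. The detector counts a scan as a known failure immediately when its destination lies outside the routable table, and only once an RST or timeout is observed when the destination is routable, so the time at which a host crosses the failed-connection threshold shows how much longer a routing-worm host takes to flag:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed toy "BGP routable" table (NOT a real routing snapshot). The /24
# inside the /16 is deliberately redundant, as on slide 6; collapse_addresses
# drops it, leaving only prefixes that are not covered by a larger one.
TOY_ROUTABLE_PREFIXES = [
    "198.51.0.0/16", "198.51.100.0/24",
    "203.0.113.0/24", "192.0.2.0/24", "100.64.0.0/10",
]


def build_routable_table(prefixes):
    """Parse prefixes and remove any prefix already covered by a larger one."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


ROUTABLE = build_routable_table(TOY_ROUTABLE_PREFIXES)


def is_routable(addr, table=ROUTABLE):
    """True if addr falls inside some prefix of the routable table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in table)


@dataclass
class ScanEvent:
    sent_at: float            # seconds; when the connection attempt left the LAN
    src: str                  # local host that sent it
    dst: str                  # destination address
    response: Optional[str]   # "SYN-ACK", "RST", "TIMEOUT", or None if nothing seen
    response_at: Optional[float] = None


def failure_known_at(ev, table=ROUTABLE):
    """Earliest time the monitor can be sure this attempt failed, or None."""
    if not is_routable(ev.dst, table):
        return ev.sent_at          # non-routable destination: known to fail at once
    if ev.response in ("RST", "TIMEOUT"):
        return ev.response_at      # routable destination: must wait for the response
    return None


def first_flag_times(events, threshold, table=ROUTABLE):
    """Map src -> time at which its count of known failures reached threshold."""
    known = []
    for ev in events:
        at = failure_known_at(ev, table)
        if at is not None:
            known.append((at, ev.src))
    known.sort()
    counts, flagged = {}, {}
    for at, src in known:
        counts[src] = counts.get(src, 0) + 1
        if counts[src] == threshold:
            flagged[src] = at
    return flagged


def _burst(src, dsts, start, response, delay):
    """Constructed helper: one attempt per second from src, responses after delay."""
    return [ScanEvent(start + k, src, d, response,
                      None if response is None else start + k + delay)
            for k, d in enumerate(dsts)]


# Constructed sample traffic (assumed hosts 10.0.0.5/6/7, assumed 21 s timeout).
SAMPLE_EVENTS = (
    # traditional-worm host: about 2/3 of its targets lie outside the routable table
    _burst("10.0.0.5", ["11.0.0.1", "203.0.113.7", "12.0.0.1", "13.0.0.1", "192.0.2.9",
                        "14.0.0.1", "15.0.0.1", "100.64.3.3", "16.0.0.1"],
           0.0, "TIMEOUT", 21.0)
    # routing-worm host: every target is routable, failures only visible after timeout
    + _burst("10.0.0.6", ["203.0.113.%d" % k for k in range(1, 10)], 0.0, "TIMEOUT", 21.0)
    # benign host: a few successful connections
    + _burst("10.0.0.7", ["203.0.113.80", "192.0.2.80", "100.64.9.9"], 0.0, "SYN-ACK", 0.05)
)

if __name__ == "__main__":
    print("routable table:", [str(n) for n in ROUTABLE])
    for src, at in sorted(first_flag_times(SAMPLE_EVENTS, threshold=5).items()):
        print("%s flagged at t=%.1fs" % (src, at))
```

With a threshold of five failures, the traditional-worm host is flagged at its fifth non-routable destination (t = 6 s here), while the routing-worm host is not flagged until the timeouts arrive (t = 25 s), and the benign host never is. The non-routable shortcut is only as trustworthy as the freshness of the routable table; a stale table misclassifies newly announced prefixes as non-routable and inflates a host's failure count.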

13 Routing Worm: A Selective Attack Worm
Imposes damage based on the victims’ IP addresses: IP address -> BGP routing prefix -> AS -> company, ISP, country
Pinpoint attack on a specific target: potential terrorist attack, hater attack

Another dangerous aspect of the routing worm is that it can conduct selective attacks. There is much research on how to map BGP routing prefixes to Autonomous Systems, and then to companies, ISPs and countries. With the BGP routing prefixes in the worm code, a routing worm can pinpoint an attack on a specific country or company, destroying computers in the target area while leaving all infected computers in other areas intact. This selective attack makes a routing worm an ideal attacking tool for international terrorists or certain company haters.

14 Selective Attack: a Generic Attacking Technique
Selective attack: exploit any information about the compromised hosts
OS (illegal OS, language, time zone)
Software (a specific program installed)
Hardware (CPU, memory, network card)
Increase worm propagation speed: maximize the infectious power of the compromised hosts; multi-thread worm (Code Red, Sasser)

In fact, selective attack is a very generic attacking technique. A worm can exploit any information it can get on compromised computers. For example, a worm can destroy only computers installed with illegal Windows, or only those with a specific software or hardware installed. In addition, the selective attack idea can be used by attackers to increase their worm’s propagation speed. For example, Code Red and the Sasser worm (128 threads) are multi-thread worms that always generate a fixed number of infection threads on compromised computers. In fact, a computer with a dial-up connection can only support several worm threads, while a high-end web server can support thousands of worm infection threads. So a worm can generate a different number of infection threads on different computers to increase the worm’s propagation speed.

15 Is Routing Worm a Real Threat?
The BGP routing table is open to the public: increases infection speed 2~3 times; pinpoint target attack
Easier than a hit-list worm to implement: one routing dataset for all worms; different security holes need different hit lists for a hit-list worm; no need for hit-list collection

People have presented many advanced worms in the past, like the hit-list worm, the famous Warhol worm, and the peer-to-peer worm. A natural question then is: is this routing worm a real threat? We believe it is, for the following reasons. First, the BGP routing table is public information that we cannot prevent attackers from exploiting. Attackers can use it to easily drop the scanning space by more than half without any coding difficulty. Second, a routing worm is easier than a hit-list worm to implement. Attackers can use the same routing dataset for all their scanning worms. On the other hand, for a hit-list worm, attackers have to collect the IP addresses of a large number of vulnerable computers beforehand. The hit-list data cannot be reused easily because different security holes may have different vulnerable populations, and computers’ IP addresses change frequently.

16 Defense: Upgrading IPv4 to IPv6
Increase the scanning space: IPv4 -> IPv6
Smallest BGP prefix in IPv6: /64; address usage inside a /64 is not in BGP
40 years to infect 50% of the hosts in a /64 network (N = 1,000,000, η = 100,000/sec, I0 = 1000)
Limitation: eliminates the scanning mechanism only; upgrading is a controversial issue

The routing worm increases its speed by decreasing the scanning space, so the fundamental defense is to increase the scanning space by upgrading from IPv4 to IPv6. In IPv6, the smallest BGP routing prefix is /64. Attackers can still use the BGP routing table, but they cannot know the address allocation within any /64 local network. A /64 network is very big for random scanning: for example, a worm with a scan rate of 100,000 per second would need 40 years to infect just half of the vulnerable hosts in a /64 network. Therefore, upgrading to IPv6 will eliminate the random scanning worm propagation mechanism. Of course, this upgrade will not eliminate worms, but will force worms to use other infection mechanisms. In addition, upgrading to IPv6 is still a controversial issue.
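The propagation comparison on slide 9 and the /64 calculation on this slide, worked through as an added example (not code from the presentation or its authors). The slides name the symbols I_t, N, η and Ω but do not print the equation; the code assumes the simple epidemic model dI/dt = (η/Ω) · I · (N − I), whose closed-form solution and its inverse give the time to reach any infected fraction. The scenario parameters are the ones printed on the slides; the Euler cross-check step size and the year length are assumptions:

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
IPV4 = 2 ** 32


def growth_rate(scan_rate, population, scan_space):
    """Exponential growth constant eta * N / Omega of the assumed model."""
    return scan_rate * population / scan_space


def infected_at(t, scan_rate, population, scan_space, initial_infected=1):
    """Closed-form I(t) of dI/dt = (eta/Omega) * I * (N - I) with I(0) = I0."""
    n, i0 = population, initial_infected
    r = growth_rate(scan_rate, n, scan_space)
    return n / (1.0 + (n - i0) / i0 * math.exp(-r * t))


def time_to_fraction(frac, scan_rate, population, scan_space, initial_infected=1):
    """Time at which I(t) = frac * N, obtained by inverting infected_at."""
    if not 0.0 < frac < 1.0:
        raise ValueError("frac must be strictly between 0 and 1")
    n, i0 = population, initial_infected
    r = growth_rate(scan_rate, n, scan_space)
    return math.log(frac / (1.0 - frac) * (n - i0) / i0) / r


def simulate_time_to_fraction(frac, scan_rate, population, scan_space,
                              initial_infected=1, dt=0.01):
    """Forward-Euler integration of the same ODE, used to cross-check the formula."""
    n = population
    r = growth_rate(scan_rate, n, scan_space)
    i, t = float(initial_infected), 0.0
    while i < frac * n:
        i += dt * (r / n) * i * (n - i)   # (eta/Omega) * I * (N - I) == (r/N) * I * (N - I)
        t += dt
    return t


# Slide 9 parameters: Code Red style worm, scan rate per minute.
CODE_RED = dict(scan_rate=358.0, population=360_000, scan_space=IPV4)

SCENARIOS = {
    "Code Red style (whole IPv4)": dict(CODE_RED),
    "Hit-list, I0 = 10,000": dict(CODE_RED, initial_infected=10_000),
    "BGP routing worm (Omega = 0.29 * 2^32)": dict(CODE_RED, scan_space=0.29 * IPV4),
    "/8 routing worm (Omega = 0.45 * 2^32)": dict(CODE_RED, scan_space=0.45 * IPV4),
    "Hit-list + BGP routing": dict(CODE_RED, initial_infected=10_000,
                                   scan_space=0.29 * IPV4),
}


def half_infection_times():
    """Minutes until half of N is infected, for each slide-9 scenario."""
    return {name: time_to_fraction(0.5, **p) for name, p in SCENARIOS.items()}


def ipv6_slash64_years(frac=0.5):
    """Slide 16 numbers: N = 1,000,000, eta = 100,000/s, I0 = 1,000, Omega = 2^64."""
    seconds = time_to_fraction(frac, 100_000.0, 1_000_000, 2.0 ** 64, 1_000)
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for name, minutes in half_infection_times().items():
        print("%-42s 50%% infected after %7.1f min" % (name, minutes))
    print("IPv6 /64 network: 50%% infected after %.1f years" % ipv6_slash64_years())
```

Shrinking Ω by a factor scales the time to any given fraction by the same factor, which is why the BGP routing worm reaches half of N in 0.29 of the time the whole-IPv4 worm needs; the hit list instead removes the initial slow phase by shrinking the logarithmic term, and the two effects multiply when combined. Run with the /64 parameters, the same formula returns roughly 40 years, matching the figure on the slide.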

17 Summary
Routing worm: contains BGP routing information; a faster spreading worm; a selective attack worm
Challenges: easy to implement by attackers; more congestion on the Internet backbone; harder to quickly detect local infected hosts
Defense: IPv4 -> IPv6; limitation: eliminates random scanning only

In summary, a routing worm contains BGP routing information and only scans addresses in the BGP routable space. A routing worm propagates faster than a traditional worm, and attackers can use it to conduct a pinpoint heavy attack on a specific country, company, or ISP. The routing worm is a real threat since it is very easy for attackers to implement. In addition, a routing worm poses more congestion trouble to the Internet backbone and makes it harder to quickly detect local infected computers. The fundamental defense against routing worms and all other scanning worms is to upgrade the current IPv4 Internet to IPv6. However, this can only eliminate the random scanning mechanism of worms, and the upgrade is still a controversial issue.

