Presentation is loading. Please wait.

Presentation is loading. Please wait.

Very Fast Containment of Scanning Worms

Published byUlrik Thorsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Very Fast Containment of Scanning Worms"— Presentation transcript:

1 Very Fast Containment of Scanning Worms
By Nicholas Weaver Stuard Stainford Vern Paxson Presented by Yan Zhang

2 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

3 Worms Definition: Damages:
Malicious program that propagates copies of itself to other computers Damages: consuming bandwidth make network inaccessible, cost millions of dollars 12/30/2018 Coputer Sci & Engr, USC

4 How Can Worm Acquire Targets?
Routing Worm BGP( Broader Gateway Protocol) information can tell which IP address blocks are allocated Pre-generated Hit List( Flash Worm) Hit list of vulnerable machines is sent with payload Topological Uses info on the infected host to find the next target Stealth / Passive Waits for a vulnerable system to contact it, no active scanning Scanning Virus 12/30/2018 Coputer Sci & Engr, USC

5 Scanning Worms Operate by picking random addresses, attempting to infect them Linear scanning (e.g. Blaster) Fully random (Code Red) Bias toward local addresses (Code Red II, Nimda) Permutation scanning 12/30/2018 Coputer Sci & Engr, USC

6 Scanning Worms Properties: Containment:
Most scanning attempts result in failure Infected machines will institute many connection attempts Containment: Seeks a class of behavior instead of specific worm signatures 12/30/2018 Coputer Sci & Engr, USC

7 How to mitigate the spread of scanning worm?
Prevention 􀂄Reduce size of vulnerable population 􀂄Single victim can infect millions of vulnerable hosts 􀂄Complete infection of local network from single original source Treatment 􀂄Once a host is infected, clean it up immediately 􀂄Using antivirus software, patches 􀂄Limitation: long time to develop cleanup code Containment 12/30/2018 Coputer Sci & Engr, USC

8 Worm Containment Purpose Most promising solution Reaction time
􀂄Protect individual networks, isolate infected hosts 􀂄e.g. firewalls, content filter, automated blacklists Most promising solution 􀂄Completely automated 􀂄No need participation of each host on the Internet Reaction time 􀂄Detection of malicious activity 􀂄Propagation of containment information 􀂄Activate any containment strategy 12/30/2018 Coputer Sci & Engr, USC

9 Containment Strategy Address Blacklist Content filtering
􀂄Maintain a list of IP addresses infected 􀂄Drop all packets from the addresses in the list 􀂄Pros: implement easily with existing filtering 􀂄Cons: update continuously to reflect newly infected Content filtering 􀂄Need a database of content signatures 􀂄Pros: a single update is sufficient 􀂄Cons: hard to automatically create signature 12/30/2018 Coputer Sci & Engr, USC

10 Containment Strategy Defense against scanning worms
􀂄Detect worms, block infected hosts 􀂄Based on worm behavior rather than signature 􀂄Capable to stop new worms Break the network into many cells 􀂄Must have very low false positive rate 􀂄Cause a DoS if false positive rate is high 􀂄Need to complete deployment within an enterprise 􀂄Integrate into network’s outer switches 12/30/2018 Coputer Sci & Engr, USC

11 Epidemic Threshold Epidemic Threshold
􀂄Worm-suppression device must necessarily allow some scanning before it triggers a response 􀂄Worm may find a victim during that time 􀂄Epidemic occurs if each infection results in a single child 􀂄Exponential epidemic occurs if results in more than one child 12/30/2018 Coputer Sci & Engr, USC

12 Epidemic threshold The epidemic threshold depends on
􀂄Sensitivity of containment response devices 􀂄Density of vulnerable host on the network 􀂄Degree to target, i.e. capability of worms 12/30/2018 Coputer Sci & Engr, USC

13 Sustained Scanning Threshold
If a worm scans slower than this rate, the detector will not trigger Vital to achieve as low a sustained scanning threshold as possible Target a threshold of 1 scan per minute in this paper 12/30/2018 Coputer Sci & Engr, USC

14 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

15 Scan Suppression Scan suppression 􀂄Portscans
􀂄Responding to detected portscans by blocking future scanning attempts 􀂄Portscans 􀂄Probe attempts to determine if a service is operating at a target IP address 􀂄Portscans have two basic types 􀂄Horizontal scans 􀂄search for identical service on large number of machines 􀂄Vertical scans 􀂄examine an individual machine to discover all running services 12/30/2018 Coputer Sci & Engr, USC

16 Scan Suppression Scan detection algorithm derived from Threshold Random Walk (TRW) 􀂄Sequential Hypothesis Testing (SHT) to determine if a connection will fail or succeed 􀂄Assume that benign traffic has a higher probability of success than attack traffic 􀂄TRW can make decision by likelihood Implementation easier than TRW 􀂄Suitable for both hardware and software implementation 􀂄Simplified algorithm caused increased false negative rate 􀂄No changes in the false positive rate 12/30/2018 Coputer Sci & Engr, USC

17 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

18 Goal & Constraints Constraints Design goal 􀂄Memory access speed
􀂄Must be very fast to keep up with high packet rates 􀂄On full duplex Gb Ethernet, access DRAM 4 times per packet 􀂄Memory size 􀂄Attempt to keep footprint under 16 MB 􀂄The number of distinct memory banks 􀂄Algorithm complexity Design goal 􀂄Less than 16MB of total memory 􀂄2 uncached memory accesses per packet 􀂄Include within conventional NIDS, such as Bro or Snort 12/30/2018 Coputer Sci & Engr, USC

19 Mechanism Approximate caches Efficient small (32-bit)block ciphers
􀂄Collisions cause imperfections (Bloom filter) 􀂄Fixed memory available 􀂄Allow collisions to cause aliasing 􀂄Error on the side of false negative Efficient small (32-bit)block ciphers 􀂄Prevent attackers from controlling collisions 􀂄Permute the N-bit value 􀂄Separate the resulting N-bit value into an index and a tag 12/30/2018 Coputer Sci & Engr, USC

20 Approximate Scan Suppression
􀂄Track connections and addresses using approximation caches 􀂄Replace old addresses and ports if corresponding entry has timed out 􀂄Block when counts (misses –hits) > threshold 􀂄Track addresses indefinitely as long as no evict their states from our caches 􀂄Implement a “hygiene filter” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines 12/30/2018 Coputer Sci & Engr, USC

21 Connection Cache Connection cache record if we have seen a packet in each direction 􀂄Aliasing turns failed connection attempt into success (biases to false negative) 􀂄Age is reset on each forwarded packet 􀂄Every minute, back ground process purges entries older than Dconn 12/30/2018 Coputer Sci & Engr, USC

22 Connection Cache 12/30/2018 Coputer Sci & Engr, USC

23 Address cache Address cache trace “outside” addresses
􀂄Encrypt them to create index and tag 􀂄Counter tracks differences between misses and hits 􀂄Counts are decayed every Dmiss seconds (60 sec) 􀂄Hard limit on negative counts (-20) 12/30/2018 Coputer Sci & Engr, USC

24 Algorithm 12/30/2018 Coputer Sci & Engr, USC

25 Algorithm We count every successful connection (in either
direction) as a “hit”, All failed or possibly-failed connections as “misses”. If the difference between the number of hits and misses is greater than a threshold, we block further communication attempts from that address. Assume that legitimate traffic with success rate greater than 50%, while scanning traffic succeeds with a probability less than 50%. 12/30/2018 Coputer Sci & Engr, USC

26 Evaluation For 6000-host enterprise trace:
􀂄1MB connection cache, 4MB 4-way address cache, 5MB total 􀂄At most 4 memory accesses per packet 􀂄Operated at gigabit line-speed 􀂄Detects scanning at rates over 1 per minute 􀂄Low false positive rate 􀂄on DNS and SMTP servers due to fan-out 􀂄need to be white-listed 􀂄About 20% false negative rate 􀂄Detects scanning after attempts 12/30/2018 Coputer Sci & Engr, USC

27 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

28 Cooperation Divide enterprise into small cells
􀂄Connect all cells via low-latency channel efficiently 􀂄Cooperate to reduce thresholds during an attack 􀂄A cell’s detector notifies others when it blocks an address (“kill message”) Blocking threshold dynamically adapts to number of blocks (X) in enterprise: 􀂄T’= T(1 –θ)X, for very small θ 􀂄Control how to reduce threshold as a worm spread 12/30/2018 Coputer Sci & Engr, USC

29 Cooperation Efficiency
12/30/2018 Coputer Sci & Engr, USC

30 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

31 Attack False positives False negatives
􀂄Forge packet, spoofing outside address 􀂄False positive create a DoS target False negatives 􀂄Use a non-scanning technique (topological, meta-server, passive, and hit-list) 􀂄Scan under detection threshold(1 scan/min) 􀂄Use a white-listed port to test for liveness before scanning 􀂄Offset misses by making valid connections 12/30/2018 Coputer Sci & Engr, USC

32 Attack on Containment Attacking Cooperation
􀂄Attempt to outrace containment if threshold is permissive 􀂄Flood cooperation channels 􀂄Cooperative collapse 􀂄False positives cause lowered thresholds 􀂄Lowered thresholds cause more false positives 􀂄Feedback causes collapse of network 12/30/2018 Coputer Sci & Engr, USC

33 Attack on Containment Detecting containment Circumventing containment
􀂄Try to contact already infected hosts 􀂄Go stealthy if containment is detected Circumventing containment 􀂄Embed scan in storm of spoofed packets 􀂄Two-sided evasion 􀂄Inside and outside host initiate normal connections to counter penalty of scanning 􀂄Can modify algorithm to prevent, but lose vertical scan detection 12/30/2018 Coputer Sci & Engr, USC

34 Outline Introduction Scan Suppression Implementation Cooperation
Attack on Containment Conclusion 12/30/2018 Coputer Sci & Engr, USC

35 Conclusion Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection 12/30/2018 Coputer Sci & Engr, USC

36 Thank you. Comments? 12/30/2018 Coputer Sci & Engr, USC

Download ppt "Very Fast Containment of Scanning Worms"

Similar presentations

IS 376 NOVEMBER 5, 2013 2013 DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.

IS 376 NOVEMBER 5, DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.
Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.

Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 LAN switching and Bridges Relates to Lab 6. Covers interconnection devices (at different layers) and the difference between LAN switching (bridging)

1 LAN switching and Bridges Relates to Lab 6. Covers interconnection devices (at different layers) and the difference between LAN switching (bridging)

Similar presentations

Ads by Google