Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE551: Introduction to Information Security

Published byΘεόδοτος Νικολαΐδης Modified over 5 years ago

Similar presentations

Presentation on theme: "CSE551: Introduction to Information Security"— Presentation transcript:

1 CSE551: Introduction to Information Security
Active Worm CSE551: Introduction to Information Security CSE551 Handout on DDoS and Worm

2 Worm vs. Virus Worm Virus
A program that propagates itself over a network, reproducing itself as it goes Virus A program that searches out other programs and infects them by embedding a copy of itself in them CSE551 Handout on DDoS and Worm

3 Active Worm VS. [D]DoS Propagation method
Goal: congestion, resource appropriation Rate of distribution Scope of infection CSE551 Handout on DDoS and Worm

4 Historical Analysis Morris Worm (1988, Code Red v.2 (2001, nearly 8 infections/sec.) Nimbda (2001, netbios, UDP) SQL Slammer (2003, UDP) CSE551 Handout on DDoS and Worm

5 Recent Worms July 13, 2001, Code Red V1 July 19, 2001, Code Red V2
Aug. 04, 2001, Code Red II Sep. 18, 2001, Nimba … … Jan. 25, 2003, SQL Slammer More recent SoBigF, MSBlast … … CSE551 Handout on DDoS and Worm

6 How an Active Worm Spreads
Autonomous No need of human interaction infected machine scan probe transfer copy Infected CSE551 Handout on DDoS and Worm

7 Scanning Strategy Random scanning Hitlist scanning
Probes random addresses in the IP address space (CRv2) Hitlist scanning Probes addresses from an externally supplied list Topological scanning Uses information on the compromised host ( worms) Local subnet scanning Preferentially scans targets that reside on the same subnet. (Code Red II & Nimda Worm) CSE551 Handout on DDoS and Worm

8 Techniques for Exploiting Vulnerability
fingerd (buffer overflow) sendmail (bug in the “debug mode”) rsh/rexec (guess weak passwords) CSE551 Handout on DDoS and Worm

9 Active Worm Defense Modeling Infection Mitigation
CSE551 Handout on DDoS and Worm

10 Worm Behavior Modeling
Propagation model mirrors epidemic: V is the total number of vulnerable nodes N is the size of address space i(t) is the percentage of infected nodes among V r is the scanning speed of a infected node CSE551 Handout on DDoS and Worm

11 Infection Mitigation Patching
Filtering/intrusion detection (signature based) TCP/IP stack reimplementation, bound connection requests CSE551 Handout on DDoS and Worm

12 Summary Worms can spread quickly:
359,000 hosts in < 14 hours Home / small business hosts play significant role in global internet health No system administrator  slow response Can’t estimate infected machines by # of unique IP addresses DHCP effect appears to be real and significant Active Worm Defense Modeling Infection Mitigation CSE551 Handout on DDoS and Worm

Download ppt "CSE551: Introduction to Information Security"

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Sigurnost računala i podataka

Sigurnost računala i podataka
CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.

Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Chapter 7 Worms. Worms  We’ve previously discussed worms  Here, consider 2 in slightly more depth o Xerox PARC (1982) o Morris Worm (1988)  Recall.

Chapter 7 Worms. Worms  We’ve previously discussed worms  Here, consider 2 in slightly more depth o Xerox PARC (1982) o Morris Worm (1988)  Recall.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Active Worm and Its Defense1 CSE651: Network Security.

Active Worm and Its Defense1 CSE651: Network Security.

Similar presentations

Ads by Google