Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
Univ. Massachusetts, Amherst


2 Routing Worm Summary
Routing worm: contains information of BGP routing prefixes in the worm code.
A faster spreading worm
  - Internet routable IP space < 30% of entire IPv4 space.
  - Scanning routable space instead of entire IPv4 space.
  - Increasing propagation speed by 2 ~ 3.5 times.
A selective attack worm
  - IP address → routing prefix → AS → ISP, country
  - Pinpoint attacking vulnerable hosts in a specific target
  - Selective attack based on any information derived from compromised hosts.

3 BGP Routing Table Introduction
BGP (Border Gateway Protocol)
  - Inter-autonomous system routing protocol.
Backbone BGP routers contain all routable prefixes (without default route)
Routable IPv4 space increases slowly
  - NAT
  - CIDR
  - DHCP

4 BGP Routing Worm
Contains BGP non-overlapping prefixes:
  - Non-overlapping prefixes:
      - Remove “128.119.85/24” if BGP contains “128.119/16”.
      - 140602 prefixes → 62053 prefixes (Sept. 22, 2003)
Payload requirement: 175KB
  - Big payload for Internet-scale worm propagation.
Increasing worm’s speed by 3.5 times.
  - Scanning space is 28.6% of entire IPv4 space.

5 Class A Routing Worm
IANA provides Class A address allocations
  - Class A (x.0.0.0/8); 256 Class A in IPv4 space.
116 Class A contain all BGP routable space.
  - Scanning space: 45.3%; payload: 116 Bytes.
Sample allocations:
  002/8 : IANA - Reserved
  003/8 : General Electric Company
  056/8 : U.S. Postal Service
  214/8 : US-DOD
  216/8 : ARIN
  217/8 : RIPE NCC
  224/8 : IANA - Multicast

6 Routing Worm based on Aggregated BGP Prefixes
Two extreme cases of routing worms:
  - BGP routing worm: all prefixes in BGP
  - Class A routing worm: only “/8” prefixes
Routing worm based on aggregated prefixes
  - “/n” aggregation: combine several longer prefixes into a shorter “/n” prefix.
  - “128.119.5/24” + “128.119.2/24” → “128.119/16” or “128.119.0/19”
  - Class A prefixes are results of “/8” aggregation.

7 Routing Worm based on Aggregated BGP Prefixes
Flexible trade-off between:
  - Scanning space
  - Prefix payload
“/n” aggregation (n=8~16)
Payload vs. Scanning space trade-off

8 Routing Worm Propagation Study
: # of vulnerable : Scan rate : Scanning space
where N=360,000;  =358 scans/min; I(0)=10 (10,000 for a hit-list worm)
Comparison of the Code Red worm, a routing worm, a hit-list worm, a hit-list routing worm

9 Routing Worm: A Selective Attack Worm
Selective Attack: worm has different behaviors on different compromised hosts.
Routing worm: imposes damage based on geographical information of IP addresses of compromised hosts
Geographical information of IP addresses
  - IP address → Routing prefix → AS
  - AS → Company, ISP, Country
  - Pinpoint attacking vulnerable hosts in a specific target
  - Potential terrorist’s attack
BGP routing table  Researches

10 Selective Attack: a Generic Attacking Technique
Selective attack: imposes damage based on any information a worm can get from compromised hosts
  - OS (e.g., illegal OS, language, time zone)
  - Software (e.g., a specific program installed)
  - Hardware (e.g., CPU, memory, network card)
Selective attack: improving propagation speed
  - Maximize infectious power of each compromised host.
  - Multi-thread worm: generates different numbers of threads on different computers based on CPU, memory, and connection speed.

11 Defense: Upgrading IPv4 to IPv6
Routing worm: Reducing worm scanning space
  - Effective, easier than hit-list worm to implement
  - Difficult to prevent: public BGP tables and IP geographical information
Defense: Increasing worm scanning space
  - Upgrading IPv4 to IPv6
  - The smallest network in IPv6 has 2^64 IP address space.
  - A worm needs 40 years to infect 50% of vulnerable hosts in a network when N=1,000,000,  =100,000/sec, I(0)=1000
  - Limitation: for scan-based worms only
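
An added worked example (not part of the original slides) for the propagation study on slide 8 and the IPv6 estimate on slide 11. It assumes the simple epidemic model dI/dt = (eta/Omega) * I * (N - I) for a uniform-scanning worm, where eta (scan rate) and Omega (scanning space) are symbol names chosen here, and solves it in closed form for the time until half of the N vulnerable hosts are infected. Function names are hypothetical.

```python
import math

IPV4_SPACE = 2 ** 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def time_to_fraction(n_vuln, scan_rate, space, i0, fraction=0.5):
    """Seconds until `fraction` of the n_vuln vulnerable hosts are infected.

    Assumed model: dI/dt = (eta/Omega) * I * (N - I). Its logistic solution
    satisfies I/(N-I) = I0/(N-I0) * exp(eta*N*t/Omega); solve that for t.
    """
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    if not 0 < i0 < fraction * n_vuln:
        raise ValueError("need 0 < I(0) < fraction * N")
    growth = scan_rate * n_vuln / space          # eta * N / Omega, per second
    odds_target = fraction / (1 - fraction)      # I/(N-I) at the target
    odds_start = i0 / (n_vuln - i0)              # I/(N-I) at t = 0
    return math.log(odds_target / odds_start) / growth


def slide8_hours():
    """Hours to 50% infection with the slide 8 parameters, per scanning space."""
    n, eta, i0 = 360_000, 358 / 60, 10           # 358 scans/min -> scans/sec
    shares = {"entire IPv4": 1.0,                # Code Red style uniform scan
              "Class A prefixes": 0.453,         # slide 5 scanning space
              "BGP prefixes": 0.286}             # slide 4 scanning space
    return {name: time_to_fraction(n, eta, share * IPV4_SPACE, i0) / 3600
            for name, share in shares.items()}


def slide11_years():
    """Years to 50% infection inside one IPv6 /64 (slide 11 parameters)."""
    return time_to_fraction(1_000_000, 100_000, 2 ** 64, 1000) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for name, hours in slide8_hours().items():
        print(f"{name:18s} {hours:5.2f} h to 50% infected")
    print(f"IPv6 /64           {slide11_years():5.1f} years to 50% infected")
```

Under this model the time to any infection level scales linearly with the scanning space, which is why shrinking it to 28.6% of IPv4 yields the 3.5 times speed-up and why a 2^64 subnet pushes the same worm out to roughly 40 years.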

12 Summary
Routing worm: contains information of BGP routing prefixes in the worm code.
Routing worm: a faster spreading worm
  - Scans routable space (< 30%) instead of entire IPv4 space.
  - Increasing propagation speed by 2 ~ 3.5 times.
Routing worm: a selective attack worm
  - IP address → routing prefix → AS → ISP, Country
  - Pinpoint attacking vulnerable hosts in a specific target
  - Selective attack based on any information a worm can get from compromised hosts.
Defense: Increase a worm’s scanning space
  - IPv4 upgrade to IPv6

