Internet Quarantine: Requirements for Containing Self-Propagating Code
David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage


1 Internet Quarantine: Requirements for Containing Self-Propagating Code
David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage

2 Worm Security
- Prevention: stop worms from propagating by eliminating security holes from software; infeasible
- Treatment: remove the worm from the infected host
- Containment: stop the worm from spreading

3 Worm Containment
- How effectively can any containment approach counter a worm epidemic on the Internet?
  - Time to detect
  - Identification and containment
  - Deployment

4 Background
- History of worms
  - First appeared in 1988
  - Few studies done on worms
- Worm containment approaches
  - La Brea: intercept the worm and place it in an artificial persistent connection state; unclear how effective it is
  - Per-host "throttling": reduce the rate of "new" connections allowed; if universally deployed, can reduce worm spread
  - Firewall filters: detect worms, then cut off communications by using firewalls to block ports
  - NBAR (developed by Cisco): allows routers to block TCP sessions based on the presence of certain strings in the session

5 Modeling Worms
- Classic SI model

6 SI Model
- Susceptible (S), Infected (I), population (N), contact rate (beta)
- dI/dt = beta*I*S/N
- dS/dt = -beta*I*S/N
- Solving, with T as a constant of integration and i(t) = I(t)/N the infected fraction:
  i(t) = e^(beta*(t-T)) / (1 + e^(beta*(t-T)))
- Grows exponentially until the majority are infected
- Well known in the public health community

7 Modeling Containment
- Reaction time: the time R in which the system can react to contain the worm
- Containment strategy
  - Address blacklisting: block traffic from malicious source IPs; reaction time is relative to each infected host
  - Content filtering: block traffic based on content; reaction time is measured from the first infection
- Deployment scenario: a few different deployment scenarios are analyzed in the model
- Finite time period: restricted to the first 24 hours after the worm appears

8 Idealized Deployment
- Simulation parameters
- Code-Red case study
- Generalized worm containment

9 Simulation Parameters
- 360,000 vulnerable hosts
- Probe rate of 10 per second
- Probes randomly from time t = 0
- Hosts notified of infected hosts at t + R

10 Code-Red Case Study
- Address blacklisting
  - Containment with R < 20 minutes
  - Larger R allows spread
  - All susceptible hosts infected in 24 hours if R > 2 hours
- Content filtering
  - Containment with R < 2 hours
  - Worm propagates until t = R, then stops
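A worked version of the model on slides 6, 7, 9 and 10, added here as an example that is not part of the original presentation or the paper's code: it integrates the SI equations under address blacklisting and content filtering and reports the fraction of vulnerable hosts infected after 24 hours. The 2^32 address space, a single initial infected host, the probe_rate parameter (so the slide-12 aggressive-worm case can be run as well) and forward-Euler integration are assumptions of this example.

```python
# Idealized SI worm model with the two containment strategies from the slides,
# integrated with a forward-Euler step. Code-Red parameters (360,000 vulnerable
# hosts, 10 probes/s, 24-hour window) come from the slides; the 2^32 address
# space and the single initial infected host are assumptions of this example.

ADDRESS_SPACE = 2 ** 32      # assumed: worm scans the IPv4 space uniformly
VULNERABLE_HOSTS = 360_000   # slide 9: simulation parameters
PROBE_RATE = 10              # slide 9: probes per second per infected host
DAY = 24 * 3600              # slide 7: finite 24-hour observation period


def contact_rate(probe_rate=PROBE_RATE, n=VULNERABLE_HOSTS, space=ADDRESS_SPACE):
    """beta: rate (per second) at which one infected host hits a vulnerable one."""
    return probe_rate * n / space


def simulate(reaction_time, strategy, probe_rate=PROBE_RATE, n=VULNERABLE_HOSTS,
             initial_infected=1, horizon=DAY, dt=1.0):
    """Fraction of the n vulnerable hosts infected after `horizon` seconds.

    "content":   a signature filter stops all infection at t = R, with R
                 counted from the first infection (slide 7).
    "blacklist": each host is blacklisted R seconds after it was infected, so
                 only hosts infected in the last R seconds stay contagious.
    """
    beta = contact_rate(probe_rate, n)
    delay_steps = round(reaction_time / dt)
    infected = float(initial_infected)
    history = [infected]                 # I(t) sampled once per step
    for step in range(round(horizon / dt)):
        t = step * dt
        if strategy == "content":
            contagious = infected if t < reaction_time else 0.0
        elif strategy == "blacklist":
            # I(t) - I(t - R): hosts infected more than R ago are blocked
            older = history[step - delay_steps] if step >= delay_steps else 0.0
            contagious = infected - older
        else:
            raise ValueError("unknown strategy: %s" % strategy)
        # SI dynamics: dI/dt = beta * I_contagious * S/N, with S = n - I
        infected = min(n, infected + beta * contagious * (1.0 - infected / n) * dt)
        history.append(infected)
    return infected / n


if __name__ == "__main__":
    for minutes in (10, 20, 60, 120, 240):
        r = minutes * 60
        print("R = %3d min  blacklist %.4f  content %.4f" % (
            minutes, simulate(r, "blacklist"), simulate(r, "content")))
```

With these parameters 1/beta is about 1190 seconds, so beta*R crosses 1 near R = 20 minutes, which is where the slides put the address-blacklisting threshold.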

11 Modeling the Worm
- Graphs: reaction time versus the percentage of vulnerable hosts infected in the 24-hour period analyzed

12 Generalized Worm Containment
- Content filtering vs. address blacklisting
- Highly aggressive worms
  - Extremely challenging, even for content filtering
  - 1000 probes/sec requires R = 2 min

13 Practical Deployment
- Far more limited
- Network model
- Deployment scenarios
- Code-Red case study
- Generalized worm containment

14 Network Model
- Identify ASes on the Internet
- Identify vulnerable hosts and their locations
- Model AS paths between vulnerable hosts

15 Deployment Scenarios
- Models levels of AS deployment of containment

16 Code-Red Case Study
- Uses the same parameters as the idealized model
- Reaction time = 2 hours

17 Generalized Worm Containment
- Much smaller containment with the network model
- 100 top ISPs model
- 50% of customers model: worse results than the 100 top ISPs model
- Infeasible to contain even modest probe rates under these models

18 Deployment Scenarios

19 Conclusion
- Very challenging to build containment systems
- A response time on the order of minutes is needed to be effective
- In the future, worms will be more aggressive
- Fighting the spread of worms will require a great amount of effort and engineering
