Presentation is loading. Please wait.

Presentation is loading. Please wait.

Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern."— Presentation transcript:

1 Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern Paxson

2 Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

3 Scanning Worms What is scanning worm? --- Operate by picking “random” address and attempt to infect the machine. Blaster – linear scanning Code Red – fully random Code Red II & Nimda – bias toward local addresses Common properties of scanning worms: Most scanning attempts result in failure. Infected machines will institute many connection attempts.

4 Scanning Worms How to mitigate the spread of worms? Prevention  Reduce size of vulnerable population  Insufficient to counter worm threat  Why?? … single vulnerability in a popular software system can translate to millions of vulnerable hosts Treatment  Once a host is infected, clean it up immediately (Antivirus Software, Patches)  Reduce vulnerable hosts and rate of infection  Limitation … long time to develop cleanup code, and too slow to have a significant impact  People don’t install patches Containment

5 Protect individual networks and isolate infected hosts Examples: firewalls, content filters, automated blacklists Most Promising Solution Can be completely automated Containment does not require participation of each and every host on the internet

6 Containment Properties Reaction time Detection of malicious activity Propagation of the containment information to all hosts participating the system Activating any containment strategy. Containing Strategy Address blacklisting Maintain a list of IP addresses that have been identified as being infected. Drop all the packets from one of the addresses in the list. Advantage: can be implemented easily with existing filtering technology. Disadvantage: must be updated continuously to reflect newly infected hosts

7 Containment (contd.) Content filtering Requires a database of content signatures known to represent particular worms. Requires additional technology to automatically create appropriate content signatures. Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation Deployment scenarios Ideally, a global deployment is preferable. Practically, a global deployment is impossible. May be deploying at the border of ISP networks

8 Worm Containment Defense against scanning worms Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts; Leverage the anomaly of a local host attempting to connect to multiple other hosts. Containment looks for a class of behavior rather than specific worm signature --- able to stop new worms.

9 Worm Containment Break the network into many cells Within each cell a worm can spread unimpeded. Between cells, containment limits infections by blocking outgoing connections from infected cells. Must have very low false positive rate. Blocking suspicious machines can cause a DOS if false positive rate is high. Need for complete deployment within an enterprise Integrated into the network’s outer switches or similar hardware elements

10 Epidemic Threshold Worm-suppression device must necessarily allow some scanning before it triggers a response. Worm may find a victim during that time. The epidemic threshold depends on: The sensitivity of the containment response devices The density of vulnerable machines on the network --- NAT and DHCP The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

11 Sustained Scanning Threshold If worm scans slower than sustained scanning threshold, the detector will not trigger. Vital to achieve as low a sustained scanning threshold as possible. For this implementation threshold set to 1 scan per minute.

12 Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

13 Hardware Implementation Constraints: Memory access speed On duplex gigabit Ethernet, can only access DRAM 4 times Memory size Attempt to keep footprint under 16MB The number of distinct memory banks

14 Hardware Implementations Approximate caches --- collisions cause imperfections (bloom filter) Fixed memory available Allow collisions to cause aliasing Err on the side of false negative Attacker behavior Predicting the hashing algorithm --- keyed hash function Simply overwhelming the cache

15 Hardware Implementations Efficient small 32 bit block ciphers Prevent attackers from controlling collisions Permute the N-bit value Separate the resulting N-bit value into an index and a tag

16 Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

17 Scan Suppression Responding to detected portscans by blocking future scanning attempts. Portscans have two basic types: Horizontal – search for identical service on large number of machines. Vertical – examine an individual machine to discover running services.

18 Scan Suppression Protect the enterprise, forget the Internet Preventing scans from Internet is too hard If inside node is infected, filter sees all traffic Cell (local area network) is “ outside ”, Enterprise larger internet network is “ inside ” Can also treat entire enterprise as cell, Internet as outside Interne t Inside Scan detectors Outside

19 Scan Suppression Derived from Threshold Random Walk (TRW) scan detection. The algorithm operates by using an oracle to determine if a connection will fail or succeed. By modeling the benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host. Assumption: benign traffic has a higher probability of success than attack traffic

20 Scan Suppression Strategies: Track connections and addresses using approximate caches; Replace the old addresses and old ports if the corresponding entry has timed out; Track addresses indefinitely as long as we do not have to evict their state from our caches; Detect vertical as well as horizontal TCP scans, and horizontal UDP scans; Implement a “ hygiene filter ” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.

21 Connection Cache Recording if we ’ ve seen a packet in each direction Aliasing turns failed attempt into success (biases to false negative) Age is reset on each forwarded packet Every minute, back ground process purges entries older than D conn

22 Address Cache Track “ outside ” addresses Counter keeps difference between successes and failures Counts are decremented every D miss seconds

23 Algorithm Pseudo-code

24 Parameters and Tuning Parameters: T: miss-hit difference that causes block C min : minimum allowed count C max : maximum allowed count D miss : decay rate for misses D conn : decay rate for idle connections Cache size and associativity

25 Evaluation For 6000-host enterprise trace: 1MB connection cache, 4MB 4-way address cache = 5MB total At most 4 memory accesses per packet Operated at gigabit line-speed Detects scanning at rates over 1 per minute Low false positive rate About 20% false negative rate Detects scanning after 10-30 attempts

26 Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

27 Cooperation Divide enterprise into small cells Connect all cells via low-latency channel A cell ’ s detector notifies others when it blocks an address ( “ kill message ” ) Blocking threshold dynamically adapts to number of blocks in enterprise: T ’ = T(1 – θ) X, for very small θ Changing θ does not change epidemic threshold, but reduces infection density

28 Cooperation – Effect of θ

29 Outline Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment

30 False positives Forge packets (though this does not prevent inside systems from initiating connections) False negatives Use a non-scanning technique (topological, meta-server, passive and hit-list) Scan under detection threshold Use a white-listed port to test for liveness before scanning

31 Attacking Cooperation Attempt to outrace containment if threshold is permissive Flood cooperation channels Cooperative collapse: False positives cause lowered thresholds Lowered thresholds cause more false positives Feedback causes collapse of network

32 Attacking Worm Containment Detecting containment Try to contact already infected hosts Go stealthy if containment is detected Circumventing containment Embed scan in storm of spoofed packets Two-sided evasion: Inside and outside host initiate normal connections to counter penalty of scanning Can modify algorithm to prevent, but lose vertical scan detection

33 Conclusion Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware; Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.

Download ppt "Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern."

Similar presentations

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Connecting LANs: Section 15.1. 15.2 Figure 15.1 Five categories of connecting devices.

Connecting LANs: Section Figure 15.1 Five categories of connecting devices.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.

Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Similar presentations

Ads by Google