1. Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego

2. Outline Background about worm, esp. Code-Red – What’s worm, esp. Code-Red – Prevention, Treatment and Containment of the worm. SI epidemic model and Code Red propagation model. Simulations on Code Red Propagation and Containment System Deployment. Conclusion.

3. Background: what is worm? Worm is a self-replicating software designed to spread through the network. Worm vs Virus and Trojan horse – Virus and Trojan horse rely on human intervention to spread. – Worm is autonomous.

4. Background: Code-Red v1 Outbreak: June 18, 2001 How it works: – Buffer overflow exploit on Microsoft IIS web server. – Upon infected a machine, randomly generate a list of IP addresses. – Probe each of the addresses from the list. Payload: DDoS attack against www1.whitehouse.gov. Damage: little – Fixed random seed.

5. Background: Code-Red v2 Outbreak: July 19, 2001 How it works: – Similar to Code-Red v1, but with a random seed. – Generates 11 probes for second. Damage: severe – 359,000 machines were infected within 14 hours.

6. How to mitigate the threat of worms(1) Three approaches – Prevention: Reduce the size of the vulnerable population. E.g. A single vulnerability in a popular software system can result in millions of vulnerable hosts. E.g. Code Red attacks millions of MS IIS web server.

7. How to mitigate the threat of worms (2) Treatment: – E.g. virus scanner. – The time required to design, develop and test a security flaw is usually for too slow than the spread of the worm. Containment: – E.g. firewall, filters – Containment is used to protect individual networks, and isolate infected hosts.

8. SI Model (1) In this work, a vulnerable machine is described as susceptible (S) machine. A infected machine is described as infected (I). Let N be the number of vulnerable machines. Let S(t) be the number of susceptible host at time t, and s(t) be S(t)/N, where N = S(t) + I(t). Let I(t) be the number of infected hosts at time t, and i(t) be I(t)/N. Let be the contact rate of the worm. Define:

9. SI Model (2) Solving the differential equation: where T is a constant

10. Code Red Propagation Model (1) Code Red generates IPv4 address by random. Thus, there are totally 2^32 addresses. Let r be the probe rate of a Code Red worm. Thus:

11. Code Red Propagation Model (2) Two problems – Cannot model preferential targeting algorithm. E.g. select targets form address ranges closer to the infected host. – The rate only represents average contact rate. E.g. a particular epidemic may grow significantly more quickly by making a few lucky targeting decisions in early phase.

12. Code Red Propagation Model (3) Example on 100 simulations on Code Red propagation model: After 4 hours: 55% on average 80% in 95 th percentiles 25% in 5 th percentiles

13. Modeling Containment Systems (1) A containment system has three important properties: – Reaction time – the time necessary for Detection of malicious activity, Propagation of the containment information to all hosts participating the system, and Activating any containment strategy.

14. Modeling Containing Systems (2) – Containing Strategy Address blacklisting – Maintain a list of IP addresses that have been identified as being infected. – Drop all the packets from one of the addresses in the list. – E.g. Mail filter. – Advantage: can be implemented easily with existing firewall technology.

15. Modeling Containing Systems (3) Content filtering – Requires a database of content signatures known to represent particular worms. – This approach requires additional technology to automatically create appropriate content signatures. – Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation. Deployment scenarios – Ideally, a global deployment is preferable. – Practically, a global deployment is impossible. – May be deploying at the border of ISP networks.

16. Idealized Deployment (1) Simulation goal – To find how short the reaction time is necessary to effectively contain the Code-Red style worm. Simulation Parameters: – 360,000 vulnerable hosts out of 2 32 hosts. – Probe rate of a worm : 10 per sec. Containment strategy implementation – Address blacklisting Send IP addresses to all participating hosts. – Content filtering Send signature of the worm to all participating hosts.

17. Idealized Deployment (2) Result: content filtering is more effective. 20 min 2 hr Number of susceptible host decreases Worms unchecked

18. Idealized Deployment (3) Next goal: – To find the relationship between containment effectiveness and worm aggressiveness. – Figures are in log-log scale.

19. Idealized Deployment (4) Percentage of infected hosts Address blacklisting is hopeless when encountering aggressive worms.

20. Practical Deployment (1) Network Model – AS sets in the Internet: routing table on July 19,2001 1 st day of the Code Red v2 outbreak. – A set of vulnerable hosts and ASes: Use the hosts infected by Code Red v2 during the initial 24 hours of propagation. A large and well-distributed set of vulnerable hosts. – 338,652 hosts distributed in 6,378 ASes.

21. Practical Deployment (2) Deployment Scenarios – Use content filtering only. – Filtering firewall are deployed on the borders of both the customer networks, and ISP’s networks. Deployment of containment strategy.

22. Practical Deployment (3) Reaction time: 2hrs Difference in performance because of the difference in path coverage.

23. Practical Deployment (4) System fails to contain the worm.

24. Conclusion Explore the properties of the containment system – Reaction time – Containment strategy – Deployment scenario In order to contain the worm effectively – Require automated and fast methods to detect and react to worm epidemics. – Content filtering is the most preferable strategy. – Have to cover all the Internet paths when deploying the containment systems.