Modeling Worms: Two papers at Infocom 2003

Worms
- Programs that self-propagate across the Internet by exploiting security flaws in widely used services.
- Worms can cause an enormous amount of damage:
  - launch DDoS attacks
  - access sensitive information
  - cause confusion by corrupting sensitive information
- Therefore it is important to understand how worms propagate in order to contain them.
How quickly does each strategy need to react?
To contain a worm to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (Code Red):
- Address blacklisting: reaction time must be < 25 minutes.
- Content filtering: reaction time must be < 3 hours.
[Figures: % infected (95th percentile) vs. reaction time, in minutes for address blacklisting and in hours for content filtering]
Modeling network worms
Network worms are well modeled as infectious epidemics. Simplest version: homogeneous random contacts, the classic SI model.
- N: population size
- S(t): susceptible hosts at time t
- I(t): infected hosts at time t
- β: contact rate
- i(t) = I(t)/N, s(t) = S(t)/N
[Figure: courtesy Paxson, Staniford, Weaver]
Epidemiological model deficiencies
White, one of the authors of the epidemiological paper, mentioned the "mystery" that the model cannot explain how slowly worms actually spread across the global network.
Epidemiological model deficiencies (continued)
- The model assumes "zero" infection time, which is unrealistic.
- Even in experiments on practical deployment, a topology is assumed but all network links are further assumed to have "zero" latency.
- It does not model the simultaneous reduction in the number of vulnerable hosts by patching.
Unrealistic assumptions lead to fascinating negative results
Example 1: Even when the top-100 ISPs deploy containment strategies, they cannot prevent a worm spreading at 100 probes/sec from infecting 18% of the Internet, regardless of the system's reaction time.
Analytical Active Worm Propagation Model (AAWP)
AAWP
- Assume that the result of an infection attempt is known after one time tick.
- At time i, n_i machines are infected and m_i is the total number of vulnerable machines.
- Probability that a single scan hits a vulnerable, not-yet-infected machine: (m_i - n_i) / 2^32
- Total number of scans at time i: s·n_i (s = scan rate per infected machine)
- Given a death rate d and a patching rate p:
  - the number of vulnerable machines is reduced to (1 - p)·m_i
  - the number of infected machines is reduced by p·n_i + d·n_i
AAWP (continued)
Effect of various parameters on worm spread
1. Hit list size
2. Patching rate
3. Time to complete infection
(All cases are for 1,000,000 vulnerable machines, a scanning rate of 100 scans/second and a death rate of 0.001/second.)
AAWP versus Epidemiological
- The epidemiological model is a continuous-time model, while AAWP is a discrete-time model.
- The epidemiological model is less accurate because in it a host can start infecting others even before it is completely infected.
AAWP versus Epidemiological (continued)
- The epidemiological model does not consider the reduction in the number of machines by either patching or death.
- The epidemiological model assumes the time to infect each new host is "zero", so it does not model:
  - network congestion delays
  - the size of the worm's copy
  - the distance between source and destination
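The two models side by side, as an added example (this is my own code, not from the slides or either Infocom paper). It runs the AAWP recurrence tick by tick next to an Euler integration of the classic SI model on the same population, so the discrete model with patching and death can be compared against the continuous model without them. Assumptions: one tick is one second, scans land uniformly in the 2^32 IPv4 space, the SI contact rate is β = s·N/2^32 (the rate at which s scans per second per infected host reach one particular susceptible host), the expected number of new infections per tick is obtained from the slides' per-scan hit probability by asking whether a given uninfected vulnerable host is hit by at least one of the s·n_i scans, and the patching rate of 0.001/s used in the comparison is my choice (the slides only give the death rate).

```python
"""Added example (not from the slides or either Infocom paper): AAWP recurrence
beside an Euler-integrated SI model. Assumptions are listed in the lead-in."""
import math

ADDRESS_SPACE = 2 ** 32


def aawp_step(n_i, m_i, s, p, d):
    """One tick of the AAWP recurrence.

    n_i: infected hosts, m_i: vulnerable hosts (infected ones included),
    s: scans per second per infected host, p: patching rate, d: death rate.
    """
    scans = s * n_i
    # P(a given uninfected vulnerable host is hit by >= 1 of the scans)
    # = 1 - (1 - 1/2**32)**scans, computed via log1p/expm1 for precision.
    p_hit = -math.expm1(scans * math.log1p(-1.0 / ADDRESS_SPACE))
    new_infections = (m_i - n_i) * p_hit
    n_next = (1.0 - p - d) * n_i + new_infections  # infected lost to patching and death
    m_next = (1.0 - p) * m_i                        # vulnerable population shrinks by patching
    return min(n_next, m_next), m_next              # guard (mine): infected cannot exceed vulnerable


def simulate_aawp(m0, hitlist, s, p, d, ticks):
    """Infected-host counts n_0 .. n_ticks for a worm seeded with `hitlist` hosts."""
    n, m = float(hitlist), float(m0)
    history = [n]
    for _ in range(ticks):
        n, m = aawp_step(n, m, s, p, d)
        history.append(n)
    return history


def simulate_si(N, i0_hosts, s, ticks, dt=1.0):
    """Euler steps of the SI model di/dt = beta*i*(1-i), returned as host counts.

    No patching or death: the epidemiological model has no term for them.
    """
    beta = s * N / ADDRESS_SPACE
    i = i0_hosts / N
    history = [i * N]
    for _ in range(ticks):
        i += dt * beta * i * (1.0 - i)
        history.append(i * N)
    return history


def first_tick_at_or_above(history, threshold):
    """Index of the first tick whose count reaches `threshold`, or None."""
    for t, n in enumerate(history):
        if n >= threshold:
            return t
    return None


def compare_models(N=1_000_000, s=100, hitlist=1, ticks=3600):
    """Time to 50% infection under both models, plus AAWP's peak and final
    infected count when patching and death both run at 0.001/s."""
    si = simulate_si(N, hitlist, s, ticks)
    aawp = simulate_aawp(N, hitlist, s, 0.0, 0.0, ticks)
    patched = simulate_aawp(N, hitlist, s, 0.001, 0.001, ticks)
    return {
        "si_half": first_tick_at_or_above(si, N / 2),
        "aawp_half": first_tick_at_or_above(aawp, N / 2),
        "patched_peak": max(patched),
        "patched_final": patched[-1],
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value:.0f}" if isinstance(value, float) else f"{key}: {value}")
```

With no patching or death the two models reach 50% infection within a few ticks of each other, which is the point of slide 12: in this regime the discrete model adds little. Once p and d are non-zero, the AAWP curve peaks and falls because the vulnerable pool itself shrinks, something the SI model cannot express at all.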
Advantages of AAWP over the epidemiological model
AAWP explains
- the lower prevalence of worms in the Internet
- it is optimistic in the sense that worms can still be controlled
AAWP's containment strategy
Deploy sensors in certain networks that monitor TCP SYN probes to port 80 addressed to IP addresses in that network.
For a Code Red-like worm with hit list size 1:
- monitor 2^24 addresses: reaction time = 2 min
- monitor 2^18 addresses: reaction time = 1 hr
- monitor 2^16 addresses: reaction time = 2 hr
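A minimal sensor of the kind this slide describes, as an added example (my own code, not from the slides, the AAWP paper, or LaBrea). It runs over a constructed log of TCP SYN events, keeps only bare SYNs to port 80 whose destination lies in an unused /24, and raises an alarm once a single source has probed several distinct addresses there. The log format, the choice of 203.0.113.0/24 as the dark block, and the threshold of five distinct targets are all assumptions; the reaction-time figures on the slide come from the paper's own analysis and are not reproduced here.

```python
"""Added example: dark-network sensor for port-80 SYN probes over a constructed
log. DARK_NET, PROBE_THRESHOLD and the log format are assumptions."""
import ipaddress
from collections import defaultdict

DARK_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed unadvertised block
PROBE_THRESHOLD = 5                                  # assumed alarm threshold

# Constructed sample, one event per line: "epoch_seconds src dst dport tcp_flags".
SAMPLE_LOG = """\
1058000001 198.51.100.7 203.0.113.14 80 S
1058000002 198.51.100.7 203.0.113.201 80 S
1058000002 192.0.2.55 203.0.113.9 80 S
1058000003 198.51.100.7 203.0.113.77 80 S
1058000003 198.51.100.7 203.0.113.3 80 S
1058000004 198.51.100.7 203.0.113.150 80 S
1058000004 198.51.100.7 203.0.113.150 80 S
1058000005 192.0.2.55 203.0.113.9 443 S
1058000005 198.51.100.7 203.0.113.250 25 S
1058000006 192.0.2.55 198.51.100.1 80 S
1058000006 198.51.100.7 203.0.113.18 80 A
"""


def parse_event(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), flags


def is_dark_port80_syn(event):
    """Only a bare SYN to port 80 at an address nothing should use counts as a probe."""
    _, _, dst, dport, flags = event
    return dst in DARK_NET and dport == 80 and flags == "S"


def scan_sources(log_text, threshold=PROBE_THRESHOLD):
    """Map each alarming source to its first probe time, alarm time and distinct targets hit.

    A repeated probe of the same dark address is not counted twice, and
    probes to other ports or with other flags are ignored entirely.
    """
    targets = defaultdict(set)
    first_seen, alarm_at = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if not is_dark_port80_syn(event):
            continue
        ts, src, dst, _, _ = event
        first_seen.setdefault(src, ts)
        targets[src].add(dst)
        if len(targets[src]) >= threshold and src not in alarm_at:
            alarm_at[src] = ts
    return {
        str(src): {
            "first_seen": first_seen[src],
            "alarm_at": ts_alarm,
            "distinct_targets": len(targets[src]),
            "reaction_seconds": ts_alarm - first_seen[src],
        }
        for src, ts_alarm in alarm_at.items()
    }


if __name__ == "__main__":
    for src, info in scan_sources(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct destinations rather than raw packets keeps a single retransmitting host from tripping the alarm, and dropping non-SYN segments and other ports keeps backscatter and unrelated scans out of the count. On the sample log the host probing the dark block is flagged three seconds after its first probe; the host that touched one dark address once is not.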
Conclusions
Internet Quarantine paper concludes:
- fast reaction time, O(minutes), is required
- wide-spread deployment of containment tools is required: nearly all ASes must deploy content filtering
- content filtering is more effective than address blacklisting
AAWP paper concludes:
- obtain a /24 network whose existence is not publicly advertised and deploy a sensor tool like LaBrea to monitor the traffic into it
Worms using subnet (local) addresses spread faster than those using random addresses; the AAWP paper reaches a different conclusion.
Highly virulent worms
Warhol worm: a combination of permutation scanning and hit-list scanning
New infection strategies
How do worms spread? Using random scanning: the worm sends probes to randomly chosen addresses to find hosts with an open port that will accept a connection.
The infection rate of the worm can be increased in one of the following ways:
- increase the scan rate
- optimized scanning routines: instead of random scanning, use one of the following algorithms
  - localized scanning
  - hit-list scanning
  - permutation scanning
  - topological scanning
New infection strategies: localized scanning (Code Red II)
Preferentially scans targets that reside on the same subnet. Code Red II used this technique; specifically:
- 1/8 of the time the address used was completely random
- 1/2 of the time the address used was in its own class A (/8) network
- 3/8 of the time the address used was in its own class B (/16) network
New infection strategies: topological scanning (e.g. the Morris worm)
The worm uses information found on the victim machine to select new targets.
- The Morris Internet worm enumerated targets by examining local configuration files and active network connections on each compromised host.
- Email worms use this technique.
- Peer-to-peer systems are highly vulnerable to this kind of scanning.
New infection strategies: hit-list scanning
The worm's author collects a list of around 10,000-50,000 potentially vulnerable machines, ideally ones with very good network connections, before releasing the worm. When released, the worm first attacks these machines, so the initial infection is higher.
Techniques to generate a hit list:
- stealthy scans
- distributed scanning
- public surveys
- just listen
New infection strategies: permutation scanning
All copies of the worm share a common pseudorandom permutation of the IP address space. Any machine infected during the hit-list phase starts scanning just after its own point in the permutation, looking for vulnerable machines. Permutation scanning ensures that the same addresses are not probed multiple times.
Worms seen in the past
- Morris worm: topological scanning
- Code Red I: random scanning
- Code Red II: localized scanning
- Slammer/Sapphire worm: random scanning