Worm Defenses
Zach Lovelady and Nick Oliver
cs239 – Network Security – Spr2003
Worms – what are they?
• Self-propagating code that spreads via the network
– Can have malicious payload
– Or not (e.g. the Slammer worm)
• Not viruses, which require some sort of user action to propagate
Recent Example
• Code red v2 (July 19th, 2001)
– 360,000 hosts compromised in 14 hours
• Doubled in size every 37 minutes
– Peak infection rate of 2000 hosts/min
– Costs of recovery ~ $2.6 billion
– Exploited buffer overflow in MS IIS
• Patch had been released
Recent Example
• Sapphire/Slammer worm – Jan 25, 2003
– Fastest spreading worm yet
– Affected at least 75,000 hosts
• 90% compromised in first 10 minutes
• Doubled in size every 8.5 seconds (first minute)
– Peak scanning rate of 55 million scans/sec after 3 minutes
– No malicious payload
– Entire worm fits in 1 UDP packet
– Overloaded networks
• Took database servers out of operation
• Cancelled airline flights, out-of-service ATMs, interference with elections
– Exploited buffer overflow in MS SQL Server or MSDE
• Patch had been released July 24th, 2002
Recent Example
[Figure only: BGP picture of the SQL/Slammer worm outbreak, from the BGP monitor page listed in the references]
Worms – Framework for understanding
• Biological Model
– SI (susceptible/infected) model from the study of infectious diseases
– Describes rate of growth of epidemics in finite systems
• Two equations describe the behavior of a population of N hosts, with I infected, S = N - I susceptible and contact rate β:
$$\frac{dI}{dt} = \beta \frac{I S}{N}, \qquad \frac{dS}{dt} = -\beta \frac{I S}{N}$$
• Or, equivalently, in terms of the infected fraction i = I/N:
$$\frac{di}{dt} = \beta\, i\,(1 - i)$$
• Solving this equation gives (for some constant of integration T):
$$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$$
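As an added worked example (not from the original slides), the following Python fits β to the Code Red v2 doubling time quoted earlier, evaluates the closed-form SI solution i(t), and cross-checks it against a forward-Euler integration of di/dt = β i (1 - i). The only inputs are the slide's own numbers (360,000 vulnerable hosts, doubling every 37 minutes); a single initial infected host is an assumption.

```python
import math

# Code Red v2 figures from the slides: 360,000 vulnerable hosts, doubling every 37 minutes.
N_VULNERABLE = 360_000
DOUBLING_MINUTES = 37.0


def beta_from_doubling(doubling_time):
    """Early in an outbreak i << 1, so di/dt ~ beta*i and i doubles every ln(2)/beta.
    Returns the contact rate beta in units of 1/doubling_time."""
    return math.log(2) / doubling_time


def integration_constant(beta, i0):
    """Fix T from the initial condition i(0) = i0 in i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}):
    i(0) = i0  <=>  e^{-beta T} = i0 / (1 - i0)  <=>  T = -ln(i0 / (1 - i0)) / beta."""
    return -math.log(i0 / (1.0 - i0)) / beta


def infected_fraction(t, beta, i0):
    """Closed-form SI solution: fraction of the vulnerable population infected at time t."""
    x = math.exp(beta * (t - integration_constant(beta, i0)))
    return x / (1.0 + x)


def time_to_fraction(target, beta, i0):
    """Invert the closed form: time at which the infected fraction reaches `target`."""
    return integration_constant(beta, i0) + math.log(target / (1.0 - target)) / beta


def simulate_si(beta, i0, t_end, dt=0.05):
    """Forward-Euler integration of di/dt = beta * i * (1 - i), as an independent check on
    the closed form (and the tool you reach for once the model is no longer solvable by hand)."""
    i = i0
    for _ in range(round(t_end / dt)):
        i += beta * i * (1.0 - i) * dt
    return i


def code_red_timeline():
    """Worked numbers for the Code Red v2 parameters on the slides (times in minutes).
    Assumption: the outbreak starts from one infected host."""
    beta = beta_from_doubling(DOUBLING_MINUTES)
    i0 = 1.0 / N_VULNERABLE
    return {
        "beta_per_minute": beta,
        "minutes_to_50pct": time_to_fraction(0.50, beta, i0),
        "minutes_to_90pct": time_to_fraction(0.90, beta, i0),
        "fraction_at_14h": infected_fraction(14 * 60, beta, i0),
    }


if __name__ == "__main__":
    for name, value in code_red_timeline().items():
        print(f"{name}: {value:.4g}")
```

With these inputs the model puts 50% infection at roughly 11.4 hours and 90% at about 13.3 hours after patient zero, consistent with the "360,000 hosts in 14 hours" figure on the earlier slide.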
Biological model – accuracy
[Figure: hourly probe rate data for inbound port 80 at the Chemical Abstracts Service, for Code Red I's re-emergence on August 1st. The x-axis shows the time of day on August 1st (Central US Time); the y-axis shows the monitored probe rate.]
Code Red I (re-emergence)
[Figure: the early moments of the DShield dataset, matched against the behavior of a random-scanning worm]
Slammer/Sapphire
Worm – scanning strategies
• Model presented assumes random scanning for other hosts to infect.
• Other, more efficient scanning techniques are possible:
– Localized
– Hit-list
– Permutation
– Warhol worm
Localized Scanning – Code Red II
• A single-stage scanning worm that chose random IP addresses and attempted to infect them.
• Also used a localized scanning strategy: it was more likely to attempt to infect addresses relatively close to its own. With probability 3/8 it chooses a random IP from within the class B (/16) address space of the infected network, 1/2 from within the class A (/8), and 1/8 from the whole internet.
• Very successful strategy. Allows the worm to spread very rapidly within an internal network where multiple hosts have the same vulnerability.
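The target-selection rule above, as an added example (this is not Code Red II's own code): it draws probe targets with the 3/8, 1/2, 1/8 split, measures how often they land in the worm's own /16 and /8, and compares the per-probe hit probability against uniform random scanning for a constructed population in which one enterprise /16 holds many vulnerable hosts. The address 10.1.2.3 and the vulnerable-host densities are made up for illustration.

```python
import ipaddress
import random

# Constructed: the address of the infected host that is doing the scanning.
SELF_IP = int(ipaddress.IPv4Address("10.1.2.3"))

# (share of probes aimed at own /16, own /8, whole internet)
CODE_RED_II = (3 / 8, 1 / 2, 1 / 8)
UNIFORM = (0.0, 0.0, 1.0)


def code_red_ii_target(self_ip, rng):
    """Next probe target under Code Red II's localized scanning, as described above."""
    r = rng.random()
    if r < 3 / 8:                                   # same class B (/16) as the worm
        return (self_ip & 0xFFFF0000) | rng.getrandbits(16)
    if r < 3 / 8 + 1 / 2:                           # same class A (/8) as the worm
        return (self_ip & 0xFF000000) | rng.getrandbits(24)
    return rng.getrandbits(32)                      # anywhere in the 32-bit space


def uniform_target(self_ip, rng):
    """Baseline: purely random scanning (Code Red I style)."""
    return rng.getrandbits(32)


def prefix_fractions(chooser, self_ip=SELF_IP, n=200_000, seed=1):
    """Empirical share of probes that land in the worm's own /16 and own /8."""
    rng = random.Random(seed)
    same16 = same8 = 0
    for _ in range(n):
        t = chooser(self_ip, rng)
        same16 += (t >> 16) == (self_ip >> 16)
        same8 += (t >> 24) == (self_ip >> 24)
    return same16 / n, same8 / n


def expected_hit_rate(weights, density16, density8, density_global):
    """Probability that one probe hits a vulnerable host, given the fraction of
    vulnerable addresses inside the worm's /16, inside its /8, and internet-wide."""
    w16, w8, wg = weights
    return w16 * density16 + w8 * density8 + wg * density_global


def hit_rate_advantage():
    """Constructed population: the worm sits in an enterprise /16 holding 1,000
    vulnerable hosts, its /8 holds 2,000, and the whole internet 360,000 (the Code
    Red figure from the slides). Returns localized / uniform hit probability."""
    d16 = 1_000 / 2 ** 16
    d8 = 2_000 / 2 ** 24
    dg = 360_000 / 2 ** 32
    return expected_hit_rate(CODE_RED_II, d16, d8, dg) / expected_hit_rate(UNIFORM, d16, d8, dg)


if __name__ == "__main__":
    print("localized: /16 share %.3f, /8 share %.3f" % prefix_fractions(code_red_ii_target))
    print("uniform:   /16 share %.3f, /8 share %.3f" % prefix_fractions(uniform_target))
    print("per-probe hit rate advantage: %.1fx" % hit_rate_advantage())
```

For the constructed densities the localized strategy finds a vulnerable host roughly 70 times more often per probe than uniform scanning, which is why a single infected machine inside a monoculture network compromises its neighbours so quickly; it also explains why the worm's outbound scan traffic is concentrated on its own prefixes, a pattern an edge monitor can key on.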
Multi-vector worms – Nimda
• Worms are not restricted to a single method of propagation. Nimda used five methods:
• Infecting web servers from infected client hosts by probing for vulnerabilities.
• Bulk e-mailing itself to addresses found on the host.
• Copying itself across open network shares.
• Adding code to web pages to infect clients that browsed the pages.
• Scanning for backdoors left by Code Red II.
Hit-list Scanning
• Worms spend most of their time “getting off the ground”. They spread exponentially, but that means most of the attack's duration is spent infecting the first tens of thousands of victims.
• Hit-list scanning overcomes this problem by compiling a list of potentially vulnerable hosts before the worm is released. Each instance scans its list and, when it infects a new host, splits the list in two and hands half to the new instance.
• Lists can be created using several methods: stealthy scans, distributed scans from zombies, DNS searches, web crawlers, public surveys, and listening for advertisements.
Permutation Scanning
• Random scanning is naturally inefficient and cannot detect when all potential hosts have been attacked.
• Permutation scanning allows a worm to detect when a host is already infected; it is self-coordinated, comprehensive, and looks like a random scan.
• All instances share a common pseudo-random permutation of the IP address space, generated by a 32-bit block cipher and a preselected key.
• An infected machine starts scanning just after its own position in the permutation. When it sees an already-infected machine, it chooses a new random start point.
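Added example (not from the paper or the slides): a keyed Feistel network as the block-cipher permutation, a scanner that walks the permutation from its own position and re-seeds when it meets an infected host, and a small outbreak simulation. The simulation uses a 16-bit address space so the permutation can be exhaustively checked; the key, the number of vulnerable hosts and the restart budget before an instance goes dormant are assumptions.

```python
import hashlib
import random


class FeistelPermutation:
    """Keyed pseudo-random permutation of a `bits`-wide address space.
    A balanced Feistel network is a bijection whatever the round function does, so
    every worm instance carrying the same preselected key walks the same ordering."""

    def __init__(self, key: bytes, bits: int = 32, rounds: int = 6):
        assert bits % 2 == 0 and rounds <= 8
        self.bits, self.half = bits, bits // 2
        self.mask = (1 << self.half) - 1
        digest = hashlib.sha256(key).digest()            # derive round keys from the key
        self.round_keys = [int.from_bytes(digest[4 * r:4 * r + 4], "big") for r in range(rounds)]

    def _f(self, half, rk):
        # cheap non-linear mixing; bijectivity does not depend on it
        return (((half ^ rk) * 0x9E3779B1) >> 7) & self.mask

    def permute(self, addr):
        """address -> position in the scanning order"""
        l, r = addr >> self.half, addr & self.mask
        for rk in self.round_keys:
            l, r = r, l ^ self._f(r, rk)
        return (l << self.half) | r

    def unpermute(self, pos):
        """position -> address (inverse Feistel: same rounds in reverse)"""
        l, r = pos >> self.half, pos & self.mask
        for rk in reversed(self.round_keys):
            l, r = r ^ self._f(l, rk), l
        return (l << self.half) | r


class PermutationScanner:
    """One infected host: starts just after its own position in the permutation and walks
    forward; on meeting an already-infected host it jumps to a random new position, and
    after `max_restarts` such collisions it concludes the space is saturated and goes dormant."""

    def __init__(self, perm, own_addr, max_restarts=2):
        self.perm = perm
        self.size = 1 << perm.bits
        self.pos = perm.permute(own_addr)
        self.restarts_left = max_restarts

    def next_target(self):
        self.pos = (self.pos + 1) % self.size
        return self.perm.unpermute(self.pos)

    def hit_infected(self, rng):
        """Called when the probed host was already infected. False => go dormant."""
        if self.restarts_left == 0:
            return False
        self.restarts_left -= 1
        self.pos = rng.getrandbits(self.perm.bits)
        return True


def simulate_outbreak(bits=16, n_vulnerable=200, seed=7, max_probes=None):
    """Round-robin simulation of permutation scanning in a 2^bits address space.
    Returns (hosts infected, probes sent, scanners still active)."""
    rng = random.Random(seed)
    size = 1 << bits
    max_probes = max_probes or 50 * size
    perm = FeistelPermutation(b"preselected worm key", bits=bits)   # assumed key
    vulnerable = set(rng.sample(range(size), n_vulnerable))
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    scanners = [PermutationScanner(perm, patient_zero)]
    probes = 0
    while scanners and probes < max_probes:
        for s in list(scanners):
            target = s.next_target()
            probes += 1
            if target in infected:                 # region ahead already covered
                if not s.hit_infected(rng):
                    scanners.remove(s)
            elif target in vulnerable:
                infected.add(target)
                scanners.append(PermutationScanner(perm, target))
    return len(infected), probes, len(scanners)


if __name__ == "__main__":
    print("infected=%d probes=%d active=%d" % simulate_outbreak())
```

Two properties worth noticing when you run it: every vulnerable host is reached (each instance's first pass covers the stretch of the permutation between itself and the next infected host, and those stretches tile the whole space), and the worm population winds itself down on its own once collisions become frequent, which is the self-coordination the slide refers to. A defender cannot exploit the shared ordering without the key, since the scan order is indistinguishable from random to an observer.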
Warhol Worm
• Combination of a hit-list and permutation
scanning.
• “Capable of attacking most vulnerable
targets in well under an hour, possibly less
than 15 minutes.”
Worms – how to stop them
• From epidemiology – 3 factors determine
the spread of an infectious pathogen
– Vulnerability of population
– Length of infectious period
– Rate of infection
Worms – how to stop them (2)
Factor: Vulnerability of population (size of vulnerable population)
– Intervention: Prevention
– Examples: patch software; engineer software with fewer vulnerabilities (don't use gets()); increase heterogeneity of software on the internet (get rid of Microsoft, and all popular networked software)
Factor: Length of infectious period
– Intervention: Treatment
– Examples: software patches (after outbreak), but human timescales are too slow (16 days for most hosts to eliminate the Code Red vulnerability); automatic patches (virus software model)
Factor: Rate of infection
– Intervention: Containment
– Examples: firewalls, content filters, automated routing blacklists; coordination among pervasive systems; slow or stop spread of infection
Containment Approach
• Paper (“Internet Quarantine: Requirements for Containing Self-Propagating Code”) seeks to establish how well any containment approach can hope to perform against worms
• Looks at 3 main parameters
– Reaction time
– Containment strategy
• Address blacklisting – requires continuous updates
• Content filtering – requires effective signatures
– Deployment
Containment strategies – Simulation Results
• Idealized deployment
– Every node on network has
containment software
• Info distributed instantly
• Code Red v2 style worm
– 360,000 vulnerable hosts
out of 2^32
– 10 probes/sec per infected
host
Containment strategies – Simulation Results
[Figure: percentage of infected hosts after 24 hours]
Containment strategies – Simulation Results
• Practical deployment
– Use real internet topology of AS connectivity
– Look at 2 deployment strategies
• Filter at customer edge networks
• Filter in exchange point routers of major (highest outdegree) ASs
– Same worm
[Figure: x-axis “All customer networks in XX% of ASs implement containment filtering”]
Containment strategies – Simulation Results
• Reaction times required for effective worm containment
• Notice that near-total containment is virtually impossible
with aggressive worms in either deployment scenario
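Added example, not the simulator from the Internet Quarantine paper: a mean-field SI simulation with the slides' worm parameters (360,000 vulnerable hosts out of 2^32, 10 probes/sec per infected host) under idealized deployment, for address blacklisting (a host's probes are dropped a fixed reaction time after it becomes infected) and content filtering (every worm probe is dropped once a signature exists, a reaction time after the first infection). The one-second Euler step and the single initial host are modelling assumptions.

```python
from collections import deque

VULNERABLE = 360_000          # Code Red v2-style worm from the slides
ADDRESS_SPACE = 2 ** 32
PROBES_PER_SEC = 10
DAY = 24 * 3600


def contact_rate():
    """beta: new infections per second caused by one unfiltered infected host while
    almost everyone is still susceptible. Each probe goes to a random address, which
    is vulnerable with probability VULNERABLE / 2^32."""
    return PROBES_PER_SEC * VULNERABLE / ADDRESS_SPACE


def infected_after(strategy, reaction_time, horizon=DAY, dt=1.0):
    """Fraction of the vulnerable population infected `horizon` seconds after patient zero.
    strategy: "none"      no containment
              "blacklist" a host's probes are dropped `reaction_time` s after it is infected
                          (idealized: every node filters, list updates are instantaneous)
              "content"   all probes are dropped from `reaction_time` s after the first
                          infection, i.e. once a signature is available everywhere"""
    beta = contact_rate()
    i = 1.0 / VULNERABLE      # patient zero, as a fraction of the vulnerable population
    active = i                # infected hosts whose probes still reach the network
    recent = deque([i])       # new infections per step, so blacklisting can retire them
    delay = int(round(reaction_time / dt))
    for step in range(int(horizon / dt)):
        if strategy == "content" and step * dt >= reaction_time:
            break                                   # signature deployed, nothing gets through
        new = beta * active * (1.0 - i) * dt        # the SI term, driven by unfiltered hosts only
        i += new
        active += new
        recent.append(new)
        if strategy == "blacklist" and len(recent) > delay:
            active -= recent.popleft()              # hosts infected > reaction_time ago are blocked
    return i


def reaction_time_table(strategy, reaction_times):
    """Infected fraction after 24 h for each reaction time, for one strategy."""
    return {r: infected_after(strategy, r) for r in reaction_times}


if __name__ == "__main__":
    print("no containment: %.4f" % infected_after("none", 0))
    for strategy in ("blacklist", "content"):
        for r, frac in reaction_time_table(strategy, (600, 3600, 4 * 3600, 12 * 3600)).items():
            print("%-9s reaction %5.0f min -> %6.2f%% infected after 24 h" % (strategy, r / 60, 100 * frac))
```

The blacklisting result has a simple reading: a newly infected host gets to probe for at most one reaction time, so it spawns about β·R new infections before it is cut off; with these parameters β·R crosses 1 at a reaction time of roughly 20 minutes, above which the worm keeps growing no matter how complete the deployment. Content filtering only has to beat the worm to the bulk of the population, so it tolerates longer reaction times for this worm, but it assumes a signature can be produced that fast; against a Slammer-speed worm neither budget is realistic for a human-in-the-loop process.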
Worm Defenses
• One possible approach
– Peer-to-peer defense network
Cooperative Response Strategies for
Large Scale Attack Mitigation
D. Nojiri, J. Rowe, K. Levitt
UC Davis
Cooperative Peer-to-peer Strategies
• Direct cooperation occurs only between a limited
number of friend organizations.
• Organizations receiving an alert report act
according to their own local policy—there are no
central authorities.
• “When a site detects suspicious worm-like
behavior, its initial cooperation strategy is to share
the information with its friend
organizations…sharing produces a propagating
mitigating response whose rate of spread is similar
to that of the worm itself.”
Simulated Models of Mitigation Strategies
• Investigate the global properties when complex decision making by cooperating members is involved.
• Topology: thousands of vulnerable hosts and hundreds of cooperating members are simulated. Members share worm reports. When the number of worm reports exceeds some threshold, a member's response device protects its collection of vulnerable hosts from infection. Response devices are directly connected.
Response Devices
• Two states: normal and alerted.
• Normal: receives alerts and raises its alert level but does not send alerts.
• Alerted: blocks worm infection attempts using ingress and egress filtering and shares alerts with neighbors.
• In the absence of worm activity the device backs off its alert level and can return to normal.
• Model parameters: 1) average number of vulnerable hosts protected by a device, 2) number of cooperating friends, 3) threshold for state change, 4) back-off rate, 5) alert severity.
False Alarms
• Always a problem with security systems, including this model.
• See figure 6. Assume that 5% of all members incorrectly report a worm attack to their friends. With a low alert threshold, as many as 75% of all members begin blocking ‘worm’ attacks.
• Reducing the sensitivity reduces the damage done by false positives but increases the risk of succumbing to a real attack.
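Added example, not the authors' simulator: a minimal response-device state machine with the five parameters listed on the previous slide, run on a constructed ring of 200 members (each member's friends are the next five members around the ring, and every 20th member is a false reporter, i.e. 5%) so that the outcome can be checked by hand. Alerts carry a report id and each device forwards a given report at most once; that deduplication is an assumption added to keep the cascade finite.

```python
class ResponseDevice:
    """Response device with the two states described above.
    Normal:  receives alerts (raising its alert level) but sends nothing.
    Alerted: blocks worm traffic (ingress/egress filtering) and shares alerts with friends.
    The level backs off every step; without new alerts the device returns to Normal."""

    def __init__(self, ident, threshold, backoff, severity=1.0):
        self.ident = ident
        self.threshold = threshold     # alert level at which the state flips to Alerted
        self.backoff = backoff         # fraction of the alert level forgotten per step
        self.severity = severity       # weight of each alert this device sends
        self.level = 0.0
        self.alerted = False
        self.friends = []              # direct cooperation partners
        self.seen = set()              # report ids already counted (assumed deduplication)
        self.unforwarded = []          # report ids not yet shared with friends

    def raise_alarm(self):
        """This device itself detects (or wrongly believes it detects) worm-like behaviour."""
        self.seen.add(self.ident)
        self.unforwarded.append(self.ident)
        self.level = max(self.level, self.threshold)

    def receive(self, report_id, severity):
        if report_id in self.seen:
            return
        self.seen.add(report_id)
        self.unforwarded.append(report_id)
        self.level += severity

    def step(self):
        """Advance one tick; return (friend, report_id, severity) alerts delivered next tick."""
        if not self.alerted and self.level >= self.threshold:
            self.alerted = True
        elif self.alerted and self.level < self.threshold:
            self.alerted = False
        outgoing = []
        if self.alerted:               # only Alerted devices share what they have heard
            outgoing = [(f, rid, self.severity) for rid in self.unforwarded for f in self.friends]
            self.unforwarded = []
        self.level *= 1.0 - self.backoff
        return outgoing


def build_ring(n_members, friends_per_member, threshold, backoff):
    """Constructed topology: member k's friends are members k+1 .. k+friends_per_member."""
    devices = [ResponseDevice(k, threshold, backoff) for k in range(n_members)]
    for k, d in enumerate(devices):
        d.friends = [devices[(k + j) % n_members] for j in range(1, friends_per_member + 1)]
    return devices


def false_alarm_scenario(threshold, n_members=200, friends_per_member=5, backoff=0.5,
                         false_rate=0.05, steps=80):
    """No worm is present, but `false_rate` of the members (evenly spaced) wrongly report one.
    Returns (fraction that ever went Alerted and started blocking,
             peak fraction Alerted at any single step,
             fraction still Alerted after `steps` ticks)."""
    devices = build_ring(n_members, friends_per_member, threshold, backoff)
    for d in devices[::round(1 / false_rate)]:
        d.raise_alarm()
    pending, ever_alerted, peak = [], set(), 0.0
    for _ in range(steps):
        for dev, rid, sev in pending:
            dev.receive(rid, sev)
        pending = []
        for d in devices:
            pending.extend(d.step())
            if d.alerted:
                ever_alerted.add(d.ident)
        peak = max(peak, sum(d.alerted for d in devices) / n_members)
    final = sum(d.alerted for d in devices) / n_members
    return len(ever_alerted) / n_members, peak, final


if __name__ == "__main__":
    for thr in (1, 2, 3):
        ever, peak, final = false_alarm_scenario(threshold=thr)
        print(f"threshold {thr}: ever blocked {ever:.2%}, peak {peak:.2%}, still alerted {final:.2%}")
```

With a threshold of one alert, the ten false reports propagate all the way around the ring and every member blocks at some point; with a threshold of three no member ever hears about three distinct reports, so only the ten liars themselves block. The same threshold that makes the network immune to a 5% false-alarm rate would also leave it silent while a real worm infected three friends of each member, which is the trade-off the slide describes.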
Conclusion
• The mathematical model shows that large-scale worm attacks can be slowed by unleashing a controlled “white worm” that propagates at a faster rate.
• Simulations model a more complex response and show that some defensive benefit can be achieved by cooperating directly with peers.
• Slow, stealthy worms and false positives are not handled well.
Closing thoughts/Questions
• Containing worms difficult – especially in partial
deployment
– All or most IP-IP paths should be filtered
• Containment/Prevention/Treatment? What’s best?
• How do we contain multi-vector worms?
• How do we deal with stealthy, slow spreading
worms?
• A more malicious Slammer – how much damage
could it do?
References
• BGP picture: http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
• Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium (Security '02).
• David Moore, Colleen Shannon, Geoffrey Voelker and Stefan Savage, Internet Quarantine: Requirements for Containing Self-Propagating Code, to appear in Proceedings of the 2003 IEEE Infocom Conference, San Francisco, CA, April 2003.
• D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm, technical report, February 2003.