Internet Security & Worms Prasad S. Athawale Department of Computer Science,

Download Report

Transcript Internet Security & Worms Prasad S. Athawale Department of Computer Science,

Internet Security & Worms

Prasad S. Athawale

Department of Computer Science, University at Buffalo State University of New York, Buffalo

Outline

         Security Overview Intent History Worms Vs Viruses Worm Modelling Simulation techniques Results/Deductions Future of Worms Possible Research Work

Internet Security

  Covers a broad range of issues – from Data Integrity to Availability Attack types  Denial of Service   Viruses/Worms Snooping/Sniffing etc

Intent

The primary intent of this presentation is to explore the world of Internet Worms, in particular look at current research areas, their propagation mechanisms etc and defense measure if any

History

     Morris Worm 2 November 1988 Exploited flaws in fingerd and sendmail Password guessing /etc/passwd file Trusted Hosts

The Internet Worm Incident Technical Report CSD-TR-933*

Eugene H. Spafford

Department of Computer Sciences Purdue University

Definition

 Worms: Programs that self propagate across the internet by exploiting security flaws in widely used services 1  John Bruner in his novel “The Shockwave Rider” coined the term “worm” How to Own the Internet in your Spare Time Stuart Staniford, Vern Paxson, Nicholas Weaver

Worms Vs Viruses

  A Virus is a malicious program that spreads using a propagation technique that generally requires user intervention, and always possess a malicious intent A worm on the other hand, has ability to self-propagate, and may or may not have malicious intent

Requirements!!!

    Autonomy Replicability Reconnaissance Capabilities Attack Capabilities

Worms as Attack Vectors: Theory, Threats, and Defenses

Matthew Todd, Ph.D.

January 31, 2003

Intended Uses/Applications ?

    Launch a D-DoS Access to Sensitive Information Spread Disinformation Unknown reasons

Mechanism?

     Target Selection Exploit Propagation Mechanism Deployment Tactics Defensive Measures ?

Mechanism of Operation

Worm Propagation and Countermeasures – GSEC Practical – Glenn Gebhart – SANS Institute

Spread of a Worm

  Red Dots indicate the infected machines Bottom left corner number of infected hosts

……

 Display Propagation Speed

Why Study Worms ?

    Capable of severely hampering the working of the internet To unable us to build better defense systems To unable possible good application The worst is yet to come!

Applications of a self propagating piece of code – capable of reaching everywhere really fast ?

Current research Focus

    Modelling Scanning Techniques Propagation Mechanisms Prevention Techniques ?

Modelling

 Simple Epidemic Model  Uses the time tested model of Infectious diseases to model Worm propagation  Three possible states – Susceptible, Infected, Quarantined/Removed

Simple Epidemic Model

infectious susceptible removed    “ infectious ” hosts: continuously infect others.

“removed” hosts in epidemic area:   Recover and immune to the virus.

Dead because of the disease.

“removed” hosts in computer area:   Patched computers that are clean and immune to the worm.

Computers that are shut down or cut off from worm’s circulation. Code Red Worm Propagation Modeling and Analysis – Cliff Zou

Epidemic modeling introduction

 Homogeneous assumption:   Any host has the equal probability to contact any other hosts in the system.

Number of contacts 

I

S

Code Red Worm Propagation Modeling and Analysis – Cliff Zou

Deterministic epidemic models — Simple epidemic model I(t) 5 4 6 3 2 1 10 x 10 5 9 8 7  State transition: susceptible infectious N: population; S(t): susceptible hosts; I(t): infectious hosts dI(t)/dt =  S(t) I(t) S(t) + I(t) = N   I(t)  S(t) symmetric Problems:   Constant infection rate  No “removed” state.

0 5 10 15 25 30 35 40 t 20 Code Red Worm Propagation Modeling and Analysis – Cliff Zou

Deterministic epidemic models —Kermack McKendrick epidemic model  State transition: susceptible R(t): removed from infectious;  infectious removal rate removed dI(t)/dt =  S(t) I(t) – dR(t)/dt dR(t)/dt =  I(t) ; S(t) + I(t) + R(t) = N 10 x 10 5 9 8 7 6 5  =0  =  N/16  =  N/4  =  N/2  Epidemic threshold:   No outbreak if S(0) <  /  Major Out Break if S(0)>  /  I(t) 4 3  Problems: 2  Constant infection rate  1 0 10 t 20 30 40  No susceptible Code Red Worm Propagation Modeling and Analysis – Cliff Zou removed

Consider human countermeasures  Human countermeasures:    Clean and patch: download cleaning program, patches.

Filter: put filters on firewalls, gateways.

Disconnect computers.

 Reasons for:   Suppress most new viruses/worms from outbreak. Eliminate virulent viruses/worms eventually.

 Removal of both susceptible and infectious hosts.

?

infectious susceptible removed Code Red Worm Propagation Modeling and Analysis – Cliff Zou

Consider human countermeasures  Model (extended from KM model):     Q(t) : removal from susceptible hosts.

R(t): removal from infectious hosts.

I(t): infectious hosts. J(t)   I(t)+R(t): Number of infected hosts that have ever been infected hosts Beta is still considered Constant dS(t)/dt =  S(t) I(t) dQ(t)/dt dR(t)/dt =  I(t) dQ(t)/dt =  S(t)J(t) S(t) + I(t) + R(t) + Q(t) = N Code Red Worm Propagation Modeling and Analysis – Cliff Zou

Two-factor

worm model  Worm may cause congestion:  Huge number of scan packets with unused IP addresses.

  Routing table cache misses. ( about 30% of IP space is used)  Generation of ICMP (router error) in case of invalid IP.

Effect: slowing down of worm propagation rate:    (t) 

Two-factor worm model

: dS(t)/dt =  (t) S(t)I(t) dR(t)/dt =  I(t) dQ(t)/dt =  S(t)J(t)  (t) =  0 [ 1 - I(t)/N ]  S(t) + I(t) + R(t) + Q(t) dQ(t)/dt = N  is used to adjust the level of congestion in the network

Perfect Worm ?

 A ‘perfect worm’ would have:  All vulnerable hosts known   No dual scanning Immediate infection  Using Code Red parameters, N=360000,initially infected = 10 and scan rate of 358/min

Time Taken = 1.758 seconds!!

On the Performance of Internet Worm Scanning Strategies Cliff Changchun Zou., Don Towsley, Weibo Gong. .Department of Electrical & Computer Engineering Department of Computer Science Univ. Massachusetts, Amherst

Perfect Worm – with delay

Scanning Techniques

 Hit-List Based Scanning  Stealthy Scans – using nmap ?

    Distributed Scanning – multiple attackers ?

DNS Searches Spiders Just Listen!

Scanning Techniques

    Sequential Scanning Hit List Based Scanning Permutation Scanning Preferential Subnet Scanning

Co-ordinated Permutation Scanning

      Assumption – A copy of the worm can detect whether a given host is infected Common permutation of IP address space known to all worms Any machine starts scanning just after it’s point of infection. If an infected host is found, there onwards random point scanning ‘Self –Coordinating', as minimizing duplication of effort Number of such infected hosts – stops scanning assuming infection complete Partitioned Scanning – Initially responsible for some set – divides and hands over to child worm

Subnet Scanning

   Cross Network Scanning is too noisy Can create congestion killing own spread Use different probabilities to target IP’s in own subnet’s e.g. Code Red own class B 3/8, class A ½, others 1/8 – Code Red, Nimda

Defense Mechanisms

   La Brea Tarpit – We can actually do something about it!

Hold Connection Attempts from a Infected Computer A byte stream flow of only 1215 bytes/hour is sufficient to keep the connection alive

Defense Mechanisms

  LaBrea can be defeated using asynchronous mode Dependent on per host throttling – each host restricts the rate at which a host can connect to new hosts – universal deployment may reduce scanning speed by an order of magnitude

Defense Mechanism

  Automatically detecting infected hosts and using firewall filters to contain spread Practical Application Cisco’s NBAR – Network Based Application Recognition  Ability to block particular TCP streams active on a router based on signature recognition

Defense: Internet Quarantine

    Prevention  This aims to reduce the size of the vulnerable population Treatment  Generally patches take days to release – only now that relatively reliable distribution networks for patches are springing up Containment  Firewalls, Content Filtering, Automated Routing Blacklists Intervention ?

Code Red Propagation

Address Blacklisting

Code Red Propagation

Content Filtering

Generalized Worm Containment

Address Blacklisting

Generalized Worm Containment

Content Filtering

Containment Results

   Not possible to limit infection to less than 18% of the vulnerable hosts for sufficiently aggressive worms (100 scans/second) Used scenarios: ‘Top 100 ISPs’ and 50% home users – for address blacklisting Reason: 99.7% paths blocked but there still exist alternate paths for propagation – works even when reaction time reduced to 0!

Dynamic Quarantine

    Based on Methods used in Epidemic Control – ‘Assume guilty till proven innocent’ Non-Intrusive : Block certain ports for a short time, automatic release Able to reduce/control the propagation speed Assumption : System is assumed homogeneous and contact rate is constant

Defense Mechanisms

  A lot of researchers have researched this area – Staniford, Kephart and White, Wang Epidemiological analysis of Computer Viruses – suggested that it can be contained but only till the infection rate doesn’t exceed a critical threshold

Containment

   Automated mechanisms required Content Filtering works the best Blocking Point – At Core ISPs

Defense: Active Worm Detection

    Uses ICMP Destination Unreachable Messages Collection Point for all ICMP-T3 packets Correlator – identify threshold crossing occurrences ICMP T3 copy generated for collector by router

Defense: Active Worm Detection

 Multiple Cases  One IP to Many IP’s on port p      Many IPs to 1 IP on port p One IP to other IP on number of ports p Many IPs to 1 IP on a number of ports If instances of such activity exceed threshold N, an alert is generated 4-6 alerts have shown good response

Active Vs Passive

  Passive – Prevent spreading of Worms by blocking Worm Traffic Active – Proactive approach by patching vulnerable systems or quickly removing infected systems

Comparison of Active and Passive Mechanisms

    Content Filtering defense mechanism limits infections Address filtering defense requires near perfect deployment Content Filtering mechanism deployed in the top 30 most connected ASes can outperform active defense Active defense worms might have to be pre-deployed in the network to be activated as required

Force Multipliers!!

    Multiple Attack Capabilities Defense Command Interface Polymorphism

Worms as Attack Vectors: Theory, Threats, and Defenses

Matthew Todd, Ph.D.

January 31, 2003

Upgrade

    Modular Design Multiple vulnerabilities pre-identified Subsequent ‘0’ day exploits could be released Signature Alteration (Polymorphism)

Communication Channels

      ‘Drop-Box’ Concept E-Mail IRC Specific channels on IRC KaZaa File shares Covert Channels ?

Communication Channels

   Encrypted channels Public Key, Simple XOR ?

 Encrypted data might draw attention – simple XOR might help protect entropy Distributed Hash Tables  Principle used by software like Kazaa to determine location of files etc

Curious Yellow Vs Curious Blue

  Curious Yellow – a high co ordination worm – uses techniques for fast propagation, and distributed control Curious Blue to counter it – with distribution of patches carried out in a similar manner Since both accept updates – can be easily

Proposed ‘Conceptual’ Worms

    Flash Warhol BGP Curious Yellow

Flash Worms

    Closest thing to a perfect worm IP addresses of all vulnerable hosts known beforehand Scanning space reduced 99% hosts infected in 2.53 seconds assuming no delay

Tremendous speed of infection – no time for human intervention

Warhol Worm

  Uses combination of Hit-List & Permutation Scanning This combination improves initial speed – quickly achieving a set base & permutation scanning keeps the worms infection rate high for longer period Provides a very practical design of a worm – and achieves 99% infection in around 15mins

BGP Routing Worm

   Based on BGP Routing Tables Freely Available on the Internet Geographical Information – ISP,AS, company, country etc.

Reduce the scanning space to 28.6% of all IP space

Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

Cliff C. Zou., Don Towsley, Weibo Gong., Songlin Cai.,.Department of Electrical & Computer Engineering Department of Computer Science, Univ. Massachusetts, Amherst

Contagion

      Slowly spreading worm to avoid detection P2P based High Bandwidth traffic usual – not detected One client/server program may dominate e.g. KaZaa Not strictly a worm – but can be used to support a worm!

Potential ? - A University 9 million distinct IP’s in one month!

Takeaway

      Stealth would play a major role in the next generation of Worms Bandwidth, Network Capacity, Widespread use of Computers & a predominantly Ignorant User Community are a given, and these would be exploited to the maximum Proactive defense mechanisms rather than ‘observing’ mechanisms –  Observe ‘periphery’ of ones network ?

For Content Based Systems – Ability to identify signatures at an early stage Espionage, Rivalry & Enemity + Non-cooperative Govts/Corporations Design to Security has to be the additional component along with Reliability, Scalability and Availability

            

References

Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense

Cliff Changchun Zou, Weibo Gong, Don Towsley, Univ. Massachusetts Amherst, MA

On the Performance of Internet Worm Scanning Strategies

Cliff Changchun Zou., Don Towsley, Weibo Gong. Univ. Massachusetts, Amherst

Modelling the Spread of Active Worm

Zesheng Chen (Georgia Tect), Lixin Gai(U Mass), Kevin Kwiat (AFRL)

Slowing down Internet Worms

Shigang Chen, Yong Tang (UFL, Gainsville)

Comparing Active and Passive Worm Defenses

Michael Liljenstam David M. Nicol (UIUC, Urbana Champaigne)

Internet Qurantine:Requirements for Containing Self- Propagating Code

David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, UCSD

Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

Cliff C. Zou., Don Towsley, Weibo Gong., Songlin Cai Univ. Massachusetts, Amherst

Worms as Attack Vectors: Theory, Threats, and Defenses

A Practical Assignment, submitted in partial requirement for GSEC certification (GIAC Security Essentials Certification Matthew Todd, Ph.D.

"I don't think I really love you“ or writing internet worms for fun and profit (C) 1998-2000 Michal Zalewski

The Internet Worm Incident Technical Report CSD-TR-933*

Eugene H. Spafford Purdue University

How to Own the Internet in your Spare Time

Stuart Staniford (Silicon Defense), Vern Paxson (ICSI Center for Internet Research), Nicholas Weaver (UC Berkeley)

The Future of Internet Worms

Jose Nazario, with Jeremy Anderson, Rick Wash and Chris Connelly Crimelabs research

Curious Yellow: The first coordinated Worm Design

By Brandon Wiley