CSE651: Network Security - PowerPoint PPT Presentation

About This Presentation
Title:

CSE651: Network Security

Description:

Active Worm and Its Defense CSE651: Network Security – PowerPoint PPT presentation

Slides: 38
Provided by: DonT173

1
Active Worm and Its Defense
  • CSE651 Network Security

2
Worm vs. Virus
  • Worm
  • A program that propagates itself over a network,
    reproducing itself as it goes
  • Virus
  • A program that searches out other programs and
    infects them by embedding a copy of itself in them

3
Active Worm vs. DDoS
  • DDoS stands for Distributed Denial of Service
    attack
  • The two differ in:
  • Propagation method
  • Goal: congestion vs. resource appropriation
  • Rate of distribution
  • Scope of infection

4
History
  • http://snowplow.org/tom/worm/history.html
  • Morris Worm, the first major Internet worm, released on
    November 2, 1988 by Robert Tappan Morris, who was
    then a 23-year-old doctoral student at Cornell
    University
  • Code Red worm, July 2001: infected more than
    359,000 Microsoft IIS servers. The attack
    finished in 14 hours
  • Slammer worm, January 2003: infected nearly
    75,000 Microsoft SQL Server hosts. The attack finished in
    less than one hour (most infections happened within
    the first ten minutes)
  • MyDoom worm, February 2004: infected a large number of
    hosts, which then automatically and successfully DDoS
    attacked a few popular websites

5
The Morris Worm of 1988
  • First major Internet worm
  • Released by Robert T. Morris of Cornell University
  • Affected DEC's VAX and Sun Microsystems' Sun-3
    systems
  • Spread
  • ~6,000 victims, i.e., 5-10% of the hosts on the
    Internet at that time
  • Many more machines were disconnected from the net to
    avoid infection
  • Cost
  • Some estimates: $98 million
  • Other reports: < $1 million
  • Triggered the creation of CERT (Computer
    Emergency Response Team, now CERT/CC)

6
Recent Worms
  • July 13, 2001, Code Red v1
  • July 19, 2001, Code Red v2
  • Aug. 04, 2001, Code Red II
  • Sep. 18, 2001, Nimda
  • Jan. 25, 2003, SQL Slammer
  • More recent
  • SoBig.F, MSBlast (Blaster)

7
How an Active Worm Spreads
  • Autonomous
  • No need for human interaction

8
Basic Propagation Method
  • Network worm: uses port scanning to find
    vulnerable targets
  • Application worm: propagates through email,
    instant messaging, OS file sharing, P2P file
    sharing systems, or other applications
  • Hybrid worm: combines both

9
Delivery Method
  • How is the worm code delivered to vulnerable
    hosts?
  • Self-contained / self-propagating: each newly
    infected host becomes a new source and sends the
    worm code directly to the hosts it infects
  • Embedded: carried inside infected files, such as
    emails or shared files
  • Second channel: the newly infected host uses a
    second channel such as TFTP (Trivial File
    Transfer Protocol) to download the worm code from
    a central source

10
Scanning Strategy (1)
  • Random scanning
  • Probes random addresses in the IP address space
    (Code Red v2)
  • Selective random scanning
  • A set of addresses that more likely belong to
    existing machines is selected as the target
    address space
  • Hitlist scanning
  • Probes addresses from an externally supplied list
  • Topological scanning
  • Uses information found on the compromised host,
    e.g. address books (email worms)
  • Local subnet scanning
  • Preferentially scans targets that reside on the
    same subnet (Code Red II, Nimda)

11
Scanning Strategy (2)
  • Routable scanning
  • Chooses only routable IP addresses (prefixes
    present in the BGP routing table) as scan targets
  • DNS scanning
  • Chooses hosts that have a DNS name as scan targets
  • Permutation scanning
  • All instances scan through a shared pseudorandom
    permutation of the address space, each newly
    infected host starting at a different point, so
    different instances cover different address blocks

12
Synchronization between Infected Hosts (or Worm
Instances)
  • Asynchronous
  • Each infected host behaves individually, without
    synchronization with other infected hosts
  • Synchronized
  • Infected hosts synchronize with each other, e.g.
    through a central server

13
Propagation Activity Control
  • Non-stopping
  • Keep port scanning and never stop
  • Time Control
  • Preset stopping timer and restart timer and use
    those timers to control the port scan activities
  • Self-Adjustment
  • Self-control according to the environment (Atak
    worm) or the estimation of the infected host
    amount (Self-Stop worm)
  • Centralized Control
  • Controlled by the attacker

14
Scan Rate
  • Constant Scan Rate
  • Each infected host keeps a constant scan rate
    which is limited by the computation ability and
    outgoing bandwidth of the host.
  • Random Varying Scan Rate
  • Randomly change the scan rate.
  • Smart Varying Scan Rate
  • Change the scan rate according to a rule derived
    from the attack policy and the environment
  • Controlled Varying Scan Rate
  • Change the scan rate according to the attacker's
    control commands

15
Modularity
  • Non-Modular
  • Modular
  • Use modular design in the worm code, so that new
    attack modules can be sent to the infected hosts
    and plugged in after the infection.

16
Organization
  • Decentralized
  • There is no organization or cooperation among
    infected hosts, and there is no communication
    between the infected hosts and the attacker.
  • Centralized Organization
  • Organized by Internet Relay Chat (IRC) or other
    methods like botnets do, so that the attacker can
    control the infected hosts.

17
Payload with the worm code
  • Spamming
  • Code capable of sending spam from the infected host
  • DDoS Attack
  • Code capable of carrying out DDoS attacks
  • Sniffing
  • Code that watches for interesting clear-text data
    passing by the infected host
  • Spyware
  • Spyware code
  • Keylogging
  • Code that records keystrokes to capture the
    passwords typed on the infected host
  • Data Theft
  • Code capable of stealing private data

18
Techniques for Exploiting Vulnerabilities (Morris worm)
  • fingerd (stack buffer overflow via gets())
  • sendmail (command execution through the DEBUG mode)
  • rsh/rexec (trusted-host relationships and guessed
    weak passwords)

19
Active Worm Defense
  • Modeling
  • Infection Mitigation

20
Worm Behavior Modeling (1)
  • Propagation model
  • V is the total number of vulnerable nodes
  • N is the size of address space
  • i(t) is the percentage of infected nodes among V
  • r is the scan rate of the worm

21
Worm Behavior Modeling (2)
  • Propagation model (discrete time)
  • M(i): the number of infected hosts overall at
    time tick i
  • N(i): the number of uninfected vulnerable
    hosts at time tick i
  • E(i): the number of newly infected hosts from
    time tick i to time tick i+1
  • T: the total number of IP addresses, i.e., 2^32
    for IPv4
  • N(0): the number of vulnerable hosts on the
    Internet before the worm attack starts
  • E(0) = 0, M(0) = M_0 (the initially infected hosts)
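
The two modeling slides only define the symbols; the example below, which is added here and is not part of the original slides, carries the model through with those symbols. It assumes the classic expected-value model for pure random scanning: in each tick every one of the M(i) infected hosts sends r probes to addresses drawn uniformly from the T-address space, so each probe hits an uninfected vulnerable host with probability N(i)/T and E(i) = M(i) * r * N(i) / T (the slide's E(0) = 0 is the state before the first scanning tick; here scanning starts at tick 0). The Code Red-like and Slammer-like parameter sets in the usage block are assumptions for illustration, not measurements.

```python
"""Discrete-time propagation model for a random-scanning worm.

Added example (not from the original slides), using the page's symbols:
M(i) infected hosts, N(i) uninfected vulnerable hosts, E(i) new infections
between tick i and i+1, T the address-space size, r scans per host per tick.
Assumed model: E(i) = M(i) * r * N(i) / T, capped at N(i).
"""
import math


def simulate(n0, m0, r, t_space=2 ** 32, ticks=600):
    """Return lists M, N (ticks+1 entries) and E (ticks entries).

    n0: N(0), vulnerable hosts before the attack
    m0: M(0) = M_0, initially infected (seed / hit-list) hosts
    r:  scans per infected host per tick
    t_space: T, number of scannable addresses (2^32 for IPv4)
    """
    M, N, E = [float(m0)], [float(n0)], []
    for i in range(ticks):
        # Expected new victims this tick. The cap at N(i) keeps the simple
        # model from infecting more hosts than remain vulnerable once the
        # expected hit count exceeds the remaining population.
        newly = min(N[i], M[i] * r * N[i] / t_space)
        E.append(newly)
        M.append(M[i] + newly)
        N.append(N[i] - newly)
    return M, N, E


def ticks_to_fraction(M, v, fraction):
    """First tick at which M(i) reaches `fraction` of the V = M(0) + N(0)
    vulnerable hosts, or None if the run never gets there."""
    target = fraction * v
    for i, m in enumerate(M):
        if m >= target:
            return i
    return None


def doubling_time(n0, r, t_space=2 ** 32):
    """Initial doubling time in ticks while N(i) is still close to N(0):
    each infected host then adds r*N(0)/T new victims per tick, so M(i)
    grows like M(0) * exp((r*N(0)/T) * i)."""
    growth = r * n0 / t_space
    return math.log(2) / growth


if __name__ == "__main__":
    # Assumed, illustrative parameters; one tick = one second.
    scenarios = {
        "Code Red-like (360k vulnerable, 6 scans/s/host)": (360_000, 6),
        "Slammer-like (75k vulnerable, 4000 scans/s/host)": (75_000, 4000),
    }
    for name, (v, r) in scenarios.items():
        M, _, _ = simulate(n0=v - 1, m0=1, r=r, ticks=14 * 3600)
        print(name)
        print(f"  initial doubling time: {doubling_time(v - 1, r):.0f} s")
        for f in (0.1, 0.5, 0.9):
            t = ticks_to_fraction(M, v, f)
            if t is None:
                print(f"  {f:.0%} not reached within 14 h")
            else:
                print(f"  {f:.0%} infected after {t} s ({t / 3600:.1f} h)")
```

Running the two scenarios shows why Slammer finished in minutes while Code Red took most of a day: the initial growth rate is r*N(0)/T, so a UDP worm that scans three orders of magnitude faster per host doubles in seconds rather than tens of minutes, even with a smaller vulnerable population.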

22
Modeling P2P-based Active Worm Attacks
  • Basic worm attack strategies
  • Pure Random-based Scan (PRS)
  • Randomly select the attack victim
  • Adopted by Code-Red-I and Slammer
  • P2P based attack strategies
  • Offline P2P-based Hit-list Scan (OPHLS)
  • Online P2P-based Scan (OPS)
  • Both strategies exploit P2P system features

23
Background P2P Systems
  • Host-based overlay system
  • Structured and unstructured
  • Rich connectivity
  • Very popular
  • 3,467,860 users in the FastTrack P2P system
  • 1,420,399 users in the eDonkey P2P system
  • 1,155,953 users in the iMesh P2P system
  • 103,466 users in the Gnutella P2P system.

24
Two P2P-based Worm Attack Strategies
  • Offline P2P-based Hit-list Scan (OPHLS)
  • Offline collect P2P host addresses as a hit-list
  • Attack the hit-list first
  • Attack Internet via PRS
  • Online P2P-based Scan (OPS)
  • Use runtime P2P neighbor information
  • Attack P2P neighbors
  • Extra attack resource applied to attack Internet
    via PRS

25
Online-based P2P Worm Attack Strategy
26
Performance Comparison of Attack Strategies
  • The P2P-based attack strategies overall
    outperform the PRS attack strategy
  • The OPHLS attack strategy achieves the best
    performance among all the attack strategies
    compared

27
Sensitivity of Attack to P2P System Size
  • As the P2P system size increases, the attack
    performance becomes consistently better for all
    attack strategies

28
Detection
  • Host-based detection
  • Network-based detection
  • Detecting large scale worm propagation
  • Global distributed traffic monitoring framework
  • Distributed monitors and data center
  • Worm port scanning and background port scanning

29
Distributed Worm Monitoring Systems
30
Detection Schemes
  • Assumed worm behavior
  • Pure random scan
  • Each worm instance takes part in the attack all the
    time
  • Constant scan rate
  • Therefore the overall port scanning traffic volume
    implies the number of worm instances (infected hosts)
  • Total number of worm instances and overall port
    scanning traffic volume increase exponentially
    during worm propagation
  • Count-based and trend-based detection schemes
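
The slide names count-based and trend-based schemes without showing them. The following is an added example, not code from the slides or from any monitoring system, that runs both over a constructed series of per-minute probe counts (the kind of aggregate a data center would compute from distributed monitors). The background numbers, the doubling worm series and the single-spike series are all constructed; the per-host scan rate used to turn volume into an instance count is an assumption.

```python
"""Count-based and trend-based worm detection over per-window scan counts.

Added example, not from the original slides. The input is a constructed
series of per-minute counts of port-scan probes seen by distributed monitors.
With pure random scanning and a constant per-host scan rate, the probe count
is proportional to the number of worm instances and grows exponentially, so
a count-based scheme fires on an absolute threshold while a trend-based scheme
fires on sustained multiplicative growth of the excess over background.
"""
from statistics import mean, pstdev

# Constructed data: ten quiet minutes of background scanning, then a worm
# whose probe count doubles every minute on top of that background.
BACKGROUND = [52, 48, 55, 47, 50, 53, 49, 51, 46, 54]
WORM_START = [50 + 8 * 2 ** k for k in range(8)]  # 58, 66, 82, ..., 1074
SERIES = BACKGROUND + WORM_START

# Constructed data: one scan burst (a misconfigured scanner, say) that should
# not be mistaken for a worm outbreak.
SPIKE = BACKGROUND + [50, 49, 200, 51, 48, 52]


def count_based(counts, baseline, k=3.0):
    """Index of the first window whose count exceeds mean + k*stddev of
    the baseline windows, or None if no window does."""
    threshold = mean(baseline) + k * pstdev(baseline)
    for i, c in enumerate(counts):
        if c > threshold:
            return i
    return None


def trend_based(counts, baseline, k=3, min_ratio=1.5):
    """Index of the window that completes k consecutive windows in which
    the excess over the baseline mean grew by at least min_ratio per step
    (the exponential-growth signature), or None."""
    mu = mean(baseline)
    excess = [c - mu for c in counts]
    run = 0
    for i in range(1, len(counts)):
        if excess[i - 1] > 0 and excess[i] >= min_ratio * excess[i - 1]:
            run += 1
            if run >= k:
                return i
        else:
            run = 0
    return None


def estimate_instances(count, baseline, r_per_window):
    """Infected-host estimate from one window: the excess over background
    divided by the assumed constant per-host scan rate."""
    return max(0.0, (count - mean(baseline)) / r_per_window)


if __name__ == "__main__":
    print("worm series:  count-based fires at window",
          count_based(SERIES, BACKGROUND),
          "/ trend-based at window", trend_based(SERIES, BACKGROUND))
    print("spike series: count-based fires at window",
          count_based(SPIKE, BACKGROUND),
          "/ trend-based at window", trend_based(SPIKE, BACKGROUND))
    print("estimated instances in the last worm window at 8 scans/min/host:",
          estimate_instances(SERIES[-1], BACKGROUND, 8))
```

On the worm series both schemes fire within a few minutes of the outbreak; on the spike series only the count-based scheme fires, which is the false positive the trend-based scheme is meant to avoid. The price is latency: the trend-based scheme needs k growing windows before it can alert, so in practice the two are run together.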

31
Infection Mitigation
  • Patching
  • Filtering/intrusion detection (signature based)
  • DAW (Distributed Anti-Worm Architecture)
  • TCP/IP stack reimplementation that bounds the rate
    of new connection requests (connection throttling)

32
Goals of DAW
  • Impede worm progress, allow human intervention
  • Detect worm-infected clients
  • Keep congestion issues minimal, with little
    routing performance impact
  • Shigang Chen and Yong Tang. Slowing down Internet
    worms. In Proceedings of the 24th International
    Conference on Distributed Computing Systems (ICDCS),
    March 2004.

33
DAW
  • Requirements
  • Distributed, sensors act independently
  • NIDS (rather than HIDS)
  • Limited responsibility, ensures availability of
    nodes

34
DAW
35
Active Worm Detection in DAW
  • User behavior
  • Few failed connections (DNS)
  • Predictable traffic generation throughout the day
  • Relatively uniform intranet traffic distribution
  • Worm behavior
  • Sampling shows a 99.96% failure rate for scans
  • Spikes in the failure/request ratio
  • Traffic pattern disproportionately favors
    infected clients

36
Active Worm Failures
  • TCP only, random scanning
  • Failure = ICMP Unreachable or TCP RST response
  • 99.96% of scans of 80/tcp fail
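
To make the failure-ratio signal from the last two slides concrete, here is an added example (mine, not code from the DAW paper or the slides) that computes per-source failure/request ratios over a constructed connection log and then bounds the connection requests of the flagged sources. The log, the 20-request minimum and the 0.9 ratio cut-off are assumptions chosen for illustration; the paper's actual thresholds and rate limits are not reproduced here.

```python
"""Per-host failure-ratio detection and throttling in the style of DAW.

Added example, not from the paper or the slides. A network sensor records
outbound TCP connection attempts from intranet hosts with the response it
saw: "synack" (success), or "rst" / "unreach" / "timeout" (failure).
A random-scanning worm's attempts almost always fail, while a user's rarely
do, so a source whose failure/request ratio is high over enough attempts is
treated as infected and its new connection requests are bounded per window.
"""
from collections import defaultdict

FAILURES = {"rst", "unreach", "timeout"}


def build_sample_log():
    """Constructed log entries: (source, destination, dst_port, response)."""
    log = []
    # Normal user: ten web connections, one of them refused.
    for i in range(10):
        log.append(("10.0.0.5", f"203.0.113.{i + 1}", 80,
                    "rst" if i == 3 else "synack"))
    # Infected host: 30 probes to random addresses on 80/tcp, one finds a server.
    for i in range(30):
        log.append(("10.0.0.77", f"198.51.100.{i + 1}", 80,
                    "synack" if i == 7 else "unreach"))
    # Host retrying a dead printer: all failures, but too few to judge.
    for _ in range(3):
        log.append(("10.0.0.9", "10.0.1.200", 9100, "timeout"))
    return log


LOG = build_sample_log()


def failure_ratios(log):
    """Map source -> (requests, failures, failures / requests)."""
    req, fail = defaultdict(int), defaultdict(int)
    for src, _dst, _port, resp in log:
        req[src] += 1
        if resp in FAILURES:
            fail[src] += 1
    return {s: (req[s], fail[s], fail[s] / req[s]) for s in req}


def flag_infected(log, min_requests=20, max_ratio=0.9):
    """Sources whose failure ratio exceeds max_ratio over at least
    min_requests attempts. The minimum keeps a user with a few failed
    connections (or a host retrying one dead peer) from being throttled."""
    return sorted(s for s, (n, _f, ratio) in failure_ratios(log).items()
                  if n >= min_requests and ratio > max_ratio)


def throttle(log, flagged, limit):
    """Forward at most `limit` new connection requests per window from each
    flagged source (log order is arrival order); everything else passes.
    Returns (forwarded, dropped) lists of log entries."""
    sent = defaultdict(int)
    forwarded, dropped = [], []
    for entry in log:
        src = entry[0]
        if src in flagged:
            if sent[src] >= limit:
                dropped.append(entry)
                continue
            sent[src] += 1
        forwarded.append(entry)
    return forwarded, dropped


if __name__ == "__main__":
    for src, (n, f, ratio) in sorted(failure_ratios(LOG).items()):
        print(f"{src:10s} requests={n:3d} failures={f:3d} ratio={ratio:.3f}")
    flagged = flag_infected(LOG)
    print("flagged as infected:", flagged)
    fwd, drop = throttle(LOG, set(flagged), limit=5)
    print(f"forwarded {len(fwd)} attempts, dropped {len(drop)} from flagged hosts")
```

The infected host is the only one flagged: the user host has a 10% failure ratio and the printer host fails every time but has too few attempts to count. Throttling then slows the worm instance to `limit` new connections per window (which is what buys the time for human intervention the DAW goals ask for) while the user's traffic is untouched.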

37
Summary
  • Worms can spread quickly
  • 359,000 hosts in < 14 hours (Code Red)
  • Home / small business hosts play a significant role
    in global Internet health
  • No system administrator → slow response
  • Can't estimate infected machines by the number of
    unique IP addresses
  • The DHCP effect appears to be real and significant
    (one infected host shows up under several addresses
    over time)
  • Active Worm Defense
  • Modeling
  • Infection Mitigation