Internet Quarantine: Requirements for Containing SelfPropagating Code

About This Presentation

Title:

Internet Quarantine: Requirements for Containing SelfPropagating Code

Description:

Address blacklisting. Maintain a list of IP addresses that have been identified as being infected. ... Address blacklisting. Send IP addresses to all ... – PowerPoint PPT presentation

Number of Views:37

Avg rating:3.0/5.0

Slides: 25

Provided by: tyw8

Category:

more less

Transcript and Presenter's Notes

Title: Internet Quarantine: Requirements for Containing SelfPropagating Code

1
Internet Quarantine Requirements for Containing
Self-Propagating Code

David Moore et. al.
University of California, San Diego

2
Outline

Background about worm, esp. Code-Red
Whats worm, esp. Code-Red
Prevention, Treatment and Containment of the
worm.
SI epidemic model and Code Red propagation model.
Simulations on Code Red Propagation and
Containment System Deployment.
Conclusion.

3
Background what is worm?

Worm is a self-replicating software designed to
spread through the network.
Worm vs Virus and Trojan horse
Virus and Trojan horse rely on human intervention
to spread.
Worm is autonomous.

4
Background Code-Red v1

Outbreak June 18, 2001
How it works
Buffer overflow exploit on Microsoft IIS web
server.
Upon infected a machine, randomly generate a list
of IP addresses.
Probe each of the addresses from the list.
Payload DDoS attack against www1.whitehouse.gov.
Damage little
Fixed random seed.

5
Background Code-Red v2

Outbreak July 19, 2001
How it works
Similar to Code-Red v1, but with a random seed.
Generates 11 probes for second.
Damage severe
359,000 machines were infected within 14 hours.

6
How to mitigate the threat of worms(1)

Three approaches
Prevention
Reduce the size of the vulnerable population.
E.g. A single vulnerability in a popular software
system can result in millions of vulnerable
hosts.
E.g. Code Red attacks millions of MS IIS web
server.

7
How to mitigate the threat of worms (2)

Treatment
E.g. virus scanner.
The time required to design, develop and test a
security flaw is usually for too slow than the
spread of the worm.
Containment
E.g. firewall, filters
Containment is used to protect individual
networks, and isolate infected hosts.

8
SI Model (1)

In this work, a vulnerable machine is described
as susceptible (S) machine.
A infected machine is described as infected (I).
Let N be the number of vulnerable machines.
Let S(t) be the number of susceptible host at
time t, and s(t) be S(t)/N, where N S(t)
I(t).
Let I(t) be the number of infected hosts at time
t, and i(t) be I(t)/N.
Let be the contact rate of the worm.
Define

9
SI Model (2)
Solving the differential equation
where T is a constant
10
Code Red Propagation Model (1)

Code Red generates IPv4 address by random. Thus,
there are totally 232 addresses.
Let r be the probe rate of a Code Red worm.
Thus

11
Code Red Propagation Model (2)

Two problems
Cannot model preferential targeting algorithm.
E.g. select targets form address ranges closer to
the infected host.
The rate only represents average contact
rate.
E.g. a particular epidemic may grow significantly
more quickly by making a few lucky targeting
decisions in early phase.

12
Code Red Propagation Model (3)

Example on 100 simulations on Code Red
propagation model

After 4 hours 55 on average 80 in 95th
percentiles 25 in 5th percentiles
13
Modeling Containment Systems (1)

A containment system has three important
properties
Reaction time the time necessary for
Detection of malicious activity,
Propagation of the containment information to all
hosts participating the system, and
Activating any containment strategy.

14
Modeling Containing Systems (2)

Containing Strategy
Address blacklisting
Maintain a list of IP addresses that have been
identified as being infected.
Drop all the packets from one of the addresses in
the list.
E.g. Mail filter.
Advantage can be implemented easily with
existing firewall technology.

15
Modeling Containing Systems (3)

Content filtering
Requires a database of content signatures known
to represent particular worms.
This approach requires additional technology to
automatically create appropriate content
signatures.
Advantage a single update is sufficient to
describe any number of instances of a particular
worm implementation.
Deployment scenarios
Ideally, a global deployment is preferable.
Practically, a global deployment is impossible.
May be deploying at the border of ISP networks.

16
Idealized Deployment (1)

Simulation goal
To find how short the reaction time is necessary
to effectively contain the Code-Red style worm.
Simulation Parameters
360,000 vulnerable hosts out of 232 hosts.
Probe rate of a worm 10 per sec.
Containment strategy implementation
Address blacklisting
Send IP addresses to all participating hosts.
Content filtering
Send signature of the worm to all participating
hosts.

17
Idealized Deployment (2)

Result content filtering is more effective.

Number of susceptible host decreases
Worms unchecked
2 hr
20 min
18
Idealized Deployment (3)

Next goal
To find the relationship between containment
effectiveness and worm aggressiveness.
Figures are in log-log scale.

19
Idealized Deployment (4)
Percentage of infected hosts
Address blacklisting is hopeless when
encountering aggressive worms.
20
Practical Deployment (1)

Network Model
AS sets in the Internet
routing table on July 19,2001
1st day of the Code Red v2 outbreak.
A set of vulnerable hosts and ASes
Use the hosts infected by Code Red v2 during the
initial 24 hours of propagation.
A large and well-distributed set of vulnerable
hosts.
338,652 hosts distributed in 6,378 ASes.

21
Practical Deployment (2)