1
Worm Origin Identification Using Random Moonwalks
  • Rob and Isaac

2
Premise
  • People keep getting away with writing worms
  • The proposed algorithm claims to identify the
    origin of a worm after the fact

3
Deployment
  • Requires extensive logs of network traffic to be
    kept so they can be analyzed post mortem
  • The paper assumes something similar to IP
    traceback has already been deployed
  • Requires massive cooperation between upper-tier
    ISPs in order to be effective across the entire
    Internet

4
The Storage Problem
  • How much information do we really need to store?
  • A back-of-the-envelope calculation in [21]
    suggests that the amount of flow-level storage
    required is "not inconceivable"
  • Quite the assertion, but he just cited himself:
    http://100x100network.org/papers/sekar-hotnets2004.pdf
  • With all this self-citation going on, we
    practically have to perform a random moonwalk
    through their own papers to verify anything they
    say!

5
Breakdown of his Analysis
  • Assumes a 1000-bit average packet size and an
    average flow of 10 packets per second, and comes
    to an average of 10^8 flows/sec, etc. etc.
  • The numbers are rather arbitrary
  • Storage works out to 4.5 TB per hour of traffic,
    distributed among the POPs

6
Technicalities
  • 1 hour of data costs about $7,500 (5 TB)
  • 24 hours of storage: $180,000
  • 1 week of storage: $1.2 million
  • This does not include maintenance, security
    costs, or any other relevant costs
  • Who is going to pay for this?

7
The Low-Rate Problem
  • Keep in mind, source detection is done via post
    mortem analysis
  • If the attacker can find out the logging
    retention of the ISP, the worm can simply spread
    slower than normal traffic (which the paper
    admits makes the algorithm's performance
    unpredictable) while staying dormant and not
    attacking
  • If such a time-bomb worm spreads slowly enough to
    outlast the logging retention of the given ISP
    and then attacks aggressively and simultaneously
    at a set time, the source of the attack has
    already been lost by the time networks realize
    they have been attacked

8
More Low-Rate Issues
  • The analytic method employed relies on the
    aggressiveness of the worm to be successful
  • So they use a simulation to demonstrate efficacy
    against low-rate worms
  • The simulation was in a tightly controlled, small
    environment
  • Their own data demonstrates a very rapid decrease
    in the ability to detect causal edges as the worm
    gets slower, which brings us back to the time-bomb
    situation

9
The Spoof Problem
  • The paper claims worms do not use spoofed source
    IP addresses because spoofing does not yield
    successful attacks
  • All the attacker needs to do is compromise a
    computer that is not his own and propagate the
    worm from there
  • So even if the source is found, if the attacker
    is clever enough to do this, then he's safe
  • Remember: one of the goals of this project is to
    aid law enforcement. But what good is knowing the
    originating host of a worm if we are dealing with
    an attacker who can cover his tracks?

10
The Security Problem Problem
  • Perhaps 3-4 major worms a year
  • The proposed auditing system would require
    widespread cooperation
  • This cooperative system has security problems of
    its own!
  • What good is a detection system that is itself
    vulnerable to attack? If it could feasibly have
    been tampered with, no conviction can be made
    even if you CAN identify the source.
  • Who's going to be responsible for this magical
    Network Forensic Alliance (NFA)?

11
The Clock Synchronization Problem
  • The proposed system relies on an assumption of
    quantized time intervals. This is crucial to the
    analytic method that explains the effectiveness
    of their work.
  • However, in a large-scale deployment it will be
    very difficult to achieve the kind of clock
    synchronization across logging points that is
    necessary to properly analyze the data
  • Clock skew can throw off delta-T, which can
    affect the results dramatically
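To make the low-rate and clock-skew objections concrete, here is an added toy simulation of a random moonwalk. It is written for this page; it is not the paper's code, trace or evaluation harness. It assumes a simplified form of the walk: start at a random flow, repeatedly step to a uniformly chosen flow that arrived at the current flow's source host within delta-T before it, and count how often each flow is traversed; the paper orders flows by end time and uses real traces, whereas the host-contact trace here is constructed (a binary infection tree rooted at h0 plus client-to-server background noise). `build_trace`, `moonwalk`, `rank_edges`, `guess_origin`, `skew_clock` and all host names are hypothetical names introduced for the example.

```python
"""Toy random moonwalk: does backward-walk frequency ranking find the worm
origin, and how do a slow (time-bomb) worm and a skewed logging clock break it?
Added example over constructed data; not the paper's code or trace."""
import dataclasses
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    start: float  # seconds, as stamped by whichever logging point recorded it


def build_trace(gap, seed=7, background=25):
    """Constructed trace: h0 infects h1 at t=gap, then every infected host hi
    infects h(2i) and h(2i+1) exactly `gap` seconds later (15 causal flows,
    4 levels), plus unrelated client->server flows. Servers s* never originate
    flows, so a walk that starts on background traffic dead-ends at once."""
    rng = random.Random(seed)
    flows = [Flow("h0", "h1", gap)]
    for i in range(1, 8):
        t = (i.bit_length() + 1) * gap
        flows += [Flow(f"h{i}", f"h{2 * i}", t), Flow(f"h{i}", f"h{2 * i + 1}", t)]
    for _ in range(background):
        flows.append(Flow(f"c{rng.randrange(10)}", f"s{rng.randrange(5)}",
                          rng.uniform(0, 6 * gap)))
    return flows


def moonwalk(flows, start_flow, delta_t, max_steps, rng=None):
    """One walk backwards in time from `start_flow`. Each step picks, uniformly,
    a flow that arrived at the current flow's source host within `delta_t`
    seconds before the current flow started (simplification: the paper orders
    by end time). Returns the flows visited, most recent first."""
    rng = rng or random.Random(0)
    inbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append(f)
    path, cur = [start_flow], start_flow
    for _ in range(max_steps - 1):
        candidates = [f for f in inbound[cur.src]
                      if cur.start - delta_t <= f.start < cur.start]
        if not candidates:          # nothing recent enough: the walk stops here
            break
        cur = rng.choice(candidates)
        path.append(cur)
    return path


def rank_edges(flows, delta_t, walks=2000, max_steps=8, seed=1):
    """Run many walks from random starting flows; the flows traversed most
    often are the causal-edge candidates. Returns [(flow, count), ...]."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(walks):
        counts.update(moonwalk(flows, rng.choice(flows), delta_t, max_steps, rng))
    return counts.most_common()


def guess_origin(flows, delta_t, **kw):
    """Origin estimate: the source host of the top-ranked flow."""
    return rank_edges(flows, delta_t, **kw)[0][0].src


def skew_clock(flows, logged_hosts, offset):
    """Model one POP whose clock is `offset` seconds off: every flow it
    records (here, flows into `logged_hosts`) carries a shifted timestamp."""
    return [dataclasses.replace(f, start=f.start + offset) if f.dst in logged_hosts else f
            for f in flows]


if __name__ == "__main__":
    delta_t = 60.0                                  # analyst's delta-T window
    fast = build_trace(gap=10.0)                    # each hop 10 s after the last
    slow = build_trace(gap=100.0)                   # low-rate worm: 100 s per hop
    print("fast worm, origin guess:", guess_origin(fast, delta_t))
    leaf = Flow("h4", "h8", 400.0)                  # a leaf infection in the slow trace
    print("slow worm, walk back from a leaf visits:",
          [f"{f.src}->{f.dst}" for f in moonwalk(slow, leaf, delta_t, 8)])
    skewed = skew_clock(fast, {"h1"}, offset=20.0)  # h1's POP stamps 20 s ahead
    print("fast worm, skewed clock at h1, origin guess:", guess_origin(skewed, delta_t))
```

With a 10-second hop the walks pile up on the h0->h1 flow and the origin is found; with a 100-second hop and the same 60-second delta-T a walk from a leaf cannot take a single step backwards, which is the time-bomb case; and with only the logging point in front of h1 running 20 seconds fast, h0's infection of h1 appears to happen after h1 starts spreading, so the ranking blames h1 instead.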

12
The Justice Problem
  • Convictions result in a mild slap on the wrist
  • Sasser worm: 21-month suspended sentence
  • Blaster variant: 18 months
  • Samy: 3 years probation, 90 days community
    service
  • Zotob: 2 years (at the end of 2006, reduced to a
    1-year sentence)

13
Justice Problem (cont)
  • SCO posted a $250,000 reward for the MyDoom
    author; Microsoft posted a similar reward as well
  • Who's going to pay $1.2 million to keep 1 week of
    logs when Microsoft is only willing to pay $250k
    to catch the criminal?
  • Who's going to pay all this money just to see
    this kind of justice get carried out?

14
Justice Problem (cont)
  • Sasser worm (author in Germany)
  • Zotob (author in Morocco)
  • Judicial systems are different across countries,
    and even if they find out where a worm came from,
    what can an ISP do anyway? What can a big
    corporation in the US do to an attacker in Iraq?

15
The Money Problem
  • Individual victimized companies have to pay for
    clean-up and repairs out of pocket
  • This doesn't affect the ISPs' bank accounts. Why
    should an ISP care enough to implement this
    system, or pay the kind of money it takes to
    create a logging system and join the NFA?

16
Money Problem (cont)
  • ISPs that agree to join the NFA will have to
    charge customers higher prices than other ISPs
    due to the overhead of a system that doesn't
    prevent worms, but merely finds the originator
    and gives him 90 days of community service

17
The Math Curiosity Problem
  • Their paper is rich with technical details and
    calculations
  • These calculations rely on fundamental
    assumptions which we have spent the previous 20
    minutes poking holes in
  • So that leaves all these fancy numbers as a mere
    mathematical curiosity that relies on a
    non-existent NFA and broadly sweeping
    assumptions
  • This system would be better suited as a homework
    problem, not a real-world solution

18
The "There Are Obviously Too Many Problems With
This" Problem
  • Need we say more?