Very Fast containment of Scanning Worms - PowerPoint PPT Presentation

1
Very Fast containment of Scanning Worms
  • Presenter: Yan Gao
  • ------------------------------------------------
  • Authors: Nicholas Weaver, Stuart Staniford, Vern Paxson

2
Outline
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment

3
Scanning Worms
  • What is a scanning worm?
  • --- Operates by picking a random address and attempting to infect the machine there.
  • Blaster: linear scanning
  • Code Red: fully random
  • Code Red II, Nimda: biased toward local addresses
  • Common properties of scanning worms:
  • Most scanning attempts result in failure.
  • Infected machines will institute many connection attempts.

4
Scanning Worms
  • How to mitigate the spread of worms?
  • Prevention
  • Reduces the size of the vulnerable population
  • Insufficient to counter the worm threat
  • Why? A single vulnerability in a popular software system can translate to millions of vulnerable hosts
  • Treatment
  • Once a host is infected, clean it up immediately (antivirus software, patches)
  • Reduces vulnerable hosts and the rate of infection
  • Limitation: cleanup code takes a long time to develop, and is too slow to have a significant impact
  • People don't install patches
  • Containment

5
Containment
  • Protect individual networks and isolate infected hosts
  • Examples: firewalls, content filters, automated blacklists
  • Most promising solution
  • Can be completely automated
  • Containment does not require the participation of each and every host on the Internet

6
Containment Properties
  • Reaction time
  • Detection of malicious activity
  • Propagation of the containment information to all hosts participating in the system
  • Activating any containment strategy
  • Containment strategy
  • Address blacklisting
  • Maintain a list of IP addresses that have been identified as infected.
  • Drop all packets from any address in the list.
  • Advantage: can be implemented easily with existing filtering technology.
  • Disadvantage: must be updated continuously to reflect newly infected hosts

7
Containment (contd.)
  • Content filtering
  • Requires a database of content signatures known to represent particular worms.
  • Requires additional technology to automatically create appropriate content signatures.
  • Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation
  • Deployment scenarios
  • Ideally, a global deployment is preferable.
  • Practically, a global deployment is impossible.
  • May be deployed at the border of ISP networks

8
Worm Containment
  • Defense against scanning worms
  • Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts
  • Leverages the anomaly of a local host attempting to connect to multiple other hosts.
  • Containment looks for a class of behavior rather than a specific worm signature --- able to stop new worms.

9
Worm Containment
  • Break the network into many cells
  • Within each cell a worm can spread unimpeded.
  • Between cells, containment limits infections by blocking outgoing connections from infected cells.
  • Must have a very low false positive rate.
  • Blocking suspicious machines can cause a DoS if the false positive rate is high.
  • Need for complete deployment within an enterprise
  • Integrated into the network's outer switches or similar hardware elements

10
Epidemic Threshold
  • A worm-suppression device must necessarily allow some scanning before it triggers a response.
  • The worm may find a victim during that time.
  • The epidemic threshold depends on:
  • The sensitivity of the containment response devices
  • The density of vulnerable machines on the network (NAT and DHCP)
  • The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

11
Sustained Scanning Threshold
  • If a worm scans slower than the sustained scanning threshold, the detector will not trigger.
  • Vital to achieve as low a sustained scanning threshold as possible.
  • For this implementation, the threshold is set to 1 scan per minute.

12
Outline
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment

13
Hardware Implementation
  • Constraints
  • Memory access speed
  • On duplex gigabit Ethernet, can only access DRAM 4 times per packet
  • Memory size
  • Attempt to keep the footprint under 16MB
  • The number of distinct memory banks

14
Hardware Implementations
  • Approximate caches
  • --- collisions cause imperfections (like a Bloom filter)
  • Fixed memory available
  • Allow collisions to cause aliasing
  • Err on the side of false negatives
  • Attacker behavior
  • Predicting the hashing algorithm
  • --- countered by a keyed hash function
  • Simply overwhelming the cache

15
Hardware Implementations
  • Efficient small 32-bit block ciphers
  • Prevent attackers from controlling collisions
  • Permute the N-bit value
  • Separate the resulting N-bit value into an index and a tag
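As an added illustration of the two slides above (not code from the deck or from the Weaver/Staniford/Paxson paper): a keyed 32-bit permutation built as a toy Feistel network, used to split an IPv4 address into a cache index and a tag for a direct-mapped approximate cache. The round function, its constants and the 64-bit key are constructed for this example; a deployment would use a proper small block cipher as the slides say, but the structure (permute under a secret key, then split into index and tag) is the one the slides describe.

```python
import ipaddress

MASK16 = 0xFFFF
KEY = 0x1F2E3D4C5B6A7988   # assumed 64-bit secret key: four 16-bit round subkeys

def _round(half: int, subkey: int) -> int:
    """Toy 16-bit round function (xor key, multiply-add, rotate); constants are arbitrary."""
    x = (half ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def permute32(value: int, key: int, rounds: int = 4) -> int:
    """Keyed bijection on 32-bit values (a Feistel network is always invertible)."""
    left, right = value >> 16, value & MASK16
    for r in range(rounds):
        subkey = (key >> (16 * r)) & MASK16
        left, right = right, left ^ _round(right, subkey ^ r)
    return (left << 16) | right

def unpermute32(value: int, key: int, rounds: int = 4) -> int:
    """Inverse of permute32: the mapping loses no information about the address."""
    left, right = value >> 16, value & MASK16
    for r in reversed(range(rounds)):
        subkey = (key >> (16 * r)) & MASK16
        left, right = right ^ _round(left, subkey ^ r), left
    return (left << 16) | right

def cache_slot(addr: str, key: int, index_bits: int = 20) -> tuple[int, int]:
    """Map an address to (index, tag): the low index_bits of the permuted value pick
    the cache row, the remaining high bits are the tag stored in that row."""
    v = permute32(int(ipaddress.IPv4Address(addr)), key)
    return v & ((1 << index_bits) - 1), v >> index_bits

class ApproxCache:
    """Direct-mapped approximate cache: one tag per row, so two addresses sharing a row
    alias each other. Without the key an attacker cannot choose such colliding pairs."""
    def __init__(self, key: int, index_bits: int = 20):
        self.key, self.index_bits = key, index_bits
        self.rows: dict[int, int] = {}          # row index -> tag (stands in for a fixed array)

    def insert(self, addr: str) -> bool:
        idx, tag = cache_slot(addr, self.key, self.index_bits)
        evicted = idx in self.rows and self.rows[idx] != tag
        self.rows[idx] = tag
        return evicted                          # True when aliasing overwrote another address

    def contains(self, addr: str) -> bool:
        idx, tag = cache_slot(addr, self.key, self.index_bits)
        return self.rows.get(idx) == tag        # tag mismatch reads as "not seen" (false negative)
```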

16
Outline
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment

17
Scan Suppression
  • Responding to detected portscans by blocking future scanning attempts.
  • Portscans have two basic types:
  • Horizontal: search for an identical service on a large number of machines.
  • Vertical: examine an individual machine to discover its running services.

18
Scan Suppression
  • Protect the enterprise, forget the Internet
  • Preventing scans from the Internet is too hard
  • If an inside node is infected, the filter sees all of its traffic
  • Cell (local area network) is outside; enterprise (the larger network) is inside
  • Can also treat the entire enterprise as the cell, and the Internet as outside

[Figure: placement of scan detectors; labels visible: Inside, Scan detectors]
19
Scan Suppression
  • Derived from Threshold Random Walk (TRW) scan detection.
  • The algorithm operates by using an oracle to determine whether a connection will fail or succeed.
  • By modeling benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host is a scan.
  • Assumption: benign traffic has a higher probability of success than attack traffic

20
Scan Suppression
  • Strategies
  • Track connections and addresses using approximate
    caches
  • Replace the old addresses and old ports if the
    corresponding entry has timed out
  • Track addresses indefinitely as long as we do not
    have to evict their state from our caches
  • Detect vertical as well as horizontal TCP scans,
    and horizontal UDP scans
  • Implement a hygiene filter to thwart some
    stealthy scanning techniques without causing
    undue restrictions on normal machines.

21
Connection Cache
  • Records whether we've seen a packet in each direction
  • Aliasing turns a failed attempt into a success (biases toward false negatives)
  • Age is reset on each forwarded packet
  • Every minute, a background process purges entries older than Dconn

22
Address Cache
  • Track outside addresses
  • Counter keeps difference between successes and
    failures
  • Counts are decremented every Dmiss seconds

23
Algorithm Pseudo-code
24
Parameters and Tuning
  • Parameters
  • T: miss-hit difference that causes a block
  • Cmin: minimum allowed count
  • Cmax: maximum allowed count
  • Dmiss: decay rate for misses
  • Dconn: decay rate for idle connections
  • Cache size and associativity
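The connection cache, address cache and parameters on slides 21 to 24, as an added Python model (not the paper's pseudo-code and not from the deck): exact dictionaries stand in for the approximate caches, and the values of T, Cmin, Cmax, Dmiss and Dconn, as well as every host address, are assumed. Only outside-initiated connections adjust an address's count here (+1 when initiated, -1 when the inside host answers), and a block drops only packets arriving from the outside.

```python
from collections import defaultdict
T, CMIN, CMAX = 10, -20, 20        # block threshold and count bounds (assumed values)
DMISS, DCONN = 60.0, 600.0         # decay periods in seconds (assumed values)

class ScanSuppressor:
    """Exact-dictionary model of the slides' connection cache and address cache."""
    def __init__(self):
        self.conns = {}                # (outside, inside, port) -> [seen_out, seen_in, last_seen]
        self.count = defaultdict(int)  # outside address -> misses minus hits
        self.last_decay = 0.0

    def _housekeeping(self, now):
        steps = int((now - self.last_decay) // DMISS)   # one decrement per Dmiss seconds
        if steps:
            for addr in self.count:
                self.count[addr] = max(CMIN, self.count[addr] - steps)
            self.last_decay += steps * DMISS
        for key in [k for k, v in self.conns.items() if now - v[2] > DCONN]:
            del self.conns[key]        # purge idle connections older than Dconn

    def blocked(self, outside):
        return self.count[outside] >= T

    def packet(self, now, src, dst, port, from_outside):
        """Process one packet; return True if forwarded, False if dropped."""
        self._housekeeping(now)
        outside, inside = (src, dst) if from_outside else (dst, src)
        if from_outside and self.blocked(outside):
            return False               # inside hosts may still initiate to a blocked address
        key = (outside, inside, port)
        entry = self.conns.get(key)
        if entry is None:              # first packet of this connection
            self.conns[key] = [from_outside, not from_outside, now]
            if from_outside:           # outside-initiated: counts as a miss until answered
                self.count[outside] = min(CMAX, self.count[outside] + 1)
        else:
            entry[2] = now             # age is reset on every forwarded packet
            if from_outside:
                entry[0] = True
            elif not entry[1]:         # inside answers an outside attempt: a hit
                entry[1] = True
                self.count[outside] = max(CMIN, self.count[outside] - 1)
        return True

def run_scanner(interval, probes, s=None):
    """Constructed outside host 10.0.0.99 probes distinct inside hosts that never answer;
    returns how many probes were forwarded (a scanner slower than 1 per Dmiss never reaches T)."""
    s = s or ScanSuppressor()
    return sum(s.packet(i * interval, "10.0.0.99", f"192.168.1.{i + 1}", 80, True) for i in range(probes))
```

With these values a probe every 10 seconds is blocked after its tenth miss, while one probe every two minutes is decayed away as fast as it accumulates, which is the sustained scanning threshold of slide 11 in miniature.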

25
Evaluation
  • For a 6000-host enterprise trace
  • 1MB connection cache, 4MB 4-way address cache (5MB total)
  • At most 4 memory accesses per packet
  • Operated at gigabit line speed
  • Detects scanning at rates over 1 per minute
  • Low false positive rate
  • About 20% false negative rate
  • Detects scanning after 10-30 attempts

26
Outline
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment

27
Cooperation
  • Divide the enterprise into small cells
  • Connect all cells via a low-latency channel
  • A cell's detector notifies the others when it blocks an address (kill message)
  • Blocking threshold dynamically adapts to the number of blocks in the enterprise
  • T' = T(1 - θ)^X, for very small θ (X = number of blocks in the enterprise)
  • Changing θ does not change the epidemic threshold, but reduces infection density

28
Cooperation: Effect of θ
29
Outline
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment

30
Attacking worm containment
  • False positives
  • Forge packets (though this does not prevent
    inside systems from initiating connections)
  • False negatives
  • Use a non-scanning technique (topological,
    meta-server, passive and hit-list)
  • Scan under detection threshold
  • Use a white-listed port to test for liveness
    before scanning

31
Attacking Cooperation
  • Attempt to outrace containment if threshold is
    permissive
  • Flood cooperation channels
  • Cooperative collapse
  • False positives cause lowered thresholds
  • Lowered thresholds cause more false positives
  • Feedback causes collapse of network

32
Attacking Worm Containment
  • Detecting containment
  • Try to contact already infected hosts
  • Go stealthy if containment is detected
  • Circumventing containment
  • Embed scan in storm of spoofed packets
  • Two-sided evasion
  • Inside and outside host initiate normal
    connections to counter penalty of scanning
  • Can modify algorithm to prevent, but lose
    vertical scan detection

33
Conclusion
  • Developed containment algorithms suitable for deployment in high-speed, low-cost network hardware
  • Devised the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.