On Designing and Thwarting Worms using Co-ordination

1
On Designing and Thwarting Worms using
Co-ordination
  • Jayanthkumar Kannan
  • Karthik Lakshminarayanan
  • kjk, karthik_at_cs.berkeley.edu

2
Impact of P2P Technology
  • Widespread deployment of P2P networks
  • Large user base: half a million nodes at any time
  • Significantly different traffic patterns
  • DHT technology
  • Efficient distributed lookup systems
  • Share information efficiently
  • Achieve load-balancing
  • Achieve locality properties

3
Brief outline of the talk
  • Part I: How malicious can a worm get?
  • Stealth: avoid alarms at intrusion detection
    systems
  • Efficiency: quicker scanning
  • Use p2p systems for hit-list generation
  • Understanding how bad a worm can get is essential
    in designing defenses
  • Part II: Is there any hope against such worms?

DHTs enable sharing of information across nodes
4
State-of-the-art
  • Worm attacks
  • Pre-collected IP address hit-lists
  • Divide and conquer (permutation scanning)
  • Random probing of IP addresses
  • Defense Techniques
  • Unusually high number of rejected packets
  • Might do well if ISPs deploy it

5
Using a deployed P2P network
  • Hit-list generation
  • How fast can one get IP addresses from crawling a
    p2p network like Gnutella?
  • How stale is this information after a period of
    time?
  • Passive probing
  • Exploit security loopholes in P2P application
  • Use existing communication patterns of p2p
    networks

6
Coordinated worm attacks
  • Avoid detection
  • Policies followed by worms to avoid triggering
    alarms
  • E.g., restrict the number of probes to an address
    prefix, probe internal IP addresses, bound the
    number of unique probes from a source
  • Reduce failed probes
  • Uneven IP address allocation: random probing is not
    ideal
  • Some IDS count number of unsuccessful attempts
  • Large number of missed probes
  • Reduce network utilization
  • Some worms caused congestion in the backbone
  • Local probes to reduce number of peering links
    crossed
  • Faster propagation

7
Assumptions
  • Bandwidth-limited worm (such as Slammer)
  • Not affected by parameters such as number of
    outstanding TCP connections
  • Issue if it is a TCP worm and uses kernel TCP
    implementation

8
I. Uneven IP address allocation
  • Goal: probe prefixes at a rate proportional to
    the probability of finding a vulnerable host
  • For each prefix maintain
  • Fraction of vulnerable hosts
  • Extent of IP address space that has been scanned
  • Let P be the total probes performed to a prefix,
    V be the total number of vulnerable hosts, I be
    the number of infected hosts, S the size of the
    prefix
  • P(finding a vulnerable host): p_i = (S * V/P - I)/S

9
I. Uneven IP address allocation
  • Use a DHT for maintaining P,V,I,S
  • Infected nodes probe DHT and get a prefix that is
    likely to have vulnerable hosts
  • Probe k-prefixes, and sample according to the
    vulnerability metric
  • Desired characteristics of DHT
  • Performs admission control
  • Allow high query/update rate
  • High degree of churn
  • Target size of DHT not large (5000 nodes)
  • We chose Kelips as our DHT

10
A brief overview of Kelips
  • Combination of DHT and unstructured network with
    O(sqrt(n)) memory usage
  • Basic idea: gossiping is used to maintain
    consistency
  • Information propagates to group in O(log(n)) time

11
Kelips: affinity groups (peer membership through consistent
hash)
[Figure: affinity groups 0, 1, 2 with affinity-group pointers
and cross-group contacts]
Slide borrowed from authors
12
Kelips: affinity groups (peer membership by consistent
hash)
[Figure: a file tuple (filename, location) is hashed on the
filename to one of affinity groups 0, 1, 2; the file replica
is inserted somewhere (DHT or DOLR) and the file tuple is
replicated]
Slide borrowed from authors
13
Our Modifications
  • Longest Prefix Match among home pointers
  • Allows flexibility in relocating sub-prefixes
  • E.g., node A has information about 10.1.0.0/16,
    node B has information about 10.1.2.0/24.
  • Inconsistency Resolution
  • Application-level resolution
  • If two home pointers (id,A1), and (id,A2), then
    merge data in A1 and A2, and choose one randomly
  • Choose number of groups such that number of nodes
    in one group is small
  • Simulations: consistency attained within 10 secs.

14
II. Evading intrusion detection systems
  • By following specific policies
  • By minimizing number of AS-level hops
  • Assuming ISPs do monitoring
  • Can be achieved by having the home pointer
    allocate prefixes to infecting nodes
  • Home pointer can maintain number of nodes probing
    such addresses
  • Can be used to implement powerful policies

15
III. Exploiting locality to reduce network
utilization
  • Kelips can be made location-aware
  • Adaptive improvement through gossiping: pick the
    ones with the closest RTT
  • Assumption
  • If A is close to B, and B is close to C, A is
    close to C.
  • Gives two advantages
  • Each low-bandwidth host can find a nearest Kelips
    proxy
  • When inserting new item, inserter asks k random
    nodes to measure latencies to prefix, chooses
    best
  • Conflict resolution: resolve in favor of the closer
    node

16
Using DHTs for worm defenses
  • Some initial high-level thoughts on this
  • Our model of defense
  • Some firewalls around Internet coordinate with
    one another
  • Need to cut off traffic from infected networks
  • Need to maintain models of normal traffic from
    every network, and shut
  • Models that offer hope: new IP addresses probed,
    new prefixes probed, etc.

17
Using DHTs for worm defenses
  • Expensive for every firewall to maintain and even
    observe required state
  • DHT can be used to share such traffic model
    information
  • Allocates responsibility in a secure fashion
    (replication)
  • Means traffic models can be verified from
    multiple views
  • Information across firewalls coordinated using a
    DHT
  • Use redundant routing in DHTs to exchange
    information in the presence of network congestion
    due to worms
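The traffic models this slide and slide 4 name (new IP addresses probed, new prefixes probed, rejected packets), as a per-source detector a firewall could run over its own connection log. This is an added example, not code from the talk; the log format, the /16 prefix granularity and the thresholds are assumptions.

```python
"""Per-source traffic model: distinct destinations, distinct prefixes and
rejected connections, the three signals the slides propose sharing via a DHT."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log (not from the talk): "src dst outcome" per line.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.10 ok
10.0.0.5 192.0.2.10 ok
10.0.0.5 198.51.100.7 ok
10.0.0.9 192.0.2.1 rejected
10.0.0.9 192.0.2.2 rejected
10.0.0.9 198.51.100.3 rejected
10.0.0.9 203.0.113.4 rejected
10.0.0.9 203.0.113.5 ok
10.0.0.9 203.0.113.6 rejected
"""


def parse_log(text):
    """Yield (src, dst, outcome) tuples from the constructed log format."""
    for line in text.splitlines():
        src, dst, outcome = line.split()
        yield src, dst, outcome


def build_models(records, prefix_len=16):
    """Build one model per source: set of destinations seen, set of
    /prefix_len prefixes touched, and count of rejected connections."""
    models = defaultdict(lambda: {"dsts": set(), "prefixes": set(), "rejected": 0})
    for src, dst, outcome in records:
        m = models[src]
        m["dsts"].add(dst)
        # strict=False masks host bits so 192.0.2.1/16 -> 192.0.0.0/16
        m["prefixes"].add(ip_network(f"{dst}/{prefix_len}", strict=False))
        if outcome == "rejected":
            m["rejected"] += 1
    return models


def flag_sources(models, max_dsts=4, max_prefixes=2, max_rejected=3):
    """Return {src: [signals that fired]} for sources over the assumed
    thresholds; a single firewall would publish these into the shared DHT."""
    flagged = {}
    for src, m in models.items():
        reasons = []
        if len(m["dsts"]) > max_dsts:
            reasons.append("new_ips")
        if len(m["prefixes"]) > max_prefixes:
            reasons.append("new_prefixes")
        if m["rejected"] > max_rejected:
            reasons.append("rejected")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Slide 14 is the caveat: a worm that knows these thresholds can stay under them at any one vantage point, which is why the talk proposes verifying the models from multiple firewalls rather than trusting one.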

18
Simulation methodology
  • Strawman
  • Random probing (today, worms operate this way)
  • Issues in simulation
  • Scalability with size of topology, number of
    nodes
  • Lack of data on distributions of typical AS-level
    and last-hop bandwidths
  • Address space occupancy information unavailable

19
Simulation methodology
  • What we used
  • Discrete-time simulator
  • Scaled-down AS-level Internet graph (from
    Subramanian et al., Infocom 2002)
  • Assigned IP prefixes as in SSFNet
  • Access bandwidth from Gummadi et al., MMCN
  • Kelips parameters: contacted the Kelips authors
  • Parameters
  • 100,000 vulnerable nodes (CodeRed had 400,000)
  • Living in 5000 ASes (/16 prefixes)

20
Quantifying hit-list generation
[Plot: n = number of crawlers; curves for n = 25, 20, 15, 10,
5, 1]
  • Gnutella crawlers on PlanetLab (thanks to Boon!)
  • Harvest a huge number of IP addresses within 1
    hour!
  • Further growth possibly due to the degree of churn

21
Quantifying hit-list generation
  • Diminishing returns
  • 57% of the hosts can be contacted after 1 week

22
Coordinated worm: infection rate
[Plot legend: Coordinated, Random probe]
  • Vanilla implementation of coordinated worm
  • 1.5x faster than random probing
  • Useful during initial phases of worm propagation
    (2x faster)

23
Number of failed probes
[Plot legend: Random probe, Coordinated]
  • Once our algorithm learns the distribution, it
    outperforms the random-probing worm

24
Effect of imbalance in address distribution
  • Summary
  • Relative performance of the coordinated worm
    increases with increase in imbalance
  • number of IP addresses seen
  • number of failed probes

25
Implementation
  • Oops

26
Conclusion
  • Have shown how DHT technology has a bearing on
    the worm vs. defense tug of war
  • Possible to have much stealthier and faster worms
    using DHTs.
  • Have also shown that if the worm is aware of security
    policies, it can circumvent them
  • Security through obscurity is no good

27