The Top Speed of Flash Worms - PowerPoint PPT Presentation

CS-495 Advanced Networking. Chi Yin Cheung, Spring 2005. 34 slides, provided by csNorth. A presentation of the paper "The Top Speed of Flash Worms" (Staniford, Moore, Paxson and Weaver, ACM WORM 2004).

Transcript and Presenter's Notes

1
The Top Speed of Flash Worms
  • Introduction
  • Design of Flash Worms
  • UDP Flash Worms
  • TCP Flash Worms
  • Worm Resilience
  • Avoiding Containment Defenses

2
Introduction
  • Controlling 1 million hosts can cause enormous
    damage
  • DDoS attacks
  • Stealing and modifying data
  • Can be leveraged for cyber-warfare
  • Worms can be used to gain such control in a very
    short period of time
  • That speed is what makes them so much more
    dangerous. Why?

3
Remote Control
  • Distributed control
  • Each worm copy knows about the other copies it
    has infected
  • Analysis: high connectivity, average degree 4
  • Without a single point of communication, updates
    can still be passed along
  • Programmatic updates
  • Worms as computing capsules
  • Can send arbitrary code!

4
Random Scanning
  • Not the most efficient, but the easiest to
    implement
  • Efficiency depends on the quality of the random
    number generator
  • Potential for repeats and invalid addresses

5
Permutation Scanning
  • Random scanning is inefficient: lots of overlap
    between scanners
  • Instead, all worm copies share a common pseudorandom
    permutation of the address space, generated from a
    cipher with an embedded key
  • Each infected host starts scanning just after its
    own point in the permutation
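An added illustration of the shared-permutation idea (this is not code from the presentation or from the paper it summarizes). A balanced Feistel network keyed with the worm's embedded key is a bijection between scan indices and addresses, so every copy walks the same ordering and can find its own position and scan forward from it without contacting any other copy. The restart-on-collision rule (a copy that probes an already-infected host assumes the range ahead is covered and jumps to a random index, the Warhol-worm design, not stated on the slide), the synchronous one-probe-per-step model, SHA-256 standing in for a real block cipher, and the constructed vulnerable-host set are all assumptions of this example.

```python
import hashlib
import random


def keyed_permutation(index, key, bits=32, rounds=4):
    """Scan index -> address: a keyed bijection on `bits`-bit values.

    A balanced Feistel network is a permutation for any round function,
    so every worm copy embedding the same `key` walks the address space
    in the same order.  Assumption: SHA-256 stands in for the small block
    cipher a real worm would carry; this is an illustration only.
    """
    half = bits // 2
    mask = (1 << half) - 1
    left, right = (index >> half) & mask, index & mask
    for r in range(rounds):
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:4], "big") & mask)
    return (left << half) | right


def keyed_permutation_inverse(address, key, bits=32, rounds=4):
    """Address -> scan index, by running the Feistel rounds backwards.
    A newly infected host needs its own index so it can scan just after it."""
    half = bits // 2
    mask = (1 << half) - 1
    left, right = (address >> half) & mask, address & mask
    for r in reversed(range(rounds)):
        digest = hashlib.sha256(key + bytes([r]) + left.to_bytes(4, "big")).digest()
        left, right = right ^ (int.from_bytes(digest[:4], "big") & mask), left
    return (left << half) | right


def simulate_spread(vulnerable, key, bits, seed, permutation):
    """Synchronous model: every infected host sends one probe per step.

    permutation=True: each copy scans forward from its own index and, on
    probing a host that is already infected, restarts at a random index
    (assumption: the Warhol design's collision rule).
    permutation=False: plain random scanning, every probe uniform.
    Returns (steps, total_probes, infected_count).
    """
    rng = random.Random(seed)
    space = 1 << bits
    first = rng.choice(sorted(vulnerable))       # the attacker's first victim
    infected = {first}
    worms = [(keyed_permutation_inverse(first, key, bits) + 1) % space]
    steps = probes = 0
    while len(infected) < len(vulnerable):
        steps += 1
        for i in range(len(worms)):              # copies created this step act next step
            if permutation:
                addr = keyed_permutation(worms[i], key, bits)
                worms[i] = (worms[i] + 1) % space
            else:
                addr = rng.randrange(space)
            probes += 1
            if addr in infected:
                if permutation:                  # collision: range ahead is covered
                    worms[i] = rng.randrange(space)
            elif addr in vulnerable:
                infected.add(addr)
                worms.append((keyed_permutation_inverse(addr, key, bits) + 1) % space)
    return steps, probes, len(infected)


if __name__ == "__main__":
    bits = 14                                    # 16,384 addresses keeps the demo quick
    rng = random.Random(7)
    vulnerable = set(rng.sample(range(1 << bits), 150))   # constructed vulnerable set
    key = b"shared-worm-key"                     # constructed key embedded in every copy
    for mode in (True, False):
        print("permutation" if mode else "random     ",
              simulate_spread(vulnerable, key, bits, 1, mode))
```

Run it a few times with different seeds and compare the total probe counts of the two strategies; the permutation walk covers the space with far fewer repeated addresses, which is exactly the overlap the slide complains about in random scanning.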

6
Worm Scanning Methods: Hit-List Scanning
  • Gets the worm off the ground very fast
  • Infecting the first 10,000 hosts is the slow part
  • Pre-select 10,000-50,000 vulnerable machines
  • The first worm copy carries the entire hit list
  • The hit list is split in half on each infection,
    and half is handed to the new victim
  • Can establish itself in a few seconds

7
Combining Techniques
  • Combining hit-list scanning with permutation
    scanning produces the Warhol worm
  • Capable of attacking most vulnerable targets in
    under 15 minutes
  • Uses the hit list to speed up the initial spread,
    then switches to permutation scanning to ensure a
    high infection rate
  • Future worms will be faster and better (hence
    more dangerous), which introduces flash worms

8
Flash Worms
  • Fastest method: the entire Internet in tens of
    seconds
  • Obtain a hit list of vulnerable servers in advance
  • Scanning the entire IPv4 space takes about 2 hours
    on an OC-12 link (622 Mbps)
  • The list would be big (48 MB)
  • Divide it into n blocks
  • Infect the first host of each block and hand the
    block over to the new worm copy
  • Repeat for each block
  • Alternative: store pre-assigned chunks on a
    high-bandwidth server
  • Two limitations
  • Large list size
  • Latency
  • Analysis: a sub-thirty-second limit on total
    infection time on a 256 kbps DSL link

9
Worm spread using a hit list (figure)
For 3 million hosts the spread tree is just 7 layers
deep with n = 10 children per node
10
Design of Flash Worms
  • Flash worm concepts are derived from 2 prominent
    worms
  • Slammer worm (January 2003): the fastest scanning
    worm to date, infects via a single UDP packet
  • Witty worm (March 2004)
  • The authors use measurements from these 2 worms
    to model the characteristics of potential flash
    worms

11
Flash worms: what are they?
  • Most defensive effort is directed against
    random-scanning worms (guess and attack)
  • Flash worms use a precompiled list of vulnerable
    addresses to infect
  • Flash worms are interesting because they are
  • the fastest possible worms
  • their spread map can be calculated offline, which
    can be used to explore the worst-case performance
    of containment defenses

12
UDP Flash Worms
  • Key issue in single-packet flash worm design: the
    time between packets leaving a host is small
    compared to the time to cross the Internet
  • Computing the average latency distribution to
    different regions motivates a shallow and broad
    infection tree
  • The attacker should launch from a host with high
    data capacity and a good connection to the
    Internet

13
UDP Flash Worms
  • The UDP worm carries the address list to be
    infected after its code
  • The worm injector copies a subset of the address
    list into each copy of the worm before sending it
    out
  • Given the authors' assumptions about the worm and
    network conditions, the worm can infect 1 million
    hosts in less than 1 second
  • The worm will not be limited by congestion in the
    network core (the total bandwidth required by the
    worm is only O(10 Gbps) according to the authors)
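An added example, not the authors' model or code, that works through the block hand-off described on slide 8 and the depth figure on slide 9 (3 million hosts, n = 10, 7 layers), then attaches a deliberately simple timing model: one one-way latency per hop, each packet carrying the code plus 4 bytes per address of the sub-block it hands on (so packets shrink at every level), and a sender pushing its n packets back to back so the last child waits for all of them. The 400-byte code size, 1 Gbps injector, 10 Mbps hosts and 100 ms latency are constructed assumptions, and the model is coarser than the paper's latency-distribution analysis; it still shows why the tree should be shallow and broad.

```python
def tree_depth(n_hosts, fanout):
    """Levels a fanout-way tree needs below the injector to reach n_hosts."""
    depth, reach = 0, 1
    while reach < n_hosts:
        reach *= fanout
        depth += 1
    return depth


def split_hit_list(block, fanout):
    """Cut a block of addresses into `fanout` contiguous pieces
    whose sizes differ by at most one."""
    n = len(block)
    return [block[i * n // fanout:(i + 1) * n // fanout] for i in range(fanout)]


def infection_levels(hit_list, fanout):
    """Depth at which each listed host is infected under the slide's scheme:
    a worm copy splits the block it was handed, infects the first address
    of each sub-block and hands that sub-block (minus the victim) onward."""
    levels = {}
    frontier = [(hit_list, 0)]            # (block still to handle, depth of its holder)
    while frontier:
        nxt = []
        for block, depth in frontier:
            for sub in split_hit_list(block, fanout):
                if sub:
                    levels[sub[0]] = depth + 1
                    nxt.append((sub[1:], depth + 1))
        frontier = nxt
    return levels


def infection_time(n_hosts, fanout, latency_s, injector_bps, host_bps, code_bytes=400):
    """Rough completion time of a single-packet UDP flash worm (assumed model).

    Each hop costs one one-way latency plus the serialisation of `fanout`
    packets; a packet carries the code and 4 bytes per address of the
    sub-block the child becomes responsible for.  Only the injector (level 1
    sender) has a fat pipe; every other sender uses host_bps.
    """
    total = 0.0
    for level in range(1, tree_depth(n_hosts, fanout) + 1):
        sender_bps = injector_bps if level == 1 else host_bps
        addrs_per_child = n_hosts / fanout ** level
        packet_bits = 8 * (code_bytes + 4 * addrs_per_child)
        total += latency_s + fanout * packet_bits / sender_bps
    return total


def best_fanout(n_hosts, latency_s, injector_bps, host_bps, candidates=range(2, 200)):
    """Fan-out that minimises the modelled completion time."""
    return min(candidates,
               key=lambda k: infection_time(n_hosts, k, latency_s, injector_bps, host_bps))


if __name__ == "__main__":
    print("layers for 3M hosts, n=10:", tree_depth(3_000_000, 10))        # 7, as on the slide
    lv = infection_levels(list(range(1000)), 10)                          # constructed 1000-host list
    print("hosts per level:", {d: sum(1 for x in lv.values() if x == d) for d in sorted(set(lv.values()))})
    for k in (2, 10, 50, 200):
        print(f"fan-out {k:3d}: {infection_time(1_000_000, k, 0.1, 1e9, 1e7):6.2f} s")
    print("best fan-out:", best_fanout(1_000_000, 0.1, 1e9, 1e7))
```

The latency term dominates as soon as the per-level list is small, which is why a broad tree wins: with fan-out 10 the million-host tree is six levels deep and the model lands near one second, roughly the figure the slide quotes, and the optimum fan-out is well above 10 under these assumed link speeds.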

14
UDP Flash Worms
15
TCP Flash Worms
  • TCP worms are larger and slower than UDP worms,
    but there are more services to exploit
  • 2 types of TCP worms
  • Small worms, where k (number of packets) < W
    (the receiver's window)
  • Large worms, where k > W
  • Packet loss affects worm speed, especially for
    large worms
  • There is no ACK clocking from TCP slow start to
    pace the sender, so a worm that sends everything
    at once might overflow buffers
  • Solution: round-robin across open connections to
    avoid overflowing any one of them
  • The author believes a TCP worm need not be much
    larger than Slammer

16
TCP Flash worms
(Figure: a small worm fits within the window; a
large worm exceeds the window)
While a large worm can make transmission faster by
disregarding the window size and sending the whole
worm (provided the receiver can receive fast
enough), packet loss will degrade the worm's
performance because the window will not move
forward.
17
TCP Flash Worms
  • TCP worms are slower than UDP worms because of
    TCP latency (the handshake costs a round trip
    before any data flows)
  • But TCP worms are still fast: the authors'
    simulation shows 99% compromise after 3.3 s

18
TCP Flash Worms
19
Worm Resilience
  • The address list is imperfect
  • Why? Unreliable diagnostics, aging of the list
  • 2 situations
  • False negative: a vulnerable host missing from
    the list
  • False positive: a listed host that is not
    actually vulnerable
  • False positives can hamper worm spread
  • Especially true for deep and narrow spread trees
  • Broad / shallow trees are more resilient
  • Binary spread trees are too fragile (what if a
    node close to the source is invulnerable?)

20
Worm Resilience
  • Making flash worms resilient
  • Shallow spread tree flash worms
  • Add acknowledgements: have infected nodes send a
    copy of the worm back to the initial host
  • If no ack arrives, substitute the address
  • Acks are not good for deep spread trees
  • Too slow / acks must be gathered effectively
  • Solution: double infection
  • Have each intermediate node also infect the
    targets assigned to one of its siblings, so a
    branch is lost only if both siblings are
    invulnerable

21
Worm Resilience
  • To compute probability r that a given node ends
    up uninfected, the authors propose this equation
  • Graphs are shown on the next page

22
Worm Resilience
It is readily apparent that a shallow tree is
less fragile than a deep, binary tree, where an
invulnerable host can prune entire branches of
the tree.
23
Worm Resilience
24
Worm Resilience
  • K independent K-way trees
  • In a K-way tree, the non-leaf nodes are a fraction
    1/K of the total nodes
  • So K disjoint sets of internal nodes can be
    chosen, one per tree
  • Worms can be started over such trees
    simultaneously to increase resilience
  • Cost: increased code complexity
  • Graphs show that they are more effective than the
    binary tree scheme (except the pair of 2-way trees
    compared to doubling up infections)

25
Worm Resilience
26
Worm Resilience
Note that the performance of the 2 independent 2-way
trees is worse than doubling up. This might be
because it is less likely to get 2 invulnerable
hosts at the same level (which is what doubling up
needs in order to fail) than to get 2 invulnerable
hosts, one on each tree, on the paths to a host.
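An added example (not the paper's code, and not its equation, which the slide does not reproduce) that simulates the three schemes of slides 19-26 over a complete k-ary tree with random false positives: the plain tree, doubling up, and K independent K-way trees with disjoint internal-node sets. Doubling up is implemented as each internal node also infecting the children of its neighbouring sibling, which is my reading of "double infection" and an assumption; the hosts and the false-positive probabilities are constructed. A closed form for the plain tree is included so the simulation can be checked against it.

```python
import random


def spread(n_nodes, k, invulnerable, double_up=False):
    """Flash worm over a complete k-ary tree in heap order (node 0 = injector,
    parent of i = (i-1)//k).  A node is infected only if it is vulnerable and
    a node assigned to infect it was itself infected.  With double_up, each
    internal node also infects the children of its next sibling (wrapping
    within the sibling group), so a node's children are lost only if both
    the node and its neighbouring sibling are invulnerable (assumption).
    Returns a list of booleans indexed by node."""
    infected = [False] * n_nodes
    infected[0] = True
    for i in range(1, n_nodes):
        if i in invulnerable:
            continue
        parent = (i - 1) // k
        ok = infected[parent]
        if not ok and double_up and parent != 0:
            first = k * ((parent - 1) // k) + 1          # first node of parent's sibling group
            backup = first + (parent - first - 1) % k    # sibling that doubles up on parent's children
            ok = infected[backup]
        infected[i] = ok
    return infected


def complete_tree_size(k, depth):
    return (k ** (depth + 1) - 1) // (k - 1)


def spread_multitree(n_nodes, k, invulnerable, seed=0):
    """k independent k-way trees over the same targets.  The internal
    positions of each tree (excluding the injector) are filled from disjoint
    random subsets of the targets, so a host that is internal in one tree is
    a leaf in the others.  A target counts as infected if any tree reaches it."""
    rng = random.Random(seed)
    targets = list(range(1, n_nodes))
    rng.shuffle(targets)
    n_internal = (n_nodes - 1) // k - 1
    reached = [False] * n_nodes
    reached[0] = True
    for t in range(k):
        internal = targets[t * n_internal:(t + 1) * n_internal]
        internal_set = set(internal)
        label = [0] + internal + [x for x in targets if x not in internal_set]   # position -> host
        inv_positions = {pos for pos, host in enumerate(label) if host in invulnerable}
        for pos, hit in enumerate(spread(n_nodes, k, inv_positions)):
            if hit:
                reached[label[pos]] = True
    return reached


def uninfected_fraction(k, depth, p_invulnerable, scheme, trials=20, seed=1):
    """Average fraction of listed targets the worm never reaches when every
    listed host is independently a false positive with probability p."""
    rng = random.Random(seed)
    n = complete_tree_size(k, depth)
    missed = 0
    for trial in range(trials):
        invulnerable = {i for i in range(1, n) if rng.random() < p_invulnerable}
        if scheme == "plain":
            hit = spread(n, k, invulnerable)
        elif scheme == "double":
            hit = spread(n, k, invulnerable, double_up=True)
        else:
            hit = spread_multitree(n, k, invulnerable, seed=trial)
        missed += sum(1 for i in range(1, n) if not hit[i])
    return missed / (trials * (n - 1))


def uninfected_fraction_analytic(k, depth, p):
    """Closed form for the plain tree: a target at depth d is reached only if
    it and its d-1 ancestors below the injector are all vulnerable."""
    n = complete_tree_size(k, depth)
    reached = sum(k ** d * (1 - p) ** d for d in range(1, depth + 1))
    return 1 - reached / (n - 1)


if __name__ == "__main__":
    for k, depth in ((2, 10), (10, 3)):
        for p in (0.05, 0.2):
            row = [uninfected_fraction(k, depth, p, s) for s in ("plain", "double", "multitree")]
            print(f"k={k:2d} depth={depth:2d} p={p:.2f}  plain={row[0]:.3f}  "
                  f"double={row[1]:.3f}  multitree={row[2]:.3f}  "
                  f"analytic plain={uninfected_fraction_analytic(k, depth, p):.3f}")
```

The printed table reproduces the slide's qualitative findings: the deep binary tree loses large fractions of its targets to a handful of false positives, the broad tree barely notices them, and both resilience tricks recover most of the loss. The deterministic cases are the clearest: a single invulnerable child of the injector prunes half of a binary tree in the plain scheme but costs exactly one host once doubling up or a second tree is in play.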
27
Multitree Approach: Implications
  • The multitree approach may not increase the
    bandwidth required by the worm, except for the
    single-packet UDP worm (bandwidth increases by a
    factor of K)
  • The multitree approach does not slow the worm; it
    might actually make it faster by offering the
    benefits of a shallower tree
  • But it may make the worm easier to detect

28
Avoiding Containment Defenses
  • Methods of avoiding containment
  • Slowing the worm
  • Reducing the degree K at each node
  • Adding redundancy to route around defenses
  • A flash worm using a binary tree / low-K tree
    will evade scan-detection algorithms (the number
    of victims contacted stays below the detection
    threshold)
  • It avoids dark-address detectors because the
    addresses contacted will mostly be valid

29
Avoiding Containment Defenses
  • 2 possible detectors
  • EarlyBird detector
  • Honeyfarm detector
  • EarlyBird searches for statistical anomalies in
    the frequency of common content patterns
  • A honeypot detects worms by letting the worm
    propagate to it
  • But detection is not enough: the system must
    respond to infection by stopping the spread
  • EarlyBird is too slow to stop the worm
  • A honeypot cannot tell the rest of the network
    about the worm fast enough

30
Implications
  • One option for flash worm writers
  • Ignore containment defenses
  • Make the worm fast and reliable
  • Don't try to avoid detection (by slowing the worm
    etc.)
  • Treat systems behind a defense as resistant, and
    counter them using the resilience mechanisms
  • The best chance the defender has is to hide the
    list of vulnerable addresses from any potential
    attacker (i.e. there is no good solution)

31
Related Work
  • Study of fast worms that spread via IM clients
  • Sizable buddy lists and short latency for sending
    messages
  • 6-157 s to saturate 500,000 machines, based on
    the authors' assumptions

32
Conclusions
  • Flash worms can spread extremely quickly,
    provided they have a good hit list
  • UDP worms infect in < 1 s
  • TCP worms infect in a few seconds
  • Shallow trees are resilient to list errors, but
    less resilient to containment defenses
  • Deep trees are harder to contain, but less
    resilient to list errors
  • Deep trees can tolerate modest proportions of
    list errors and containment defenses

33
Exploiting P2P Systems for Infection
  • Large set of hosts, all running the same software
  • Only a single exploit is now needed
  • More favorable for infection
  • Peers interconnect with a large number of other
    peers
  • Transfer large files
  • Not mainstream protocols
  • Execute on desktops, not servers
  • Potentially immense size