How to Own the Internet in Your Spare Time (Stuart Staniford, Vern Paxson, Nicholas Weaver)

Giannis Kapantaidakis, University of Crete, CS558


Page 1: How to Own the Internet in Your Spare Time

(Stuart Staniford, Vern Paxson, Nicholas Weaver)

Giannis Kapantaidakis

University of Crete

CS558

Page 2: What could you do if you 0wn'd a million hosts?

► Distributed DoS attacks
► Access sensitive information
► Confuse or corrupt the information

This makes such a capability a valuable tool in cyber warfare.

Page 3: How to 0wn a million hosts? Worms

► Programs that self-propagate across the Internet by exploiting security flaws in widely used services.

(As opposed to viruses, which require user action to spread.)

Page 4: Code Red I

► Initial version released July 13, 2001.
► Exploited a known bug in Microsoft IIS web servers.
► But: failure to seed the random number generator. Every copy of the worm attempted to compromise the same sequence of hosts.
► Linear spread; it didn't get very far.

Page 5: Code Red I v2

► Released July 19, 2001.
► Same codebase, but:
  - random number generator correctly seeded;
  - DDoS payload targeting the IP address of www.whitehouse.gov.
► That night, Code Red dies (except on hosts with inaccurate clocks!).
► It takes just one of those hosts to restart the worm come the first of the next month.

Page 6: Random Constant Spread Model

► N: total number of vulnerable servers on the Internet
► K: initial compromise rate: the rate at which an infected host is able to infect new hosts at the start of the incident
► a: proportion of machines already compromised
► T: constant of integration that fixes the time position of the incident (a = 1/2 at t = T)
► Equation: N da = (N a) K (1 - a) dt
► Solution: a = e^(K(t-T)) / (1 + e^(K(t-T)))
► Good enough model (works for Code Red I)
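Worked example, added here and not part of the slides or the paper: the RCS model in Python. It evaluates the closed-form solution, checks numerically that it satisfies N da = (N a) K (1 - a) dt, inverts it to get the time at which a given fraction is compromised, and runs a scaled-down random-scanning worm (constructed parameters: a 2^16 address space with 256 vulnerable hosts, not Internet figures) to compare against the analytic curve. The expression for K in terms of probe rate and vulnerable-host density is my own derivation, not a number taken from the slides.

```python
import math
import random

def rcs_fraction(t, K, T):
    """Closed-form solution a(t) = e^(K(t-T)) / (1 + e^(K(t-T))) of the RCS model."""
    x = K * (t - T)
    if x >= 0:                       # two branches keep exp() from overflowing
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)

def rcs_rate(a, K):
    """da/dt = K a (1 - a): the slide's N da = (N a) K (1 - a) dt with N divided out."""
    return K * a * (1.0 - a)

def ode_residual(K, T, t, h=1e-5):
    """|central-difference da/dt - K a (1 - a)|: near zero if the closed form solves the ODE."""
    da_dt = (rcs_fraction(t + h, K, T) - rcs_fraction(t - h, K, T)) / (2 * h)
    return abs(da_dt - rcs_rate(rcs_fraction(t, K, T), K))

def time_to_fraction(a, K, T):
    """Inverse of a(t): the time at which the compromised fraction reaches a (0 < a < 1)."""
    return T + math.log(a / (1.0 - a)) / K

def compromise_rate(probes_per_unit, n_vulnerable, addr_space=1 << 32):
    """K for uniform random scanning (my derivation, not a number from the slides): a probe
    hits a vulnerable host with probability n_vulnerable / addr_space, so one fresh infectee
    finds probes_per_unit * n_vulnerable / addr_space new victims per unit of time."""
    return probes_per_unit * n_vulnerable / addr_space

def simulate_random_scanning(n_vulnerable=256, addr_bits=16, probes_per_tick=200, ticks=25, seed=7):
    """Scaled-down Monte Carlo of a random-scanning worm (constructed parameters: 2^16
    addresses instead of 2^32). Every infected host sends probes_per_tick uniform random
    probes per tick. Returns a(t) for t = 0..ticks, to compare against rcs_fraction."""
    rng = random.Random(seed)
    space = 1 << addr_bits
    vulnerable = set(rng.sample(range(space), n_vulnerable))
    infected = {next(iter(vulnerable))}
    trace = [len(infected) / n_vulnerable]
    for _ in range(ticks):
        for _ in range(len(infected) * probes_per_tick):
            target = rng.getrandbits(addr_bits)
            if target in vulnerable:
                infected.add(target)
        trace.append(len(infected) / n_vulnerable)
    return trace

def model_for_simulation(n_vulnerable=256, addr_bits=16, probes_per_tick=200, ticks=25):
    """The analytic curve the simulation should follow: K from the probe rate, T from a(0) = 1/N."""
    K = compromise_rate(probes_per_tick, n_vulnerable, 1 << addr_bits)
    T = math.log(n_vulnerable - 1) / K
    return [rcs_fraction(t, K, T) for t in range(ticks + 1)]

if __name__ == "__main__":
    K, T = 1.8, 11.9                                    # the fit quoted for Code Red I
    print("a(T) =", rcs_fraction(T, K, T))
    print("90% compromised at t =", time_to_fraction(0.9, K, T))
    for t, (sim, model) in enumerate(zip(simulate_random_scanning(), model_for_simulation())):
        print(f"t={t:2d}  simulated a={sim:.3f}  model a={model:.3f}")
```

The simulated curve wobbles around the analytic one mostly in the start-up phase, where a single infected host probing at random may take several ticks to find its first victim; once a few hosts are infected the logistic shape takes over, which is the point the slides make about Code Red I.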

Page 7:

► Fit for Code Red I: K = 1.8, T = 11.9
► Max probe rate: 510,000 scans per hour
► Came close to saturation before turning off

Page 8:

► Reawakened on Aug 1st with K = 0.7
► Number of vulnerable systems was less than 40% as many as the first time (consistent with K scaling with the vulnerable population: 0.7 / 1.8 ≈ 0.39)
► Code Red more or less followed the model.

Page 9: Code Red II

► Released August 4, 2001.
► Comment in code: "Code Red II." But in fact a completely different code base.
► Payload: a root backdoor allowing unrestricted remote access.
► Bug: crashes NT; only works right on Windows 2000.
► Used a localized scanning strategy.

Page 10: Localized Scanning

► Attempts to infect addresses close to itself:
  - with probability 3/8 it chooses a random IP from the class B (/16) address space of the infected machine;
  - with probability 1/2 from its class A (/8);
  - with probability 1/8 from the whole Internet.
► Localized spreading works: hosts around it are often similar, topologically closer (faster to reach), and once it gets through the firewall it spreads fast in the internal network.
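Worked example, added here and not part of the slides or the paper: the Code Red II target-selection rule above in Python, a closed-form check of where its probes actually land (the /8 and whole-Internet draws can themselves fall inside the source's /16 or /8, so the observed shares differ slightly from 3/8, 1/2, 1/8), and a detection heuristic of my own, not from the paper, that flags sources whose probes cluster in their own /8. The flow records and the addresses 10.1.2.3 and 192.0.2.10 are constructed for the example.

```python
import ipaddress
import random
from collections import Counter

def pick_target(src, rng):
    """Code Red II target choice: p=3/8 a random address in the source's class B (/16),
    p=1/2 in its class A (/8), p=1/8 anywhere in the 32-bit space. src is an int."""
    r = rng.random()
    if r < 3 / 8:
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    if r < 7 / 8:
        return (src & 0xFF000000) | rng.getrandbits(24)
    return rng.getrandbits(32)

def relation(src, dst):
    """Where a probe landed relative to its source."""
    if (src ^ dst) >> 16 == 0:
        return "same /16"
    if (src ^ dst) >> 24 == 0:
        return "same /8"
    return "elsewhere"

def probe_distribution(src, n, seed=1):
    """Empirical share of probes per relation for n probes from dotted address src."""
    rng = random.Random(seed)
    s = int(ipaddress.IPv4Address(src))
    counts = Counter(relation(s, pick_target(s, rng)) for _ in range(n))
    return {k: counts[k] / n for k in ("same /16", "same /8", "elsewhere")}

def expected_distribution():
    """Closed form: the /8 and whole-Internet draws can themselves land inside the /16 or /8."""
    same16 = 3 / 8 + (1 / 2) * (1 / 256) + (1 / 8) * (1 / 65536)
    same8 = (1 / 2) * (255 / 256) + (1 / 8) * (255 / 65536)
    return {"same /16": same16, "same /8": same8, "elsewhere": (1 / 8) * (255 / 256)}

def flag_localized_scanners(flows, min_probes=50, threshold=0.6):
    """Detection heuristic of my own (not from the paper): under uniform random scanning only
    about 1/256 of a source's probes stay inside its own /8, so a source with most of its
    probes there is scanning locally. flows are (src_int, dst_int) pairs from a sensor."""
    per_src = {}
    for src, dst in flows:
        total, local = per_src.get(src, (0, 0))
        per_src[src] = (total + 1, local + (relation(src, dst) != "elsewhere"))
    return sorted(str(ipaddress.IPv4Address(s))
                  for s, (total, local) in per_src.items()
                  if total >= min_probes and local / total >= threshold)

def sample_flows(seed=3):
    """Constructed sensor log: 200 probes each from one localized and one uniform scanner."""
    rng = random.Random(seed)
    localized = int(ipaddress.IPv4Address("10.1.2.3"))
    uniform = int(ipaddress.IPv4Address("192.0.2.10"))
    flows = []
    for _ in range(200):
        flows.append((localized, pick_target(localized, rng)))
        flows.append((uniform, rng.getrandbits(32)))
    return flows

if __name__ == "__main__":
    print("empirical:", probe_distribution("10.1.2.3", 100_000))
    print("expected: ", expected_distribution())
    print("flagged:  ", flag_localized_scanners(sample_flows()))
```

The detector is deliberately crude: it needs a minimum number of probes per source so that a handful of legitimate connections to nearby hosts does not trip it, and it only separates localized from uniform scanners; it says nothing about a source that is not scanning at all.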

Page 11: Nimda

► Released September 18, 2001.
► Multi-mode spreading:
  - attack IIS servers via infected clients;
  - email itself to the address book, as a virus;
  - copy itself across open network shares;
  - modify web pages on infected servers in order to infect clients;
  - scan for Code Red II and sadmind backdoors (!).

Page 12:

► Average: 100 connections per second
► About 3x the number of Code Red probes
► Full functionality still not known!

Page 13:

► Since Nimda spreads by multiple vectors, the counts shown for it may be an underestimate.

Page 14:

► Why Code Red I continues to gain strength each month remains unknown.

Page 15: Ways of reducing time

► Hit-list scanning
► Permutation scanning
► Topological scanning
► Internet-scale hit lists

Page 16: Hit-list scanning

Idea: reduce the slow start-up phase.

► Before releasing the worm, the author collects a list of around 10,000-50,000 potentially vulnerable machines, ideally ones with very good network connections.
► When released, the worm initially attacks these machines, so the initial infection rate is higher. Each time it infects a machine it divides its hit list in half, handing one half to the new copy.

Page 17: Ways to get a hit list

- Distributed scanning: use zombies
- Stealthy scan: spread it over several months
- DNS searches, e.g. www.domain.com
- Spiders: ask the search engines
- Just listening: P2P, or exploit existing worms

Page 18: Permutation Scanning

Idea: reduce redundant scanning.

► The permutation allows a worm to detect when a host is already infected.
► All worm copies share a common (pseudo-random) permutation of the IP address space.
► An infected machine starts scanning just after its own position in the permutation. When the worm sees a machine that is already infected, it chooses a new random start point.
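Worked example, added here and not part of the slides or the paper: a shared permutation of the address space built as a keyed Feistel network (a bijection for any round function, so every address is visited exactly once per sweep), its inverse (which gives a freshly infected host its own position), and a lockstep simulation of the scanning rule above. The 2^14 address space, the key and the 100 vulnerable hosts are constructed so the example runs in seconds; a real worm would permute the full 2^32 space and would use a cheaper block cipher than SHA-256 in the rounds.

```python
import hashlib
import random

ADDR_BITS = 14                    # scaled-down address space (2^14) so the example runs in seconds;
SPACE = 1 << ADDR_BITS            # a real worm would permute the full 2^32 IPv4 space
HALF = ADDR_BITS // 2
MASK = (1 << HALF) - 1

def _round(key, rnd, half):
    """Feistel round function: keyed hash of one half-block, truncated to HALF bits."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK

def permute(key, index, rounds=4):
    """Position in the shared permutation -> address. A balanced Feistel network is a
    bijection whatever the round function, so every address appears exactly once."""
    left, right = index >> HALF, index & MASK
    for rnd in range(rounds):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << HALF) | right

def unpermute(key, addr, rounds=4):
    """Address -> position: where a freshly infected host starts its own scan."""
    left, right = addr >> HALF, addr & MASK
    for rnd in reversed(range(rounds)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << HALF) | right

def scan_from(key, position, infected, vulnerable, probes, rng):
    """One copy's walk: probe the next `probes` positions of the permutation. Vulnerable
    hosts get infected; meeting an already-infected host means another copy has swept the
    stretch ahead, so the walk restarts at a random position. Returns (events, position)."""
    events = []
    for _ in range(probes):
        position = (position + 1) % SPACE
        target = permute(key, position)
        if target in infected:
            position = rng.randrange(SPACE)
            events.append(("restart", position))
        elif target in vulnerable:
            infected.add(target)
            events.append(("infect", target))
    return events, position

def permutation_scan(key, vulnerable, first, seed=1):
    """Lockstep simulation: every infected copy makes one probe per round until all
    vulnerable hosts are infected. Returns (total probes, infected set)."""
    rng = random.Random(seed)
    infected = {first}
    cursor = {first: unpermute(key, first)}
    probes = 0
    while not vulnerable <= infected:
        for host in list(infected):
            events, cursor[host] = scan_from(key, cursor[host], infected, vulnerable, 1, rng)
            probes += 1
            for kind, addr in events:
                if kind == "infect":
                    cursor[addr] = unpermute(key, addr)   # starts just after its own position
    return probes, infected

if __name__ == "__main__":
    key = b"shared-worm-key"                            # constructed; every copy carries the same key
    rng = random.Random(0)
    vulnerable = set(rng.sample(range(SPACE), 100))     # constructed: 100 vulnerable hosts
    probes, _ = permutation_scan(key, vulnerable, next(iter(vulnerable)))
    print(f"{len(vulnerable)} hosts infected after {probes} probes in a space of {SPACE}")
```

The probe counter is worth watching: a copy that restarts lands in already-swept territory without knowing it until it runs into an infected host, so the last few vulnerable hosts still cost many probes; the slides' Warhol worm pairs this scheme with a hit list precisely so that the expensive phases are short.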

Page 19: Warhol Worm

► Based on: hit list & permutation scanning
► Simulation environment
► Results of simulation

Page 20:

► So we already have methods to attack most vulnerable targets in under 15 minutes.

Page 21: Topological Scanning

► Alternative to hit-list scanning.
► Use addresses available on the victim's machine.
► Use these as a starting point before switching to permutation scanning.
► Peer-to-peer systems are highly vulnerable to this kind of scanning.

Page 22: Flash Worms: The Real Danger

► Idea: use an Internet-sized hit list (scanning the entire address space takes roughly 2 hours).
► The initial copy of the worm has the entire hit list.
► Each generation infects n hosts from the list and gives each of them 1/n of it. (Or point them to well-connected servers that serve up portions of the list.)
► If n = 10, it requires 7 generations to infect 10^7 hosts (less than 30 seconds!).
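Worked example, added here and not part of the slides or the paper, serving both the hit-list halving on page 16 (the n = 2 case) and the flash-worm 1/n split above: a simulation that hands out slices of the list exactly as described and counts generations, next to the closed form (after g generations at most 1 + n + ... + n^g hosts are infected). The list is represented by slice sizes only, so a 10^7-entry list costs nothing to simulate; the list sizes used are the ones on the slides.

```python
from collections import Counter

def partition_spread(hit_list_size, n):
    """Simulate hit-list / flash-worm propagation. Each infected host infects the first n
    addresses of the slice it holds, then hands each new infectee a 1/n share of the rest
    (n = 2 is the halving of page 16). Only slice sizes matter, so the frontier is a
    Counter {slice size: number of hosts holding such a slice}.
    Returns (generations until the list is exhausted, infected count per generation)."""
    if hit_list_size <= 0:
        return 0, [1]
    frontier = Counter({hit_list_size: 1})
    infected, generations, history = 1, 0, [1]
    while frontier:
        nxt = Counter()
        for size, count in frontier.items():
            targets = min(n, size)                    # a small slice may hold fewer than n
            infected += targets * count
            share, extra = divmod(size - targets, targets)
            if extra:                                 # `extra` infectees get one address more
                nxt[share + 1] += extra * count
            if share:
                nxt[share] += (targets - extra) * count
        frontier = nxt
        generations += 1
        history.append(infected)
    return generations, history

def generations_needed(hit_list_size, n):
    """Closed form: the first g with 1 + n + ... + n^g >= hit_list_size + 1 (initial copy
    plus every address on the list)."""
    total, g = 1, 0
    while total < hit_list_size + 1:
        g += 1
        total += n ** g
    return g

if __name__ == "__main__":
    for size, n in ((10**7, 10), (50_000, 2)):
        g, history = partition_spread(size, n)
        print(f"list of {size} with n={n}: {g} generations (formula {generations_needed(size, n)}), "
              f"infected per generation {history}")
```

With n = 10 the simulation and the formula both give 7 generations for 10^7 hosts, matching the slide; with n = 2 a 50,000-entry hit list is consumed in 15 generations, which is why hit-list scanning only shortens the start-up phase rather than finishing the job on its own.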

Page 23: Still need better worms

► All those worms use distinctive communication patterns.
► This forms the basis for automatic detection.
► How can we remove that weakness from worms?

Page 24: Contagion Worms

► Suppose you have two exploits:
  - Es: exploit in a web server
  - Ec: exploit in a client
► You infect a server (or client) with Es (Ec).
► Then you... wait. (Perhaps you bait, e.g. host porn.)
► When a vulnerable client arrives, infect it.
► You send over both Es and Ec.
► As the client happens to visit other vulnerable servers, it infects them.
► Clearly there are no unusual communication patterns to be observed (other than slightly larger-than-usual transfers).

Page 25: Contagion Worms

► They become dangerous with P2P systems because:
  - likely only a single exploit is needed, not a pair;
  - often the peers run identical software;
  - often used to transfer large files;
  - often give access to the user's desktop rather than a server;
  - and P2P networks can be very large.

Page 26: Contagion Worms

► KaZaA: 9 million distinct IP connections with university hosts (5,800) in a single month.
► If you 0wn'd a single university in November 2001, you could have 0wn'd 9 million additional hosts.
► How fast? Faster than 1 month.

Page 27: Updating and control

► Distributed control
  - Each worm copy has a list of other copies.
  - Ability to create encrypted communication channels to spread information.
  - Commands are cryptographically signed by the author.
  - Each worm copy confirms the signature, spreads the command to other copies and then executes it.
► Programmatic updates
  - Operating systems allow dynamic code loading.
  - New encrypted attack modules from the worm author.

Page 28: Centre for Disease Control

► Roles it is expected to perform:
  - identifying outbreaks;
  - rapidly analyzing pathogens;
  - fighting infections;
  - anticipating new vectors;
  - resisting future threats.

Page 29: How open?

► Have an open website (accessible to all)?
► Drawbacks:
  - the attacker targets the site;
  - how correct is the information placed on the site?
  - the attacker also gains understanding;
  - some sources may not be willing to make their information public.
► How international?