Modeling Worms: Two papers at Infocom 2003

Upload: berniece-johnson

Post on 02-Jan-2016


Page 1: Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services

Modeling Worms: Two papers at Infocom 2003

Worms: programs that self-propagate across the internet by exploiting security flaws in widely used services.

Worms can cause an enormous amount of damage: launch DDoS attacks, access sensitive information, cause confusion by corrupting sensitive information.

Therefore it is important to understand how worms propagate in order to contain them.

Page 2:

To contain worms to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (Code Red): address blacklisting: reaction time must be < 25 minutes; content filtering: reaction time must be < 3 hours.

How quickly does each strategy need to react? [Two plots, not reproduced: Address Blacklisting, % infected (95th percentile) against reaction time (minutes); Content Filtering, % infected (95th percentile) against reaction time (hours).]

Page 3:

Modeling network worms

Network worms are well modeled as infectious epidemics. Simplest version: homogeneous random contacts, the classic SI model.

$N$: population size; $S(t)$: susceptible hosts at time $t$; $I(t)$: infected hosts at time $t$; $\beta$: contact rate; $i(t) = I(t)/N$, $s(t) = S(t)/N$.

Page 4:

Modeling network worms

$\frac{dS}{dt} = -\beta \frac{I S}{N}$

$\frac{dI}{dt} = \beta \frac{I S}{N}$

$\frac{di}{dt} = \beta\, i\,(1 - i)$

$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$, where $T$ is the time at which $i = 1/2$

courtesy Paxson, Staniford, Weaver

Page 5:

Epidemiological model deficiencies

White, one of the authors of the epidemiological paper, mentioned the mystery of the model "not" being able to explain the slowness of the worm spread in a global network.

Page 6:

Epidemiological model deficiencies…

The model assumes "zero" infection time, which is unrealistic. Even in experiments on practical deployment, they assume a topology, but further assume "zero" latencies on all network links!

Doesn't model the simultaneous reduction in the number of vulnerable hosts by "patching".

Page 7:

Unrealistic assumptions lead to…

… fascinating negative results. Example 1: when the Top-100 ISPs deploy containment strategies, they still cannot prevent a worm spreading at 100 probes/sec from affecting 18% of the internet, no matter what the reaction time of the containment system is.

Page 8:

Analytical Active Worm Propagation Model (AAWP)

Page 9:

AAWP…

Assume that you know the result of an infection in "one" time tick.

At time $i$, $n_i$ machines are infected and $m_i$ is the total number of vulnerable machines.

Probability of a new machine being infected in one scan: $(m_i - n_i)/2^{32}$

Total number of scans at time $i$: $s \cdot n_i$

Given death rate $d$ and patching rate $p$: the total number of vulnerable machines is reduced to $(1-p)\,m_i$, and the number infected is reduced by $p\,n_i + d\,n_i$.

Page 10:

AAWP…

Page 11:

Effect of various parameters on worm spread

1. Hitlist size 2. Patching rate 3. Time to complete infection

(All cases are for 1,000,000 vulnerable machines, a scanning rate of 100 scans/second, and a death rate of 0.001/second.)

Page 12:

AAWP versus Epidemiological

Epidemiological is a continuous-time model, while AAWP is a discrete-time model. Epidemiological is less accurate because a host can start infecting others even before it is completely infected.

Page 13:

AAWP versus Epidemiological…

Epidemiological doesn't consider the reduction in the number of machines by either patching or death.

Epidemiological assumes the time to infect each new host is "zero", which doesn't model: network congestion delays, size of the worm's copy, distance between source and destination.

Page 14:

Advantages of AAWP over Epidemiological model

Page 15:

AAWP explains…

The lower prevalence of worms in the internet

It’s optimistic in the sense that worms can still be controlled

Page 16:

AAWP’s containment strategy

Deploy sensors in certain networks, which monitor TCP SYN probes on port 80 that are trying to connect to IP addresses in this network.

For a Code Red-like worm with hitlist size = 1: monitor $2^{24}$ addresses: reaction time = 2 min; monitor $2^{18}$ addresses: reaction time = 1 hr; monitor $2^{16}$ addresses: reaction time = 2 hr.
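The SI closed form from page 4 and the AAWP ingredients from pages 9, 11 and 16 in runnable form, as an added example that is not code from either paper. Two things are this example's own assumptions: combining the slide's per-scan probability, scan count, patching and death terms into one recurrence, and estimating sensor reaction time as the first tick at which a darknet expects at least one probe (a simpler criterion than the AAWP paper's, so the numbers differ from the slide's 2 min / 1 hr / 2 hr).

```python
from math import exp

ADDRESS_SPACE = 2 ** 32  # IPv4 space, scanned uniformly at random


def si_fraction(t, beta, T):
    """Closed-form SI solution i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}), so i(T) = 1/2."""
    return 1.0 / (1.0 + exp(-beta * (t - T)))  # same value, no overflow for large t


def aawp_step(n, m, s, d, p):
    """One AAWP tick: n infected, m vulnerable, s scans/host/tick, d death rate, p patching rate.
    One scan hits an uninfected vulnerable host with probability (m - n) / 2^32, so the s*n
    scans of the tick newly infect (m - n) * (1 - (1 - 1/2^32)^(s*n)) hosts in expectation;
    patching shrinks m to (1 - p) m and the infected lose (p + d) n (assumed combination)."""
    newly_infected = (m - n) * (1.0 - (1.0 - 1.0 / ADDRESS_SPACE) ** (s * n))
    return n + newly_infected - (d + p) * n, (1.0 - p) * m


def simulate_aawp(m0, n0, s, d, p, ticks):
    """Return [(n_i, m_i)] for i = 0..ticks; n0 is the hitlist size."""
    n, m = float(n0), float(m0)
    trace = [(n, m)]
    for _ in range(ticks):
        n, m = aawp_step(n, m, s, d, p)
        trace.append((n, m))
    return trace


def ticks_until_fraction(trace, fraction):
    """First tick at which infections reach `fraction` of the initial vulnerable population."""
    m0 = trace[0][1]
    return next((i for i, (n, _) in enumerate(trace) if n >= fraction * m0), None)


def sensor_reaction_ticks(trace, s, monitored):
    """First tick by which a darknet of `monitored` addresses expects at least one probe;
    each of the s*n scans in a tick lands in the sensor with probability monitored / 2^32."""
    expected_hits = 0.0
    for i, (n, _) in enumerate(trace):
        expected_hits += s * n * monitored / ADDRESS_SPACE
        if expected_hits >= 1.0:
            return i
    return None


if __name__ == "__main__":
    # Slide parameters: 10^6 vulnerable hosts, 100 scans/s, death rate 0.001/s, hitlist of 1.
    trace = simulate_aawp(1_000_000, 1, 100, 0.001, 0.0, 3600)
    print("10% infected after", ticks_until_fraction(trace, 0.10), "s")
    for k in (24, 18, 16):
        print(f"2^{k} monitored addresses: first expected probe at tick",
              sensor_reaction_ticks(trace, 100, 2 ** k))
```

With patching set to zero the recurrence saturates at (or, with a non-zero death rate, just below) the whole vulnerable population; with p > 0 the vulnerable population itself shrinks by (1 - p) each tick, which is the effect the epidemiological model leaves out.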

Page 17:

Conclusions…

Internet Quarantine paper concludes: require fast reaction time, O(min); wide-spread deployment of containment tools; nearly all ASes must deploy content filtering; content filtering as a containment strategy is more effective than address blacklisting.

AAWP paper concludes: obtain a secretive /24 network and deploy a sensor tool like LaBrea to monitor the traffic into the network.

Page 18:

AAWP paper differs

Worms using subnet addresses spread faster than those using random addresses.

Page 19:

Highly virulent worms

Warhol Worm: combination of permutation and hit-list scanning

Page 20:

New Infection Strategies

How do worms spread? Using random port scans, i.e. transmission of messages by worms to a PC or network to determine any open ports that will accept a connection.

The infection rate of the worm can be increased in one of the following ways: increase the scan rate; optimized scanning routines: instead of random port scanning, use the following algorithms: localized scanning, hitlist scanning, permutation scanning, topological scanning.

Page 21:

New Infection Strategies ..

Localized Scanning (Code Red II): preferentially scans targets that reside on the same subnet.

Code Red II used this technique. Specifically: 1/8 of the time, the address used was completely random; 1/2 of the time, the address used was in its own class A /8 network; 3/8 of the time, the address used was in its own /16 network.
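A sensor-side check for the localized-scanning signature described above, as an added example that is not part of the original slides: it classifies logged probes by how much address prefix they share with their source and flags a source whose local share is far above what uniform random scanning would produce. The probe records, the source address 10.1.2.3 and the 0.25 threshold are constructed for the example.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed probe records (src, dst) as a sensor might log TCP SYNs to port 80
# from one infected host at 10.1.2.3: 2 random, 8 in its /8, 6 in its /16 (the
# 1/8 : 1/2 : 3/8 mix described for Code Red II).
PROBES = [
    ("10.1.2.3", "198.51.100.7"), ("10.1.2.3", "203.0.113.9"),
    ("10.1.2.3", "10.200.4.1"), ("10.1.2.3", "10.77.8.2"), ("10.1.2.3", "10.9.9.9"),
    ("10.1.2.3", "10.150.0.5"), ("10.1.2.3", "10.33.21.8"), ("10.1.2.3", "10.254.1.1"),
    ("10.1.2.3", "10.66.6.6"), ("10.1.2.3", "10.128.3.3"),
    ("10.1.2.3", "10.1.7.7"), ("10.1.2.3", "10.1.99.1"), ("10.1.2.3", "10.1.0.12"),
    ("10.1.2.3", "10.1.200.4"), ("10.1.2.3", "10.1.3.3"), ("10.1.2.3", "10.1.45.6"),
]


def locality(src, dst):
    """Classify a probe by how much prefix the destination shares with the source."""
    a, b = int(IPv4Address(src)), int(IPv4Address(dst))
    if a >> 16 == b >> 16:  # checked first: same /16 also means same /8
        return "same /16"
    if a >> 24 == b >> 24:
        return "same /8"
    return "random"


def locality_profile(probes):
    """Fraction of probes falling in each locality class."""
    counts = Counter(locality(s, d) for s, d in probes)
    total = sum(counts.values())
    return {k: counts[k] / total for k in ("same /16", "same /8", "random")}


def looks_localized(profile, min_local_fraction=0.25):
    """Uniform random scanning puts only about 1/256 of probes inside the source's /8
    (and 1/65536 inside its /16); a large local share is the localized-scanning
    signature. The 0.25 threshold is this example's choice, not from the slides."""
    return profile["same /16"] + profile["same /8"] >= min_local_fraction


if __name__ == "__main__":
    prof = locality_profile(PROBES)
    print(prof, "localized" if looks_localized(prof) else "random-looking")
```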

Page 22:

New Infection Strategies ..

Topological Scanning (e.g. Morris Worm): the worm uses the information contained on the victim's machine to select new machines.

Morris Internet worm enumerated targets by examining local configuration files and active network connections on each compromised host

email worms use this technique

Peer to peer systems are highly vulnerable to this kind of scanning

Page 23:

New Infection Strategies .

Hit List Scanning: the author of the worm collects a list of around 10,000 - 50,000 potentially vulnerable machines, ideally the ones with very good network connections, before releasing the worm.

The worm, when released, initially attacks these machines, so the initial infection is higher.

Techniques to generate a hit list: stealthy scans, distributed scanning, public surveys, just listen.

Page 24:

New Infection Strategies

Permutation Scanning: all worm instances share a common pseudorandom permutation of the IP address space.

Any machine infected during the hit-list phase starts scanning after its point in the permutation, looking for vulnerable machines.

Permutation scanning ensures that the same addresses are not probed multiple times.

Page 25:

Worms seen in the past

Morris Worm: topological scanning

Code Red I: random scanning

Code Red II: localised scanning

Slammer/Sapphire worm: random scanning