Modeling Worms: Two papers at Infocom 2003
Worms: programs that self-propagate across the Internet by exploiting security flaws in widely used services.
Worms can cause an enormous amount of damage:
- launch DDoS attacks
- access sensitive information
- cause confusion by corrupting sensitive information
Therefore it is important to understand how worms propagate in order to contain them.
To contain a worm to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (CodeRed):
- Address blacklisting: reaction time must be < 25 minutes
- Content filtering: reaction time must be < 3 hours
How quickly does each strategy need to react?
[Figure: Address Blacklisting: % infected (95th percentile) vs. reaction time (minutes)]
[Figure: Content Filtering: % infected (95th percentile) vs. reaction time (hours)]
Network worms are well modeled as infectious epidemics. Simplest version: homogeneous random contacts, the classic SI model.
N: population size; S(t): susceptible hosts at time t; I(t): infected hosts at time t; β: contact rate; i(t) = I(t)/N, s(t) = S(t)/N
Modeling network worms
$\frac{dS}{dt} = -\beta \frac{IS}{N}$
$\frac{dI}{dt} = \beta \frac{IS}{N}$
$\frac{di}{dt} = \beta\, i\,(1 - i)$
$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$
courtesy Paxson, Staniford, Weaver
Epidemiological model deficiencies
White, one of the authors of the epidemiological paper, mentioned the mystery of the model not being able to explain the slowness of worm spread in a global network.
Epidemiological model deficiencies…
- The model assumes "zero" infection time, which is unrealistic. Even in experiments on practical deployment, they assume a topology but further assume "zero" latency on all network links!
- It doesn't model the simultaneous reduction in the number of vulnerable hosts by "patching".
Unrealistic assumptions lead to… fascinating negative results.
Example 1: when the top 100 ISPs deploy containment strategies, they still cannot prevent a worm spreading at 100 probes/sec from affecting 18% of the Internet, no matter what the reaction time of the containment system is.
Analytical Active Worm Propagation Model (AAWP)
AAWP…
Assume that the outcome of an infection attempt is known after "one" time tick.
At time i, n_i machines are infected and m_i is the total number of vulnerable machines.
Probability of a new machine being infected in one scan: (m_i − n_i)/2^32
Total number of scans at time i: s·n_i (s being the scanning rate)
Given death rate d and patching rate p: the total number of vulnerable machines is reduced to (1 − p)·m_i, and the number infected is reduced by p·n_i + d·n_i.
AAWP…
[Figure: effect of various parameters on worm spread: 1. hit list size, 2. patching rate, 3. time to complete infection. All cases are for 1,000,000 vulnerable machines, a scanning rate of 100 scans/second, and a death rate of 0.001/second.]
AAWP versus Epidemiological
The epidemiological model is a continuous-time model, while AAWP is a discrete-time model. The epidemiological model is less accurate because, in it, a host can start infecting others even before it is completely infected.
AAWP versus Epidemiological…
- The epidemiological model doesn't consider the reduction in the number of machines by either patching or death.
- The epidemiological model assumes the time to infect each new host is "zero", which fails to model: network congestion delays, the size of the worm's copy, and the distance between source and destination.
Advantages of AAWP over the epidemiological model
AAWP explains…
- the lower prevalence of worms on the Internet
- it is optimistic in the sense that worms can still be controlled
AAWP's containment strategy
Deploy sensors in certain networks that monitor TCP SYN probes to port 80 directed at IP addresses in that network.
For a CodeRed-like worm with hit list size = 1:
- monitor 2^24 addresses: reaction time = 2 min
- monitor 2^18 addresses: reaction time = 1 hr
- monitor 2^16 addresses: reaction time = 2 hr
Conclusions…
The Internet Quarantine paper concludes:
- a fast reaction time, O(min), is required
- wide-spread deployment of containment tools is required; nearly all ASes must deploy content filtering
- the content-filtering containment strategy is more effective than address blacklisting
The AAWP paper concludes:
- obtain a secretive /24 network and deploy a sensor tool like LaBrea to monitor the traffic into the network
- worms using subnet addresses spread faster than those using random addresses
AAWP paper differs
Highly virulent worms
Warhol Worm: a combination of permutation and hit list scanning
New Infection Strategies
How do worms spread? Using random port scans, i.e. the worm transmits messages to a PC or network to determine any open ports that will accept a connection.
The infection rate of the worm can be increased in one of the following ways:
- increase the scan rate
- optimized scanning routines: instead of random port scanning, use one of the following algorithms: localized scanning, hit list scanning, permutation scanning, topological scanning
New Infection Strategies…
Localized scanning (Code Red II): preferentially scans targets that reside on the same subnet.
Code Red II used this technique. Specifically: 1/8 of the time the address used was completely random; 1/2 of the time the address used was in its own class A (/8) network; 3/8 of the time the address used was in its own /16 network.
New Infection Strategies…
Topological scanning (e.g. the Morris worm): the worm uses information contained on the victim's machine to select new machines.
The Morris Internet worm enumerated targets by examining local configuration files and active network connections on each compromised host.
Email worms use this technique.
Peer-to-peer systems are highly vulnerable to this kind of scanning.
New Infection Strategies…
Hit list scanning: before releasing the worm, the author collects a list of around 10,000 to 50,000 potentially vulnerable machines, ideally ones with very good network connectivity.
When released, the worm initially attacks these machines, so the initial infection is higher.
Techniques to generate a hit list: stealthy scans, distributed scanning, public surveys, just listening.
New Infection Strategies…
Permutation scanning: all worm instances share a common pseudorandom permutation of the IP address space.
Any machine infected during the hit list phase starts scanning after its point in the permutation, looking for vulnerable machines.
Permutation scanning ensures that the same addresses are not probed multiple times.
Worms seen in the past:
- Morris worm: topological scanning
- Code Red I: random scanning
- Code Red II: localized scanning
- Slammer/Sapphire worm: random scanning