
Modeling Worms: Two papers at Infocom 2003

Two papers discussing the modeling and containment strategies for internet worms, including address blacklisting and content filtering. The papers also explore the deficiencies of epidemiological models and propose a new analytical active worm propagation model (AAWP).

lalvarado

Presentation Transcript


  1. Modeling Worms: Two papers at Infocom 2003
Worms: programs that self-propagate across the Internet by exploiting security flaws in widely used services. Worms can cause an enormous amount of damage:
• Launch DDoS attacks
• Access sensitive information
• Cause confusion by corrupting sensitive information
Therefore it is important to understand how worms propagate in order to contain them.

  2. How quickly does each strategy need to react?
[Figure: % infected (95th percentile) versus reaction time; reaction time in minutes for address blacklisting, in hours for content filtering]
• To contain a worm to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (CodeRed-like):
• Address blacklisting: reaction time must be < 25 minutes
• Content filtering: reaction time must be < 3 hours

  3. Modeling network worms
• Network worms are well modeled as infectious epidemics
• Simplest version: homogeneous random contacts
• Classic SI model
• N: population size
• S(t): susceptible hosts at time t
• I(t): infected hosts at time t
• β: contact rate
• i(t) = I(t)/N, s(t) = S(t)/N

  4. Modeling network worms [figure] courtesy Paxson, Staniford, Weaver

  5. Epidemiological model deficiencies
• White, one of the authors of the epidemiological paper, mentioned the puzzle that the model cannot explain the slowness of worm spread in a global network

  6. Epidemiological model deficiencies…
• The model assumes "zero" infection time, which is unrealistic
• Even in experiments on practical deployment, they assume a topology but then assume "zero" latency on all network links
• Does not model the simultaneous reduction in the number of vulnerable hosts by patching

  7. Unrealistic assumptions lead to…
• … fascinating negative results
• Example 1: even when the top 100 ISPs deploy containment strategies, they still cannot prevent a worm spreading at 100 probes/sec from infecting 18% of the Internet
• and this holds no matter what the reaction time of the containment system is

  8. Analytical Active Worm Propagation Model (AAWP)

  9. AAWP…
• Assume you know the outcome of infection within one time tick
• At time tick i, n_i machines are infected and m_i is the total number of vulnerable machines
• Probability that a single scan hits a vulnerable, not-yet-infected machine: (m_i − n_i)/2^32
• Total number of scans at tick i: s·n_i (s = scan rate per infected machine)
• Given a death rate d and a patching rate p:
• The total number of vulnerable machines is reduced to (1 − p)·m_i
• The number of infected machines is reduced by p·n_i + d·n_i

  10. AAWP…

  11. Effect of various parameters on worm spread
• 1. Hitlist size
• 2. Patching rate
• 3. Time to complete infection
(All cases are for 1,000,000 vulnerable machines, a scanning rate of 100 scans/second, and a death rate of 0.001/second.)

  12. AAWP versus Epidemiological
• The epidemiological model is continuous-time, while AAWP is discrete-time
• The epidemiological model is less accurate because in it a host can start infecting others even before it is completely infected

  13. AAWP versus Epidemiological…
• The epidemiological model does not consider the reduction in the number of machines by either patching or death
• The epidemiological model assumes the time to infect a new host is "zero", which fails to model:
• Network congestion delays
• The size of the worm's copy
• The distance between source and destination
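
Slides 3 and 9 to 13 describe the two models only in words. The Python below is an added example, not code from either Infocom 2003 paper: it implements the classic SI logistic curve and the AAWP recurrence side by side so the comparison can actually be run. The AAWP step is assembled from the quantities slide 9 lists (m_i, n_i, scan rate s, patching rate p, death rate d, a 2^32 address space); writing the expected number of new infections in a tick as (m_i − n_i)·[1 − (1 − 1/2^32)^(s·n_i)] is this example's reading of that slide. The parameters follow slide 11 (1,000,000 vulnerable machines, 100 scans/s, death rate 0.001/s); the patching rate of 0.0001/s used for contrast is an arbitrary choice.

```python
"""Worm propagation: the discrete AAWP recurrence next to the continuous SI epidemic.

Added example; not code from either Infocom 2003 paper. The AAWP update below is
this example's reading of the quantities listed on slide 9.
"""
import math

ADDRESS_SPACE = 2 ** 32
LOG_MISS = math.log1p(-1.0 / ADDRESS_SPACE)   # log(1 - 1/2^32), for a numerically stable power


def aawp_step(n, m, s, p, d):
    """One tick: n infected, m vulnerable, s scans per infected host per tick,
    p patching rate, d death rate (both per tick). Returns (n_next, m_next)."""
    scans = s * n
    # P(a given not-yet-infected vulnerable host is hit by at least one of the s*n scans)
    p_hit = 1.0 - math.exp(scans * LOG_MISS)
    new_infections = (m - n) * p_hit
    n_next = n + new_infections - (p + d) * n   # patched or crashed infected hosts leave
    m_next = (1.0 - p) * m                       # patching shrinks the vulnerable pool
    return n_next, m_next


def simulate_aawp(n0, m0, s, p, d, ticks):
    """Run the recurrence from a hitlist of n0 already-infected hosts; list of (n_i, m_i)."""
    n, m = float(n0), float(m0)
    history = [(n, m)]
    for _ in range(ticks):
        n, m = aawp_step(n, m, s, p, d)
        history.append((n, m))
    return history


def ticks_to_fraction(history, m0, frac):
    """First tick at which infected hosts reach frac * m0, or None if never within the run."""
    for i, (n, _) in enumerate(history):
        if n >= frac * m0:
            return i
    return None


# --- Classic SI model (slide 3): i(t) = e^{beta (t - T)} / (1 + e^{beta (t - T)}) ---

def si_fraction(t, beta, T):
    """Infected fraction at time t in the SI model; T is the time at which i = 1/2."""
    return 1.0 / (1.0 + math.exp(-beta * (t - T)))


def si_time_to_fraction(frac, beta, T):
    """Invert the logistic: time at which the infected fraction equals frac."""
    return T + math.log(frac / (1.0 - frac)) / beta


def si_half_time(n0, N, beta):
    """Choose T so that i(0) = n0/N, i.e. the epidemic starts with n0 infected hosts."""
    return math.log((N - n0) / n0) / beta


if __name__ == "__main__":
    # Slide 11's setting: 1,000,000 vulnerable machines, 100 scans/s, death rate 0.001/s.
    M0, S, D = 1_000_000, 100, 0.001
    for hitlist in (1, 10_000):
        hist = simulate_aawp(hitlist, M0, S, 0.0, D, ticks=3000)
        print(f"hitlist={hitlist:>6}: 90% infected after {ticks_to_fraction(hist, M0, 0.9)} s")
    for p in (0.0, 0.0001):                # 0.0001/s is an arbitrary patching rate for contrast
        hist = simulate_aawp(1, M0, S, p, D, ticks=3000)
        print(f"patching={p}: peak infected {max(n for n, _ in hist):,.0f}")
    beta = S * M0 / ADDRESS_SPACE          # SI contact rate implied by the same scan rate
    T = si_half_time(1, M0, beta)
    print(f"SI model (no death, no patching): 90% at {si_time_to_fraction(0.9, beta, T):.0f} s")
```

Running it turns slides 12 and 13 into numbers: with the same scan rate the SI curve reaches 90% earlier than AAWP, because AAWP removes hosts through d and p and because its discrete step does not let a host infect others in the tick in which it is itself infected. A larger hitlist shortens the time to 90% and any nonzero patching rate lowers the peak.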

  14. Advantages of AAWP over Epidemiological model

  15. AAWP explains…
• The lower prevalence of worms on the Internet
• It is optimistic in the sense that worms can still be controlled

  16. AAWP's containment strategy
• Deploy sensors in certain networks that monitor TCP SYN probes to port 80 addressed to IP addresses in those networks
• For a CodeRed-like worm with hitlist size 1:
• Monitor 2^24 addresses: reaction time = 2 min
• Monitor 2^18 addresses: reaction time = 1 hr
• Monitor 2^16 addresses: reaction time = 2 hr

  17. Conclusions…
• The Internet Quarantine paper concludes:
• Fast reaction time is required, on the order of minutes
• Wide-spread deployment of containment tools: nearly all ASes must deploy content filtering
• Content filtering is more effective than address blacklisting
• The AAWP paper concludes:
• Obtain a secret (unadvertised) /24 network and deploy a sensor tool such as LaBrea to monitor the traffic into it

  18. Worms using local subnet addresses spread faster than those using random addresses
• The AAWP paper differs on this point

  19. Highly virulent worms
• Warhol worm: a combination of permutation and hitlist scanning

  20. New infection strategies: how do worms spread?
• Random scanning, i.e. the worm sends probes to randomly chosen addresses to find hosts with an open port that will accept a connection
The infection rate of the worm can be increased in one of the following ways:
• Increase the scan rate
• Optimized scanning routines: instead of random scanning, use one of the following algorithms:
• Localized scanning
• Hitlist scanning
• Permutation scanning
• Topological scanning

  21. New infection strategies…
• Localized scanning (Code Red II): preferentially scan targets that reside on the same subnet. Code Red II used this technique; specifically:
• 1/8 of the time, the address used was completely random
• 1/2 of the time, the address used was in its own class A (/8) network
• 3/8 of the time, the address used was in its own /16 network
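
The Code Red II split above, implemented as an added example (this is not Code Red II's code) so that the locality can be checked empirically and its effect on a dark-address sensor such as the /24 of slide 17 can be computed exactly. The 1/8 : 1/2 : 3/8 probabilities come from the slide; the random source, the locality classifier and the sensor calculation are this example's own, and 10.20.30.40 and the two sensor prefixes are constructed inputs.

```python
"""Code Red II style localized scanning: choose the next target, then measure what a
sensor sees. Added example, not Code Red II's code; the split is from the slide.
"""
import ipaddress
import random
from collections import Counter

P_RANDOM, P_OWN_SLASH8, P_OWN_SLASH16 = 1 / 8, 1 / 2, 3 / 8


def pick_target(own_ip, rng=random):
    """Choose one probe target the way the slide describes Code Red II doing."""
    own = int(ipaddress.IPv4Address(own_ip))
    r = rng.random()
    if r < P_RANDOM:
        target = rng.getrandbits(32)                          # anywhere in IPv4 space
    elif r < P_RANDOM + P_OWN_SLASH8:
        target = (own & 0xFF000000) | rng.getrandbits(24)     # same first octet (own /8)
    else:
        target = (own & 0xFFFF0000) | rng.getrandbits(16)     # same first two octets (own /16)
    return str(ipaddress.IPv4Address(target))


def locality(own_ip, target_ip):
    """Classify a target relative to the scanner: 'slash16', 'slash8' or 'other'."""
    diff = int(ipaddress.IPv4Address(own_ip)) ^ int(ipaddress.IPv4Address(target_ip))
    if diff >> 16 == 0:
        return "slash16"
    if diff >> 24 == 0:
        return "slash8"
    return "other"


def locality_histogram(own_ip, probes, seed=1):
    """Fraction of probes landing in each locality class (empirical check of the split).
    The /8 and random branches occasionally land in the own /16 by chance, so 'slash16'
    comes out slightly above 3/8."""
    rng = random.Random(seed)
    counts = Counter(locality(own_ip, pick_target(own_ip, rng)) for _ in range(probes))
    return {k: counts[k] / probes for k in ("slash16", "slash8", "other")}


def sensor_hit_probability(own_ip, sensor_cidr):
    """Exact probability that one probe from own_ip lands inside the sensor's prefix.

    A dark /24 sensor in the same /16 as an infected host sees a localized scanner
    orders of magnitude more often than a sensor in a distant /8.
    """
    own = int(ipaddress.IPv4Address(own_ip))
    net = ipaddress.IPv4Network(sensor_cidr)
    lo_s, hi_s = int(net.network_address), int(net.broadcast_address) + 1

    def fraction_in_sensor(random_bits):
        # The scan block is own_ip with its low `random_bits` bits uniformly random.
        lo = own & ~((1 << random_bits) - 1)
        hi = lo + (1 << random_bits)
        overlap = max(0, min(hi, hi_s) - max(lo, lo_s))
        return overlap / (1 << random_bits)

    return (P_RANDOM * fraction_in_sensor(32)
            + P_OWN_SLASH8 * fraction_in_sensor(24)
            + P_OWN_SLASH16 * fraction_in_sensor(16))


if __name__ == "__main__":
    infected = "10.20.30.40"                                   # constructed scanner address
    print(locality_histogram(infected, 100_000))
    for sensor in ("10.20.99.0/24", "10.77.0.0/16", "192.0.2.0/24"):   # constructed sensors
        print(f"P(probe hits {sensor}) = {sensor_hit_probability(infected, sensor):.3e}")
```

The sensor figures explain why a single unadvertised /24 (the AAWP paper's suggestion on slide 17) is only a good detector for a localized scanner when it sits near infected hosts: a /24 in the scanner's own /16 is hit on roughly 1.5 probes in a thousand, a /24 in another /8 on fewer than one in a hundred million.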

  22. New infection strategies…
• Topological scanning (e.g. the Morris worm): the worm uses information found on the victim machine to select new targets
• The Morris Internet worm enumerated targets by examining local configuration files and active network connections on each compromised host
• E-mail worms use this technique
• Peer-to-peer systems are highly vulnerable to this kind of scanning

  23. New infection strategies…
• Hitlist scanning: before releasing the worm, its author collects a list of around 10,000–50,000 potentially vulnerable machines, ideally ones with very good network connectivity
• When released, the worm initially attacks these machines, so the initial infection is higher
• Techniques to generate a hitlist:
• Stealthy scans
• Distributed scanning
• Public surveys
• Just listen

  24. New infection strategies…
• Permutation scanning: all worm instances share a common pseudorandom permutation of the IP address space
• Any machine infected during the hitlist phase starts scanning after its own point in the permutation, looking for vulnerable machines
• Permutation scanning ensures that the same addresses are not probed multiple times

  25. Worms seen in the past
• Morris worm: topological scanning
• Code Red I: random scanning
• Code Red II: localized scanning
• Slammer/Sapphire worm: random scanning
