Active Worm
CSE551: Introduction to Information Security
CSE551 Handout on DDoS and Worm
Worm vs. Virus
• Worm
  • A program that propagates itself over a network, reproducing itself as it goes
• Virus
  • A program that searches out other programs and infects them by embedding a copy of itself in them
Active Worm vs. [D]DoS
• Propagation method
• Goal: congestion, resource appropriation
• Rate of distribution
• Scope of infection
Historical Analysis
• Morris Worm (1988, http://www.worm.net/worm-src/worm-src.html)
• Code Red v.2 (2001, nearly 8 infections/sec.)
• Nimda (2001, NetBIOS, UDP)
• SQL Slammer (2003, UDP)
Recent Worms
• July 13, 2001, Code Red V1
• July 19, 2001, Code Red V2
• Aug. 04, 2001, Code Red II
• Sep. 18, 2001, Nimda
• … …
• … …
• Jan. 25, 2003, SQL Slammer
• More recent
  • SoBig.F, MSBlast … …
How an Active Worm Spreads
• Autonomous
• No need of human interaction
[Figure: infected machine → scan/probe → transfer copy → newly infected machine]
Scanning Strategy
• Random scanning
  • Probes random addresses in the IP address space (CRv2)
• Hitlist scanning
  • Probes addresses from an externally supplied list
• Topological scanning
  • Uses information on the compromised host (Email worms)
• Local subnet scanning
  • Preferentially scans targets that reside on the same subnet (Code Red II & Nimda worm)
Techniques for Exploiting Vulnerability
• fingerd (buffer overflow)
• sendmail (bug in the “debug mode”)
• rsh/rexec (guess weak passwords)
Active Worm Defense
• Modeling
• Infection Mitigation
Worm Behavior Modeling
• Propagation model mirrors an epidemic:
  • V is the total number of vulnerable nodes
  • N is the size of the address space
  • i(t) is the fraction of infected nodes among V at time t
  • r is the scanning speed of an infected node
Infection Mitigation
• Patching
• Filtering/intrusion detection (signature based)
• TCP/IP stack reimplementation, bound connection requests
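The epidemic model sketched on the modeling slide, written out as a small simulation. This is an added example, not part of the handout. The handout names the symbols V, N, i(t) and r but does not give the equation; the logistic form di/dt = r * (V/N) * i * (1 - i), the standard simple-epidemic model for a random-scanning worm, is assumed here, as are the sample parameter values (V = 360,000, r = 6 scans/s, one initial infection), which are constructed to be roughly Code-Red-scale rather than taken from the slides. The closing loop ties in the mitigation slide's "bound connection requests": because time-to-fraction scales with 1/r, halving the per-host scan rate doubles the time the worm needs to reach any given infected fraction.

```python
"""
Simple epidemic model of worm spread, using the handout's symbols:
  V    total number of vulnerable hosts
  N    size of the address space being scanned (2**32 for IPv4)
  i(t) fraction of the V vulnerable hosts infected at time t
  r    scan rate (probes/second) of one infected host

Assumed (standard logistic) form, not stated on the slide: a random probe
lands on a still-vulnerable host with probability (V/N) * (1 - i), so
    di/dt = r * (V/N) * i * (1 - i)
"""
import math

IPV4_SPACE = 2 ** 32


def infection_rate(i, V, N, r):
    """Instantaneous growth di/dt of the infected fraction at fraction i."""
    return r * (V / N) * i * (1.0 - i)


def simulate(V, N, r, i0, dt=1.0, stop_at=0.99):
    """Euler-integrate the model from fraction i0 until stop_at is reached.

    Returns a list of (t, i) samples, one per time step of dt seconds.
    """
    t, i = 0.0, i0
    trace = [(t, i)]
    while i < stop_at:
        i += infection_rate(i, V, N, r) * dt
        t += dt
        trace.append((t, min(i, 1.0)))
    return trace


def analytic_fraction(t, V, N, r, i0):
    """Closed-form solution of the logistic equation above."""
    K = r * V / N
    return 1.0 / (1.0 + (1.0 - i0) / i0 * math.exp(-K * t))


def time_to_fraction(target, V, N, r, i0):
    """Seconds until the infected fraction reaches `target` (closed form).

    The result is proportional to 1/r: any mitigation that bounds the
    per-host scan rate stretches the whole outbreak by the same factor.
    """
    K = r * V / N
    return math.log((1.0 - i0) / i0 * target / (1.0 - target)) / K


if __name__ == "__main__":
    V, r = 360_000, 6.0      # constructed Code-Red-scale values, not from the handout
    i0 = 1.0 / V             # a single initially infected host
    for rate in (r, r / 2):  # r/2: e.g. outbound connection attempts bounded on each host
        hours = time_to_fraction(0.9, V, IPV4_SPACE, rate, i0) / 3600
        print(f"r={rate:4.1f} scans/s: 90% of V infected after {hours:5.1f} h")
```

With the constructed parameters the model reaches 90% of the vulnerable population in roughly eight hours, in line with the summary slide's "359,000 hosts in < 14 hours"; the random-scanning assumption is what makes the early phase exponential, so hitlist or local-subnet scanning would need a different rate term.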
Summary
• Worms can spread quickly:
  • 359,000 hosts in < 14 hours
  • Home / small business hosts play a significant role in global internet health
    • No system administrator: slow response
  • Can’t estimate infected machines by # of unique IP addresses
    • DHCP effect appears to be real and significant
• Active Worm Defense
  • Modeling
  • Infection Mitigation