
Defending against Hitlist Worms using NASR


Presentation Transcript


  1. Defending against Hitlist Worms using NASR Khanh Nguyen

  2. Introduction • Worms spread fast. • Code Red and Slammer: thousands of computers in less than half an hour. • Sapphire: 70,000 computers in 15 minutes. • Research studies estimate: 1 million hosts in under 2 seconds (hitlist worm).

  3. Hitlist Worm Characteristics • Determines a large vulnerable population before it starts spreading. • How does determining the vulnerable machines before the attack make a difference?

  4. Defending against Worms • Monitor the “dark space” or inactive ports • Does not work against hitlist worms • Network Address Space Randomization (NASR): causes some hitlist addresses to be stale at the time of attack

  5. NASR Issues • Size of the routing table, number of routing updates, and the frequency of recomputing routes • Requires global coordination • Easier to implement in local regions

  6. Implementation • Modification to a DHCP server (iprand-interval) • Implemented an advanced randomization-enabled DHCP server based on the standard open-source one. • Provides: activity monitoring and service fingerprinting

  7. Activity Monitoring & Service Fingerprinting • Activity Monitoring: • Keeps track of open connections and tries to avoid forcing an address change • Only considers long-lived TCP connections (e.g. FTP) • Service Fingerprinting: • Attempts to identify what services are running on each host (e.g. a TCP connection on port 80 suggests a Web server)
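The two mechanisms on slides 6 and 7 can be sketched as a small model of a randomization-enabled DHCP server. This is an added example written for this page, not the modified DHCP server the presentation describes; the lease pool, the `Host` record, the 60-second threshold for "long-lived" and the port-to-service table are assumptions made for the demonstration.

```python
"""Toy NASR-enabled DHCP server: periodic address randomization with
activity monitoring (skip hosts with long-lived TCP connections) and
simple service fingerprinting. Added example, not the paper's code."""
import random
from dataclasses import dataclass, field
from typing import Optional

LONG_LIVED_SECS = 60.0      # assumption: a connection older than this is protected
IPRAND_INTERVAL = 300.0     # assumption: default randomization interval in seconds
KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "web", 443: "web"}  # assumed table


@dataclass
class Host:
    mac: str
    connections: list = field(default_factory=list)  # (dst_port, age_seconds) per open TCP flow
    addr: Optional[str] = None
    lease_start: float = 0.0


def has_long_lived_connection(host: Host) -> bool:
    """Activity monitoring: is any open TCP connection long-lived (e.g. an FTP transfer)?"""
    return any(age >= LONG_LIVED_SECS for _port, age in host.connections)


def fingerprint_services(host: Host) -> set:
    """Service fingerprinting: infer services from the well-known ports a host talks on."""
    return {KNOWN_PORTS[p] for p, _age in host.connections if p in KNOWN_PORTS}


class NasrDhcpServer:
    def __init__(self, pool, interval=IPRAND_INTERVAL, seed=0):
        self.free = list(pool)            # addresses not currently leased
        self.interval = interval
        self.rng = random.Random(seed)
        self.hosts = {}                   # mac -> Host

    def assign(self, host: Host, now: float):
        """Lease a random free address to `host`, returning its old address to the pool."""
        if not self.free:
            return host.addr              # no unused address to move into; keep the current one
        new = self.rng.choice(self.free)
        self.free.remove(new)
        if host.addr is not None:
            self.free.append(host.addr)
        host.addr, host.lease_start = new, now
        self.hosts[host.mac] = host
        return new

    def tick(self, now: float):
        """Re-randomize every host whose interval has elapsed, unless activity
        monitoring says it is busy. Returns a list of (mac, old_addr, new_addr)."""
        changes = []
        for host in self.hosts.values():
            if now - host.lease_start < self.interval or has_long_lived_connection(host):
                continue
            old = host.addr
            new = self.assign(host, now)
            if new != old:
                changes.append((host.mac, old, new))
        return changes


def demo():
    # Constructed scenario: a ten-address pool, one web client with short flows
    # and one host in the middle of a 15-minute FTP transfer.
    pool = [f"10.0.0.{i}" for i in range(2, 12)]
    srv = NasrDhcpServer(pool, interval=300.0, seed=7)
    web = Host("aa:bb:cc:00:00:01", connections=[(80, 5.0), (443, 12.0)])
    ftp = Host("aa:bb:cc:00:00:02", connections=[(21, 900.0)])
    web_first = srv.assign(web, now=0.0)
    ftp_first = srv.assign(ftp, now=0.0)
    changes = srv.tick(now=301.0)        # the randomization interval has elapsed for both
    return {
        "changed": [mac for mac, _old, _new in changes],
        "web": (web_first, web.addr),
        "ftp": (ftp_first, ftp.addr),
        "web_services": fingerprint_services(web),
        "ftp_services": fingerprint_services(ftp),
        "free_count": len(srv.free),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run the web client is moved to a new address while the FTP host keeps its lease because its transfer counts as a long-lived connection; the pool size stays constant because every move returns the old address.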

  8. Measurements • Hitlist construction • Speed at which addresses change (without any form of randomization) • How the address space is allocated and utilized

  9. Hitlist Construction • Random scanning: • using ICMP ECHO messages. • Generated 20,000 addresses. • Probed the hitlist once every hour

  10. Hitlist Construction cont. • Passive P2P snooping: • Gathered 200K IP addresses • Probed each with ICMP ECHO

  11. Hitlist Construction cont. • Search-engine harvesting: • Searching for “the” returned millions of results. • Only 612 unique live hosts • An attacker could use a random keyword generator

  12. Subnet Address Space Utilization • The feasibility and effectiveness of network address space randomization depend on how many unused addresses there are in a NASR-enabled subnet. • Subnet utilization level
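The dependence on unused addresses can be made concrete with a Monte Carlo model of one NASR-enabled subnet. This is an added example, not a measurement from the paper; the model's assumptions are mine: hosts move only into currently free addresses, each host re-randomizes every `interval` seconds with a random phase offset, the worm records the vulnerable hosts' addresses at t=0 and fires at t=`delay`, and a hitlist entry "survives" if the address it names is still occupied by a vulnerable host.

```python
"""Monte Carlo estimate of the fraction of hitlist entries that still point at a
vulnerable host after NASR has run for `delay` seconds. Added example with
constructed parameters, not a result from the presentation."""
import random


def simulate(n_addrs, n_hosts, n_vuln, interval, delay, trials=100, seed=1):
    """Return the surviving fraction of hitlist entries, averaged over `trials`."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        addrs = rng.sample(range(n_addrs), n_hosts)        # host h -> its address
        used = set(addrs)
        free = [a for a in range(n_addrs) if a not in used]  # unused addresses in the subnet
        vulnerable = set(range(n_vuln))                    # hosts 0..n_vuln-1 are vulnerable
        hitlist = [addrs[h] for h in vulnerable]           # what the worm learned at t=0
        # Each host re-randomizes at phase, phase+interval, ... up to the attack time.
        events = []
        for h in range(n_hosts):
            t = rng.uniform(0, interval)
            while t <= delay:
                events.append((t, h))
                t += interval
        events.sort()
        for _t, h in events:
            if not free:
                break                                      # fully utilized: nowhere to move
            i = rng.randrange(len(free))
            free[i], addrs[h] = addrs[h], free[i]          # swap into a free address
        occupant = {a: h for h, a in enumerate(addrs)}
        hits += sum(1 for a in hitlist if occupant.get(a) in vulnerable)
    return hits / (trials * n_vuln)


def utilization_sweep(n_addrs=256, n_vuln=16, interval=300.0, delay=600.0):
    """Surviving hitlist fraction as the subnet fills up (constructed parameters)."""
    results = []
    for n_hosts in (32, 64, 128, 192, 256):
        frac = simulate(n_addrs, n_hosts, n_vuln, interval, delay)
        results.append((n_hosts / n_addrs, frac))
    return results


if __name__ == "__main__":
    for util, frac in utilization_sweep():
        print(f"utilization {util:4.0%}: {frac:5.1%} of hitlist entries still hit a vulnerable host")
```

With no free addresses (100% utilization) nothing can move and every hitlist entry survives, which is the slide's point; as utilization drops, most entries go stale once at least one randomization interval has passed, and a hitlist worm is reduced to probing addresses much like a scanning worm.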

  13. Result

  14. Conclusion • Limited on a global scale • Effective at the subnet level • Slows down hitlist worms and forces them to exhibit scan-like behavior • It is neither a detection mechanism nor an end-system enhancement, which makes it easy to deploy.
