Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et al. University of California, San Diego
Internet Quarantine: Requirements for Containing Self-Propagating Code Aleksandar Kuzmanovic Rice University, COMP 629
Outline • Background on worms, especially Code-Red • Prevention, treatment and containment of worms • SI epidemic model and Code Red propagation model • Simulations of Code Red propagation and containment system deployment • Conclusion
Background: what is a worm? • A worm is self-replicating software designed to spread through the network. • Worm vs. virus and Trojan horse: • A virus or Trojan horse relies on human intervention to spread. • A worm is autonomous.
Background: Code-Red v1 • Outbreak: June 18, 2001 • How it works: • Buffer overflow exploit against the Microsoft IIS web server. • Upon infecting a machine, randomly generate a list of IP addresses. • Probe each address on the list. • Payload: DDoS attack against www1.whitehouse.gov. • Damage: little • Fixed random seed (so every infected host probed the same list of addresses).
Background: Code-Red v2 • Outbreak: July 19, 2001 • How it works: • Similar to Code-Red v1, but with a random seed. • Generates 11 probes per second. • Damage: severe • 359,000 machines were infected within 14 hours.
How to mitigate the threat of worms (1) • Three approaches • Prevention: • Reduce the size of the vulnerable population. • E.g. a single vulnerability in a popular software system can result in millions of vulnerable hosts. • E.g. Code Red attacked millions of MS IIS web servers.
How to mitigate the threat of worms (2) • Treatment: • E.g. virus scanner. • The time required to design, develop and test a fix for a security flaw is usually far too long compared with the speed at which the worm spreads. • Containment: • E.g. firewalls, filters. • Containment is used to protect individual networks and to isolate infected hosts.
SI Model (1) In this work, a vulnerable machine is called susceptible (S) and an infected machine is called infected (I). Let N be the number of vulnerable machines. Let S(t) be the number of susceptible hosts at time t, and s(t) = S(t)/N, where N = S(t) + I(t). Let I(t) be the number of infected hosts at time t, and i(t) = I(t)/N. Let be the contact rate of the worm. Define:
SI Model (2) Solving the differential equation: where T is a constant
Code Red Propagation Model (1) • Code Red generates IPv4 addresses at random, so there are 2^32 possible target addresses in total. • Let r be the probe rate of a Code Red worm. • Thus:
Code Red Propagation Model (2) • Two problems • Cannot model a preferential targeting algorithm. • E.g. selecting targets from address ranges closer to the infected host. • The rate only represents the average contact rate. • E.g. a particular epidemic may grow significantly more quickly by making a few lucky targeting decisions in the early phase.
Code Red Propagation Model (3) • Example: 100 simulations of the Code Red propagation model. After 4 hours the infected fraction is 55% on average, 80% at the 95th percentile and 25% at the 5th percentile.
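The following is an added example, not code from the slides or from the paper. It puts the SI model and the random-scanning propagation model of the previous slides into runnable form and then repeats the "100 simulations" experiment stochastically, which is where the spread between the 5th and 95th percentiles comes from. Assumptions (the slides' own formulas did not survive extraction): the contact rate is taken to be r * N / 2^32 (probe rate times the chance that a random IPv4 address belongs to a vulnerable host), the SI equation is di/dt = beta * i * (1 - i) with its logistic closed form, and new infections per simulation step are approximated by a Poisson draw. The parameter values 360,000 hosts and 10 probes/s are the ones quoted later on the slides; the percentages reported by this simulation will not match the slide's numbers exactly because the model is an approximation.

```python
import math
import random
from statistics import mean, quantiles

ADDRESS_SPACE = 2 ** 32   # Code Red picks IPv4 targets uniformly at random
N = 360_000               # vulnerable hosts (figure used on the slides)
PROBE_RATE = 10.0         # probes per second per infected host (figure used on the slides)


def contact_rate(probe_rate: float, vulnerable: int = N) -> float:
    """Contact rate of a random-scanning worm: probes per second times the
    probability that a random IPv4 address belongs to a vulnerable host.
    Assumed form r * N / 2^32 (the slides' own formula is not on the page)."""
    return probe_rate * vulnerable / ADDRESS_SPACE


def si_fraction(t: float, beta: float, i0: float) -> float:
    """Closed-form solution of the SI equation di/dt = beta * i * (1 - i)
    with i(0) = i0 (the logistic curve; t in seconds)."""
    return i0 / (i0 + (1.0 - i0) * math.exp(-beta * t))


def si_euler(t: float, beta: float, i0: float, dt: float = 1.0) -> float:
    """The same SI equation integrated numerically with forward Euler,
    as a check on the closed form."""
    i = i0
    for _ in range(int(t / dt)):
        i += beta * i * (1.0 - i) * dt
    return min(i, 1.0)


def half_infection_time(beta: float, i0: float) -> float:
    """Time (seconds) at which the logistic curve reaches i = 0.5."""
    return math.log((1.0 - i0) / i0) / beta


def poisson(lam: float, rng=random) -> int:
    """Poisson sample: Knuth's method for small means, a normal
    approximation for large ones (keeps the simulation fast)."""
    if lam > 50.0:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_once(hours: float, probe_rate: float = PROBE_RATE,
                  vulnerable: int = N, dt: float = 60.0, rng=random) -> float:
    """Stochastic random-scanning epidemic starting from one infected host.
    Every dt seconds each infected host emits probe_rate * dt probes; each
    probe hits a still-susceptible host with probability S / 2^32, so the
    number of new infections per step is approximately Poisson distributed.
    Returns the infected fraction i(t) after `hours`."""
    infected = 1
    for _ in range(int(hours * 3600 / dt)):
        susceptible = vulnerable - infected
        if susceptible <= 0:
            break
        expected_hits = infected * probe_rate * dt * susceptible / ADDRESS_SPACE
        infected += min(susceptible, poisson(expected_hits, rng))
    return infected / vulnerable


def simulate_many(runs: int = 100, hours: float = 4.0, seed: int = 1) -> dict:
    """Repeat the stochastic run and report the mean, 5th and 95th percentile
    of the infected fraction, the statistics quoted on the slide."""
    rng = random.Random(seed)
    results = [simulate_once(hours, rng=rng) for _ in range(runs)]
    q = quantiles(results, n=20)  # cut points at 5%, 10%, ..., 95%
    return {"mean": mean(results), "p5": q[0], "p95": q[-1]}


if __name__ == "__main__":
    beta = contact_rate(PROBE_RATE)
    print(f"beta = {beta:.3e} /s, deterministic time to 50%: "
          f"{half_infection_time(beta, 1 / N) / 3600:.2f} h")
    print("infected fraction after 4 h over 100 runs:", simulate_many())
```

The deterministic curve is the same for every run; the wide gap between the 5th and 95th percentiles comes entirely from the first few infections, whose timing is random (one host probing at 10/s waits on average about twenty minutes for its first hit). That is the "lucky targeting decisions in the early phase" effect named on the previous slide.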
Modeling Containment Systems (1) • A containment system has three important properties: • Reaction time: the time necessary for • detection of malicious activity, • propagation of the containment information to all hosts participating in the system, and • activating any containment strategy.
Modeling Containment Systems (2) • Containment strategy • Address blacklisting • Maintain a list of IP addresses that have been identified as infected. • Drop all packets from any address on the list. • E.g. mail filter. • Advantage: can be implemented easily with existing firewall technology.
Modeling Containment Systems (3) • Content filtering • Requires a database of content signatures known to represent particular worms. • This approach requires additional technology to automatically create appropriate content signatures. • Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation. • Deployment scenarios • Ideally, a global deployment is preferable. • Practically, a global deployment is impossible. • A realistic alternative is deployment at the borders of ISP networks.
Idealized Deployment (1) • Simulation goal • To find how short the reaction time must be to effectively contain a Code-Red style worm. • Simulation parameters: • 360,000 vulnerable hosts out of 2^32 addresses. • Probe rate of the worm: 10 per second. • Containment strategy implementation • Address blacklisting: send the IP addresses to all participating hosts. • Content filtering: send the signature of the worm to all participating hosts.
Idealized Deployment (2) • Result: content filtering is more effective. [Figure: number of susceptible hosts decreases; annotations "worm unchecked" and "2 hr 20 min"]
Idealized Deployment (3) • Next goal: • To find the relationship between containment effectiveness and worm aggressiveness. • Figures are in log-log scale.
Idealized Deployment (4) [Figure: percentage of infected hosts] Address blacklisting is hopeless against aggressive worms.
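The following is an added example, not code from the slides or from the paper. It models the idealized deployment of the last four slides deterministically: every host participates, the containment system starts its reaction clock at the first infection, and the two strategies differ only in what gets blocked once the reaction time has elapsed. Under content filtering all worm traffic stops at once; under address blacklisting each host is blocked only a reaction time after it became infected, so freshly infected hosts keep probing. A bisection then finds, for each probe rate, the longest reaction time that still keeps the final infection below 1%, which is the quantity the log-log figures relate to worm aggressiveness. Assumed, as on the previous example: contact rate r * N / 2^32, the SI equation, 360,000 vulnerable hosts, and the 1% containment target (the slides do not state the threshold used for their figures).

```python
ADDRESS_SPACE = 2 ** 32
N = 360_000        # vulnerable hosts (figure used on the slides)


def contact_rate(probe_rate: float, vulnerable: int = N) -> float:
    """Assumed SI contact rate of a random-scanning worm: r * N / 2^32."""
    return probe_rate * vulnerable / ADDRESS_SPACE


def contained_epidemic(strategy: str, probe_rate: float, reaction_time: float,
                       hours: float = 6.0, dt: float = 1.0, vulnerable: int = N) -> float:
    """Deterministic SI model plus an idealized (every host participates)
    containment system whose clock starts at the first infection (t = 0).

    'filter'    : after reaction_time the signature is everywhere and no probe
                  gets through, so i(t) is frozen at i(reaction_time).
    'blacklist' : a host infected at time u is blocked everywhere at
                  u + reaction_time; hosts infected during the last reaction_time
                  seconds are still probing, so the epidemic keeps growing as
                  long as the worm infects faster than addresses get blocked.
    Returns the infected fraction at the end of the horizon."""
    beta = contact_rate(probe_rate, vulnerable)
    delay = int(round(reaction_time / dt))
    history = [1.0 / vulnerable]        # i(t) sampled every dt seconds
    for step in range(int(hours * 3600 / dt)):
        i = history[-1]
        if strategy == "filter":
            active = i if step < delay else 0.0
        elif strategy == "blacklist":
            blocked = history[step - delay] if step >= delay else 0.0
            active = i - blocked          # hosts infected, not yet blacklisted
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        if active <= 1e-12:               # nothing left that can probe
            break
        history.append(min(1.0, i + beta * active * (1.0 - i) * dt))
    return history[-1]


def max_reaction_time(strategy: str, probe_rate: float, target: float = 0.01,
                      upper: float = 4 * 3600, iterations: int = 12) -> float:
    """Longest reaction time (seconds, resolved to about upper / 2^iterations)
    for which the final infected fraction stays at or below `target`.
    Relies on the final fraction being non-decreasing in the reaction time."""
    lo, hi = 0.0, upper
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if contained_epidemic(strategy, probe_rate, mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def sweep(probe_rates=(10, 100, 1000)) -> dict:
    """Reaction time required per strategy and probe rate; plotted on
    log-log axes this is the relationship the slides refer to."""
    return {(s, r): max_reaction_time(s, r)
            for s in ("filter", "blacklist") for r in probe_rates}


if __name__ == "__main__":
    for (strategy, rate), seconds in sorted(sweep().items()):
        print(f"{strategy:9s} {rate:5d} probes/s -> react within {seconds / 60:7.1f} min")
```

Two things the model makes visible: for content filtering the required reaction time falls by a factor of ten for every tenfold increase in probe rate (a straight line of slope -1 on log-log axes), and for blacklisting there is a hard threshold: once an infected host can infect more than one other host before its address is blocked, the epidemic grows no matter how the list is distributed, which is the "hopeless against aggressive worms" result on the slide.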
Practical Deployment (1) • Network model • AS sets in the Internet: • from the routing table of July 19, 2001, • the first day of the Code Red v2 outbreak. • Set of vulnerable hosts and ASes: • the hosts infected by Code Red v2 during the initial 24 hours of propagation, • a large and well-distributed set of vulnerable hosts: • 338,652 hosts distributed over 6,378 ASes.
Practical Deployment (2) • Deployment scenarios • Use content filtering only. • Filtering firewalls are deployed at the borders of both customer networks and ISP networks. [Figure: deployment of the containment strategy]
Practical Deployment (3) • Reaction time: 2 hrs. [Figure] The difference in performance is due to the difference in path coverage.
Practical Deployment (4) [Figure] The system fails to contain the worm.
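The following is an added example, not code from the slides or from the paper, illustrating the "path coverage" idea behind the practical-deployment results. It uses a small constructed AS topology (not the BGP-derived AS sets of the paper) with a constructed count of vulnerable hosts per AS, takes the shortest AS path as a stand-in for the BGP path, and counts an (infected host, vulnerable host) pair as protected when the probe would cross the border of an AS that runs a content filter. Pairs inside one AS never cross a border, so even a filter at every AS leaves them unprotected; pairs connected by a peering link that bypasses a filtering provider are unprotected as well. These are the holes through which a worm keeps spreading when deployment is partial.

```python
from collections import deque
from itertools import product

# Constructed toy AS topology (not the paper's data): AS 0 is a transit
# provider, 1-3 are regional ISPs, 4-6 are customer networks; 4 and 5 peer
# directly, bypassing the provider.
AS_LINKS = {
    0: [1, 2, 3],
    1: [0, 4],
    2: [0, 5],
    3: [0, 6],
    4: [1, 5],
    5: [2, 4],
    6: [3],
}
# Constructed number of vulnerable hosts per AS.
HOSTS = {0: 10, 1: 50, 2: 40, 3: 30, 4: 200, 5: 150, 6: 120}


def as_path(src: int, dst: int, links=AS_LINKS):
    """Shortest AS path found by BFS, standing in for the BGP path."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in links[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def path_covered(src: int, dst: int, filtering) -> bool:
    """A probe from src to dst is dropped if it crosses the border of any AS
    that filters (entering or leaving it). Traffic inside one AS crosses no
    border, so same-AS pairs are never covered by border filtering."""
    if src == dst:
        return False
    path = as_path(src, dst)
    return path is not None and any(asn in filtering for asn in path)


def coverage(filtering, hosts=HOSTS) -> float:
    """Fraction of (infected host, vulnerable host) pairs whose probes are
    filtered somewhere on the path, weighted by host counts."""
    total = covered = 0
    for src, dst in product(hosts, repeat=2):
        pairs = hosts[src] * hosts[dst]
        total += pairs
        if path_covered(src, dst, filtering):
            covered += pairs
    return covered / total


def unprotected_pairs(filtering, hosts=HOSTS):
    """AS pairs between which the worm can still spread unchecked."""
    return sorted((s, d) for s, d in product(hosts, repeat=2)
                  if not path_covered(s, d, filtering))


if __name__ == "__main__":
    for name, deployed in (("provider only", {0}),
                           ("provider + big customers", {0, 4, 5}),
                           ("every AS", set(HOSTS))):
        print(f"{name:26s} coverage {coverage(deployed):.1%}  "
              f"unprotected AS pairs: {len(unprotected_pairs(deployed))}")
```

The worm needs only one uncovered path between an infected and a susceptible host to keep going, so the number that matters for the outcome is the uncovered remainder, not the coverage percentage; that is why the slides require the containment system to cover all Internet paths.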
Conclusion • Explored the properties of a containment system: • reaction time, • containment strategy, • deployment scenario. • To contain a worm effectively: • automated and fast methods to detect and react to worm epidemics are required; • content filtering is the most preferable strategy; • the containment system must cover all Internet paths when deployed.