CCIED Epidemiology: Real & Potential Threats
Overview by Vern Paxson, Feb. 15, 2006
Analyzing the Lay of the Land
• Empirical studies
  • Worms: Slammer, Witty
  • Viruses: Nyxem, Sober (future)
  • Background radiation
  • Internet “situational awareness”
• Analytic studies
  • Earlier: top-speed, worst-case, (scaledown)
  • Recent: self-stopping
Network Telescopes
• An infected host scans for other vulnerable hosts by randomly generating IP addresses
• Network Telescope: monitor a large range of unused IP addresses - it will receive scans from infected hosts
• Very scalable. CCIED monitors 17M+ addresses (/8 + /14 + /16s …)
• Courtesy CAIDA, ESnet, LBNL, ARIN & anonymous donors
Slammer Ushers in a Number of Firsts
• Exploits a UDP service; the entire worm fits in a single packet
• When scanning, the worm can “fire and forget”
• Worm infects 75,000+ hosts in 10 minutes (despite a broken random number generator)
• Kills the notion of response on human time-scales
• Progress limited by the Internet’s carrying capacity
• Genesis of the CCIED collaboration, leading to the above findings
• Empirical data feeds the subsequent “scaledown” analysis
CCIED Forensic Analysis of Witty
• Worm unleashed the day after the flaw was announced
• Single UDP packet - stateless spreading
• Exploited a flaw in the passive analysis of Internet Security Systems products
• Payload: slowly corrupt random disk blocks
• /8 telescope data gives ~4 / 1,000 pkts (a /8 is 1/256 of the address space, so it sees roughly 4 of every 1,000 random-destination packets a host sends)
Exploiting Witty’s Structure
• Worm’s code:
  • Seed the random number generator with the time-of-day
  • Send 20,000 copies to random destinations
  • Pick a random disk to trash
  • Repeat, reseeding if the disk-trash succeeded
• Key insight: random bits in headers + use of a known PRNG ⇒ random-number state recoverable
• Keys to the Kingdom
  • (especially with some computational geometry)
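The key insight above in working form, as an added example (constructed here, not CCIED's code). It assumes a scanner that draws the destination IP's two halves and the destination port from the upper 16 bits of a 32-bit LCG with the Microsoft C runtime rand() constants (the slide says only "known PRNG"); a defender who captures one probe at a telescope can then recover the generator state and list every other destination that host scanned, including those the telescope never saw.

```python
"""PRNG-state recovery in the spirit of the CCIED Witty analysis.
Added, constructed example, not CCIED's code. Assumed scanner model: each
probe draws three outputs (the upper 16 bits of a 32-bit LCG state) for the
destination IP's two halves and the destination port, so one captured probe
reveals 48 bits from three consecutive outputs."""
MOD = 1 << 32
A, C = 214013, 2531011    # Microsoft C runtime rand() constants (assumption)


def lcg_next(state):
    return (state * A + C) % MOD


def scan_batch(state, n):
    """Simulate n probes; return (state afterwards, [(dest_ip, dest_port)])."""
    probes = []
    for _ in range(n):
        state = lcg_next(state)
        hi = state >> 16
        state = lcg_next(state)
        lo = state >> 16
        state = lcg_next(state)
        port = state >> 16
        probes.append(((hi << 16) | lo, port))
    return state, probes


def recover_state(dest_ip, dest_port):
    """Generator states (after the captured probe) consistent with its
    headers. Only the low 16 bits of the first state are unknown, so the
    search is 65,536 guesses, each checked against the next two outputs."""
    hi, lo = dest_ip >> 16, dest_ip & 0xFFFF
    found = []
    for low_bits in range(1 << 16):
        s2 = lcg_next((hi << 16) | low_bits)
        if s2 >> 16 != lo:
            continue
        s3 = lcg_next(s2)
        if s3 >> 16 == dest_port:
            found.append(s3)
    return found


def reconstruct_rest(dest_ip, dest_port, remaining):
    """Replay every probe the infected host sent after the captured one,
    including all those that fell outside the telescope."""
    (state,) = recover_state(dest_ip, dest_port)   # expect exactly one
    return scan_batch(state, remaining)[1]
```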
[Figure: Precise Bandwidth Estimation vs. Rates Measured by Telescope]
[Figure: Infector/Infectee Signature - Infection Attempts That Were Too Early, Too Late, or Just Right]
[Figure: Time When Infectees Seen At Telescope. Annotations: doubly-scanned infectees infected faster; unscanned infectees still get infected! In fact, some are infected extremely quickly!]
Ferreting Out the Witty Perpetrator
• Very strong evidence Witty targeted a US military base
• If the attacker knew of the ISS security software installation at the military site ⇒ ISS insider (or ex-insider)
• Fits with the very rapid development of the worm
• Analysis also leads to Patient Zero - the machine the attacker used to launch Witty
  • (Really, Patient Negative One)
  • European retail ISP
• Communicated to law enforcement
Preliminary Virus Analysis: Nyxem
• Destructive email worm (aka Kama Sutra, Blackworm, etc.)
• Includes a “phone home” to a hardwired URL
• In principle, monitor its evolution via the URL’s access logs
• Except:
  • Incidental viewing
  • Rubberneckers
  • DOS attacks by vigilantes
  • And the usual aliasing problems due to DHCP, NAT
Reducing the Nyxem Logs
• Remove:
  • Repetitive access with fixed headers: DOS floods (90+%)
  • Access to incorrect pages (0.2%)
  • Of the remainder, those with a Referrer header (9%)
  • Access from uninfectible sources (0.03%)
• Bracket the infection estimate
  • Low: distinct browser types per IP
  • High: different probes per IP
• Bottom line, Jan. 15 - Feb. 1:
  • 469,507 - 946,835 infected hosts (likely upper end)
  • (with 45,401+ also infected by Spyware etc. per browser ID)
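The log reduction above as an added, runnable example over constructed records (not CCIED's code or data). The phone-home path, the flood threshold, judging "uninfectible" by a non-Windows User-Agent, and counting a probe as a distinct (browser, minute) pair per IP are all assumptions made here.

```python
"""Reducing phone-home access logs to an infection bracket, following
the Nyxem slide. Added, constructed example, not CCIED's code.
Record = (src_ip, path, user_agent, referrer, minute)."""
from collections import Counter, defaultdict

PHONE_HOME = "/counter.php"   # assumed phone-home path
FLOOD_MIN = 50                # assumed: >= 50 identical requests = DOS flood


def reduce_logs(records):
    """Apply the slide's four removal steps; return (kept, removed counts)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[0]].append(rec)
    removed, kept = Counter(), []
    for reqs in by_ip.values():
        if len(reqs) >= FLOOD_MIN and len({(r[2], r[3]) for r in reqs}) == 1:
            removed["dos_flood"] += len(reqs)   # repetitive, fixed headers
            continue
        for ip, path, ua, ref, minute in reqs:
            if path != PHONE_HOME:
                removed["wrong_page"] += 1
            elif ref:
                removed["has_referrer"] += 1    # a browser following a link
            elif "Windows" not in ua:           # assumption: Windows-only worm
                removed["uninfectible"] += 1
            else:
                kept.append((ip, path, ua, ref, minute))
    return kept, removed


def bracket(kept):
    """Low: distinct browser types per IP; high: distinct probes per IP."""
    uas, probes = defaultdict(set), defaultdict(set)
    for ip, _, ua, _, minute in kept:
        uas[ip].add(ua)
        probes[ip].add((ua, minute))
    return (sum(len(s) for s in uas.values()),
            sum(len(s) for s in probes.values()))


# constructed sample: a NAT with two browsers, a flood, a rubbernecker,
# a hit on the wrong page, a Mac, and one plain infected host
WIN = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
WIN98 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
MAC = "Mozilla/5.0 (Macintosh; PPC Mac OS X)"
SAMPLE = ([("10.0.0.1", PHONE_HOME, WIN, "", m) for m in range(3)]
          + [("10.0.0.1", PHONE_HOME, WIN98, "", 1)]
          + [("10.0.0.2", PHONE_HOME, WIN, "", 7)] * FLOOD_MIN
          + [("10.0.0.3", PHONE_HOME, WIN, "http://news.example/", 4)]
          + [("10.0.0.4", "/index.html", WIN, "", 5)]
          + [("10.0.0.5", PHONE_HOME, MAC, "", 6)]
          + [("10.0.0.6", PHONE_HOME, WIN, "", 8)])
```

On the sample, `reduce_logs(SAMPLE)` drops the 50-request flood, the referred hit, the wrong page and the Mac, leaving five records that `bracket` turns into a low estimate of 3 hosts and a high estimate of 5.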
A Different Sort of Spreading
• Geography differs from
  • Internet density
  • Random-scanning worms
• E.g., South America late to the game; Middle East overrepresented
• Ahead of the US in infections:
  • India (32%), Peru (19%), Italy (8%), Turkey (6%)
  • (US, 5.6%; Egypt, 2.6%)
• Another potential opportunity: Sober
  • A major variant accesses a list of DNS servers for well-known domains
  • One of these: nsx.lbl.gov
The Problem of Internet Background Radiation
• Network telescopes see an incessant stream of traffic
  • Probing from random-scanning worms
  • Probing from botnets looking for fodder
  • Misconfigurations
• Basic Question #1: How do we ignore this to find interesting new stuff?
• Basic Question #0: What is this stuff, anyway?
• Analyzed using lightweight honeyd responders
[Figure: Hourly Background Radiation Seen at a 2,560-address Telescope]
Internet “Situational Awareness”
• Back to Question #1: How do we tell when the telescope sees something new … and interesting?
• Idea:
  • Characterize “background radiation” in abstract terms
  • Remove any matches, consider the remainder “new” …
  • … except first run for a few months to converge on the full set of abstractions
Internet “Situational Awareness”, cont’d
• This doesn’t work.
  • There is constant churn in what arrives that’s new
  • Though often with very minor variations
  • In principle removable, but we need better meta-abstractions for doing so
• Basic question #2: What can we say about an “event” seen by the honeynet?
  • Is it a worm, a botnet, a misconfiguration?
  • If a botnet, could it be more than one? Is the scanning coordinated? How large a region is the scan targeting?
Internet “Situational Awareness”, cont’d
• It doesn’t work ... yet.
  • Significant noise problems
  • Significant modalities & variations
  • Calibration difficulties
• Need more powerful abstractions
  • Collapse down what’s considered “different”
• Need a “toolbox” of statistical perspectives
  • E.g., arrival rates, IP ID / ephemeral port profiles, correlations in addresses, deviations from independence …
Epidemiology: Possible Evolution
• How fast could a worm spread?
  • “Detonator” design: compute a hit-list of the entire vulnerable population, propagate via divide & conquer.
  • With careful design, 10^6 hosts in < 2 sec!
• Defensible worst-case damage (to the US economy)?
  • Depending on attacker resources, up to 50M desktops
  • … And then? Just wiping the disk: ≥ $50B damage
Self-Stopping Worms
• How readily can a worm locally determine that it has achieved x% infection of the vulnerable population?
• If doable, then trouble: the worm spreads and then goes completely quiet …
• Clearly doable with enough communication & coordination
  • But how simply/cheaply?
  • And with no a priori knowledge of the vulnerable population??
Dynamic Estimation
• Size of the vulnerable population: N
• Infected count over time: I(t)
• Worm has an oracle
  • Know N and I (stop when I(t)/N reaches the goal)
• Increasingly practical
  • Know N (locally estimate I(t) knowing N)
  • Sum-Count (locally estimate N)
  • Sum-Count-X (collaborate to estimate N)
[Figure: Know-NI - perfect knowledge lets worms stop on a dime]
[Figure: Estimating I(t) from N - only knowing N, worms can still stop quickly]
[Figure: Sum-Count - more than 2x longer to stop… local sampling alone is insufficient]
[Figure: Sum-Count-X - similar result without perfect knowledge!]