
CCIED Epidemiology: Real & Potential Threats

CCIED Epidemiology: Real & Potential Threats. Overview by Vern Paxson Feb. 15, 2006. Analyzing the Lay of the Land. Empirical studies Worms: Slammer, Witty Viruses: Nyxem, Sober (future) Background radiation Internet “situational awareness” Analytic studies


Presentation Transcript


  1. CCIED Epidemiology: Real & Potential Threats
     Overview by Vern Paxson, Feb. 15, 2006

  2. Analyzing the Lay of the Land
     • Empirical studies
       • Worms: Slammer, Witty
       • Viruses: Nyxem, Sober (future)
       • Background radiation
       • Internet “situational awareness”
     • Analytic studies
       • Earlier: top-speed, worst-case, (scaledown)
       • Recent: self-stopping

  3. Network Telescopes
     • Infected host scans for other vulnerable hosts by randomly generating IP addresses
     • Network Telescope: monitor large range of unused IP addresses – will receive scans from infected host
     • Very scalable. CCIED monitors 17M+ addresses (/8 + /14 + /16s …)
     • Courtesy CAIDA, ESnet, LBNL, ARIN & anonymous donors
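The sampling arithmetic behind a telescope, as an added example that is not from the talk: a uniformly random scanner lands in a /p block with probability 2^-p, so a /8 sees about 1/256 of each infected host's probes (the "~4 / 1,000 pkts" figure quoted later for the Witty data), and dividing the observed rate by that fraction recovers the source's total scan rate. The /8 + /14 + /16s mix and the simulation are constructed to check the numbers; nothing is sent on the network.

```python
"""Telescope scan-rate arithmetic (added example; not from the talk).

A uniformly random scanner hits every /32 with probability 2^-32, so a
telescope covering a /p block sees a fraction 2^(32-p) / 2^32 = 2^-p of
that source's probes: a /8 sees 1/256 (about 3.9 per 1,000).
"""
import random


def telescope_fraction(prefix_len: int) -> float:
    """Fraction of a uniform random scan landing inside one /prefix_len block."""
    return 2.0 ** (32 - prefix_len) / 2.0 ** 32


def combined_fraction(prefix_lens) -> float:
    """Fraction seen by several disjoint blocks, e.g. the /8 + /14 + /16s mix."""
    return sum(telescope_fraction(p) for p in prefix_lens)


def monitored_addresses(prefix_lens) -> int:
    """Number of addresses covered by the given disjoint blocks."""
    return sum(2 ** (32 - p) for p in prefix_lens)


def estimate_scan_rate(packets_seen: int, seconds: float, prefix_lens) -> float:
    """Invert the sampling fraction: observed rate / fraction = source's total probes/s.
    Assumes the source scans uniformly at random, as the talk's model does."""
    return packets_seen / seconds / combined_fraction(prefix_lens)


def simulate_hits(total_probes: int, prefix_len: int, seed: int = 1) -> int:
    """Constructed check of the arithmetic: draw random 32-bit 'destinations'
    and count those whose top prefix_len bits fall in block 0. Nothing is sent."""
    rng = random.Random(seed)
    shift = 32 - prefix_len
    return sum(1 for _ in range(total_probes) if rng.getrandbits(32) >> shift == 0)


if __name__ == "__main__":
    blocks = [8, 14, 16, 16, 16]  # constructed stand-in for the CCIED mix
    print("addresses monitored:", monitored_addresses(blocks))
    print("/8 fraction per 1,000 probes:", 1000 * telescope_fraction(8))
    print("4 pkts/s at a /8 implies probes/s:", estimate_scan_rate(4, 1.0, [8]))
    print("simulated /8 hits out of 200,000:", simulate_hits(200_000, 8))
```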

  4. Life Just Before Slammer

  5. Life Just After Slammer

  6. Slammer Ushers in a Number of Firsts
     • Exploits UDP service, entire worm fits in a single packet
     • When scanning, worm can “fire and forget”
     • Worm infects 75,000+ hosts in 10 minutes (despite broken random number generator)
     • Kills notion of response on human time-scales
     • Progress limited by the Internet’s carrying capacity
     • Genesis of CCIED collaboration, leading to above findings
     • Empirical data feeds subsequent “scaledown” analysis

  7. CCIED Forensic Analysis of Witty
     • Worm unleashed day after flaw announced
     • Single UDP packet - stateless spreading
     • Exploited flaw in the passive analysis of Internet Security Systems products
     • Payload: slowly corrupt random disk blocks
     • /8 telescope data gives ~4 / 1,000 pkts

  8. Exploiting Witty’s Structure
     • Worm’s code:
       • Seed random number generator w/ time-of-day
       • Send 20,000 copies to random destinations
       • Pick a random disk to trash
       • Repeat, reseeding if the disk-trash succeeded
     • Key insight: random bits in headers + use of known PRNG → random # state recoverable
     • Keys to the Kingdom
       • (especially w/ some computational geometry)

  9. Precise Bandwidth Estimation vs. Rates Measured by Telescope

  10. Uptime of 750 Witty Infectees

  11. Disk Drives Per Witty Infectee

  12. Infector/Infectee Signature: Infection Attempts That Were Too Early, Too Late, or Just Right

  13. Doubly-scanned infectees infected faster. Unscanned infectees still get infected! In fact, some are infected Extremely Quickly! (Figure: Time When Infectees Seen At Telescope)

  14. Ferreting Out the Witty Perpetrator
     • Very strong evidence Witty targeted US military base
     • If attacker knew of ISS security software installation at military site → ISS insider (or ex-insider)
       • Fits with very rapid development of worm
     • Analysis also leads to Patient Zero - machine attacker used to launch Witty
       • (Really, Patient Negative One)
       • European retail ISP
       • Communicated to law enforcement

  15. Preliminary Virus Analysis: Nyxem
     • Destructive email worm (aka Kama Sutra, Blackworm, etc. etc.)
     • Includes “phone home” to hardwired URL
     • In principle, monitor evolution via URL access logs
     • Except:
       • Incidental viewing
       • Rubberneckers
       • DOS attacks by vigilantes
       • And the usual aliasing problems due to DHCP, NAT

  16. Reducing the Nyxem Logs
     • Remove:
       • Repetitive access w/ fixed headers: DOS floods (90+%)
       • Access to incorrect pages (0.2%)
       • Of remainder, those w/ Referrer header (9%)
       • Access from uninfectible sources (0.03%)
     • Bracket infection estimate
       • Low: distinct browser types per IP
       • High: different probes per IP
     • Bottom line, Jan. 15 - Feb 1:
       • 469,507 - 946,835 infected hosts (likely upper end)
       • (w/ 45,401+ also infected by Spyware etc. per browser ID)
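The log reduction on this slide, as an added example (not the CCIED code or data): the four removal filters run in the slide's order over Combined Log Format lines, then the survivors are bracketed per source IP, low by distinct browser types and high by distinct probes, which is how NAT and DHCP aliasing widen the estimate. The phone-home path, the flood threshold, the uninfectible set and the log lines are constructed assumptions.

```python
"""Nyxem phone-home log reduction (added example; filters and bracket follow the
slide, but the path, threshold, uninfectible set and log lines are constructed)."""
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "req" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d+ \d+ "([^"]*)" "([^"]*)"$')
PHONE_HOME_PATH = "/counter.php"  # constructed stand-in for the worm's hardwired URL
FLOOD_THRESHOLD = 50              # constructed: this many identical requests from one IP = DOS flood

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, referer, ua = m.groups()
    return {"ip": ip, "ts": ts, "path": path, "referer": referer, "ua": ua}

def reduce_logs(lines, uninfectible=frozenset()):
    """Apply the slide's filters in order; return the (low, high) infected-host bracket."""
    recs = [r for r in map(parse, lines) if r]
    # 1. Repetitive access with fixed headers: one IP replaying identical requests.
    same = Counter((r["ip"], r["path"], r["referer"], r["ua"]) for r in recs)
    flood_ips = {key[0] for key, n in same.items() if n >= FLOOD_THRESHOLD}
    recs = [r for r in recs if r["ip"] not in flood_ips]
    # 2. Incorrect pages: the worm only ever fetches the hardwired URL.
    recs = [r for r in recs if r["path"] == PHONE_HOME_PATH]
    # 3. A Referer means a person followed a link (rubbernecker), not a worm.
    recs = [r for r in recs if r["referer"] in ("", "-")]
    # 4. Sources that cannot be infected (caller-supplied set; assumption).
    recs = [r for r in recs if r["ip"] not in uninfectible]
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    low = sum(len({r["ua"] for r in rs}) for rs in by_ip.values())   # distinct browser types per IP
    high = sum(len({r["ts"] for r in rs}) for rs in by_ip.values())  # distinct probes per IP
    return low, high

def log_line(ip, ts, path, referer, ua):
    """Build one constructed Combined Log Format line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 12 "{referer}" "{ua}"'

IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
IE5 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
SAMPLE_LINES = (
    [log_line("198.51.100.7", "16/Jan/2006:10:00:00 +0000", "/counter.php", "-", IE6)] * 60  # vigilante flood
    + [log_line("203.0.113.5", "16/Jan/2006:10:01:00 +0000", "/counter.php", "-", IE6),     # infected host
       log_line("203.0.113.5", "16/Jan/2006:11:01:00 +0000", "/counter.php", "-", IE6),     # same host, later probe
       log_line("203.0.113.5", "16/Jan/2006:11:05:00 +0000", "/counter.php", "-", IE5),     # second box behind NAT
       log_line("192.0.2.9", "16/Jan/2006:12:00:00 +0000", "/counter.php", "http://news.example/", "Mozilla/5.0"),  # rubbernecker
       log_line("192.0.2.10", "16/Jan/2006:12:00:00 +0000", "/index.html", "-", IE6),       # wrong page
       log_line("192.0.2.11", "16/Jan/2006:12:30:00 +0000", "/counter.php", "-", IE6)]      # uninfectible source
)
UNINFECTIBLE = frozenset({"192.0.2.11"})  # constructed
```

On the constructed sample only the NATed source survives, giving a bracket of 2 to 3 infected hosts; `reduce_logs(SAMPLE_LINES, UNINFECTIBLE)` returns it.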

  17. Lower-bound progress of Nyxem infection, Jan. 16 - Feb. 1

  18. Nyxem infection progress by continent

  19. A Different Sort of Spreading
     • Geography differs from
       • Internet density
       • Random-scanning worms
     • E.g., South America late to the game; Middle East overrepresented
     • Ahead of US in infections:
       • India (32%), Peru (19%), Italy (8%), Turkey (6%)
       • (US, 5.6%; Egypt, 2.6%)
     • Another potential opportunity: Sober
       • Major variant accesses list of DNS servers for well-known domains
       • One of these: nsx.lbl.gov

  20. The Problem of Internet Background Radiation
     • Network telescopes see incessant stream of traffic
       • Probing from random-scanning worms
       • Probing from Botnets looking for fodder
       • Misconfigurations
     • Basic Question #1:
       • How do we ignore this to find interesting new stuff?
     • Basic Question #0:
       • What is this stuff, anyway?
     • Analyzed using lightweight honeyd responders

  21. Responding to Background Radiation

  22. Hourly Background Radiation Seen at a 2,560-address Telescope

  23. Internet “Situational Awareness”
     • Back to Question #1:
       • How do we tell when telescope sees something new …
       • … and interesting
     • Idea:
       • Characterize “background radiation” in abstract terms
       • Remove any matches, consider remainder “new” …
       • … except first run for a few months to converge on full set of abstractions

  24. Internet “Situational Awareness”, cont’d
     • This doesn’t work.
       • There is constant churn in what arrives that’s new
       • Though often with very minor variations
       • In principle removable, but need better meta-abstractions for doing so
     • Basic question #2: What can we say about an “event” seen by the honeynet?
       • Is it a worm, a botnet, a misconfiguration?
       • If a botnet, could it be more than one? Is the scanning coordinated? How large a region is the scan targeting?

  25. Internet “Situational Awareness”, cont’d
     • It doesn’t work ... Yet.
       • Significant noise problems
       • Significant modalities & variations
       • Calibration difficulties
     • Need more powerful abstractions
       • Collapse down what’s considered “different”
     • Need “toolbox” of statistical perspectives
       • E.g., arrival rates, IP ID / ephemeral port profiles, correlations in addresses, deviations from independence …

  26. Epidemiology: Possible Evolution
     • How fast could a worm spread?
       • “Detonator” design: compute hit-list of entire vulnerable population, propagate via divide & conquer.
       • With careful design, 10^6 hosts in < 2 sec!
     • Defensible worst-case damage (to US economy)?
       • Depending on attacker resources, up to 50M desktops
       • …. And then? Just wiping disk: ≥ $50B damage

  27. Self-Stopping Worms
     • How readily can a worm locally determine it has achieved x% infection of vulnerable population?
     • If doable, then trouble: worm spreads and then goes completely quiet …
     • Clearly doable with enough communication & coordination
       • But how simply/cheaply?
       • And with no a priori knowledge of vulnerable population??

  28. Dynamic Estimation
     • Size of vulnerable population N
     • Infected count over time I(t)
     • Worm has an oracle
       • Know N and I (stop when I(t)/N reaches goal)
     • Increasingly practical
       • Know N (locally estimate I(t) knowing N)
       • Sum-Count (locally estimate N)
       • Sum-Count-X (collaborate to estimate N)

  29. Know N, I: Perfect knowledge lets worms stop on a dime

  30. Estimating I(t) from N: Only knowing N, worms can still stop quickly

  31. Sum-Count: More than 2x longer to stop… Local sampling alone insufficient

  32. Sum-Count-X: Similar result without perfect knowledge!
