Internet Quarantine: Requirements for Containing Self-Propagating Code


Presentation Transcript


  1. Internet Quarantine: Requirements for Containing Self-Propagating Code
  David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage

  2. Worm Security
  • Prevention
    • Stop the worms from propagating by eliminating security holes from software; infeasible
  • Treatment
    • Remove the worm from the infected host
  • Containment
    • Stop the worm from spreading

  3. Worm Containment
  • How effectively can any containment approach counter a worm epidemic on the Internet?
  • Time to detect
  • Identification and containment
  • Deployment

  4. Background
  • History of Worms
    • First appeared in 1988
    • Few studies done on worms
  • Worm containment approaches
    • La Brea
      • Intercept the worm and place it in an artificial persistent connection state
      • Unclear how effective it is
    • Per-host “throttling”
      • Reduce the rate of “new” connections allowed
      • If universally deployed, can reduce worm spread
    • Firewall filters
      • Detect worms, then cut off communications using firewalls to block ports
    • NBAR
      • Developed by Cisco
      • Allows routers to block TCP sessions based on the presence of certain strings in the session

  5. Modeling Worms
  • Classic SI model

  6. SI Model
  • Susceptible (S), Infected (I), population (N), contact rate (beta)
  • dI/dt = beta*I*S/N
  • dS/dt = -beta*I*S/N
  • Solving (T is a constant of integration):
    • i(t) = e^(beta*(t-T)) / (1 + e^(beta*(t-T)))
  • Grows exponentially until the majority are infected
  • Well known in the public health community

  7. Modeling Containment
  • Reaction Time
    • The time R in which the system can react to contain the worm
  • Containment Strategy
    • Address Blacklisting
      • Block traffic from malicious source IPs
      • Reaction time is relative to each host
    • Content Filtering
      • Block traffic based on content
      • Reaction time is measured from the first infection
  • Deployment Scenario
    • Analyzed a few different deployment scenarios in the model
  • Finite Time Period
    • Restricted to looking at the first 24 hours after the worm appears

  8. Idealized Deployment
  • Simulation Parameters
  • Code-Red Case Study
  • Generalized Worm Containment

  9. Simulation Parameters
  • 360,000 vulnerable hosts
  • Probe rate of 10 per second
  • Probes randomly from time t = 0
  • Hosts notified of infected hosts at t + R

  10. Code-Red Case Study
  • Address blacklisting
    • Containment with R < 20 minutes
    • Larger R allows spread
    • All susceptible hosts infected within 24 hours if R > 2 hours
  • Content Filtering
    • Containment with R < 2 hours
    • Worm propagates until t = R, then stops

  11. Modeling the Worm
  • Graphs reaction time against the percentage of vulnerable hosts infected in the 24-hour period analyzed

  12. Generalized Worm Containment
  • Content Filtering vs. Address Blacklisting
  • Highly aggressive worms
    • Extremely challenging, even for content filtering
    • 1000 probes/sec requires R = 2 min
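The SI model on slide 6 and the two containment strategies of slides 7 and 10 can be checked numerically. The script below is an added example written for this page, not the authors' simulator: it approximates their idealized deployment with a deterministic mean-field model in one-second steps, assumes (as a constructed choice) that a random-scanning worm probes the full 2^32 IPv4 space starting from a single infected host, and uses the Code-Red parameters from slide 9. The function names (contact_rate, si_fraction, blacklist_threshold, simulate) are this example's own.

```python
import math
from collections import deque

# Constructed assumptions, not from the slides: a random-scanning worm probes the
# full IPv4 space, and the epidemic starts from a single infected host.
ADDRESS_SPACE = 2 ** 32
INITIAL_INFECTED = 1

# Parameters quoted on slide 9 for the Code-Red case study.
CODE_RED_VULNERABLE = 360_000
CODE_RED_PROBE_RATE = 10  # probes per second per infected host


def contact_rate(probe_rate, vulnerable, address_space=ADDRESS_SPACE):
    """beta: expected number of vulnerable hosts one infected host reaches per second."""
    return probe_rate * vulnerable / address_space


def si_fraction(t, beta, T):
    """Closed-form SI solution from slide 6, i(t) = e^(beta(t-T)) / (1 + e^(beta(t-T))).
    Written with a negative exponent so that large t cannot overflow exp()."""
    return 1.0 / (1.0 + math.exp(-beta * (t - T)))


def blacklist_threshold(beta):
    """Reaction time R at which a host blocked R seconds after its own infection
    reaches on average exactly one new victim (beta * R = 1). Below it the worm
    dies out under address blacklisting; above it the worm keeps growing."""
    return 1.0 / beta


def simulate(vulnerable, probe_rate, strategy=None, reaction_time=None,
             horizon=24 * 3600, dt=1.0):
    """Deterministic (mean-field) SI epidemic in discrete steps of dt seconds.

    strategy: None (no containment), 'content' (infection traffic is filtered
    everywhere from t = R, measured from the first infection) or 'blacklist'
    (each infected host is blocked R seconds after it was itself infected).
    Returns the fraction of vulnerable hosts infected at the horizon."""
    beta = contact_rate(probe_rate, vulnerable)
    infected = float(INITIAL_INFECTED)
    susceptible = vulnerable - infected
    # Cohorts of (time_infected, count) that can still probe under blacklisting.
    cohorts = deque([(0.0, infected)])
    active = infected
    for step in range(int(horizon / dt)):
        t = step * dt
        if strategy == 'content' and t >= reaction_time:
            break  # signature deployed everywhere: no further infections
        if strategy == 'blacklist':
            while cohorts and t - cohorts[0][0] >= reaction_time:
                active -= cohorts.popleft()[1]  # these hosts are now blocked
        else:
            active = infected
        # dI/dt = beta * I * S / N, with only the unblocked infected hosts probing.
        new = min(beta * active * susceptible / vulnerable * dt, susceptible)
        infected += new
        susceptible -= new
        if strategy == 'blacklist' and new > 0:
            cohorts.append((t + dt, new))
            active += new
    return infected / vulnerable


if __name__ == '__main__':
    beta = contact_rate(CODE_RED_PROBE_RATE, CODE_RED_VULNERABLE)
    print(f'beta = {beta:.2e}/s, blacklist threshold = {blacklist_threshold(beta) / 60:.1f} min')
    scenarios = [
        ('no containment', {}),
        ('content filtering, R = 2 h', dict(strategy='content', reaction_time=2 * 3600)),
        ('blacklisting, R = 10 min', dict(strategy='blacklist', reaction_time=600)),
        ('blacklisting, R = 4 h', dict(strategy='blacklist', reaction_time=4 * 3600)),
    ]
    for label, kw in scenarios:
        f = simulate(CODE_RED_VULNERABLE, CODE_RED_PROBE_RATE, **kw)
        print(f'{label:28s} infected after 24 h: {100 * f:.3f}%')
```

With the slide 9 parameters, beta is about 8.4e-4 per second, so a blacklisted host reproduces itself once only if it probes for about 1/beta, roughly 20 minutes, which is the slide 10 threshold; content filtering simply freezes the epidemic at i(R), which for R = 2 hours is a few hundred hosts. Raising the probe rate to 1000 per second leaves a few percent of hosts infected even with R = 2 minutes, which is the sense in which slide 12 calls aggressive worms extremely challenging.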

  13. Practical Deployment
  • Far more limited
  • Network Model
  • Deployment Scenarios
  • Code-Red Case Study
  • Generalized Worm Containment

  14. Network Model
  • Identify ASes on the Internet
  • Identify vulnerable hosts and their locations
  • Model AS paths between vulnerable hosts

  15. Deployment Scenarios
  • Models levels of AS deployment of containment

  16. Code-Red Case Study
  • Uses the same parameters as the idealized model
  • Reaction time = 2 hours

  17. Generalized Worm Containment
  • Much smaller containment with the network model
  • 100 top ISPs model
  • 50% customers model
    • Worse results than the 100 top ISPs model
  • Infeasible to contain even modest probe rates under these models

  18. Deployment Scenarios

  19. Conclusion
  • Very challenging to build containment systems
  • A response on the order of minutes is needed to be effective
  • In the future, worms will be more aggressive
  • Fighting the spread of worms will require a great amount of effort and engineering.
