330 likes | 565 Views
Very Fast containment of Scanning Worms. Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern Paxson. Outline. Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment.
E N D
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern Paxson
Outline • Worm containment • Hardware implementations • Scan suppression • Cooperation • Attacking worm containment
What is scanning worm? --- Operate by picking “random” address and attempt to infect the machine. Blaster – linear scanning Code Red – fully random Code Red II & Nimda – bias toward local addresses Common properties of scanning worms: Most scanning attempts result in failure. Infected machines will institute many connection attempts. Scanning Worms
How to mitigate the spread of worms? Prevention Reduce size of vulnerable population Insufficient to counter worm threat Why?? … single vulnerability in a popular software system can translate to millions of vulnerable hosts Treatment Once a host is infected, clean it up immediately (Antivirus Software, Patches) Reduce vulnerable hosts and rate of infection Limitation… long time to develop cleanup code, and too slow to have a significant impact People don’t install patches Containment Scanning Worms
Containment • Protect individual networks and isolate infected hosts • Examples: firewalls, content filters, automated blacklists • Most Promising Solution • Can be completely automated • Containment does not require participation of each and every host on the internet
Containment Properties • Reaction time • Detection of malicious activity • Propagation of the containment information to all hosts participating the system • Activating any containment strategy. • Containing Strategy • Address blacklisting • Maintain a list of IP addresses that have been identified as being infected. • Drop all the packets from one of the addresses in the list. • Advantage: can be implemented easily with existing filtering technology. • Disadvantage: must be updated continuously to reflect newly infected hosts
Containment (contd.) • Content filtering • Requires a database of content signatures known to represent particular worms. • Requires additional technology to automatically create appropriate content signatures. • Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation • Deployment scenarios • Ideally, a global deployment is preferable. • Practically, a global deployment is impossible. • May be deploying at the border of ISP networks
Defense against scanning worms Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts; Leverage the anomaly of a local host attempting to connect to multiple other hosts. Containment looks for a class of behavior rather than specific worm signature --- able to stop new worms. Worm Containment
Break the network into many cells Within each cell a worm can spread unimpeded. Between cells, containment limits infections by blocking outgoing connections from infected cells. Must have very low false positive rate. Blocking suspicious machines can cause a DOS if false positive rate is high. Need for complete deployment within an enterprise Integrated into the network’s outer switches or similar hardware elements Worm Containment
Epidemic Threshold • Worm-suppression device must necessarily allow some scanning before it triggers a response. • Worm may find a victim during that time. • The epidemic threshold depends on: • The sensitivity of the containment response devices • The density of vulnerable machines on the network --- NAT and DHCP • The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
Sustained Scanning Threshold • If worm scans slower than sustained scanning threshold, the detector will not trigger. • Vital to achieve as low a sustained scanning threshold as possible. • For this implementation threshold set to 1 scan per minute.
Outline • Worm containment • Hardware implementations • Scan suppression • Cooperation • Attacking worm containment
Hardware Implementation • Constraints: • Memory access speed • On duplex gigabit Ethernet, can only access DRAM 4 times • Memory size • Attempt to keep footprint under 16MB • The number of distinct memory banks
Hardware Implementations • Approximate caches --- collisions cause imperfections (bloom filter) • Fixed memory available • Allow collisions to cause aliasing • Err on the side of false negative • Attacker behavior • Predicting the hashing algorithm --- keyed hash function • Simply overwhelming the cache
Hardware Implementations • Efficient small 32 bit block ciphers • Prevent attackers from controlling collisions • Permute the N-bit value • Separate the resulting N-bit value into an index and a tag
Outline • Worm containment • Hardware implementations • Scan suppression • Cooperation • Attacking worm containment
Scan Suppression Responding to detected portscans by blocking future scanning attempts. • Portscans have two basic types: • Horizontal – search for identical service on large number of machines. • Vertical – examine an individual machine to discover running services.
Outside Internet Outside Scan Suppression Protect the enterprise, forget the Internet • Preventing scans from Internet is too hard • If inside node is infected, filter sees all traffic • Cell (local area network) is “outside”, Enterprise larger internet network is “inside” • Can also treat entire enterprise as cell, Internet as outside Inside Scan detectors
Scan Suppression • Derived from Threshold Random Walk (TRW) scan detection. • The algorithm operates by using an oracle to determine if a connection will fail or succeed. • By modeling the benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host. • Assumption: benign traffic has a higher probability of success than attack traffic
Scan Suppression • Strategies: • Track connections and addresses using approximate caches; • Replace the old addresses and old ports if the corresponding entry has timed out; • Track addresses indefinitely as long as we do not have to evict their state from our caches; • Detect vertical as well as horizontal TCP scans, and horizontal UDP scans; • Implement a “hygiene filter” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.
Connection Cache • Recording if we’ve seen a packet in each direction • Aliasing turns failed attempt into success (biases to false negative) • Age is reset on each forwarded packet • Every minute, back ground process purges entries older than Dconn
Address Cache • Track “outside” addresses • Counter keeps difference between successes and failures • Counts are decremented every Dmiss seconds
Parameters and Tuning • Parameters: • T: miss-hit difference that causes block • Cmin: minimum allowed count • Cmax: maximum allowed count • Dmiss: decay rate for misses • Dconn: decay rate for idle connections • Cache size and associativity
Evaluation • For 6000-host enterprise trace: • 1MB connection cache, 4MB 4-way address cache = 5MB total • At most 4 memory accesses per packet • Operated at gigabit line-speed • Detects scanning at rates over 1 per minute • Low false positive rate • About 20% false negative rate • Detects scanning after 10-30 attempts
Outline • Worm containment • Hardware implementations • Scan suppression • Cooperation • Attacking worm containment
Cooperation • Divide enterprise into small cells • Connect all cells via low-latency channel • A cell’s detector notifies others when it blocks an address (“kill message”) • Blocking threshold dynamically adapts to number of blocks in enterprise: • T’ = T(1 –θ)X, for very small θ • Changing θ does not change epidemic threshold, but reduces infection density
Outline • Worm containment • Hardware implementations • Scan suppression • Cooperation • Attacking worm containment
Attacking worm containment • False positives • Forge packets (though this does not prevent inside systems from initiating connections) • False negatives • Use a non-scanning technique (topological, meta-server, passive and hit-list) • Scan under detection threshold • Use a white-listed port to test for liveness before scanning
Attacking Cooperation • Attempt to outrace containment if threshold is permissive • Flood cooperation channels • Cooperative collapse: • False positives cause lowered thresholds • Lowered thresholds cause more false positives • Feedback causes collapse of network
Attacking Worm Containment • Detecting containment • Try to contact already infected hosts • Go stealthy if containment is detected • Circumventing containment • Embed scan in storm of spoofed packets • Two-sided evasion: • Inside and outside host initiate normal connections to counter penalty of scanning • Can modify algorithm to prevent, but lose vertical scan detection
Conclusion • Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware; • Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.