
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

This research paper explores a routing worm that contains BGP routing prefix information in its code, allowing for faster propagation and selective attacks based on IP address information. By scanning routable space instead of the entire IPv4 space, the worm can increase its propagation speed by 2-3.5 times. The paper also discusses the possibility of upgrading IPv4 to IPv6 as a defense mechanism.



Presentation Transcript


  1. Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
     Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
     Univ. Massachusetts, Amherst

  2. Routing Worm Summary
     • Routing worm: contains information of BGP routing prefixes in the worm code.
     • A faster spreading worm
       • Internet routable IP space < 30% of entire IPv4 space.
       • Scanning routable space instead of entire IPv4 space.
       • Increasing propagation speed by 2 ~ 3.5 times.
     • A selective attack worm
       • IP address → routing prefix → AS → ISP, country
       • Pinpoint attacking vulnerable hosts in a specific target
       • Selective attack based on any information derived from compromised hosts.

  3. BGP Routing Table Introduction
     • BGP (Border Gateway Protocol)
       • Inter-autonomous system routing protocol.
       • Backbone BGP routers contain all routable prefixes (without default route)
     • Routable IPv4 space increases slowly
       • NAT
       • CIDR
       • DHCP

  4. BGP Routing Worm
     • Contains BGP non-overlapping prefixes:
       • Non-overlapping prefixes: remove “128.119.85/24” if BGP contains “128.119/16”.
       • 140602 prefixes → 62053 prefixes (Sept. 22, 2003)
     • Payload requirement: 175KB
       • Big payload for Internet-scale worm propagation.
     • Increasing worm’s speed by 3.5 times.
       • Scanning space is 28.6% of entire IPv4 space.

  5. Class A Routing Worm
     • IANA provides Class A address allocations
       • Class A (x.0.0.0/8); 256 Class A in IPv4 space.
     • 116 Class A contain all BGP routable space.
       • Scanning space: 45.3%; payload: 116 Bytes.

  6. Routing Worm based on Aggregated BGP Prefixes
     • Two extreme cases of routing worms:
       • BGP routing worm: all prefixes in BGP
       • Class A routing worm: only “/8” prefixes
     • Routing worm based on aggregated prefixes
       • “/n” aggregation: combine several longer prefixes into a shorter “/n” prefix.
       • “128.119.5/24” + “128.119.2/24” → “128.119/16” or “128.119.0/19”
       • Class A prefixes are results of “/8” aggregation.

  7. Routing Worm based on Aggregated BGP Prefixes
     • Flexible trade-off between:
       • Scanning space vs. prefix payload
     [Figure: “/n” aggregation (n=8~16), payload vs. scanning space trade-off]

  8. Routing Worm Propagation Study
     [Figure: Comparison of the Code Red worm, a routing worm, a hit-list worm, a hit-list routing worm]
     N=360,000; h=358 scans/min; I(0)=10 (10,000 for a hit-list worm)
     where N: # of vulnerable hosts; (symbol missing in transcript): scanning space; h: scan rate

  9. Routing Worm: A Selective Attack Worm
     • Selective attack: worm has different behaviors on different compromised hosts.
     • Routing worm: imposes damage based on geographical information of IP addresses of compromised hosts
     • Geographical information of IP addresses
       • IP address → routing prefix → AS; AS → company, ISP, country
       • Pinpoint attacking vulnerable hosts in a specific target
     • Potential terrorist’s attack → BGP routing table → research

  10. Selective Attack: a Generic Attacking Technique
     • Selective attack: imposes damage based on any information a worm can get from compromised hosts
       • OS (e.g.: illegal OS, language, time zone)
       • Software (e.g.: installed a specific program)
       • Hardware (e.g.: CPU, memory, network card)
     • Selective attack: improving propagation speed
       • Maximize infectious power of each compromised host.
       • Multi-thread worm: generates different numbers of threads on different computers based on CPU, memory, and connection speed.

  11. Defense: Upgrading IPv4 to IPv6
     • Routing worm: reducing worm scanning space
       • Effective, easier than hit-list worm to implement
       • Difficult to prevent: public BGP tables and IP geographical information
     • Defense: increasing worm scanning space → upgrading IPv4 to IPv6
       • The smallest network in IPv6 has 2^64 IP address space.
       • A worm needs 40 years to infect 50% of vulnerable hosts in a network when N=1,000,000, h=100,000/sec, I(0)=1000
       • Limitation: for scan-based worms only
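To check the propagation figures on slides 8 and 11 (the Code Red parameters and the 40-year IPv6 estimate), here is an added Python example that is not from the paper or the slides. It assumes the classic simple-epidemic (SI) model of a random-scanning worm and takes the scanning-space fractions 28.6% (BGP routing worm) and 45.3% (Class A routing worm) from slides 4 and 5; the scenario table and the discrete-time cross-check are constructed for this example.

```python
import math

IPV4_SPACE = 2 ** 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def time_to_fraction(n_vuln, scan_rate, space, i0, frac=0.5):
    """Time for a random-scanning worm to infect `frac` of n_vuln vulnerable
    hosts under the simple-epidemic (SI) model assumed here:
        dI/dt = (scan_rate / space) * I * (n_vuln - I)
    Solving I(t) = frac * n_vuln in closed form gives
        t = space * ln((n_vuln/i0 - 1) / (1/frac - 1)) / (scan_rate * n_vuln)
    in the time unit scan_rate is expressed in."""
    if not 0 < frac < 1 or not 0 < i0 < frac * n_vuln:
        raise ValueError("need 0 < frac < 1 and 0 < i0 < frac * n_vuln")
    return space * math.log((n_vuln / i0 - 1) / (1 / frac - 1)) / (scan_rate * n_vuln)

def simulate_time_to_fraction(n_vuln, scan_rate, space, i0, frac=0.5, dt=1.0):
    """Discrete-time check of the closed form: each tick every infected host
    fires scan_rate*dt scans into `space` addresses, and each scan hits a
    still-uninfected vulnerable host with probability (n_vuln - I) / space."""
    infected, elapsed = float(i0), 0.0
    while infected < frac * n_vuln:
        infected += scan_rate * dt * infected * (n_vuln - infected) / space
        elapsed += dt
    return elapsed

# Slide 8 parameters (N=360,000; h=358 scans/min; I(0)=10, or 10,000 for
# hit-list worms) with the scanning-space fractions from slides 4 and 5.
# The scenario table itself is constructed for this example.
SLIDE8_SCENARIOS = {
    "Code Red (whole IPv4)":        (360_000, 358, IPV4_SPACE, 10),
    "BGP routing worm (28.6%)":     (360_000, 358, 0.286 * IPV4_SPACE, 10),
    "Class A routing worm (45.3%)": (360_000, 358, 0.453 * IPV4_SPACE, 10),
    "hit-list worm":                (360_000, 358, IPV4_SPACE, 10_000),
    "hit-list routing worm":        (360_000, 358, 0.286 * IPV4_SPACE, 10_000),
}

def minutes_to_half(name):
    """Minutes until 50% of vulnerable hosts are infected in a slide-8 scenario."""
    return time_to_fraction(*SLIDE8_SCENARIOS[name])

def ipv6_years_to_half(n_vuln=1_000_000, scan_rate=100_000, i0=1000):
    """Slide 11: years to infect 50% of one IPv6 /64 (2**64 addresses)."""
    return time_to_fraction(n_vuln, scan_rate, 2 ** 64, i0) / SECONDS_PER_YEAR

if __name__ == "__main__":
    for name in SLIDE8_SCENARIOS:
        print(f"{name:30s} {minutes_to_half(name):7.1f} min to 50% infected")
    print(f"IPv6 /64: {ipv6_years_to_half():.1f} years to 50% infected")
```

Because time in this model scales linearly with the scanning space, the 28.6% and 45.3% fractions reproduce the 3.5x and roughly 2.2x speedups quoted on the slides, and the /64 scenario lands at about 40 years.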

  12. Summary
     • Routing worm: contains information of BGP routing prefixes in the worm code.
     • Routing worm: a faster spreading worm
       • Scans routable space (< 30%) instead of entire IPv4 space.
       • Increasing propagation speed by 2 ~ 3.5 times.
     • Routing worm: a selective attack worm
       • IP address → routing prefix → AS → ISP, country
       • Pinpoint attacking vulnerable hosts in a specific target
       • Selective attack based on any information a worm can get from compromised hosts.
     • Defense: increase a worm’s scanning space → IPv4 upgrade to IPv6
