Collaborative Center for Internet Epidemiology and Defenses (CCIED)
NSF 2006 Review
Vern Paxson, Stefan Savage, George Varghese, Geoff Voelker, Nick Weaver
Mark Allman, Juan Caballero, Martin Casado, Jay Chen, Weidong Cui, Cristian Estan, Ranjit Jhala, Jaeyeon Jung, Chris Kanich, Jayanth Kumar Kannan, Christian Kreibich, Erin Kenneally, Kirill Levchenko, Justin Ma, David Moore, Michelle Panik, Colleen Shannon, Sumeet Singh, Alex Snoeren, Amin Vahdat, Erik Vandekieft, Michael Vrable, Ming Woo-Kawaguchi, Vinod Yegneswaran
Welcome!
• First some context…
  • We are 4 months into our second year
  • This is the second NSF site visit we’ve had, but the first with the two of you – introductions all around
• …and some expectations
  • We’re going to give some informal presentations
  • Each will have a leader, but this is a collaborative effort, so expect everyone to chime in
  • Please ask questions and give feedback anytime
  • We’ll try to keep to schedule, but we can go where you want
Agenda for today
• 9:30–10:15 Background/Overview: Stefan
• 10:15–11:00 Empirical & Analytic Epidemiology: Vern
• 11:00–11:10 Break
• 11:10–12:00 Large-scale Honeyfarms: Stefan
• 12:00–1:30 Lunch
• 1:30–2:00 Education and Outreach: Geoff
• 2:00–3:00 Meeting with Students
• 3:00–3:15 Break
• 3:15–4:00 Network Defenses: Nick and Stefan
• 4:00–4:45 Broader & Future Efforts: Vern
• 4:45–5:30 Wiggle room
For the rest of our time…
• History/Background
• Motivation and scope
• Major CCIED activities
Ancient history – independent groups
• In the late 90’s Paxson deploys the Bro IDS system at LBL and starts looking at network-based intrusions
• In 2000, UCSD develops the “network telescope”-based backscatter DoS inference technique
See: Paxson, Bro: A System for Detecting Intruders in Real Time, USENIX Security, 1998, and Moore et al., Inferring Internet Denial of Service Activity, USENIX Security, 2001
Code Red
• Code Red epidemic takes off in 2001, the first large-scale network worm in over a decade
• Selects IP addresses at random and probes for the vulnerability
• Monitored via telescopes
  • ~360,000 hosts in a day
• Slow admin response
• Didn’t do much
• Growth matches a logistic function
See: Moore et al., Code Red: A Case Study on the Spread of an Internet Worm, IMW 2002, and Staniford et al., How to 0wn the Internet in Your Spare Time, USENIX Security 2002
Code Red is only a proof of concept
• Better targeting possible
  • Biased: a local bias is faster and more likely to hit
  • Topological: exploit application-level networks (e.g. e-mail, p2p apps, Google vs. searchers, etc.)
  • Hitlist: predetermine vulnerable hosts (at least some)
    • Metaserver worms – exploit directory servers for this purpose
  • Permutation scanning: don’t duplicate effort
  • Contagion worms: hide in existing communication patterns
• More destructive payload possible
  • Toast disk, toast BIOS, patch microcode
• Simple cost models suggest multi-billion costs achievable
• Call for a Cyber-CDC
See: Staniford et al., How to 0wn the Internet in Your Spare Time, USENIX Security 2002, and Weaver et al., A Worst-case Worm, WEIS 2004
How well must defense work?
• Containment strategy
  • “Sharable” signatures offer huge advantages
• Reaction time
  • For Code Red densities:
    • 3 hrs for 10 probes/sec
    • 2 mins for 1000 probes/sec
• Deployment
  • Need to interdict most paths
  • Worms form the world’s best overlay net
See: Moore et al., Internet Quarantine: Requirements for Containing Self-Propagating Code, Infocom 2003
CCIED precursor
• Around this time both groups are providing input to Anup Ghosh (then DARPA) for a new program: Dynamic Quarantine for Worms
• We join forces (along with Silicon Defense) and put in a joint proposal
  • Highest-rated proposal for DQW
  • Project then classified (then reclassified again!)
• Group stays in touch…
A pretty fast outbreak: Slammer (2003)
• First ~1 min behaves like a classic random scanning worm
  • Doubling time of ~8.5 seconds
  • Code Red doubled every 40 mins
• Beyond ~1 min the worm starts to saturate access bandwidth
  • Some hosts issue >20,000 scans per second
  • Self-interfering (no congestion control)
• Peaks at ~3 min
  • >55 million IP scans/sec
  • 90% of the Internet scanned in <10 mins
• Infected ~100k hosts (conservative)
See: Moore et al., The Spread of the Sapphire/Slammer Worm, IEEE Security & Privacy, 1(4), 2003
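The simple-epidemic model behind the Code Red logistic curve, the Slammer doubling time, and the containment reaction-time argument on the preceding slides, as an added illustration that is not CCIED's own code: the scan rates and vulnerable-population sizes are assumed values chosen to reproduce the doubling times the slides quote, and "a filter on a fraction of scan paths deployed after a reaction delay" is an assumed containment model, not the one in the cited papers.

```python
"""Simple-epidemic (logistic) model of a uniform random-scanning worm.
Added illustration, not CCIED code. Scan rates and vulnerable-population
sizes are constructed to reproduce the doubling times quoted on the slides."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner chooses from

def contact_rate(scans_per_sec, vulnerable):
    """K: new infections per infected host per second while few hosts are infected."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE

def doubling_time(scans_per_sec, vulnerable):
    """Seconds for the infected population to double in the exponential phase."""
    return math.log(2) / contact_rate(scans_per_sec, vulnerable)

def infected_fraction(t, k, a0):
    """Closed-form solution of da/dt = K a (1 - a): fraction infected after t seconds."""
    growth = math.exp(k * t)
    return a0 * growth / (1 - a0 + a0 * growth)

def time_to_fraction(target, k, a0):
    """Inverse of infected_fraction: seconds until `target` of the vulnerable hosts are hit."""
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k

def simulate_containment(k, a0, reaction_time, coverage, dt, horizon):
    """Euler-step the epidemic; after `reaction_time` seconds a filter deployed on
    `coverage` of the scan paths removes that share of the contact rate (assumed model)."""
    a, t = a0, 0.0
    while t < horizon:
        eff_k = k * (1 - coverage) if t >= reaction_time else k
        a += eff_k * a * (1 - a) * dt
        t += dt
    return a

if __name__ == "__main__":
    # Constructed parameters: ~360k vulnerable hosts scanning a few times a second
    # gives Code Red's ~40 min doubling; ~100k hosts at thousands of scans/s gives
    # Slammer's ~8.5 s doubling (the model ignores the bandwidth saturation that
    # throttled real Slammer after its first minute).
    for name, rate, vuln in (("Code Red-like", 3.45, 360_000), ("Slammer-like", 3500, 100_000)):
        k = contact_rate(rate, vuln)
        print(f"{name}: doubling {doubling_time(rate, vuln):.1f}s, "
              f"90% infected after {time_to_fraction(0.9, k, 1 / vuln) / 60:.1f} min")
    k = contact_rate(3.45, 360_000)
    for cov in (0.0, 0.5, 0.9, 1.0):  # why "interdict most paths": half is not enough
        final = simulate_containment(k, 1 / 360_000, 3 * 3600, cov, 60.0, 24 * 3600)
        print(f"filters on {cov:.0%} of paths after 3h: {final:.1%} infected by 24h")
```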
Slammer: defining event
• Slammer is the kick-off for close collaboration between group members
• Also shaped a shared viewpoint on the nature of critical Internet threats: “large-scale subversion of hosts” is the key issue
• Series of joint meetings define the CCIED proposal and ultimately lead to a funded proposal
• Raise additional direct support from Microsoft, Intel, HP, ESnet, VMware and indirectly (via CNS) from AT&T, Alcatel, Sun and Qualcomm
Motivation: threat transformation
• Traditional threats
  • Attacker manually targets a high-value system/resource
  • Defender increases the cost to compromise high-value systems
  • Biggest threat: insider attacker
• Modern threats
  • Attacker uses automation to target all systems at once (can filter later)
  • Defender must defend all systems at once
  • Biggest threats: software vulnerabilities & naïve users
Driving economic forces
• Emergence of profit-making payloads
  • SPAM forwarding (MyDoom.A backdoor, SoBig), credit card theft (Korgo), DDoS extortion, (many) etc…
• “Virtuous” economic cycle transforms the nature of the threat
  • Commoditization of compromised hosts
    • Fluid third-party exchange market (millions)
    • Going rate for SPAM proxying: 3–10 cents/host/week
    • Seems small, but a 25k botnet gets you $40k–130k/yr
    • Raw bots, $1+/host; special orders ($50+)
  • Hosts effectively becoming a criminal platform
    • Innovation in both the host substrate and its uses
    • Sophisticated infection and command/control networks
    • DDoS, SPAM, piracy, phishing, identity theft are all applications
Example: Just last week…
“A 20-year-old California man was indicted in Seattle Feb. 10 on charges that he used a computer "bot" network to cause computer malfunctions at Seattle's Northwest Hospital in January of 2005. … During the disruption, doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down," the [Washington State] Attorney General said.”
And this is just the side-effects!
Overall CCIED scope
Develop the understanding and technology to address large-scale subversion of Internet hosts
CCIED’s major research efforts
• Internet Epidemiology: Understanding
  • What kinds of new attacks are going on?
  • How are they controlled? How do they behave? What are their side-effects? What are their limits?
• Automated Network Defenses: Reacting
  • Stop new attacks without humans in the loop
• Forensic, Legal and Economic Issues: Deploying
  • What investigatory and evidentiary value can we provide with technology? What is the legal framework for safely using the technologies we developed? How do we create the proper incentives for deployment?
CCIED’s education priorities
• We are committed to providing outreach to train researchers and the workforce (interpreted broadly)
  • Talks, tutorials, workshops
• Curriculum development
  • Worm/virus/epidemiology components for undergrad and grad classes
  • Archived lectures/seminars
Year one milestones
• Development and deployment of a large-scale network worm detection system (telescope/simple honeyfarm)
• Testing of prototype in-line defenses (scan suppression, signature extraction)
• Legal issues related to the honeyfarm
• Initial development of curriculum for security courses
• CCIED Web Portal running
Year two …
• Most of our proposed milestones we’ve now already accomplished, or they make less sense than they once did
• The field is changing very quickly and we’re trying to keep our focus relevant
• This is our job, but we’re also helped by our technical advisory board
Technical Advisory Board
• Members selected for technical strengths
  • David Aucsmith, Microsoft (2006)
  • David Clark, MIT
  • Sean Donelan, SBC
  • Carey Nachenberg, Symantec
  • Lance Spitzner, Honeynet Project
  • Stuart Staniford, Nevis Networks
  • Helen Wang, Microsoft Research
• Meeting in September 2005
• Feedback
  • Start looking at new threats (e.g. botnets, non-scanning behavior)
  • Look to develop partnerships w/ industry
  • Some discussion about how to best inform the research community
Focus questions for the TAB
• Are we considering the right threats?
• Are there other technical approaches we should be considering?
• Are we missing any important partnership opportunities?
• Are we missing any key capabilities on our team?
• What education/training is necessary/missing for practitioners in the field? How can we best help here?