Very Fast Containment of Scanning Worms • Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI) • Presented by: Artur Zak • Modified by: David Allen
Abstract • Worms – malicious, self-propagating programs. • Represent threat to large networks. • Containment – one form of defense; limit a worm’s spread by isolating it in a small subsection of the network.
Scanning Worms • Operate by picking a “random” address and attempting to infect that machine. • Blaster – linear scanning. • Code Red – fully random. • Code Red II & Nimda – biased toward local addresses. • Worms will find small holes in firewalls and routers. • Complete infection of the local network from a single original source.
Scanning Worms • Common properties of scanning worms: • Most scanning attempts result in failure. • Infected machines will institute many connection attempts. • Containment looks for a class of behavior rather than a specific worm signature. • Able to stop new worms.
Worm Containment (virus throttling) • Must be automated: worms propagate more rapidly than human response. • Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts. • “Defense in depth”: used in addition to other network protection mechanisms.
Mechanism Requirements • Break the network into many cells. • Within each cell a worm can spread unimpeded. • Between cells, containment limits infections by blocking outgoing connections from infected cells. • Works best with small cells. • Must have a very low false positive rate: blocking suspicious machines or ports can cause a DoS if the false positive rate is high.
Epidemic Threshold • Worm-suppression device must necessarily allow some scanning before it triggers a response. • Worm may find a victim during that time. • Epidemic occurs if each infection results in a single child. • Exponential epidemic occurs if each infection results in more than one child.
Epidemic Threshold • The epidemic threshold depends on: • The sensitivity of the containment response devices • The density of vulnerable machines on the network • The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
Sustained Scanning Threshold • If worm scans slower than sustained scanning threshold, the detector will not trigger. • Vital to achieve as low a sustained scanning threshold as possible. • For this implementation threshold set to 1 scan per minute. • Other methods often no better than 1 per second.
Scan Suppression • Portscans have two basic types: • Horizontal – search for identical service on large number of machines. • Vertical – examine an individual machine to discover running services. • Scan Suppression – responding to detected portscans by blocking future scanning attempts.
Implementation • Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection. • TRW operates by using an oracle to determine if a connection will fail or succeed. • Walk down for a good connection. • Walk up for a failed connection. • Threshold set on deviation.
Implementation • Implementation easier than TRW. • Suitable for both hardware and software implementation. • Simplified algorithm caused increased false negative rate. • No changes in the false positive rate.
Hardware Implementation • Constraints: • Must be very fast to keep up with high packet rates. • Memory access speed. • During transmission of minimum-sized gigabit Ethernet packet, need to access a DRAM at 8 different locations. (4 accesses for full duplex). • SRAM can be used to solve the problem, but more expensive.
Hardware Implementation • Approximate cache: a cache for which collisions cause imperfections. • Indexing into cache is done with a 32-bit block cipher and a secret key. • Helps protect against collision attack. • Collisions will only result in false-negatives.
Connection Cache • IPs are hashed with the port to create the index. • Aliased entries are combined. • Age is incremented each minute. • Age is zeroed each time a packet is seen. • Old entries are removed (after 10 min).
Address Cache Lookup • External IP encrypted to create index and tag. • Each index may reference four entries. • Counter tracks differences between misses and hits. • When necessary, most negative entries are evicted.
Address Cache Lookup • Assumption is that legitimate traffic succeeds more often than scanning traffic. • Threshold is used to block traffic. • 10 internal • 5 internal • Hard limit on negative counts. (-20) • Positive counts are decayed over time. (1 min)
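Added example (not code from the paper or the slides): a software model of the address-cache counter described above, using the slide's values as defaults: +1 per failed connection, -1 per success, a hard floor of -20, positive counts decaying by one per minute, and blocking at a threshold of 10. It also shows the sustained scanning threshold from earlier: probes arriving at one per minute never accumulate past the decay. The plain dict, the whitelist parameter and the constructed addresses are assumptions; the caller (the connection cache in the hardware design) supplies the success/failure outcome.

```python
from dataclasses import dataclass

@dataclass
class AddrState:
    count: int = 0           # misses minus hits; positive means suspicious
    last_decay: float = 0.0  # timestamp of the last whole-interval decay tick
    blocked: bool = False    # once set, new connections from this address are dropped

class ScanSuppressor:
    """Per-external-address miss/hit counter with the thresholds from the slides."""

    def __init__(self, threshold=10, neg_limit=-20, decay_interval=60.0, whitelist=()):
        self.threshold = threshold            # block once the count reaches this
        self.neg_limit = neg_limit            # hard floor: caps credit earned from successes
        self.decay_interval = decay_interval  # positive counts lose one point per interval
        self.whitelist = set(whitelist)       # high fan-out servers such as DNS and SMTP
        self.table = {}  # a plain dict stands in for the hardware approximate cache

    def _decay(self, st, now):
        ticks = int((now - st.last_decay) // self.decay_interval)
        if ticks > 0:
            if st.count > 0:  # only positive (suspicious) counts decay toward zero
                st.count = max(0, st.count - ticks)
            st.last_decay += ticks * self.decay_interval

    def observe(self, addr, now, succeeded):
        """Record one connection attempt by addr; the caller's connection cache decides
        whether it succeeded. Returns True if addr is (now) blocked."""
        if addr in self.whitelist:
            return False
        st = self.table.setdefault(addr, AddrState(last_decay=now))
        self._decay(st, now)
        st.count = max(self.neg_limit, st.count + (-1 if succeeded else 1))
        if st.count >= self.threshold:
            st.blocked = True  # established connections continue; new ones are dropped
        return st.blocked

    def allow_new_connection(self, addr):
        st = self.table.get(addr)
        return st is None or not st.blocked

def scans_until_block(rate_per_minute, max_scans, **kw):
    """Feed max_scans consecutive failed probes from one constructed address at the
    given rate; return how many were seen before blocking, or None if never blocked."""
    s = ScanSuppressor(**kw)
    interval = 60.0 / rate_per_minute
    for i in range(max_scans):
        if s.observe("203.0.113.7", i * interval, succeeded=False):  # constructed IP
            return i + 1
    return None
```

A one-per-second scanner is blocked on its tenth probe, while a host that first earns credit with successful connections can gain at most 20 points of slack before the floor applies.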
Results • Attacks are detected after only 10 scans. • Blocking: • New connections are blocked. • Current established connections are allowed. • System accurately detected real attacks. • False-positives on DNS and SMTP servers due to fan-out. Need to be white-listed. • Tighter thresholds had more false-positives, but only for odd traffic.
Attacking the Containment • Malicious False Negative: • The worm slips by even though containment is active. • Scan at a rate slower than the sustained scanning threshold. • With the threshold set to 1 per minute, growth will be very slow. • Scans to white-listed hosts can be used for liveness testing before the attack begins. • Offset misses by making valid connections.
Attacking the Containment • Malicious false positive: • False positives create a DoS target. • Forged packets can be a problem and must be prevented in the network. • A web page or HTML-formatted email could initiate multiple connections to non-existent addresses.
Cooperation • Containment systems can cooperate to reduce thresholds during an attack. • Communication between systems must be efficient to stay ahead of spread. • Must be done carefully to avoid cooperative collapse – a cascade in sensitivity increase.