Active Worm and Its Defense
CSE651: Network Security

Worm vs. Virus
• Worm
– A program that propagates itself over a network, reproducing itself as it goes
• Virus
– A program that searches out other programs and infects them by embedding a copy of itself in them

Active Worm vs. [D]DoS
• DDoS stands for Distributed Denial of Service attack
• Propagation method
• Goal: congestion, resource appropriation
• Rate of distribution
• Scope of infection

History (http://snowplow.org/tom/worm/history.html)
• Morris Worm, the first worm “virus”, released on November 2, 1988 by Robert Tappan Morris, who was then a 23-year-old doctoral student at Cornell University
• Code-Red worm in July 2001 infected more than 350,000 Microsoft IIS servers. The attack finished in 14 hours
• Slammer worm in January 2003 infected nearly 75,000 Microsoft SQL servers. The attack finished in less than one hour
• MyDoom worm in February 2004 infected a large number of hosts, which then automatically and successfully DDoS-attacked a few popular websites

The Morris Worm of 1988
• First “worm” program
• Released by Robert T. Morris of Cornell University
• Affected DEC’s VAX and Sun Microsystems’ Sun 3 systems
• Spread
– ~6000 victims, i.e., 5-10% of hosts at that time
– More machines were disconnected from the net to avoid infection
• Cost
– Some estimates: $98 million
– Other reports: <$1 million
• Triggered the creation of CERT (Computer Emergency Response Team)

Recent Worms
• July 13, 2001, Code Red V1
• July 19, 2001, Code Red V2
• Aug. 04, 2001, Code Red II
• Sep. 18, 2001, Nimda
• …
• Jan. 25, 2003, SQL Slammer
• More recent
– SoBig.F, MSBlast, …
How an Active Worm Spreads
(Figure: an infected machine probes and scans a target machine, then transfers a copy of the worm to it; the newly infected machine repeats the process)
• Autonomous
– No need for human interaction

Basic Propagation Method
• Network Worm: uses port scanning to find vulnerabilities on the targets
• Application Worm: propagates through email, instant messaging, file sharing on operating systems, P2P file-sharing systems, or other applications
• Hybrid Worm

Delivery Method
How worm code is delivered to vulnerable hosts
• Self-contained Self-propagation: each newly infected host becomes a new source and sends the worm code to the hosts it infects
• Embedded: embedded in infected files, such as emails or shared files
• Second Channel: the newly infected host uses a second channel such as TFTP (Trivial File Transfer Protocol) to download the worm code from a central source
Scanning Strategy (1)
• Random scanning
– Probes random addresses in the IP address space (CRv2)
• Selective random scanning
– A set of addresses that more likely belong to existing machines is selected as the target address space
• Hitlist scanning
– Probes addresses from an externally supplied list
• Topological scanning
– Uses information found on the compromised host (email worms)
• Local subnet scanning
– Preferentially scans targets that reside on the same subnet (Code Red II and Nimda worm)

Scanning Strategy (2)
• Routable scanning
– Chooses routable IP addresses as the targets of the scan
• DNS scanning
– Chooses hosts with a DNS name as the targets of the scan
• Permutation scanning
– Each newly infected host gets a different block of IP addresses
Synchronization between Infected Hosts (or Worm Instances)
• Asynchronous
– Each infected host behaves individually, without synchronization with other infected hosts
• Synchronized
– Infected hosts synchronize with each other, e.g., through a central server

Propagation Activity Control
• Non-stopping
– Keeps port scanning and never stops
• Time Control
– Preset stop and restart timers are used to control the port-scan activity
• Self-Adjustment
– Self-control according to the environment (Atak worm) or an estimate of the number of infected hosts (Self-Stop worm)
• Centralized Control
– Controlled by the attacker

Scan Rate
• Constant Scan Rate
– Each infected host keeps a constant scan rate, limited by the computation ability and outgoing bandwidth of the host
• Random Varying Scan Rate
– Randomly changes the scan rate
• Smart Varying Scan Rate
– Changes the scan rate according to a rule derived from the attack policy and the environment
• Controlled Varying Scan Rate
– Changes the scan rate according to the attacker’s control commands

Modularity
• Non-Modular
• Modular
– Uses a modular design in the worm code, so that new attack modules can be sent to the infected hosts and plugged in after infection

Organization
• Decentralized
– There is no organization or cooperation among infected hosts, and no communication between the infected hosts and the attacker
• Centralized Organization
– Organized through Internet Relay Chat (IRC) or other methods, as botnets do, so that the attacker can control the infected hosts

Payload with the Worm Code
• Spamming
– Code capable of carrying out spamming
• DDoS Attack
– Code capable of carrying out DDoS attacks
• Sniffing
– Code capable of watching for interesting clear-text data passing by the infected hosts
• Spyware
– Spyware code
• Keylogging
– Code capable of capturing and retrieving the passwords typed on the infected hosts
• Data Theft
– Code capable of stealing private data

Techniques for Exploiting Vulnerability (as used by the Morris worm)
• fingerd (buffer overflow)
• sendmail (bug in the “debug mode”)
• rsh/rexec (guess weak passwords)
Active Worm Defense
• Modeling
• Infection Mitigation

Worm Behavior Modeling (1)
• Propagation model
– V is the total number of vulnerable nodes
– N is the size of the address space
– i(t) is the percentage of infected nodes among V at time t
– r is the scan rate of the worm

Worm Behavior Modeling (2)
• Propagation model
– M(i): the number of overall infected hosts at time i
– N(i): the number of uninfected vulnerable hosts at time i
– E(i): the number of newly infected hosts from time tick i to time i+1
– T: the total number of IP addresses, i.e., 2^32 for IPv4
– N(0): the number of vulnerable hosts on the Internet before the worm attack starts
– E(0) = 0, M(0) = M0
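The slides define the symbols of the discrete-time propagation model but do not show the update rule. The following Python simulation is an added example, not code from the course: it assumes the standard random-scan rule (every one of the M(i) infected hosts sends r scans per tick to uniformly random addresses, so an uninfected vulnerable host escapes all M(i)·r scans with probability (1 − 1/T)^(M(i)·r)), and tracks expected values. The scenario parameters (360,000 vulnerable hosts, one seed, 360 scans per tick per host) are constructed to be Code Red-like.

```python
"""Discrete-time random-scan worm propagation, using the slides' symbols:
T    total number of IP addresses (2^32 for IPv4)
N(i) uninfected vulnerable hosts at tick i
M(i) infected hosts at tick i
E(i) hosts newly infected between tick i and i+1

Assumed update rule (the slides define the symbols, not the equation):
every infected host sends r scans per tick to uniformly random addresses,
so an uninfected vulnerable host escapes all M(i)*r scans with probability
(1 - 1/T)^(M(i)*r). Expected values are tracked, so M and N are floats.
"""


def simulate(n0, m0, r, t_size=2 ** 32, ticks=1000):
    """Return the lists M, N, E indexed by tick (M and N have ticks+1 entries)."""
    M, N, E = [float(m0)], [float(n0)], []
    for i in range(ticks):
        scans = M[i] * r
        # Probability that a given uninfected vulnerable host is hit by at least one scan
        p_hit = 1.0 - (1.0 - 1.0 / t_size) ** scans
        e = N[i] * p_hit          # E(i): expected new infections this tick
        E.append(e)
        M.append(M[i] + e)        # M(i+1) = M(i) + E(i)
        N.append(N[i] - e)        # N(i+1) = N(i) - E(i)
    return M, N, E


def early_growth_factor(n0, r, t_size=2 ** 32):
    """Per-tick growth of M while N(i) is still ~N(0): each infected host adds r*N(0)/T new ones."""
    return 1.0 + r * n0 / t_size


def ticks_to_fraction(M, fraction):
    """First tick at which M(i) reaches `fraction` of the final infected population."""
    target = fraction * M[-1]
    for i, m in enumerate(M):
        if m >= target:
            return i
    return None


if __name__ == "__main__":
    # Constructed scenario: 360,000 vulnerable hosts (Code Red scale), one seed host,
    # 360 scans per tick per host (one tick = one minute at 6 scans/s).
    M, N, E = simulate(n0=360_000, m0=1, r=360)
    print("early growth factor per tick:", round(early_growth_factor(360_000, 360), 4))
    for f in (0.1, 0.5, 0.9, 0.99):
        print(f"{int(f * 100):>3}% infected at tick", ticks_to_fraction(M, f))
    print("peak new infections per tick:", round(max(E)))
```

The early growth factor 1 + r·N(0)/T is what makes the curve exponential at first; once N(i) shrinks the same rule turns it into the familiar S-curve, and doubling r roughly halves the time to reach half of the vulnerable population.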
Modeling P2P-based Active Worm Attacks
• Basic worm attack strategy
– Pure Random-based Scan (PRS)
– Randomly selects the attack victim
– Adopted by Code-Red-I and Slammer
• P2P-based attack strategies
– Offline P2P-based Hit-list Scan (OPHLS)
– Online P2P-based Scan (OPS)
– Both strategies exploit P2P system features

Background: P2P Systems
• Host-based overlay system
• Structured and unstructured
• Rich connectivity
• Very popular
– 3,467,860 users in the FastTrack P2P system
– 1,420,399 users in the eDonkey P2P system
– 1,155,953 users in the iMesh P2P system
– 103,466 users in the Gnutella P2P system

Two P2P-based Worm Attack Strategies
• Offline P2P-based Hit-list Scan (OPHLS)
– Collect P2P host addresses offline as a hit-list
– Attack the hit-list first
– Then attack the Internet via PRS
• Online P2P-based Scan (OPS)
– Use runtime P2P neighbor information
– Attack P2P neighbors
– Extra attack resources are applied to attack the Internet via PRS

Online-based P2P Worm Attack Strategy
(figure)

Performance Comparison of Attack Strategies
• The P2P-based attack strategies overall outperform the PRS attack strategy
• The OPHLS attack strategy achieves the best performance compared to all other online-based attack strategies

Sensitivity of Attack to P2P System Size
• As the P2P system size increases, the attack performance becomes consistently better for all attack strategies
Detection
• Host-based detection
• Network-based detection
• Detecting large-scale worm propagation
– Global distributed traffic monitoring framework
– Distributed monitors and data center
– Worm port scanning and background port scanning

Distributed Worm Monitoring Systems
(figure)

Detection Schemes
• Worm behavior
– Pure random scan
– Each worm instance takes part in the attack all the time
– Constant scan rate
• Overall port scanning traffic volume implies the number of worm instances (infected hosts)
• Total number of worm instances and overall port scanning traffic volume increase exponentially during worm propagation
• Count-based and trend-based detection schemes
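To make the count-based and trend-based schemes concrete, here is an added Python example (not code from the monitoring framework the slides describe). It runs both detectors over constructed per-tick scan counts: a steady background of about 50 scans per tick with deterministic jitter, plus a worm component that grows 15% per tick from tick 30. The count-based detector alerts when the volume exceeds a baseline mean plus k standard deviations; the trend-based detector fits ln(count) against time over a sliding window and alerts when several consecutive windows show exponential growth, which also yields an estimate of the worm's growth rate once it dominates the background. Thresholds and the data generators are assumptions of the example.

```python
"""Count-based and trend-based detection of worm port-scan traffic, run over
constructed per-tick scan counts from a monitor. Both detectors and the sample
data are assumptions for this example, not the framework described in the slides.
"""
import math
import statistics


def background(t):
    """Constructed background port-scan volume: ~50 scans per tick with deterministic jitter."""
    return 50.0 + 0.4 * ((t * 7) % 11 - 5)


def worm(t, start=30, seed=2.0, growth=1.15):
    """Constructed worm scan volume: exponential growth (15% per tick) after `start`."""
    return 0.0 if t < start else seed * growth ** (t - start)


def monitor_counts(ticks=90, with_worm=True):
    """Per-tick scan counts as a monitor would report them to the data center."""
    return [background(t) + (worm(t) if with_worm else 0.0) for t in range(ticks)]


def count_based_alert(counts, baseline_ticks=20, k=5.0):
    """Alert at the first tick whose volume exceeds baseline mean + k * std, else None."""
    base = counts[:baseline_ticks]
    threshold = statistics.mean(base) + k * statistics.pstdev(base)
    for t in range(baseline_ticks, len(counts)):
        if counts[t] > threshold:
            return t
    return None


def log_slope(window):
    """Least-squares slope of ln(count) against tick: the estimated exponential growth rate."""
    n = len(window)
    ys = [math.log(c) for c in window]
    x_mean = (n - 1) / 2.0
    y_mean = sum(ys) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(ys))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def trend_based_alert(counts, window=10, min_slope=0.05, consecutive=3):
    """Alert once `consecutive` sliding windows in a row show growth above min_slope.

    Returns the tick of the last count in the window that completed the streak, else None."""
    streak = 0
    for end in range(window, len(counts) + 1):
        if log_slope(counts[end - window:end]) > min_slope:
            streak += 1
            if streak == consecutive:
                return end - 1
        else:
            streak = 0
    return None


if __name__ == "__main__":
    counts = monitor_counts()
    print("count-based alert at tick:", count_based_alert(counts))
    print("trend-based alert at tick:", trend_based_alert(counts))
    print("growth rate once the worm dominates (ticks 75-84):",
          round(log_slope(counts[75:85]), 3), "vs ln(1.15) =", round(math.log(1.15), 3))
```

Neither detector fires on the background-only series. The trend-based scheme needs a run of windows before it alerts, so with this small seed it fires later than the count threshold, but the fitted slope it produces converges on ln(1.15), the worm's true per-tick growth rate, which the count-based scheme never estimates.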
Infection Mitigation
• Patching
• Filtering/intrusion detection (signature based)
• DAW (Distributed Anti-Worm Architecture)
• TCP/IP stack reimplementation, bounding connection requests

Goals of DAW
• Impede worm progress, allow human intervention
• Detect worm-infected clients
• Ensure congestion issues are minimized – little routing performance impact
• Shigang Chen and Yong Tang. Slowing down Internet worms. In Proceedings of the 24th International Conference on Distributed Computing Systems, March 2004.

DAW
• Requirements
– Distributed, sensors act independently
– NIDS (rather than HIDS)
– Limited responsibility, ensures availability of nodes

DAW
(figure)

Active Worm Detection in DAW
• User behavior
– Few failed connections (DNS)
– Predictable traffic generation throughout the “day”
– Relatively uniform intranet traffic distribution
• Worm behavior
– Sampling shows a 99.96% failure rate in scans
– Spikes in the failure:request ratio
– Traffic pattern disproportionately favors infected clients

Active Worm - Failures
• TCP only, random scanning
• ICMP Unreachable/TCP-RST response
• 99.96% failure on 80/tcp
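The two slides above contrast users (few failed connections) with random-scanning worms (almost every attempt answered by a TCP RST or ICMP Unreachable). The following Python script is an added example, not DAW's code: it parses a constructed log of outbound connection outcomes, computes each source host's failure:request ratio, and flags hosts whose ratio looks like scanning. The record format, the sample addresses (TEST-NET ranges), the outcome names and the thresholds are all assumptions of the example; a minimum attempt count is included so that a client with a couple of failed lookups is not flagged.

```python
"""Failure-ratio detection of scanning hosts, in the spirit of DAW's failure:request
observation. The log format, the sample records and the thresholds are constructed for
this example; they are not DAW's own format or code.
"""
import re
from collections import defaultdict

# Outcomes of an outbound TCP connection attempt that count as failures: a TCP RST,
# an ICMP unreachable, or no reply at all.
FAILURE_OUTCOMES = {"RST", "ICMP_UNREACH", "TIMEOUT"}

# Constructed record format: <timestamp> <src> -> <dst>:<port> <outcome>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<outcome>[A-Z_]+)$"
)

# Constructed sample: 10.0.0.5 is a normal client (one failed lookup), 10.0.0.7 made
# three failed attempts (too few to judge), 10.0.0.9 fails 9 of 10 attempts to port 80.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 192.0.2.10:443 ESTABLISHED
2024-01-01T10:00:01 10.0.0.5 -> 192.0.2.11:80 ESTABLISHED
2024-01-01T10:00:02 10.0.0.5 -> 198.51.100.4:53 TIMEOUT
2024-01-01T10:00:03 10.0.0.5 -> 192.0.2.12:443 ESTABLISHED
2024-01-01T10:00:04 10.0.0.5 -> 192.0.2.10:443 ESTABLISHED
2024-01-01T10:00:05 10.0.0.5 -> 192.0.2.13:80 ESTABLISHED
2024-01-01T10:00:05 10.0.0.7 -> 203.0.113.2:80 RST
2024-01-01T10:00:06 10.0.0.7 -> 203.0.113.3:80 RST
2024-01-01T10:00:06 10.0.0.7 -> 203.0.113.4:80 ICMP_UNREACH
this line is deliberately malformed and must be skipped
2024-01-01T10:00:06 10.0.0.9 -> 203.0.113.20:80 RST
2024-01-01T10:00:06 10.0.0.9 -> 203.0.113.21:80 ICMP_UNREACH
2024-01-01T10:00:06 10.0.0.9 -> 203.0.113.22:80 RST
2024-01-01T10:00:07 10.0.0.9 -> 203.0.113.23:80 RST
2024-01-01T10:00:07 10.0.0.9 -> 203.0.113.24:80 ESTABLISHED
2024-01-01T10:00:07 10.0.0.9 -> 203.0.113.25:80 ICMP_UNREACH
2024-01-01T10:00:07 10.0.0.9 -> 203.0.113.26:80 RST
2024-01-01T10:00:08 10.0.0.9 -> 203.0.113.27:80 RST
2024-01-01T10:00:08 10.0.0.9 -> 203.0.113.28:80 RST
2024-01-01T10:00:08 10.0.0.9 -> 203.0.113.29:80 ICMP_UNREACH
"""


def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def failure_stats(records):
    """Per-source [attempts, failures] counts."""
    stats = defaultdict(lambda: [0, 0])
    for rec in records:
        entry = stats[rec["src"]]
        entry[0] += 1
        if rec["outcome"] in FAILURE_OUTCOMES:
            entry[1] += 1
    return stats


def flag_scanners(records, min_attempts=8, min_ratio=0.9):
    """Return (src, attempts, failure_ratio) for hosts whose failure ratio looks like scanning.

    min_attempts keeps a host with a couple of failed lookups from being flagged."""
    flagged = []
    for src, (attempts, failures) in sorted(failure_stats(records).items()):
        ratio = failures / attempts
        if attempts >= min_attempts and ratio >= min_ratio:
            flagged.append((src, attempts, round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    for src, attempts, ratio in flag_scanners(parse(SAMPLE_LOG.splitlines())):
        print(f"{src}: {attempts} attempts, failure ratio {ratio:.0%}")
```

In a DAW-style deployment this ratio would be computed per sensor over a sliding time window rather than over a whole file, and a flagged host would have its new connection requests bounded rather than blocked outright, which is what lets human intervention happen before the worm saturates the network.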
Summary
• Worms can spread quickly:
– 359,000 hosts in < 14 hours
• Home / small business hosts play a significant role in global Internet health
– No system administrator, slow response
• Can’t estimate infected machines by # of unique IP addresses
– DHCP effect appears to be real and significant
• Active Worm Defense
– Modeling
– Infection Mitigation