1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver...

Post on 20-Jan-2016


1

Very Fast Containment of Scanning Worms

By: Artur Zak
Modified by: David Allen

Paper by: Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI)

2

Abstract

Worms – malicious, self-propagating programs.

Represent a threat to large networks.

Containment – one form of defense: limit a worm’s spread by isolating it to a small subsection of the network.

3

Scanning Worms

Operate by picking a “random” address and attempting to infect the machine at that address.

Blaster – linear (sequential) scanning.

Code Red – fully random.

Code Red II & Nimda – biased toward local addresses.

Worms will find small holes in firewalls and routers, and can then completely infect the local network from a single original source.

4

Scanning Worms

Common properties of scanning worms:

Most scanning attempts result in failure.

Infected machines initiate many connection attempts.

Containment therefore looks for a class of behavior rather than a specific worm signature, so it is able to stop new worms.

5

Worm Containment (virus throttling)

Must be automated: worms propagate more rapidly than a human can respond.

Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.

“Defense in depth”: used in addition to other network protection mechanisms.

6

Mechanism Requirements

Break the network into many cells.

Within each cell a worm can spread unimpeded.

Between cells, containment limits infection by blocking outgoing connections from infected cells.

Works best with small cells.

Must have a very low false positive rate: blocking suspicious machines or ports causes a denial of service if the false positive rate is high.

7

Epidemic Threshold

The worm-suppression device must necessarily allow some scanning before it triggers a response, and the worm may find a victim during that time.

An epidemic is sustained if each infection results, on average, in a single child; an exponential epidemic occurs if each infection results in more than one child (with fewer than one child per infection, the worm dies out).

8

Epidemic Threshold

The epidemic threshold depends on:

The sensitivity of the containment response devices.

The density of vulnerable machines on the network.

The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
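As an added illustration (not on the original slides), the three factors above can be folded into one quantity. Assume, as a simplifying model, that the containment device permits a host to make $T$ scans before blocking it, and that a fraction $v$ of the addresses the worm scans are vulnerable (so $v$ grows with the density of vulnerable machines and with how well the worm targets the right network or cell). The expected number of children per infection is then

$$R = T \cdot v$$

and the epidemic threshold is $R = 1$, i.e. $T^{*} = 1/v$: below it the worm dies out, above it the infection grows exponentially. For a constructed example with one vulnerable host per 1000 scanned addresses ($v = 10^{-3}$), a device that allows $T = 10$ scans gives $R = 0.01$, a device that only reacts after $T = 1000$ scans sits exactly at the threshold, and a worm that targets its own cell well enough to raise $v$ to $10^{-2}$ pushes that same $T = 1000$ device to $R = 10$.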

9

Sustained Scanning Threshold

If a worm scans slower than the sustained scanning threshold, the detector will not trigger.

Vital to achieve as low a sustained scanning threshold as possible.

For this implementation the threshold is set to 1 scan per minute.

Other methods are often no better than 1 scan per second.

10

Scan Suppression

Portscans have two basic types:

Horizontal – search for an identical service on a large number of machines.

Vertical – examine an individual machine to discover its running services.

Scan Suppression – responding to detected portscans by blocking future scanning attempts.

11

Implementation

Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection.

TRW operates by using an oracle to determine whether a connection will fail or succeed.

Walk down for a good connection; walk up for a failed connection.

A threshold on the accumulated deviation triggers detection.

12

Implementation

Implementation is easier than full TRW and suitable for both hardware and software.

The simplified algorithm causes an increased false negative rate, with no change in the false positive rate.

13

Hardware Implementation

Constraints: must be very fast to keep up with high packet rates, and memory access speed is the limiting factor.

During the transmission time of a minimum-sized gigabit Ethernet packet, DRAM needs to be accessed at 8 different locations (4 accesses for full duplex).

SRAM can be used to solve the problem, but it is more expensive.

14

Hardware Implementation

Approximate cache: a cache for which collisions cause imperfections.

Indexing into the cache is done with a 32-bit block cipher and a secret key, which helps protect against collision attacks (an attacker who does not know the key cannot choose addresses that collide).

Collisions only result in false negatives.

15

Connection Cache

IPs are hashed together with the port to create the index.

Aliasing results in entries being combined.

Age is incremented each minute and zeroed each time a packet is seen.

Old entries (10 minutes) are removed.

16

Address Cache Lookup

The external IP is encrypted to create the index and the tag.

Each index may reference four entries.

A counter tracks the difference between misses and hits.

When necessary, the most negative entries are evicted.
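The approximate address cache with keyed indexing, four entries per index and most-negative eviction, as an added Python example. This is illustration code written for this page, not the paper's hardware implementation: the 32-bit block cipher is replaced by a keyed HMAC truncated to 32 bits, and the table sizes, the secret key, the 10.0.x.y addresses and the hit/miss histories are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed parameters for this example, not the paper's sizes: a tiny
# table makes collisions easy to show. The real design indexes with a
# 32-bit block cipher and a secret key; keyed HMAC truncated to 32 bits
# stands in for that pseudo-random permutation here.
SECRET_KEY = b"constructed-secret-key-for-the-example"
NUM_SETS = 8            # indices in the address cache
WAYS = 4                # each index references four entries


def keyed_index(ip: str, key: bytes = SECRET_KEY) -> Tuple[int, int]:
    """Encrypt an external IP under the key and split the 32-bit result
    into (set index, tag). Without the key an attacker cannot pick
    addresses that collide in the cache."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    word = int.from_bytes(digest[:4], "big")
    return word % NUM_SETS, word // NUM_SETS


@dataclass
class AddressEntry:
    tag: int
    count: int = 0      # misses minus hits for this external address


class ApproximateAddressCache:
    """4-way set-associative per-address counters. A full set evicts its
    most negative entry (the best connection history), so lost state can
    only make an address look cleaner: collisions cause false negatives,
    never false positives."""

    def __init__(self) -> None:
        self.sets: List[List[AddressEntry]] = [[] for _ in range(NUM_SETS)]

    def find(self, ip: str) -> Optional[AddressEntry]:
        idx, tag = keyed_index(ip)
        return next((e for e in self.sets[idx] if e.tag == tag), None)

    def count(self, ip: str) -> int:
        entry = self.find(ip)
        return entry.count if entry else 0

    def record(self, ip: str, miss: bool) -> int:
        """+1 for a failed connection, -1 for a successful one; returns
        the new count for ip."""
        entry = self.find(ip)
        if entry is None:
            idx, tag = keyed_index(ip)
            ways = self.sets[idx]
            if len(ways) >= WAYS:
                ways.remove(min(ways, key=lambda e: e.count))
            entry = AddressEntry(tag)
            ways.append(entry)
        entry.count += 1 if miss else -1
        return entry.count


def colliding_addresses(n: int) -> List[str]:
    """Constructed 10.0.x.y addresses that share one set index. We can
    find them only because we hold SECRET_KEY; a worm author cannot."""
    by_set: Dict[int, List[str]] = {}
    for i in range(1, 4096):
        ip = f"10.0.{i >> 8}.{i & 255}"
        group = by_set.setdefault(keyed_index(ip)[0], [])
        group.append(ip)
        if len(group) == n:
            return group
    raise RuntimeError("no collision found")


def eviction_demo() -> Tuple[int, int]:
    """Fill one set with three scanners and one well-behaved address, then
    add a fifth: the well-behaved entry is evicted and its history lost,
    while the scanners' miss counts survive."""
    cache = ApproximateAddressCache()
    ips = colliding_addresses(5)
    good, scanners, newcomer = ips[0], ips[1:4], ips[4]
    for _ in range(3):
        cache.record(good, miss=False)          # count -3
    for ip in scanners:
        for _ in range(6):
            cache.record(ip, miss=True)         # count +6 each
    cache.record(newcomer, miss=True)           # set full: evict most negative
    return cache.count(good), cache.count(scanners[0])
```

`eviction_demo()` returns `(0, 6)`: the evicted address starts again from zero on its next lookup, which is the "imperfection" the slide refers to, and the choice of victim guarantees that the entries most likely to be scanners are the ones retained.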

17

Address Cache Lookup

Assumption is that legitimate traffic succeeds more often than scanning traffic.

A threshold on the count triggers blocking; the slide gives two values, 10 and 5 (both labelled “internal”).

Hard limit on negative counts (-20).

Positive counts are decayed over time (one count per minute).

18

Results

Attacks are detected after only 10 scans.

Blocking: new connections are blocked; currently established connections are allowed.

The system accurately detected real attacks.

False positives on DNS and SMTP servers due to their fan-out; these need to be white-listed.

Tighter thresholds had more false positives, but only for odd traffic.

19

Attacking the Containment

Malicious false negative: the worm slips by even though containment is active.

Scan at a rate slower than the sustained scanning threshold. With the threshold set to 1 per minute, growth will be very slow.

Scans to white-listed addresses can be used for liveness testing before the attack begins.

Offset misses by making valid connections.
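The counting and blocking policy of the address cache (threshold, hard floor on negative counts, decay of positive counts, blocking only new connections) together with the evasion attempts listed above (slow scanning, offsetting misses with real connections, white-listed targets), as an added Python example. It is illustration code for this page, not the paper's implementation: the threshold of 10 (the higher of the two values on the slide), the floor of -20 and the one-per-minute decay are taken from the slides, while the hit/miss verdict for each connection attempt (assumed to come from the connection cache), the addresses and the traffic patterns are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Parameters as given on the slides. The hit/miss verdict for each
# connection attempt is assumed to come from the connection cache and is
# passed straight into observe() here.
BLOCK_THRESHOLD = 10     # block once the net miss count reaches this
COUNT_FLOOR = -20        # hard limit on negative counts
DECAY_PERIOD = 60.0      # positive counts decay by one per minute (seconds)


@dataclass
class AddressState:
    count: int = 0           # misses minus hits
    last_decay: float = 0.0  # time up to which decay has been applied
    blocked: bool = False


class ScanSuppressor:
    def __init__(self, threshold: int = BLOCK_THRESHOLD, floor: int = COUNT_FLOOR,
                 decay_period: float = DECAY_PERIOD) -> None:
        self.threshold, self.floor, self.decay_period = threshold, floor, decay_period
        self.state: Dict[str, AddressState] = {}
        self.whitelist: Set[str] = set()   # e.g. DNS/SMTP servers with legitimate fan-out

    def _state(self, addr: str, now: float) -> AddressState:
        st = self.state.get(addr)
        if st is None:
            st = self.state[addr] = AddressState(last_decay=now)
        # Positive counts lose one per full period elapsed; negative counts do not.
        periods = int((now - st.last_decay) // self.decay_period)
        if periods > 0:
            if st.count > 0:
                st.count = max(0, st.count - periods)
            st.last_decay += periods * self.decay_period
        return st

    def observe(self, addr: str, now: float, success: bool) -> bool:
        """Record one connection attempt by addr; return True if addr is now blocked."""
        if addr in self.whitelist:
            return False
        st = self._state(addr, now)
        if success:
            st.count = max(self.floor, st.count - 1)   # hits cannot bank unlimited credit
        else:
            st.count += 1
        if st.count >= self.threshold:
            st.blocked = True
        return st.blocked

    def allow_new_connection(self, addr: str, now: float) -> bool:
        """Gate for new connections only; established flows are never touched."""
        return addr in self.whitelist or not self._state(addr, now).blocked


def fast_scanner_blocked_after() -> int:
    """A worm probing dead addresses ten times a second: blocked on the 10th miss."""
    s = ScanSuppressor()
    for n in range(1, 101):
        if s.observe("10.0.0.7", now=0.1 * n, success=False):
            return n
    return -1


def slow_scanner_blocked(minutes: int = 600) -> bool:
    """One miss every 60 s sits at the sustained scanning threshold: each decay
    cancels the previous miss, so ten hours of scanning never trigger."""
    s = ScanSuppressor()
    return any(s.observe("10.0.0.8", now=60.0 * m, success=False) for m in range(minutes))


def misses_needed_after_padding(hits: int = 100) -> int:
    """A worm that first makes many real connections banks at most -20 of credit
    (the floor), so it is blocked after floor + threshold = 30 misses, not 110."""
    s = ScanSuppressor()
    t = 0.0
    for _ in range(hits):
        s.observe("10.0.0.9", now=t, success=True)
        t += 0.01
    misses = 1
    while not s.observe("10.0.0.9", now=t, success=False):
        misses += 1
        t += 0.01
    return misses


def legitimate_host_blocked() -> bool:
    """Ordinary traffic (constructed: mostly successes, some failures) stays negative."""
    s = ScanSuppressor()
    outcomes = [True, True, True, False, True, True, False]
    return any(s.observe("192.168.1.20", now=float(i), success=outcomes[i % 7])
               for i in range(500))


def whitelisted_dns_blocked() -> bool:
    """A white-listed server's fan-out is never counted, whatever its miss rate."""
    s = ScanSuppressor()
    s.whitelist.add("192.168.1.53")
    return any(s.observe("192.168.1.53", now=0.01 * i, success=False) for i in range(100))
```

The floor is what defeats the "offset misses by making valid connections" attack: without it, 100 real connections would buy 100 free scans. The decay is what defines the sustained scanning threshold, and the slow-scanner scenario shows its cost to the attacker, one probe per minute per infected host. Scanning slightly faster than the decay rate still accumulates and is eventually blocked, just later.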

20

Attacking the Containment

Malicious false positive: a false positive creates a DoS target.

Forged packets can be a problem and must be prevented in the network.

A web page or HTML-formatted email could cause a victim to initiate multiple connections to non-existent addresses.

21

Cooperation

Containment systems can cooperate to reduce thresholds during an attack.

Communication between systems must be efficient to stay ahead of spread.

Must be done carefully to avoid cooperative collapse – a cascade of sensitivity increases.