Internet Security & Worms
Prasad S. Athawale
Department of Computer Science, University at Buffalo
State University of New York, Buffalo
Outline
Security Overview
Intent
History
Worms vs Viruses
Worm Modelling
Simulation Techniques
Results/Deductions
Future of Worms
Possible Research Work
Internet Security
Covers a broad range of issues, from data integrity to availability
Attack types: Denial of Service, viruses/worms, snooping/sniffing, etc.
Intent
The primary intent of this presentation is to explore the world of Internet worms: in particular, to look at current research areas, their propagation mechanisms, and defense measures, if any.
History
Morris Worm, 2 November 1988
Exploited flaws in fingerd and sendmail
Password guessing against the /etc/passwd file
Trusted hosts
The Internet Worm Incident, Technical Report CSD-TR-933, Eugene H. Spafford, Department of Computer Sciences, Purdue University
Definition
Worms: programs that self-propagate across the Internet by exploiting security flaws in widely used services (1)
John Brunner, in his novel “The Shockwave Rider”, coined the term “worm”
(1) How to Own the Internet in your Spare Time, Stuart Staniford, Vern Paxson, Nicholas Weaver
Worms Vs Viruses
A virus is a malicious program that spreads using a propagation technique that generally requires user intervention, and always has malicious intent.
A worm, on the other hand, has the ability to self-propagate, and may or may not have malicious intent.
Requirements!!!
Autonomy
Replicability
Reconnaissance capabilities
Attack capabilities
Worms as Attack Vectors: Theory, Threats, and Defenses, Matthew Todd, Ph.D., January 31, 2003
Intended Uses/Applications ?
Launch a DDoS
Access to sensitive information
Spread disinformation
Unknown reasons
Mechanism?
Target selection
Exploit
Propagation mechanism
Deployment tactics
Defensive measures?
Mechanism of Operation
Worm Propagation and Countermeasures – GSEC Practical – Glenn Gebhart – SANS Institute
Spread of a Worm
[Animation: spread of a worm. Red dots indicate the infected machines; the number in the bottom left corner is the count of infected hosts; the display shows the propagation speed.]
Why Study Worms ?
Capable of severely hampering the working of the Internet
To enable us to build better defense systems
To enable possible good applications. The worst is yet to come!
Applications of a self-propagating piece of code, capable of reaching everywhere really fast?
Current research Focus
Modelling
Scanning techniques
Propagation mechanisms
Prevention techniques?
Modelling
Simple Epidemic Model: uses the time-tested model of infectious diseases to model worm propagation.
Three possible states: Susceptible, Infected, Quarantined/Removed.
Simple Epidemic Model
“Infectious” hosts: continuously infect others.
“Removed” hosts in the epidemic area: recovered and immune to the virus, or dead because of the disease.
“Removed” hosts in the computer area: patched computers that are clean and immune to the worm; computers that are shut down or cut off from the worm’s circulation.
[State diagram: susceptible → infectious → removed]
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
Epidemic modeling introduction
Homogeneous assumption: any host has an equal probability of contacting any other host in the system.
[Figure: number of contacts between the infectious hosts I and the susceptible hosts S]
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
Deterministic epidemic models: Simple epidemic model
State transition: susceptible → infectious
N: population; S(t): susceptible hosts; I(t): infectious hosts; β: infection rate
$\frac{dI(t)}{dt} = \beta S(t) I(t)$, with $S(t) + I(t) = N$
The model is symmetric in I(t) and S(t).
Problems: constant infection rate; no “removed” state.
[Plot: I(t) versus t, with I(t) in units of 10^5 and t from 0 to 40]
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
Deterministic epidemic models: Kermack-McKendrick epidemic model
State transition: susceptible → infectious → removed
R(t): removed from infectious; γ: removal rate
$\frac{dI(t)}{dt} = \beta S(t) I(t) - \frac{dR(t)}{dt}$; $\frac{dR(t)}{dt} = \gamma I(t)$; $S(t) + I(t) + R(t) = N$
Epidemic threshold $\rho = \gamma/\beta$: no outbreak if $S(0) < \rho$; major outbreak if $S(0) > \rho$
Problems: constant infection rate
[Plot: I(t) versus t, with I(t) in units of 10^5 and t from 0 to 40, for ρ = 0, N/16, N/4 and N/2]
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
Consider human countermeasures
Human countermeasures: clean and patch (download cleaning programs, patches); filter (put filters on firewalls, gateways); disconnect computers.
Reasons: they suppress most new viruses/worms from breaking out, and eliminate virulent viruses/worms eventually.
Removal of both susceptible and infectious hosts.
[State diagram: susceptible → infectious → removed, with removal from the susceptible state as well]
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
Consider human countermeasures
Model (extended from the KM model): Q(t): removal from susceptible hosts; R(t): removal from infectious hosts; I(t): infectious hosts; J(t) = I(t) + R(t): number of infected hosts, i.e. hosts that have ever been infected; μ: rate of removal from susceptible hosts
$\frac{dS(t)}{dt} = -\beta S(t) I(t) - \frac{dQ(t)}{dt}$; $\frac{dR(t)}{dt} = \gamma I(t)$; $\frac{dQ(t)}{dt} = \mu S(t) J(t)$; $S(t) + I(t) + R(t) + Q(t) = N$
Code Red Worm Propagation Modeling and Analysis – Cliff Zou
β is still considered constant
Two-factor worm model
Worms may cause congestion: a huge number of scan packets to unused IP addresses; routing table cache misses (only about 30% of the IP space is used); generation of ICMP router error messages for invalid IPs.
Effect: slowing down of the worm propagation rate, which becomes time-dependent: β(t)
Two-factor worm model:
$\frac{dS(t)}{dt} = -\beta(t) S(t) I(t) - \frac{dQ(t)}{dt}$; $\frac{dR(t)}{dt} = \gamma I(t)$; $\frac{dQ(t)}{dt} = \mu S(t) J(t)$; $\beta(t) = \beta_0 \left[1 - \frac{I(t)}{N}\right]^{\eta}$
$S(t) + I(t) + R(t) + Q(t) = N$
The exponent η is used to adjust the level of congestion in the network
Perfect Worm ?
A ‘perfect worm’ would have: all vulnerable hosts known; no dual scanning; immediate infection.
Using Code Red parameters, N = 360000, initially infected = 10 and a scan rate of 358/min: time taken = 1.758 seconds!!
On the Performance of Internet Worm Scanning Strategies, Cliff Changchun Zou, Don Towsley, Weibo Gong, Department of Electrical & Computer Engineering / Department of Computer Science, Univ. Massachusetts, Amherst
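As an added worked example (not from the slides or from Zou's papers), the following Python integrates the two-factor model above with Euler steps, recovers the simple epidemic and Kermack-McKendrick models as special cases, and reproduces the 1.758-second figure for the perfect worm; the rates β0, γ, μ, η and the small test populations are constructed inputs.

```python
import math

def simulate_two_factor(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0,
                        t_end=60.0, dt=0.01):
    """Euler integration of the two-factor worm model:
    dS/dt = -beta(t) S I - dQ/dt,  dR/dt = gamma I,  dQ/dt = mu S J,
    beta(t) = beta0 (1 - I/N)^eta,  J = I + R,  S + I + R + Q = N.
    gamma = mu = eta = 0 gives the simple epidemic model and
    mu = eta = 0 gives the Kermack-McKendrick model.
    Returns a list of (t, I(t)) samples."""
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    samples = [(0.0, I)]
    for k in range(1, int(t_end / dt) + 1):
        # max() guards against a tiny Euler overshoot of I past N
        beta = beta0 * max(0.0, 1.0 - I / N) ** eta
        dQ = mu * S * (I + R)          # removal of susceptibles, J = I + R
        dR = gamma * I                 # removal of infectious hosts
        dS = -beta * S * I - dQ
        dI = beta * S * I - dR         # follows from S + I + R + Q = N
        S, I, R, Q = S + dS * dt, I + dI * dt, R + dR * dt, Q + dQ * dt
        samples.append((k * dt, I))
    return samples

def peak_infection(samples):
    """Largest I(t) reached and the time at which it occurred."""
    t_peak, i_peak = max(samples, key=lambda s: s[1])
    return i_peak, t_peak

def outbreak_expected(S0, beta, gamma):
    """Kermack-McKendrick threshold: outbreak only if S(0) > gamma/beta."""
    return S0 > gamma / beta

def perfect_worm_time(N, I0, scans_per_min):
    """Seconds for the 'perfect worm' of the slides (every scan hits a new
    vulnerable host, infection is immediate) to reach all N hosts.
    Each infected host adds s new hosts per second, so I(t) = I0 * e^(s t)."""
    s = scans_per_min / 60.0
    return math.log(N / I0) / s

if __name__ == "__main__":
    # Code Red parameters from the slides: N = 360000, 10 initial hosts, 358 scans/min
    print("perfect worm: %.3f s" % perfect_worm_time(360000, 10, 358))
    km = simulate_two_factor(1000, 10, 0.001, gamma=0.5)
    print("KM peak I(t) = %.1f at t = %.2f" % peak_infection(km))
```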
Perfect Worm – with delay
Scanning Techniques
Hit-list based scanning
Stealthy scans, using nmap?
Distributed scanning, multiple attackers?
DNS searches
Spiders
Just listen!
Scanning Techniques
Sequential scanning
Hit-list based scanning
Permutation scanning
Preferential subnet scanning
Co-ordinated Permutation Scanning
Assumption: a copy of the worm can detect whether a given host is infected
A common permutation of the IP address space is known to all worm copies
Any machine starts scanning just after its point of infection; if an already infected host is found, it continues from a random point in the permutation
‘Self-coordinating’, as this minimizes duplication of effort
After encountering a number of such infected hosts, a copy stops scanning, assuming infection is complete
Partitioned scanning: a copy is initially responsible for some set of addresses, then divides it and hands part over to a child worm
Subnet Scanning
Cross-network scanning is too noisy and can create congestion, killing the worm’s own spread
Use different probabilities to target IPs in the worm’s own subnets, e.g. Code Red: own class B 3/8, own class A 1/2, others 1/8 (Code Red, Nimda)
Defense Mechanisms
LaBrea Tarpit: we can actually do something about it!
Holds connection attempts from an infected computer
A byte stream flow of only 1215 bytes/hour is sufficient to keep the connection alive
Defense Mechanisms
LaBrea can be defeated using asynchronous mode
Another approach depends on per-host throttling: each host restricts the rate at which it can connect to new hosts; universal deployment may reduce scanning speed by an order of magnitude
Defense Mechanism
Automatically detecting infected hosts and using firewall filters to contain spread
Practical application: Cisco’s NBAR (Network Based Application Recognition), the ability to block particular TCP streams active on a router based on signature recognition
Defense: Internet Quarantine
Prevention: aims to reduce the size of the vulnerable population
Treatment: generally patches take days to release; only now are relatively reliable distribution networks for patches springing up
Containment: firewalls, content filtering, automated routing blacklists
Intervention?
[Figures: Code Red propagation under address blacklisting and under content filtering; generalized worm containment under address blacklisting and under content filtering]
Containment Results
Not possible to limit infection to less than 18% of the vulnerable hosts for sufficiently aggressive worms (100 scans/second)
Scenarios used for address blacklisting: ‘Top 100 ISPs’ and 50% of home users
Reason: 99.7% of paths are blocked, but alternate paths for propagation still exist; this holds even when the reaction time is reduced to 0!
Dynamic Quarantine
Based on methods used in epidemic control: ‘assume guilty till proven innocent’
Non-intrusive: block certain ports for a short time, with automatic release
Able to reduce/control the propagation speed
Assumption: the system is assumed homogeneous and the contact rate is constant
Defense Mechanisms
A lot of researchers have worked in this area: Staniford, Kephart and White, Wang
Epidemiological analysis of computer viruses suggested that they can be contained, but only as long as the infection rate doesn’t exceed a critical threshold
Containment
Automated mechanisms are required; content filtering works best; blocking point: at core ISPs
Defense: Active Worm Detection
Uses ICMP Destination Unreachable messages
Collection point for all ICMP-T3 packets
Correlator: identifies threshold-crossing occurrences
An ICMP-T3 copy is generated for the collector by the router
Multiple cases: one IP to many IPs on port p; many IPs to one IP on port p; one IP to another IP on a number of ports; many IPs to one IP on a number of ports
If instances of such activity exceed the threshold N, an alert is generated; 4-6 alerts have shown good response
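As an added illustration (not part of the slides or of the cited detection paper), this Python correlator applies the four cases above to a constructed batch of ICMP-T3 records; the record layout, the addresses and the threshold value are assumptions.

```python
from collections import defaultdict

# Constructed ICMP type-3 (destination unreachable) records, as the collector
# would receive copies from routers: (original source, probed destination,
# destination port).  Sample data only, not captured traffic.
SAMPLE_T3 = (
    [("10.0.0.5", f"192.0.2.{i}", 80) for i in range(1, 7)]       # one host, six targets, port 80
    + [(f"10.0.1.{i}", "203.0.113.9", 445) for i in range(1, 6)]  # five hosts, one target, port 445
    + [("10.0.0.7", "198.51.100.2", p) for p in (21, 22, 23, 25, 80, 110)]  # one pair, six ports
    + [("10.0.0.9", "192.0.2.1", 443)]                             # a single benign miss
)

def correlate(records, threshold=4):
    """Apply the four correlation cases and return one alert per (case, key)
    whose number of distinct instances exceeds the threshold."""
    one_to_many = defaultdict(set)        # (src, port) -> destinations probed
    many_to_one = defaultdict(set)        # (dst, port) -> sources probing it
    pair_ports = defaultdict(set)         # (src, dst)  -> ports probed
    many_to_one_ports = defaultdict(set)  # dst         -> (src, port) pairs
    for src, dst, port in records:
        one_to_many[(src, port)].add(dst)
        many_to_one[(dst, port)].add(src)
        pair_ports[(src, dst)].add(port)
        many_to_one_ports[dst].add((src, port))
    alerts = []
    for (src, port), dsts in one_to_many.items():
        if len(dsts) > threshold:
            alerts.append(("one-to-many", src, port, len(dsts)))
    for (dst, port), srcs in many_to_one.items():
        if len(srcs) > threshold:
            alerts.append(("many-to-one", dst, port, len(srcs)))
    for (src, dst), ports in pair_ports.items():
        if len(ports) > threshold:
            alerts.append(("one-to-one-ports", src, dst, len(ports)))
    for dst, pairs in many_to_one_ports.items():
        srcs = {s for s, _ in pairs}
        ports = {p for _, p in pairs}
        # case 4 needs several sources AND several ports, otherwise it is case 2 or 3
        if len(pairs) > threshold and len(srcs) > 1 and len(ports) > 1:
            alerts.append(("many-to-one-ports", dst, len(srcs), len(ports)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_T3):
        print(alert)
```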
Active vs Passive
Passive: prevent spreading of worms by blocking worm traffic
Active: proactive approach by patching vulnerable systems or quickly removing infected systems
Comparison of Active and Passive Mechanisms
A content filtering defense mechanism limits infections
An address filtering defense requires near-perfect deployment
A content filtering mechanism deployed in the top 30 most connected ASes can outperform active defense
Active defense worms might have to be pre-deployed in the network, to be activated as required
Force Multipliers!!
Multiple attack capabilities
Defense
Command interface
Polymorphism
Worms as Attack Vectors: Theory, Threats, and Defenses, Matthew Todd, Ph.D., January 31, 2003
Upgrade
Modular design
Multiple vulnerabilities pre-identified
Subsequent ‘0-day’ exploits could be released
Signature alteration (polymorphism)
Communication Channels
‘Drop-box’ concept: e-mail; IRC (specific channels on IRC); KaZaa file shares; covert channels?
Communication Channels
Encrypted channels: public key, simple XOR?
Encrypted data might draw attention; a simple XOR might help by keeping the entropy of the data unremarkable
Distributed hash tables: the principle used by software like Kazaa to determine the location of files, etc.
Curious Yellow Vs Curious Blue
Curious Yellow: a highly coordinated worm that uses techniques for fast propagation and distributed control
Curious Blue to counter it, with distribution of patches carried out in a similar manner
Since both accept updates, they can be easily
Proposed ‘Conceptual’ Worms
Flash
Warhol
BGP
Curious Yellow
Flash Worms
Closest thing to a perfect worm: the IP addresses of all vulnerable hosts are known beforehand, so the scanning space is reduced
99% of hosts infected in 2.53 seconds, assuming no delay
Tremendous speed of infection: no time for human intervention
Warhol Worm
Uses a combination of hit-list and permutation scanning
This combination improves initial speed, quickly establishing a base, and permutation scanning keeps the worm’s infection rate high for a longer period
Provides a very practical design of a worm, achieving 99% infection in around 15 minutes
BGP Routing Worm
Based on BGP routing tables, freely available on the Internet
Geographical information: ISP, AS, company, country, etc.
Reduces the scanning space to 28.6% of all IP space
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information, Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai, Department of Electrical & Computer Engineering / Department of Computer Science, Univ. Massachusetts, Amherst
Contagion
Slowly spreading worm to avoid detection
P2P based: high-bandwidth traffic is usual, so it is not detected; one client/server program may dominate, e.g. KaZaa
Not strictly a worm, but can be used to support a worm!
Potential? At one university, 9 million distinct IPs in one month!
Takeaway
Stealth would play a major role in the next generation of worms
Bandwidth, network capacity, widespread use of computers and a predominantly ignorant user community are a given, and these would be exploited to the maximum
Proactive defense mechanisms rather than ‘observing’ mechanisms; observe the ‘periphery’ of one’s network?
For content-based systems: the ability to identify signatures at an early stage
Espionage, rivalry and enmity, plus non-cooperative governments/corporations
Design for security has to be the additional component, along with reliability, scalability and availability
References
Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. Cliff Changchun Zou, Weibo Gong, Don Towsley, Univ. Massachusetts Amherst, MA.
On the Performance of Internet Worm Scanning Strategies. Cliff Changchun Zou, Don Towsley, Weibo Gong, Univ. Massachusetts, Amherst.
Modelling the Spread of Active Worms. Zesheng Chen (Georgia Tech), Lixin Gao (U Mass), Kevin Kwiat (AFRL).
Slowing Down Internet Worms. Shigang Chen, Yong Tang (UFL, Gainesville).
Comparing Active and Passive Worm Defenses. Michael Liljenstam, David M. Nicol (UIUC, Urbana-Champaign).
Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, UCSD.
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information. Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai, Univ. Massachusetts, Amherst.
Worms as Attack Vectors: Theory, Threats, and Defenses. A Practical Assignment, submitted in partial requirement for GSEC certification (GIAC Security Essentials Certification). Matthew Todd, Ph.D.
"I don't think I really love you" or writing internet worms for fun and profit (C) 1998-2000. Michal Zalewski.
The Internet Worm Incident. Technical Report CSD-TR-933. Eugene H. Spafford, Purdue University.
How to Own the Internet in your Spare Time. Stuart Staniford (Silicon Defense), Vern Paxson (ICSI Center for Internet Research), Nicholas Weaver (UC Berkeley).
The Future of Internet Worms. Jose Nazario, with Jeremy Anderson, Rick Wash and Chris Connelly, Crimelabs Research.
Curious Yellow: The First Coordinated Worm Design. Brandon Wiley.