Post on 15-Jan-2016
How to 0wn the Internet in your spare time & A worst case worm
Stuart Staniford, Vern Paxson, Nicholas Weaver
Presented by: Jesus Morales
Overview
How to 0wn the Internet in your spare time: worms; analytical spread model; worm improvements; Cyber CDC
A worst-case worm: linear cost model; the attack; damage estimations
How to 0wn the Internet in your spare time
The problem: an attacker controlling a large number of hosts on the Internet could cause much damage:
DDoS attacks that shut down much of the Internet
Access to, or dispersal of, sensitive information
Corruption of information
The way: worms
Worms [Worms]
Worms, formally known as "Automated Intrusion Agents", are software components capable of infecting a computer system by their own means and then using that system, in an automated fashion, to infect other systems.
A virus, by contrast, cannot spread or infect on its own.
Code Red I (July 2001) [Worms]
Began: July 12, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named "Code Red" because:
the folks at eEye security worked through the night to identify and analyze this worm, drinking "Code Red" Mountain Dew to stay up;
the worm defaced some websites with the phrase "Hacked by Chinese".
Launched 99 threads on each infected host, each of which generated random IP addresses and tried to compromise them.
Version 1 did not infect many hosts because it used a static seed in its random number generator. Version 2 came out on July 19th with this "bug" fixed and spread rapidly.
The worm's behavior each month: 1st to 19th, spread by infection; 20th to 28th, launch a DoS attack on www.whitehouse.gov; 28th until end of month, rest.
Infected 359,000 hosts in under 14 hours.
Code Red: Analytical model
Simplifying assumptions: no patching, no firewalls, no churn
Infection rate is proportional to
# hosts already infected
# hosts not infected, but susceptible
Result: logistic equation, well known for epidemics in finite systems:
$$\frac{da}{dt} = K a (1 - a)$$
$$a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$
a = infected fraction, K = initial compromise rate, T = time of the incident (the point at which a = 1/2); the curve saturates as a approaches 1.
Figure: Code Red I, initial and re-emergence outbreaks
Improvements: Localized scanning [Network Security II]
Observation: the density of vulnerable hosts in IP address space is not uniform
Idea: bias scanning towards the local network
Used in Code Red II:
P = 0.50: choose an address from the local class-A network (/8)
P = 0.38: choose an address from the local class-B network (/16)
P = 0.12: choose a random address
Allows the worm to spread more quickly
Code Red II (August 2001) [Worms]
Began: August 4th, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named "Code Red II" because it contained a comment stating so; however, the codebase was new.
Infected IIS on Windows 2000 successfully but caused a system crash on Windows NT.
Installed a root backdoor on the infected machine.
Improvements: Multi-vector [Network Security II]
Idea: use multiple propagation methods simultaneously
Example: Nimda
IIS vulnerability
Bulk e-mails
Open network shares
Defaced web pages
Code Red II backdoor
Figure: Onset of Nimda. x-axis: time (PDT), 18 September 2001; y-axis: HTTP connections/second seen at LBNL (only confirmed Nimda attacks). Annotation: 1/2 hour.
Improvements: Hit-list scanning [Network Security II]
Problem: spread is slow during the initial phase
Idea: collect a list of promising targets before the worm is released
Low-profile 'stealthy' scan
Distributed scan
Spider/crawler
Surveys or databases
Attacks from other worms
Low overhead, since the list shrinks quickly
Improvements: Permutation scanning [Network Security II]
Problem: many addresses are scanned multiple times
Idea: generate a random permutation of all IP addresses and scan in that order
Hit-list hosts start at their own position in the permutation
When an already infected host is found, restart at a random point
Can be combined with a divide-and-conquer approach
Figure: scan order along the permutation: H0, H4, H1, H3, H2; H1 (restart)
Warhol worms [Network Security II]
A worm using both hit-list and permutation scanning could infect most vulnerable targets in under 1 hour
Simulation: compare
10 scans/second (Code Red)
100 scans/second
100 scans/second plus a 10,000-entry hit list (Warhol worm)
First Warhol worm 'in the wild': SQL Slammer
"In the future, everyone will have 15 minutes of fame"
-- Andy Warhol
Figure: number of instances vs. time (hours)
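The logistic model from the analytical-model slide, evaluated for the three scan scenarios compared on this slide, as an added Python example that is not part of the original deck. It assumes K scales with scan rate under the model's uniform-random-address assumption, treats a hit list as a larger initial infected fraction, and uses an assumed vulnerable population of 360,000 (close to Code Red I's 359,000 infections).

```python
"""Logistic (random-scanning) worm model: da/dt = K a (1 - a)."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniformly random scanner picks from


def compromise_rate(scans_per_sec: float, vulnerable: int) -> float:
    """K in 1/hour: rate at which one infected host finds a new vulnerable
    host when every scan hits a uniformly random address (model assumption)."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE * 3600.0


def infected_fraction(t_hours: float, k: float, a0: float) -> float:
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0.
    With a0 = 1/2 this is the slide's e^{K(t-T)} / (1 + e^{K(t-T)}) at T = 0."""
    g = a0 * math.exp(k * t_hours)
    return g / (1.0 - a0 + g)


def hours_to_fraction(target: float, k: float, a0: float) -> float:
    """Invert the logistic curve: the time at which a(t) reaches `target`."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def warhol_comparison(vulnerable: int = 360_000, target: float = 0.9) -> dict:
    """Hours to infect `target` of the population for the slide's scenarios.
    Scan rates and hit-list size come from the slide; `vulnerable` is assumed."""
    scenarios = {
        "10 scans/s (Code Red)": (10.0, 1),
        "100 scans/s": (100.0, 1),
        "100 scans/s + 10,000-entry hit list": (100.0, 10_000),
    }
    result = {}
    for name, (rate, initial_hosts) in scenarios.items():
        k = compromise_rate(rate, vulnerable)
        result[name] = hours_to_fraction(target, k, initial_hosts / vulnerable)
    return result


if __name__ == "__main__":
    for name, hours in warhol_comparison().items():
        print(f"{name:38s} {hours * 60:7.1f} minutes to 90% infection")
```

The hit-list scenario reaches 90% in roughly eleven minutes under these assumptions, which is why early detection sensors matter more than post-hoc signature distribution for this class of worm.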
Flash worms [Network Security II]
A flash worm would start with a hit list that contains most or all vulnerable hosts
Realistic scenario: a complete scan takes 2 hours with an OC-12. Internet warfare?
Problem: size of the hit list
9 million hosts = 36 MB
Compression works: 7.5 MB
Can be sent over a 256 kbps DSL link in 3 seconds
Extremely fast: full infection in tens of seconds!
Surreptitious worms [Network Security II]
Idea: hide worms in inconspicuous traffic to avoid detection
Leverage P2P systems?
High node degree
Lots of traffic to hide in
Proprietary protocols
Homogeneous software
Immense size (30,000,000 Kazaa downloads!)
Conclusion: A Cyber-CDC? [Network Security II]
The paper advocates the creation of a CDC equivalent for computer worms and viruses
Responsibilities of the CDC:
Deploy sensors to detect outbreaks quickly
Rapidly analyze new pathogens
Propagate signatures to isolate the worm/virus
Do research in the field
The CDC should be collaborative, but not all information should be available to the public: a "partially open" approach
Worst-case worm
Question: how much economic damage would a worst-case worm attack cause to the US?
Estimates based on:
Worst-case worm
Linear damage model: lost productivity, repair time, lost data, damage to systems
Assumption: Murphy's Law
Cost model
Dtotal = total cost of damage
Ninf = number of systems infected
Dsystem = damage per system
Ppenetration = fraction of systems infected
Nvulnerable = potential infectees
Drec = cost of system recovery
Ttime = total downtime (hr)
Dtime = cost of downtime per hour
Pdata = probability of unrecoverable data loss
Ddata = cost of data loss
Pbios = probability of system loss due to hardware damage
Dbios = replacement value of the computer
Cost model (cont.)
Dtotal = Ninf * Dsystem
Ninf = Ppenetration * Nvulnerable
Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios
The attack: target
Target: Windows SMB/CIFS file sharing server
Part of all distributions since Windows 98
Desktop file sharing, printer sharing, centralized Windows file servers
Is on by default
Assumption: the attacker knows a "zero day" exploit for SMB/CIFS
The attack: propagation
Internet spread
Slammer infected tens of thousands of servers in less than 10 minutes.
Flash worms: spread in under 1 minute
Spread through gateways
Slow phase: mail and web vectors require some level of human action within an organization
Conservative upper bound: 1 day. Probably much faster.
Intranet spread
Nearly instantaneous
Fast LANs: infection of a new victim in under 1 second
Can use a hit list to spread even faster
Damage estimations
Penetration (Ppenetration): 0.60 of all vulnerable machines
Number of vulnerable machines (Nvulnerable): 85 million
Considers only business and government machines (2001); home computers are not included
Recovery (Drec): $20 per system
Down time: Dtime = 35 $/hr, Ttime = 16 hr (2 days)
Damage (cont.)
Data loss (Ddata): $2,000
Probability of unrecoverable data loss (Pdata): 0.1
Probability of unrecoverable machines (Pbios): 0.1
Cost for lost machines (Dbios): $2,400
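The linear cost model evaluated with the slide's parameter values, as an added Python example that is not part of the original deck. Parameter names follow the cost-model slide; the only additions are a term-by-term breakdown of Dsystem and a helper that names the dominant term, so the effect of each defense in the conclusion can be read off the model.

```python
"""Linear cost model for a worst-case worm, with the slide's parameter values."""

# Values as given on the damage-estimation slides (2001 US business and
# government machines only; home computers excluded).
PARAMS = {
    "P_penetration": 0.60,     # fraction of vulnerable systems infected
    "N_vulnerable": 85_000_000,
    "D_rec": 20.0,             # $ per system to recover
    "T_time": 16.0,            # hours of downtime (2 days on the slide)
    "D_time": 35.0,            # $ per hour of downtime
    "P_data": 0.1,             # probability of unrecoverable data loss
    "D_data": 2000.0,          # $ cost of that data loss
    "P_bios": 0.1,             # probability of hardware loss
    "D_bios": 2400.0,          # $ replacement value of the machine
}


def damage_per_system(p: dict) -> dict:
    """Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios,
    returned term by term so the dominant cost component is visible."""
    return {
        "recovery": p["D_rec"],
        "downtime": p["T_time"] * p["D_time"],
        "data_loss": p["P_data"] * p["D_data"],
        "hardware": p["P_bios"] * p["D_bios"],
    }


def total_damage(p: dict) -> float:
    """Dtotal = Ninf * Dsystem, with Ninf = Ppenetration * Nvulnerable."""
    n_inf = p["P_penetration"] * p["N_vulnerable"]
    return n_inf * sum(damage_per_system(p).values())


def dominant_term(p: dict) -> str:
    """Name of the largest per-system cost term (where a defense pays most)."""
    terms = damage_per_system(p)
    return max(terms, key=terms.get)


if __name__ == "__main__":
    print("per-system damage:", damage_per_system(PARAMS))
    print(f"total damage: ${total_damage(PARAMS) / 1e9:.2f} billion")
    print("dominant term:", dominant_term(PARAMS))
    # Effect of one defense from the conclusion slide: solid backups (P_data -> 0)
    print(f"with backups: ${total_damage({**PARAMS, 'P_data': 0.0}) / 1e9:.2f} billion")
```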
Conclusion
Damage potential is huge; preventive measures are needed:
Solid data backups
Protect BIOSes
Mail-worm defenses
Improved recovery procedures
Reduce monocultures
Vulnerable spots (SMB/CIFS) are ubiquitous and hence merit special defenses
References
[Network Security II] Network Security II: lecture 22, COMP529 - Computer Network Protocols and Systems. Andreas Haeberlen. www.cs.rice.edu/~eugeneng/teaching/f04/comp529/lectures/lecture22.ppt
[Worms] Worms. Pandurang Kamat. www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt