Active Worm and Its Defense 1
Active Worm and Its Defense
CSE651: Network Security
Worm vs. Virus
• Worm: a program that propagates itself over a network, reproducing itself as it goes.
• Virus: a program that searches out other programs and infects them by embedding a copy of itself in them.
Active Worm vs. [D]DoS
DDoS stands for Distributed Denial of Service attack. Points of comparison:
• Propagation method
• Goal: congestion, resource appropriation
• Rate of distribution
• Scope of infection
History
Source: http://snowplow.org/tom/worm/history.html
• Morris Worm, the first worm "virus", released on November 2, 1988 by Robert Tappan Morris, who was then a 23-year-old doctoral student at Cornell University
• Code Red worm, July 2001: infected more than 350,000 Microsoft IIS servers. The attack finished in 14 hours
• Slammer worm, January 2003: infected nearly 75,000 Microsoft SQL servers. The attack finished in less than one hour
• MyDoom worm, February 2004: infected a large number of hosts, which then automatically and successfully launched DDoS attacks against a few popular websites
The Morris Worm of 1988
• First "worm" program, released by Robert T. Morris of Cornell University
• Affected DEC's VAX and Sun Microsystems' Sun 3 systems
• Spread: ~6000 victims, i.e., 5-10% of hosts at that time; more machines were disconnected from the net to avoid infection
• Cost: some estimate $98 million; other reports: <$1 million
• Triggered the creation of CERT (Computer Emergency Response Team)
Recent Worms
• July 13, 2001: Code Red V1
• July 19, 2001: Code Red V2
• Aug. 04, 2001: Code Red II
• Sep. 18, 2001: Nimda
• …
• Jan. 25, 2003: SQL Slammer
• More recent: SoBig.F, MSBlast, …
How an Active Worm Spreads
• Autonomous: no need for human interaction
[Diagram: infected machine -- scan/probe --> target machine; then transfer a copy of the worm to the target]
Basic Propagation Method
• Network worm: uses port scanning to find vulnerabilities on the targets
• Application worm: propagates through email, instant messaging, file sharing on operating systems, P2P file sharing systems, or other applications
• Hybrid worm
Delivery Method
How is the worm code delivered to vulnerable hosts?
• Self-contained / self-propagation: each newly infected host becomes a new source and sends the worm code to the other hosts it infects
• Embedded: embedded in infected files, such as emails or shared files
• Second channel: the newly infected host uses a second channel such as TFTP (Trivial File Transfer Protocol) to download the worm code from a central source
Scanning Strategy (1)
• Random scanning: probes random addresses in the IP address space (Code Red v2)
• Selective random scanning: a set of addresses that more likely belong to existing machines is selected as the target address space
• Hitlist scanning: probes addresses from an externally supplied list
• Topological scanning: uses information found on the compromised host (email worms)
• Local subnet scanning: preferentially scans targets that reside on the same subnet (Code Red II and Nimda)
Scanning Strategy (2)
• Routable scanning: chooses routable IP addresses as scan targets
• DNS scanning: chooses hosts that have a DNS name as scan targets
• Permutation scanning: each newly infected host gets a different block of IP addresses
Synchronization between Infected Hosts (or Worm Instances)
• Asynchronous: each infected host behaves individually, without synchronization with other infected hosts
• Synchronized: infected hosts synchronize with each other, e.g., through a central server
Propagation Activity Control
• Non-stopping: keeps port scanning and never stops
• Time control: preset stop and restart timers are used to control the port scanning activity
• Self-adjustment: self-control according to the environment (Atak worm) or to an estimate of the number of infected hosts (Self-Stop worm)
• Centralized control: controlled by the attacker
Scan Rate
• Constant scan rate: each infected host keeps a constant scan rate, limited by the computational ability and outgoing bandwidth of the host
• Random varying scan rate: the scan rate changes randomly
• Smart varying scan rate: the scan rate changes according to rules derived from the attack policy and the environment
• Controlled varying scan rate: the scan rate changes according to the attacker's control commands
Modularity
• Non-modular
• Modular: modular design in the worm code, so that new attack modules can be sent to the infected hosts and plugged in after infection
Organization
• Decentralized: no organization or cooperation among infected hosts, and no communication between the infected hosts and the attacker
• Centralized organization: organized through Internet Relay Chat (IRC) or other methods, as botnets do, so that the attacker can control the infected hosts
Payload with the Worm Code
• Spamming: code capable of carrying out spamming
• DDoS attack: code capable of carrying out DDoS attacks
• Sniffing: code that watches for interesting clear-text data passing by the infected hosts
• Spyware: spyware code
• Keylogging: code that records and retrieves the passwords typed on the infected hosts
• Data theft: code that steals private data
Techniques for Exploiting Vulnerability
• fingerd (buffer overflow)
• sendmail (bug in the "debug mode")
• rsh/rexec (guessing weak passwords)
Active Worm Defense
• Modeling
• Infection Mitigation
Worm Behavior Modeling (1)
Propagation model
• V is the total number of vulnerable nodes
• N is the size of the address space
• i(t) is the percentage of infected nodes among V
• r is the scan rate of the worm
In an interval dt the infected nodes send r*i(t)*V*dt scans; each scan hits a vulnerable node with probability V/N, and that node is still uninfected with probability 1 - i(t):
$$V \, di(t) = \big(r \cdot i(t) \cdot V \cdot dt\big) \cdot \big(1 - i(t)\big) \cdot \frac{V}{N}$$
Dividing by V dt gives the propagation model:
$$\frac{di(t)}{dt} = \frac{r V}{N}\, i(t)\,\big(1 - i(t)\big)$$
Worm Behavior Modeling (2)
Propagation model (discrete time)
• M(i): the number of overall infected hosts at time tick i
• N(i): the number of un-infected vulnerable hosts at time tick i
• E(i): the number of newly infected hosts from time tick i to time tick i+1
• T: the total number of IP addresses, i.e., 2^32 for IPv4
• N(0): the number of vulnerable hosts on the Internet before the worm attack starts
• E(0) = 0, M(0) = M0
Modeling P2P-based Active Worm Attacks
Basic worm attack strategy: Pure Random-based Scan (PRS)
• Randomly selects the attack victim
• Adopted by Code Red I and Slammer
P2P-based attack strategies:
• Offline P2P-based Hit-list Scan (OPHLS)
• Online P2P-based Scan (OPS)
Both strategies exploit P2P system features.
Background: P2P Systems
• Host-based overlay system
• Structured and unstructured
• Rich connectivity
• Very popular:
  – 3,467,860 users in the FastTrack P2P system;
  – 1,420,399 users in the eDonkey P2P system;
  – 1,155,953 users in the iMesh P2P system;
  – 103,466 users in the Gnutella P2P system.
Two P2P-based Worm Attack Strategies
• Offline P2P-based Hit-list Scan (OPHLS): P2P host addresses are collected offline as a hit-list; the hit-list is attacked first, then the Internet via PRS
• Online P2P-based Scan (OPS): runtime P2P neighbor information is used; P2P neighbors are attacked, and the extra attack resource is applied to attacking the Internet via PRS
Online-based P2P Worm Attack Strategy
Performance Comparison of Attack Strategies
[Figure: "Attack Performance vs. Scan Approaches". x-axis: Time (45 to 75); y-axis: Infection Ratio (0 to 1); curves: PRS, OPHLS, OPSS]
• The P2P-based attack strategies overall outperform the PRS attack strategy
• The OPHLS attack strategy achieves the best performance compared to all other online-based attack strategies
Sensitivity of Attack to P2P System Size
[Figure: "The Sensitivity of P2P System Size". x-axis: Time (45 to 70); y-axis: Infection Ratio (0 to 1); curves: PRS, OPSS(1000), OPSS(5000), OPSS(10000), OPUS(1000), OPUS(5000), OPUS(10000)]
• As the P2P system size increases, the attack performance becomes consistently better for all attack strategies
Detection
• Host-based detection
• Network-based detection
• Detecting large-scale worm propagation: a global distributed traffic monitoring framework
  – Distributed monitors and a data center
  – Worm port scanning and background port scanning
Distributed Worm Monitoring Systems
Detection Schemes
Assumed worm behavior:
• Pure random scan
• Each worm instance takes part in the attack all the time
• Constant scan rate
• The overall port-scanning traffic volume therefore reflects the number of worm instances (infected hosts)
• The total number of worm instances and the overall port-scanning traffic volume increase exponentially during worm propagation
Count-based and trend-based detection schemes
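The two modeling slides give only the symbols of the discrete PRS propagation model, and this slide only names the count-based and trend-based schemes. As an added example (mine, not from the lecture or the cited papers), the block below simulates that model with the slides' symbols M(i), N(i), E(i), T and then applies both detection schemes to the overall scan volume it produces. The Slammer-like parameters (75,000 vulnerable hosts, one initial infection, 4,000 scans per tick per infected host) and the detector thresholds are my assumptions.

```python
import math

T = 2 ** 32  # total number of IPv4 addresses (the slides' T)

def simulate(N0, M0, r, ticks):
    """Discrete-time pure random scan (PRS) propagation with the slides' symbols.

    M[i]: overall infected hosts at tick i, N[i]: un-infected vulnerable hosts,
    E[i]: hosts newly infected between tick i and i+1; E[0] = 0, M[0] = M0.
    Assumption (mine, not from the slides): each infected host sends r scans
    per tick to uniformly random addresses, so one un-infected vulnerable host
    escapes all r*M[i] scans with probability (1 - 1/T)**(r*M[i]).  Expected
    values are propagated, so the run is deterministic.
    """
    M, N, E = [float(M0)], [float(N0)], [0.0]
    for i in range(1, ticks + 1):
        M.append(M[i - 1] + E[i - 1])            # E[i-1] hosts got infected
        N.append(N[i - 1] - E[i - 1])
        miss = math.exp(r * M[i] * math.log1p(-1.0 / T))  # (1-1/T)^(r*M[i])
        E.append(N[i] * (1.0 - miss))             # never exceeds N[i]
    return M, N, E

def scan_volume(M, r):
    """Overall port-scan traffic per tick: r scans from every infected host."""
    return [r * m for m in M]

def count_alert(volumes, threshold):
    """Count-based detection: first tick whose scan volume reaches threshold."""
    for i, v in enumerate(volumes):
        if v >= threshold:
            return i
    return None

def trend_alert(volumes, k, growth):
    """Trend-based detection: first tick i such that the volume grew by more
    than a factor `growth` on each of the k ticks ending at i (exponential
    rise), independent of the absolute level.  None if never."""
    streak = 0
    for i in range(1, len(volumes)):
        streak = streak + 1 if volumes[i] > growth * volumes[i - 1] else 0
        if streak >= k:
            return i
    return None

if __name__ == "__main__":
    # Assumed Slammer-like parameters; 300 ticks of propagation.
    M, N, E = simulate(N0=75_000, M0=1, r=4_000, ticks=300)
    S = scan_volume(M, 4_000)
    print("trend alert at tick", trend_alert(S, k=5, growth=1.05))
    print("count alert (1e6 scans/tick) at tick", count_alert(S, 1e6))
    print("infected after 300 ticks: %.0f of %d" % (M[-1], 75_001))
```

With these parameters the trend detector fires within a handful of ticks while the count detector waits until the scan volume is already large, which is the trade-off between the two schemes.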
Infection Mitigation
• Patching
• Filtering / intrusion detection (signature based)
• DAW (Distributed Anti-Worm Architecture)
• TCP/IP stack reimplementation: bound connection requests
Goals of DAW
• Impede worm progress, allow human intervention
• Detect worm-infected clients
• Ensure congestion issues are minimized: little routing performance impact
Shigang Chen and Yong Tang. Slowing down Internet worms. In Proceedings of the 24th International Conference on Distributed Computing Systems, March 2004.
DAW
Requirements:
• Distributed; sensors act independently
• NIDS (rather than HIDS)
• Limited responsibility, ensures availability of nodes
DAW
Active Worm Detection in DAW
User behavior:
• Few failed connections (DNS)
• Predictable traffic generation throughout the "day"
• Relatively uniform intranet traffic distribution
Worm behavior:
• Sampling shows a 99.96% failure rate in scans
• Spikes in the failure:request ratio
• Traffic pattern disproportionately favors infected clients
Active Worm - Failures
• TCP only, random scanning
• Failure signals: ICMP Unreachable or TCP RST response
• 99.96% failure (80/tcp)
sf rN
Vr
'1
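The DAW slides contrast a user's few failed connections with a scanner's roughly 99.96% failure rate and propose bounding connection requests. As an added example (mine, not code from the DAW paper or the lecture), the block below computes each source host's failure:request ratio from constructed connection-outcome records, flags hosts that look like random scanners, and applies a simplified per-host bound on connection requests. The record format, the addresses and the thresholds are my assumptions.

```python
from collections import defaultdict

FAILURE_OUTCOMES = {"rst", "icmp_unreach"}  # the slide's failure responses

# Constructed sample records (not real traffic): one tuple per outbound TCP
# connection request seen by a DAW-style network sensor:
# (source host, destination, destination port, outcome).
SAMPLE = [
    ("10.0.0.5", "10.0.0.53", 53, "synack"),           # ordinary user: DNS
    ("10.0.0.5", "203.0.113.10", 80, "synack"),
    ("10.0.0.5", "203.0.113.11", 443, "synack"),
    ("10.0.0.5", "203.0.113.12", 80, "rst"),           # one failed request
    ("10.0.0.7", "203.0.113.20", 22, "rst"),           # two failures, but
    ("10.0.0.7", "203.0.113.21", 22, "icmp_unreach"),  # too few to judge
]
# 10.0.0.9 behaves like a random-scanning worm on 80/tcp: 500 requests to
# spread-out addresses, only one of which reaches a listening web server.
SAMPLE += [("10.0.0.9", "198.51.100.%d" % (n % 250), 80,
            "synack" if n == 137 else "icmp_unreach") for n in range(500)]

def failure_stats(records):
    """Per source host: (requests, failures, failure:request ratio)."""
    req, fail = defaultdict(int), defaultdict(int)
    for src, _dst, _port, outcome in records:
        req[src] += 1
        if outcome in FAILURE_OUTCOMES:
            fail[src] += 1
    return {s: (req[s], fail[s], fail[s] / req[s]) for s in req}

def suspected_infected(records, min_requests=50, max_ratio=0.9):
    """Flag sources whose failure ratio looks like scanning (the slide's
    99.96% versus a user's few failures).  min_requests keeps a user with
    two failed lookups (ratio 1.0) from being flagged; both thresholds are
    illustrative choices, not DAW's published values."""
    return sorted(s for s, (n, _f, ratio) in failure_stats(records).items()
                  if n >= min_requests and ratio > max_ratio)

def bound_requests(records, limit):
    """Simplified 'bound connection requests' mitigation: admit at most
    `limit` requests per source in this observation window and defer the
    rest, which slows a scanner far more than it slows a normal user."""
    seen = defaultdict(int)
    admitted, deferred = [], []
    for rec in records:
        seen[rec[0]] += 1
        (admitted if seen[rec[0]] <= limit else deferred).append(rec)
    return admitted, deferred
```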
Summary
• Worms can spread quickly: 359,000 hosts in < 14 hours
• Home / small business hosts play a significant role in global Internet health: no system administrator, slow response
• Can't estimate infected machines by the number of unique IP addresses: the DHCP effect appears to be real and significant
• Active worm defense: modeling, infection mitigation