View
219
Download
0
Embed Size (px)
Citation preview
Outline Internet Quarantine: Requirements for
Containing Self-Propagating Code
Netbait: a Distributed Worm Detection Service
Midgard Worms: Sudden Nasty Surprise from a Large Resilient Zombie Army
Discussion
Internet Quarantine Outline
SI epidemic model and Code Red propagation model.
Simulations on Code Red Propagation and Containment System Deployment.
Conclusion
How to mitigate the threat of worms
Three approaches Prevention Treatment Containment:
E.g. firewall, filters, others? Containment is used to protect individual
networks, and isolate infected hosts Most viable of the three strategies
Automated Do not require universal deployment on hosts
SI Model (1)
N
IS
dt
dI N
IS
dt
dS
In this work, a vulnerable machine is described as susceptible (S) machine.
A infected machine is described as infected (I). Let N be the number of vulnerable machines. Let S(t) be the number of susceptible host at time t,
and s(t) be S(t)/N, where N = S(t) + I(t). Let I(t) be the number of infected hosts at time t, and
i(t) be I(t)/N. Let be the contact rate of the worm. Define:
SI Model (2)
)1(
)()(1
iidt
di
titsNN
SI
dt
di
)(
)(
1)(
Tt
Tt
e
eti
Solving the differential equation:
where T is a constant
Code Red Propagation Model (1)
Code Red generates IPv4 address by random. Thus, there are totally 2^32 addresses.
Let r be the probe rate of a Code Red worm.
Thus:
322
Nr
Code Red Propagation Model (2)
Two problems Cannot model preferential targeting
algorithm. E.g. select targets form address ranges closer
to the infected host.
The rate only represents average contact rate. E.g. a particular epidemic may grow
significantly more quickly by making a few lucky targeting decisions in early phase.
Code Red Propagation Model (3)
Example on 100 simulations on Code Red propagation model:
After 4 hours: 55% on average 80% in 95th percentiles 25% in 5th percentiles
The Problem Is…
How effectively can any containment approach counter a worm epidemic on the Internet?
What properties should be considered?
Modeling Containment Systems (1)
A containment system has three important properties:
Reaction time – the time necessary for Detection of malicious activity, Propagation of the containment information
to all hosts participating the system, and Activating any containment strategy.
Modeling Containing Systems (2)
Containing Strategy
Address blacklisting Maintain a list of IP addresses that have been
identified as being infected. Drop all the packets from one of the
addresses in the list. E.g. Mail filter. Advantage: can be implemented easily with
existing firewall technology.
Modeling Containing Systems (3)
Content filtering Requires a database of content signatures known to
represent particular worms. This approach requires additional technology to
automatically create appropriate content signatures. Advantage: a single update is sufficient to describe
any number of instances of a particular worm implementation.
Deployment scenarios Ideally, a global deployment is preferable. Practically, a global deployment is impossible. May be deploying at the border of ISP networks.
Idealized Deployment (1)
Simulation goal To find how short the reaction time is necessary to
effectively contain the Code-Red style worm.
Simulation Parameters: 360,000 vulnerable hosts out of 232 hosts. Probe rate of a worm : 10 per sec.
Containment strategy implementation Address blacklisting
Send IP addresses to all participating hosts. Content filtering
Send signature of the worm to all participating hosts.
Assumptions
A perfect containment system Universally deployed systems The information is distributed
simultaneously
Idealized Deployment (2)
Result: content filtering is more effective.
20 min 2 hr
Number ofsusceptiblehost decreases
Wormsunchecked
Idealized Deployment (3)
Next goal: To find the relationship between
containment effectiveness and worm aggressiveness.
Figures are in log-log scale.
Idealized Deployment (4)
Percentage of infected hosts
Address blacklisting is hopelesswhen encountering aggressive worms.
Practical Deployment (1)
Network Model AS sets in the Internet:
routing table on July 19,2001 1st day of the Code Red v2 outbreak.
A set of vulnerable hosts and ASes: Use the hosts infected by Code Red v2 during
the initial 24 hours of propagation. A large and well-distributed set of vulnerable
hosts. 338,652 hosts distributed in 6,378 ASes.
Practical Deployment (2)
Deployment Scenarios Use content filtering only. Filtering firewall are deployed on the
borders of both the customer networks, and ISP’s networks.
Deployment of containment strategy.
Practical Deployment (3)
Reaction time: 2hrs
Difference inperformancebecause of thedifference in pathcoverage.
Conclusion
Explore the properties of the containment system Reaction time Containment strategy Deployment scenario
In order to contain the worm effectively Require automated and fast methods to detect
and react to worm epidemics. Content filtering is the most preferable strategy. Have to cover all the Internet paths when
deploying the containment systems.
Outline Internet Quarantine: Requirements for
Containing Self-Propagating Code
Netbait: a Distributed Worm Detection Service
Midgard Worms: Sudden Nasty Surprise from a Large Resilient Zombie Army
Discussion
Main Idea
Netbait: A planetary-scale service for
distributed detection of Internet worm Identify the machines on a given network
been comprised Based on the collective view of a set of
geographically distributed machines An efficient distributed query processing
system
Worm detection Internet worms: probe remote machines
and explore remote system flaws Intrusion detection systems, such as
Snort, can detect the exploits The problem is: how to identify those
infected machines? Why use multiple machines? Why use multiple distributed machines?
NETBAIT Design A distributed query processing system Each node keeps a logical database table
of intrusion detection system data Queries are expressed using SQL Queries are processed parallely, with the
query results compressed Load balanced clients
Data Collection and Indexing
Each node observes the requests for network services
Log the matches into the database Two types of data
Without signature With signature
Overlay Construction and Maintenance
A spanning tree structure, capable of Multicasting of queries Collection of results
Use Tapestry Node-ID Every node as the root node of its own
unique spanning tree Tree construction Tree maintainence
Distributed Query Processing
Queries are distributed to the nodes for evaluation
Two classes of queries The logical Table Load balancing
“Netbait root” “Tapestry root”
Aggregation and Encoding
Discussion
Netbait and Sequoia The similarity
Distributed Sharing security information
What could we learn from it? Overlay construction
Outline Internet Quarantine: Requirements for
Containing Self-Propagating Code
Netbait: a Distributed Worm Detection Service
Midgard Worms: Sudden Nasty Surprise from a Large Resilient Zombie Army
Discussion
Midgard worms
Midgard The worms which build up a highly
resilient code dissemination structure based on creating an overlay network of compromised nodes
Structure
A resilient self-organizing overlay of zombie nodes
The attacker could disseminating the exploit code to the zombies
Could be trees, hypercube, butterflies or a random graph
One kind: Revere
Formation and Dissemination Discover other zombies
The “physical parent Wait for infection and probing Three-way-handshake procedure Share lists of zombies
Parent selection Some permanent parents Exchange subset of parent list
Push-based design Public key + authenticity
Defending against Midgard
Limit the spread of Midgard Finding Midgard Worm Zombies
Searching for Listeners Searching for heartbeats Traffic analysis Tracing the Overlay
Zombie Disinfection Protecting Uninfected Machines
Outline Internet Quarantine: Requirements for
Containing Self-Propagating Code
Netbait: a Distributed Worm Detection Service
Midgard Worms: Sudden Nasty Surprise from a Large Resilient Zombie Army
Discussion