
Worm Attack

Yuan Xue

Background
  • What is a worm?
    • Self-propagating malicious code: once it has infected a host, it uses that host to locate and infect further hosts without any user action
  • History
    • The Morris worm (1988) was one of the first worms distributed over the Internet
    • Timeline of notable worms
      • http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
  • Two examples
    • Code Red – 2001, MS IIS
    • Slammer – 2003, MS SQL Server
  • Two topics
    • System vulnerability (the bug the worm exploits to get in)
    • Propagation model (how fast it spreads once it is in)
Slammer (Sapphire) Worm
  • When
    • Jan 25, 2003
  • How
    • Exploited a stack buffer overflow in MS SQL Server 2000 / MSDE 2000 (a known vulnerability; Microsoft had published the fix in July 2002)
  • Scale
    • At least 74,000 hosts
  • Features
    • Fast propagation (more than 55 million scans per second at its peak, roughly two orders of magnitude faster than the Code Red worm)
    • No malicious payload beyond propagation; the damage came from the scanning traffic itself
  • Countermeasures
    • Patch
    • Firewall (block port 1434/udp)
Scale

Figure (map of infected hosts): the diameter of each circle is a function of the logarithm of the number of infected machines, so large circles visually under-represent the number of infected hosts in order to minimize overlap with adjacent locations.

Details of Slammer Worm
  • SQL Server vulnerability
    • The SQL Server Resolution Service (SSRS) contains a stack buffer overflow that allows an attacker to execute arbitrary code by sending a crafted request to port 1434/udp
    • The code carried in such a request runs on the server host with the privileges of the SQL Server service account
  • Slammer worm
    • Crafts 376-byte packets and sends each one to a chosen IP address on port 1434/udp; the whole worm fits in that single UDP datagram, so no connection set-up is needed
    • Random scanning
      • Target IP addresses are chosen at random
    • If the packet reaches a vulnerable machine, that machine becomes infected and immediately begins scanning and propagating in turn
Buffer Overflow

A buffer overflow is an anomalous condition in which a program writes data beyond the allocated end of a buffer in memory, corrupting whatever is stored next to it.

  • The techniques used to exploit a buffer overflow vary with the architecture, the operating system and the memory region in which the buffer lives
    • Heap-based buffer overflow
    • Stack-based buffer overflow
  • Regions of a process's memory (Linux system memory layout)
    • Program code and data: the program's instructions, plus its initialized and uninitialized static and global data
    • Run-time heap (managed with malloc/calloc/free)
    • User stack, used whenever a function call is made: it holds the call's arguments, the return address, the saved frame pointer and the callee's local variables

Buffer Overflow
  • Stack-based buffer overflow
    • An example: while function() runs, the stack holds (from high to low addresses) the arguments c, b, a, the return address into main, the saved frame pointer, and then the locals buffer1 and buffer2

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    /* locals are placed on the stack directly below the saved frame pointer and return address */
}

int main(void) {
    function(1, 2, 3);
    return 0;
}

Buffer Overflow
  • Stack-based buffer overflow
    • Overwrite a function's return address, which in turn alters the program's execution path

#include <string.h>

void function(char *str) {
    char buffer[16];
    strcpy(buffer, str);   /* no length check: copies until the NUL, past the end of buffer */
}

int main(void) {
    char *str = "I am greater than 16 bytes";   /* 26 characters plus the terminating NUL = 27 bytes */
    function(str);
    return 0;
}

  • The 11 bytes that do not fit in buffer spill upward into the adjacent stack slots, typically the saved frame pointer and then the return address
  • A function's return address is the address of the next instruction in memory, which is executed immediately after the function returns; once it is overwritten, the "return" jumps wherever the attacker chose
Buffer Overflow
  • Stack-based buffer overflow
    • Overwrite a function's return address, which in turn alters the program's execution path
    • An attacker can spawn a shell (with root permissions when the vulnerable program runs as root or setuid root) by redirecting execution to code that does so
    • If there is no such code in the program being exploited
      • Place the code to execute (the shellcode) in the overflowing buffer itself
      • Overwrite the return address so that it points back into the buffer; the shellcode then runs when the function returns
      • The shellcode reaches the program through whatever input fills the buffer, e.g. environment variables or program input parameters
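The overwrite described on the last three slides, as an added example that is not part of the original presentation: it models function()'s stack frame as a struct on a little-endian 64-bit machine (the field order, the LEGIT_RET and SAVED_FP values and the target address 0x7fffd0c0b0a0 are assumptions made for the illustration), runs the unchecked strcpy-style copy against it, and places beside it the bounded copy that the "use of safe libraries" defence on the later slide amounts to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the stack frame set up by function() on the slide, on a
 * little-endian 64-bit machine: the 16-byte local buffer lies directly below
 * the saved frame pointer and the return address, so an overlong strcpy()
 * runs upward into both. Real frames may add padding or a canary. */
struct frame {
    char     buffer[16];
    uint64_t saved_fp;
    uint64_t ret_addr;
};

#define LEGIT_RET 0x0000000000401234ULL   /* hypothetical: instruction after the call */
#define SAVED_FP  0x00007ffc0000ff00ULL   /* hypothetical: caller's frame pointer */

/* Vulnerable copy: behaves like strcpy(buffer, str), copying up to and
 * including the NUL with no length check. It writes through the raw frame
 * bytes so the spill lands on the neighbouring fields, which is what a real
 * overflow does on the live stack (there, as undefined behaviour). */
void vulnerable_copy(struct frame *f, const char *str)
{
    size_t n = strlen(str) + 1;
    if (n > sizeof *f)                  /* keep the model itself in bounds */
        n = sizeof *f;
    memcpy((unsigned char *)f, str, n);
}

/* Hardened copy: rejects anything that does not fit together with its NUL. */
int safe_copy(struct frame *f, const char *str)
{
    size_t n = strlen(str);
    if (n >= sizeof f->buffer)
        return -1;
    memcpy(f->buffer, str, n + 1);
    return 0;
}

/* Attacker input: 16 bytes fill the buffer, 8 more clobber saved_fp, then the
 * target address is written little-endian over ret_addr. Only its six low
 * bytes are sent: a user-space x86-64 address has two high zero bytes and
 * strcpy() stops at the first zero, so the attacker relies on the NUL that
 * strcpy() appends plus the zero byte already present in the frame. */
const char *attack_string(uint64_t target)
{
    static char s[40];
    memset(s, 'A', 24);
    for (int i = 0; i < 6; i++)
        s[24 + i] = (char)((target >> (8 * i)) & 0xff);
    s[30] = '\0';
    return s;
}

/* Return address left in the frame after the vulnerable copy. */
uint64_t ret_after_vulnerable(const char *input)
{
    struct frame f = { {0}, SAVED_FP, LEGIT_RET };
    vulnerable_copy(&f, input);
    return f.ret_addr;
}

/* Result of the hardened copy: 0 accepted, -1 rejected; -2 would mean the
 * return address was disturbed, which the bounds check makes impossible. */
int safe_copy_status(const char *input)
{
    struct frame f = { {0}, SAVED_FP, LEGIT_RET };
    int st = safe_copy(&f, input);
    return f.ret_addr == LEGIT_RET ? st : -2;
}

int main(void)
{
    uint64_t target = 0x00007fffd0c0b0a0ULL;   /* hypothetical: where the shellcode sits */
    printf("before : ret=%#llx\n", (unsigned long long)LEGIT_RET);
    printf("strcpy : ret=%#llx\n", (unsigned long long)ret_after_vulnerable(attack_string(target)));
    printf("checked: status=%d (ret untouched)\n", safe_copy_status(attack_string(target)));
    return 0;
}
```

The detail worth noticing is the terminator: the attacker sends 30 bytes, not 32, and still ends up with a complete 8-byte return address, because strcpy()'s own NUL and the zero byte already stored in the frame finish the job.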
Propagation Model
  • Random scanning
    • Infections grow exponentially at first, then slow down as a growing share of probes hit addresses that are already infected or immune (unpopulated, patched or filtered)
  • Probes of the Slammer worm from the DShield data set
    • Initially matched the random-scanning model
    • Soon slowed down because of bandwidth saturation and network failures caused by the scanning traffic itself

Figure: probe rate of the Code Red worm (a typical random-scanning worm)

Why Slammer Was So Fast?
  • Bandwidth constraint vs. delay constraint
    • Slammer: 404-byte packets (376-byte payload), UDP based. One packet is one infection attempt, so an infected host's scan rate is limited only by how many packets its link can carry (bandwidth constraint)
    • Code Red: about 4 KB per infection attempt over TCP. Each attempt needs a completed handshake, so the scan rate is limited by round-trip times and connection time-outs (delay constraint)
    • UDP vs. TCP: no handshake, no per-connection state, no waiting for a reply
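An added simulation (not from the slides) of the random-scanning model on the two slides above. The address space, the number of vulnerable hosts, the seed population and the per-host scan rate are constructed parameters, not Slammer's real numbers; SCAN_RATE is the knob the bandwidth-versus-delay argument is about, since a single-packet UDP worm sets it to bandwidth divided by packet size while a TCP worm is held back by handshake round trips.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters for a toy random-scanning worm. N addresses exist,
 * V of them run the vulnerable service, SEEDS are infected at tick 0. */
#define N          65536u   /* size of the address space (power of two) */
#define V          2048u    /* vulnerable hosts, spread evenly over the space */
#define SEEDS      16u      /* hosts infected at tick 0 */
#define SCAN_RATE  16u      /* probes per infected host per tick */
#define MAX_TICKS  400

/* Deterministic PRNG so every run reproduces the same curve. */
static uint32_t rng;
static uint32_t xorshift32(void)
{
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return rng;
}

static uint8_t vulnerable[N];
static uint8_t infected[N];

/* Simulates the worm and records the infected population per tick in hist[]
 * (hist[0] is the seed population). Every infected host probes SCAN_RATE
 * uniformly random addresses per tick; a probe that lands on a vulnerable,
 * not-yet-infected host infects it, and the victim starts scanning on the
 * next tick. Returns the index of the last tick recorded. */
int simulate(uint32_t *hist, int max_ticks)
{
    memset(vulnerable, 0, sizeof vulnerable);
    memset(infected, 0, sizeof infected);
    rng = 2463534242u;

    uint32_t stride = N / V, count = 0;
    for (uint32_t i = 0; i < V; i++)
        vulnerable[i * stride] = 1;
    for (uint32_t i = 0; i < SEEDS; i++) {
        infected[i * stride] = 1;
        count++;
    }
    hist[0] = count;

    for (int t = 1; t <= max_ticks; t++) {
        uint32_t probes = count * SCAN_RATE;   /* population at the start of the tick */
        for (uint32_t p = 0; p < probes; p++) {
            uint32_t addr = xorshift32() & (N - 1);
            /* Most probes are wasted: no vulnerable host there, or already
             * infected. The wasted share grows with count, which is what
             * bends the curve from exponential growth to saturation. */
            if (vulnerable[addr] && !infected[addr]) {
                infected[addr] = 1;
                count++;
            }
        }
        hist[t] = count;
        if (count == V)
            return t;
    }
    return max_ticks;
}

/* Tick with the most new infections; it lands well before the final tick,
 * which is the slow-down the slide describes. */
int peak_tick(const uint32_t *hist, int last)
{
    int best = 1;
    for (int t = 2; t <= last; t++)
        if (hist[t] - hist[t - 1] > hist[best] - hist[best - 1])
            best = t;
    return best;
}

/* 1 if the infected population never decreases (a sanity check on the model). */
int monotone(const uint32_t *hist, int last)
{
    for (int t = 1; t <= last; t++)
        if (hist[t] < hist[t - 1])
            return 0;
    return 1;
}

int main(void)
{
    static uint32_t hist[MAX_TICKS + 1];
    int last = simulate(hist, MAX_TICKS);
    for (int t = 0; t <= last; t++)
        printf("tick %3d  infected %4u  new %4u\n", t, hist[t], t ? hist[t] - hist[t - 1] : hist[t]);
    printf("peak new infections at tick %d; all %u vulnerable hosts infected by tick %d\n",
           peak_tick(hist, last), V, last);
    return 0;
}
```

Doubling SCAN_RATE (more bandwidth per host, or a smaller packet) roughly halves the time to the peak; raising N with V fixed (a sparser population of vulnerable hosts) stretches the whole curve, which is why a worm's speed is a property of the address space as much as of the worm.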
How to Defend?
  • Buffer Overflow
    • Write secure code
      • Use safe library functions (bounded copies, or string APIs that carry their own length)
    • Compiler tools
      • Choice of programming language (a memory-safe language removes this class of bug)
    • Dynamic run-time checks
      • Executable space protection (non-executable stack and heap, so injected shellcode cannot run)
      • Stack-smashing protection (a canary placed below the return address and checked before the function returns)
  • Worm
    • Patch
      • Microsoft had released the patch six months before the worm appeared
    • Firewall (block the vulnerable port at the perimeter)
    • IDS
      • Deep packet inspection
    • Architecture
      • Address space layout randomization (the attacker can no longer predict where the buffer, and hence the shellcode, will be)
Reference
  • Worm
    • A Taxonomy of Computer Worms
    • en.wikipedia.org/wiki/Computer_worm
  • Slammer worm
    • http://www.microsoft.com/sql/prodinfo/previousversions/letter.mspx
    • http://www.cert.org/advisories/CA-2003-04.html
    • Inside the Slammer Worm, IEEE Security & Privacy, 2003
Overview
  • Denial-of-Service attack
    • The host or the network can no longer serve legitimate users
  • Types
    • Logic attack
      • Exploits an existing software flaw (a single malformed packet can be enough to crash the victim)
      • Countermeasure: upgrade or patch the software
    • Flooding attack
      • Consumes a resource of a host or network
        • CPU, memory, network connectivity, network bandwidth, battery energy
      • Hard to address, especially in distributed form (DDoS), because each individual request may look like legitimate traffic
Examples
  • Ping of death
    • Logic attack
    • An IP datagram larger than 65,535 bytes is illegal by standard (the total length field is 16 bits), but a sender can emit fragments whose offsets and lengths add up to more than that
    • Many operating systems did not know what to do when they reassembled such an oversized packet (the reassembly buffer overflowed), so they froze, crashed or rebooted
    • Countermeasure: upgrade the software, or filter ICMP
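The reassembly check a patched stack performs before copying any fragment, as an added example (not code from the presentation): the field widths and the 65,535-byte limit come from the IPv4 header; the reasm structure, the verdict names and the fragment sizes in the scenarios are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 limits from the header format: Total Length is 16 bits, so header plus
 * data can never exceed 65,535 bytes; Fragment Offset is 13 bits in units of
 * 8 bytes, so a fragment may claim to start as far out as 65,528. Ping of
 * death sent a final fragment at that offset whose data ran past 65,535, and
 * stacks that reassembled into a fixed 64 KiB buffer without checking
 * overflowed it. */
#define IP_MAX_TOTAL_LEN    65535u
#define IP_HDR_LEN          20u       /* header without options assumed */
#define IP_FRAG_OFFSET_MASK 0x1FFFu
#define IP_MF_FLAG          0x2000u   /* "more fragments" bit */

enum frag_verdict {
    FRAG_ACCEPT = 0,
    FRAG_DROP_BAD_LEN,     /* the fragment's own data length exceeds a datagram */
    FRAG_DROP_OVERSIZE,    /* offset + data + header would exceed 65,535 */
    FRAG_DROP_AFTER_LAST   /* data beyond the end fixed by the last fragment */
};

/* Per-datagram reassembly state (constructed, simplified). */
struct reasm {
    uint32_t data_end;    /* one past the highest data byte received */
    uint32_t total_data;  /* 0 until the fragment without MF has arrived */
};

/* Validates one fragment before a byte is copied. frag_field is the raw
 * 16-bit flags+offset word from the IP header (host order); payload_len is
 * the fragment's data length. Each operand is bounded before the addition,
 * so the sum cannot wrap even in 16-bit arithmetic. */
enum frag_verdict check_fragment(struct reasm *r, uint16_t frag_field, uint32_t payload_len)
{
    uint32_t offset = (uint32_t)(frag_field & IP_FRAG_OFFSET_MASK) * 8u;   /* <= 65,528 */
    int more = (frag_field & IP_MF_FLAG) != 0;

    if (payload_len > IP_MAX_TOTAL_LEN - IP_HDR_LEN)
        return FRAG_DROP_BAD_LEN;
    uint32_t end = offset + payload_len;             /* <= 65,528 + 65,515 */
    if (end + IP_HDR_LEN > IP_MAX_TOTAL_LEN)
        return FRAG_DROP_OVERSIZE;
    if (r->total_data && end > r->total_data)
        return FRAG_DROP_AFTER_LAST;

    if (end > r->data_end)
        r->data_end = end;
    if (!more)
        r->total_data = end;
    return FRAG_ACCEPT;
}

/* Builds the flags+offset word for a fragment starting at offset_bytes. */
uint16_t frag_word(uint32_t offset_bytes, int more_fragments)
{
    return (uint16_t)(((offset_bytes / 8u) & IP_FRAG_OFFSET_MASK) | (more_fragments ? IP_MF_FLAG : 0));
}

/* Scenario: an ordinary 3,000-byte ping split into three fragments.
 * Returns the reassembled data length on success, -1 if any fragment was dropped. */
int normal_ping_demo(void)
{
    struct reasm r = {0, 0};
    if (check_fragment(&r, frag_word(0, 1), 1480) != FRAG_ACCEPT) return -1;
    if (check_fragment(&r, frag_word(1480, 1), 1480) != FRAG_ACCEPT) return -1;
    if (check_fragment(&r, frag_word(2960, 0), 40) != FRAG_ACCEPT) return -1;
    return (int)r.total_data;
}

/* Scenario: ping of death. The final fragment sits at the maximum offset and
 * carries enough data to cross 65,535 bytes. Returns that fragment's verdict. */
int ping_of_death_demo(void)
{
    struct reasm r = {0, 0};
    check_fragment(&r, frag_word(0, 1), 1480);
    return check_fragment(&r, frag_word(65528, 0), 20);
}

/* Scenario: a fragment that claims data beyond the end the last fragment set. */
int trailing_data_demo(void)
{
    struct reasm r = {0, 0};
    check_fragment(&r, frag_word(2960, 0), 40);          /* last fragment: total 3,000 */
    return check_fragment(&r, frag_word(2960, 1), 200);  /* would extend to 3,160 */
}

int main(void)
{
    printf("normal ping     : %d bytes of data\n", normal_ping_demo());
    printf("ping of death   : verdict %d (2 = oversize)\n", ping_of_death_demo());
    printf("trailing data   : verdict %d (3 = after last)\n", trailing_data_demo());
    return 0;
}
```

Note the order of the checks: the per-fragment length is rejected first, so the sum is formed only from values that are each already below 65,535; a stack that added first and compared afterwards in a 16-bit variable would wrap and accept the very fragment it meant to reject.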
Examples
  • TCP handshake: SYN, SYN-ACK, ACK. The server allocates connection state when the SYN arrives and keeps it until the ACK completes the handshake or a time-out expires
  • SYN flood
    • A stream of TCP SYN packets directed at a listening TCP port on the victim
    • The victim must allocate a new data structure for each SYN it receives
    • Legitimate connections are denied while the victim waits to complete bogus "half-open" connections: the backlog of pending connections fills up
    • Not a bandwidth-consumption attack: a modest packet rate exhausts the connection table long before it exhausts the link
  • IP spoofing
    • The attacker forges the source address of each SYN, so the SYN-ACKs go to hosts that never asked and the flood can be neither traced nor blocked by source address
Attack Detection
  • Local detection/defense
    • The Unix community invented a clever "stateless" TCP connection system known as SYN cookies: the server encodes the connection's identity in the sequence number of its SYN-ACK instead of storing a half-open entry, and reconstructs the state only when a valid ACK comes back
    • GENESIS
  • Global collaborative detection
    • Filter spoofed IP addresses (ingress/egress filtering at the network edge)
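The SYN-cookie idea from the slide above, as an added example that is not part of the presentation. The cookie layout follows the classic design (first hash + client ISN, clock in the top 8 bits, second hash + MSS index in the low 24 bits), but the keyed mixer, the secret values, the MSS table, the validity window and the addresses in main are all constructed stand-ins; a real kernel uses a cryptographic hash and a rotating secret.

```c
#include <stdint.h>
#include <stdio.h>

/* Stateless SYN cookies: instead of keeping a half-open entry per SYN, the
 * server derives its initial sequence number from the connection 4-tuple,
 * a coarse clock and the client's MSS class. State is created only when an
 * ACK carrying a cookie that recomputes correctly arrives. */

struct four_tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

#define COOKIE_BITS     24                          /* low 24 bits: hash + MSS index */
#define COOKIE_MASK     ((1u << COOKIE_BITS) - 1u)
#define MAX_COOKIE_AGE  2                           /* minutes a cookie stays valid */

static const uint16_t mss_table[] = { 536, 1300, 1440, 1460 };   /* MSS classes (constructed) */
#define NUM_MSS (sizeof mss_table / sizeof mss_table[0])

static const uint32_t secret[2] = { 0x9e3779b9u, 0x7f4a7c15u };  /* constructed; regenerate at boot */

/* Toy keyed mixer standing in for the cryptographic hash a kernel would use. */
static uint32_t cookie_hash(const struct four_tuple *t, uint32_t count, int which)
{
    uint32_t in[4] = { t->saddr, t->daddr, ((uint32_t)t->sport << 16) | t->dport, count };
    uint32_t h = secret[which] ^ 0x811c9dc5u;
    for (int i = 0; i < 4; i++) {
        h ^= in[i];
        h *= 0x01000193u;
        h ^= h >> 15;
        h *= 0x2c1b3c6du;
        h ^= h >> 12;
    }
    return h;
}

/* Index of the largest table entry not above the client's advertised MSS. */
static uint32_t mss_index(uint16_t mss)
{
    uint32_t idx = 0;
    for (uint32_t i = 0; i < NUM_MSS; i++)
        if (mss >= mss_table[i])
            idx = i;
    return idx;
}

/* Server side of the SYN: the ISN to place in the SYN-ACK. Nothing is stored. */
uint32_t syn_cookie(const struct four_tuple *t, uint32_t client_isn, uint32_t minute, uint16_t mss)
{
    uint32_t m = minute & 0xffu;                    /* only 8 bits of clock fit in the cookie */
    return cookie_hash(t, 0, 0) + client_isn + (m << COOKIE_BITS)
         + ((cookie_hash(t, m, 1) + mss_index(mss)) & COOKIE_MASK);
}

/* Server side of the final ACK: recompute from the tuple and the client's ISN.
 * Returns the MSS to use for the connection, or 0 if the cookie is forged,
 * belongs to another tuple, or is older than MAX_COOKIE_AGE minutes. */
uint16_t check_syn_cookie(const struct four_tuple *t, uint32_t client_isn, uint32_t cookie, uint32_t now_minute)
{
    uint32_t v = cookie - cookie_hash(t, 0, 0) - client_isn;
    uint32_t m = v >> COOKIE_BITS;                  /* clock value the cookie was minted at */
    uint32_t age = (now_minute - m) & 0xffu;
    if (age > MAX_COOKIE_AGE)
        return 0;
    uint32_t idx = (v - cookie_hash(t, m, 1)) & COOKIE_MASK;
    if (idx >= NUM_MSS)                             /* a forged cookie lands here ~always */
        return 0;
    return mss_table[idx];
}

/* The ACK that completes the handshake acknowledges cookie + 1 and carries
 * sequence number client_isn + 1; undo both offsets before checking. */
uint16_t server_handle_ack(const struct four_tuple *t, uint32_t ack_number, uint32_t seq_number, uint32_t now_minute)
{
    return check_syn_cookie(t, seq_number - 1, ack_number - 1, now_minute);
}

int main(void)
{
    struct four_tuple t = { 0x0a000001u, 0x0a000002u, 40000, 80 };   /* constructed addresses */
    uint32_t isn = 12345u;
    uint32_t cookie = syn_cookie(&t, isn, 100, 1460);
    printf("SYN-ACK seq=%#x\n", (unsigned)cookie);
    printf("valid ACK  -> mss %u\n", (unsigned)server_handle_ack(&t, cookie + 1, isn + 1, 100));
    printf("stale ACK  -> mss %u\n", (unsigned)server_handle_ack(&t, cookie + 1, isn + 1, 110));
    printf("forged ACK -> mss %u\n", (unsigned)server_handle_ack(&t, 0xdeadbeefu, isn + 1, 100));
    return 0;
}
```

What the flood sees: every SYN still gets a SYN-ACK, but the server's memory use no longer grows with the number of half-open connections, so spoofed SYNs cost the attacker bandwidth and the victim nothing but CPU. The price is the 24-bit budget: the server learns only the MSS class, and any TCP option that was negotiated in the SYN and does not fit in the cookie is lost.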
Reference
  • The Strange Tale of the Denial of Service Attacks Against GRC.com
  • Distributed Reflection Denial of Service