very fast containment of scanning worms l.
Skip this Video
Loading SlideShow in 5 Seconds..
Very Fast containment of Scanning Worms PowerPoint Presentation
Download Presentation
Very Fast containment of Scanning Worms

Loading in 2 Seconds...

play fullscreen
1 / 33

Very Fast containment of Scanning Worms - PowerPoint PPT Presentation

  • Uploaded on

Very Fast containment of Scanning Worms. Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern Paxson. Outline. Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Very Fast containment of Scanning Worms' - khuyen

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
very fast containment of scanning worms

Very Fast containment of Scanning Worms

Presenter: Yan Gao


Authors: Nicholas Weaver Stuart Staniford Vern Paxson

  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment
scanning worms
What is scanning worm?

--- Operate by picking “random” address and attempt to infect the machine.

Blaster – linear scanning

Code Red – fully random

Code Red II & Nimda – bias toward local addresses

Common properties of scanning worms:

Most scanning attempts result in failure.

Infected machines will institute many connection attempts.

Scanning Worms
scanning worms4
How to mitigate the spread of worms?


Reduce size of vulnerable population

Insufficient to counter worm threat

Why?? … single vulnerability in a popular software system can translate to millions of vulnerable hosts


Once a host is infected, clean it up immediately (Antivirus Software, Patches)

Reduce vulnerable hosts and rate of infection

Limitation… long time to develop cleanup code, and too slow to have a significant impact

People don’t install patches


Scanning Worms
  • Protect individual networks and isolate infected hosts
    • Examples: firewalls, content filters, automated blacklists
  • Most Promising Solution
    • Can be completely automated
    • Containment does not require participation of each and every host on the internet
containment properties
Containment Properties
  • Reaction time
    • Detection of malicious activity
    • Propagation of the containment information to all hosts participating the system
    • Activating any containment strategy.
  • Containing Strategy
    • Address blacklisting
      • Maintain a list of IP addresses that have been identified as being infected.
      • Drop all the packets from one of the addresses in the list.
      • Advantage: can be implemented easily with existing filtering technology.
      • Disadvantage: must be updated continuously to reflect newly infected hosts
containment contd
Containment (contd.)
    • Content filtering
      • Requires a database of content signatures known to represent particular worms.
      • Requires additional technology to automatically create appropriate content signatures.
      • Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation
  • Deployment scenarios
      • Ideally, a global deployment is preferable.
      • Practically, a global deployment is impossible.
      • May be deploying at the border of ISP networks
worm containment
Defense against scanning worms

Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts;

Leverage the anomaly of a local host attempting to connect to multiple other hosts.

Containment looks for a class of behavior rather than specific worm signature --- able to stop new worms.

Worm Containment
worm containment9
Break the network into many cells

Within each cell a worm can spread unimpeded.

Between cells, containment limits infections by blocking outgoing connections from infected cells.

Must have very low false positive rate.

Blocking suspicious machines can cause a DOS if false positive rate is high.

Need for complete deployment within an enterprise

Integrated into the network’s outer switches or similar hardware elements

Worm Containment
epidemic threshold
Epidemic Threshold
  • Worm-suppression device must necessarily allow some scanning before it triggers a response.
    • Worm may find a victim during that time.
  • The epidemic threshold depends on:
    • The sensitivity of the containment response devices
    • The density of vulnerable machines on the network --- NAT and DHCP
    • The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
sustained scanning threshold
Sustained Scanning Threshold
  • If worm scans slower than sustained scanning threshold, the detector will not trigger.
    • Vital to achieve as low a sustained scanning threshold as possible.
    • For this implementation threshold set to 1 scan per minute.
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment
hardware implementation
Hardware Implementation
  • Constraints:
    • Memory access speed
      • On duplex gigabit Ethernet, can only access DRAM 4 times
    • Memory size
      • Attempt to keep footprint under 16MB
    • The number of distinct memory banks
hardware implementations
Hardware Implementations
  • Approximate caches

--- collisions cause imperfections (bloom filter)

    • Fixed memory available
    • Allow collisions to cause aliasing
    • Err on the side of false negative
  • Attacker behavior
    • Predicting the hashing algorithm

--- keyed hash function

    • Simply overwhelming the cache
hardware implementations15
Hardware Implementations
  • Efficient small 32 bit block ciphers
    • Prevent attackers from controlling collisions
    • Permute the N-bit value
    • Separate the resulting N-bit value into an index and a tag
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment
scan suppression
Scan Suppression

Responding to detected portscans by blocking future scanning attempts.

  • Portscans have two basic types:
    • Horizontal – search for identical service on large number of machines.
    • Vertical – examine an individual machine to discover running services.
scan suppression18




Scan Suppression

Protect the enterprise, forget the Internet

  • Preventing scans from Internet is too hard
  • If inside node is infected, filter sees all traffic
  • Cell (local area network) is “outside”, Enterprise larger internet network is “inside”
  • Can also treat entire enterprise as cell, Internet as outside


Scan detectors

scan suppression19
Scan Suppression
  • Derived from Threshold Random Walk (TRW) scan detection.
    • The algorithm operates by using an oracle to determine if a connection will fail or succeed.
    • By modeling the benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host.
  • Assumption: benign traffic has a higher probability of success than attack traffic
scan suppression20
Scan Suppression
  • Strategies:
    • Track connections and addresses using approximate caches;
    • Replace the old addresses and old ports if the corresponding entry has timed out;
    • Track addresses indefinitely as long as we do not have to evict their state from our caches;
    • Detect vertical as well as horizontal TCP scans, and horizontal UDP scans;
    • Implement a “hygiene filter” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.
connection cache
Connection Cache
  • Recording if we’ve seen a packet in each direction
  • Aliasing turns failed attempt into success (biases to false negative)
  • Age is reset on each forwarded packet
  • Every minute, back ground process purges entries older than Dconn
address cache
Address Cache
  • Track “outside” addresses
  • Counter keeps difference between successes and failures
  • Counts are decremented every Dmiss seconds
parameters and tuning
Parameters and Tuning
  • Parameters:
    • T: miss-hit difference that causes block
    • Cmin: minimum allowed count
    • Cmax: maximum allowed count
    • Dmiss: decay rate for misses
    • Dconn: decay rate for idle connections
    • Cache size and associativity
  • For 6000-host enterprise trace:
    • 1MB connection cache, 4MB 4-way address cache = 5MB total
    • At most 4 memory accesses per packet
    • Operated at gigabit line-speed
    • Detects scanning at rates over 1 per minute
    • Low false positive rate
    • About 20% false negative rate
    • Detects scanning after 10-30 attempts
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment
  • Divide enterprise into small cells
  • Connect all cells via low-latency channel
  • A cell’s detector notifies others when it blocks an address (“kill message”)
  • Blocking threshold dynamically adapts to number of blocks in enterprise:
    • T’ = T(1 –θ)X, for very small θ
    • Changing θ does not change epidemic threshold, but reduces infection density
  • Worm containment
  • Hardware implementations
  • Scan suppression
  • Cooperation
  • Attacking worm containment
attacking worm containment
Attacking worm containment
  • False positives
    • Forge packets (though this does not prevent inside systems from initiating connections)
  • False negatives
    • Use a non-scanning technique (topological, meta-server, passive and hit-list)
    • Scan under detection threshold
    • Use a white-listed port to test for liveness before scanning
attacking cooperation
Attacking Cooperation
  • Attempt to outrace containment if threshold is permissive
  • Flood cooperation channels
  • Cooperative collapse:
    • False positives cause lowered thresholds
    • Lowered thresholds cause more false positives
    • Feedback causes collapse of network
attacking worm containment32
Attacking Worm Containment
  • Detecting containment
    • Try to contact already infected hosts
    • Go stealthy if containment is detected
  • Circumventing containment
    • Embed scan in storm of spoofed packets
    • Two-sided evasion:
      • Inside and outside host initiate normal connections to counter penalty of scanning
      • Can modify algorithm to prevent, but lose vertical scan detection
  • Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware;
  • Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.