Modeling Worms: Two papers at Infocom 2003

Worms
Programs that self-propagate across the internet by exploiting
security flaws in widely used services.
Worms can cause an enormous amount of damage:
- Launch DDoS attacks
- Access sensitive information
- Cause confusion by corrupting the sensitive information
Therefore it is important to understand how worms propagate in
order to contain them.
How quickly does each strategy need to react?

[Figure: % infected (95th percentile) versus reaction time, for address
blacklisting (reaction time in minutes) and content filtering (reaction
time in hours)]

To contain worms to 10% of vulnerable hosts after 24 hours of spreading
at 10 probes/sec (CodeRed):
- Address blacklisting: reaction time must be < 25 minutes
- Content filtering: reaction time must be < 3 hours
Modeling network worms

Network worms are well modeled as infectious epidemics.

Simplest version: homogeneous random contacts (classic SI model)
- N: population size
- S(t): susceptible hosts at time t
- I(t): infected hosts at time t
- β: contact rate
- i(t) = I(t)/N, s(t) = S(t)/N
Modeling network worms (continued)

$\frac{dI}{dt} = \beta \frac{I S}{N}$

$\frac{dS}{dt} = -\beta \frac{I S}{N}$

$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$

$\frac{di}{dt} = \beta\, i (1 - i)$

(courtesy Paxson, Staniford, Weaver)
Epidemiological model deficiencies

White, one of the authors of the epidemiological paper, mentioned the
mystery of the model not being able to explain the slowness of the worm
spread in a global network.
Epidemiological model deficiencies (continued)

- The model assumes “zero” infection time, which is unrealistic.
- Even in experiments on practical deployment, they assume a topology,
  but further assume “zero” latencies on all network links!
- Doesn’t model the simultaneous reduction in the number of vulnerable
  hosts by “patching”.
Unrealistic assumptions lead to… fascinating negative results

Example 1: When the top-100 ISPs deploy containment strategies, they
still cannot prevent a worm spreading at 100 probes/sec from affecting
18% of the internet, no matter what the reaction time of the
containment system is.
Analytical Active Worm Propagation Model (AAWP)

- Assume that you know the result of an infection in “one” time tick.
- At time i, n_i machines are infected and m_i is the total number of
  vulnerable machines.
- Probability of a new machine being infected in one scan: (m_i − n_i)/2^32
- Total number of scans at time i: s·n_i, where s is the scanning rate
- Given death rate d and patching rate p:
  - Total number of vulnerable machines reduced to (1 − p)·m_i
  - Number infected reduced by p·n_i + d·n_i
AAWP: effect of various parameters on worm spread
1. Hit list size
2. Patching rate
3. Time to complete infection
(All cases are for 1,000,000 vulnerable machines, a scanning rate of 100
scans/second, and a death rate of 0.001/second.)
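As an added example (my own Python, not code from either Infocom paper), the discrete-time AAWP recurrence from the slides above, run with the parameters quoted here, next to the closed-form SI curve from the “Modeling network worms” slide. The one-second tick length and the use of the same initial contact rate s·N/2^32 for the SI curve are my assumptions.

```python
import math

ADDRESS_SPACE = 2 ** 32  # random scans draw targets from the whole IPv4 space

def aawp_step(n_i, m_i, s, d, p):
    """One AAWP tick; returns (n_{i+1}, m_{i+1}).
    n_i infected, m_i vulnerable, s scans per infected host per tick, d death
    rate, p patching rate. Each of the s*n_i scans hits a clean vulnerable host
    with probability (m_i - n_i)/2^32, so one particular clean host is missed by
    every scan with probability (1 - 1/2^32)^(s*n_i)."""
    scans = s * n_i
    # 1 - (1 - 1/2^32)^scans, evaluated without cancellation for large exponents
    hit_prob = -math.expm1(scans * math.log1p(-1.0 / ADDRESS_SPACE))
    new_infections = (m_i - n_i) * hit_prob
    n_next = n_i + new_infections - (p + d) * n_i  # patched and dead hosts leave
    m_next = (1.0 - p) * m_i                        # patching shrinks the pool
    return min(max(n_next, 0.0), m_next), m_next

def aawp_curve(hitlist, vulnerable, s=100, d=0.001, p=0.0, ticks=3600):
    """Infected-host count after each one-second tick (tick length assumed)."""
    n, m = float(hitlist), float(vulnerable)
    history = [n]
    for _ in range(ticks):
        n, m = aawp_step(n, m, s, d, p)
        history.append(n)
    return history

def ticks_to_fraction(history, vulnerable, fraction):
    """First tick at which at least `fraction` of the initial pool is infected."""
    for tick, n in enumerate(history):
        if n >= fraction * vulnerable:
            return tick
    return None  # never reached: the death rate caps the prevalence below 100%

def si_fraction(t, beta, T):
    """Closed-form SI solution from the slides: e^{beta(t-T)} / (1 + e^{beta(t-T)})."""
    x = math.exp(beta * (t - T))
    return x / (1.0 + x)

if __name__ == "__main__":
    pool = 1_000_000
    curve = aawp_curve(hitlist=1, vulnerable=pool)
    half = ticks_to_fraction(curve, pool, 0.5)
    beta = 100 * pool / ADDRESS_SPACE  # SI contact rate matching AAWP's initial growth
    print(f"AAWP: 50% infected after {half} s; {curve[-1] / pool:.3f} of pool after 1 h")
    print(f"SI (same beta, midpoint {half} s): {si_fraction(3600, beta, half):.3f} after 1 h")
```

With a non-zero death rate the AAWP curve settles below the whole pool, while the SI curve with the same contact rate goes to 1; this is the “lower prevalence” point the next slides make.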
AAWP versus Epidemiological

- Epidemiological is a continuous-time model, while AAWP is a
  discrete-time model.
- Epidemiological is less accurate because a host can start infecting
  others even before it’s completely infected.
- Epidemiological doesn’t consider the reduction in the number of
  machines by either patching or death.
- Epidemiological assumes each time to infect a new host is “zero”,
  which doesn’t model:
  - Network congestion delays
  - Size of the worm’s copy
  - Distance between source and destination
Advantages of AAWP over the Epidemiological model

AAWP explains…
- The lower prevalence of worms in the internet
- It’s optimistic in the sense that worms can still be controlled
AAWP’s containment strategy

- Deploy sensors in certain networks, which monitor TCP SYN probes on
  port 80 that are trying to connect to IP addresses in this network.
- For a CodeRed-like worm with hit list size = 1:
  - Monitor 2^24 addresses: reaction time = 2 min
  - Monitor 2^18 addresses: reaction time = 1 hr
  - Monitor 2^16 addresses: reaction time = 2 hr
Conclusions…

Internet Quarantine paper concludes:
- Requires a fast reaction time, O(min)
- Wide-spread deployment of containment tools:
  - Nearly all ASes must deploy content filtering
  - The containment strategy is more effective than address blacklisting

AAWP paper concludes:
- Obtain a secretive /24 network and deploy a sensor tool like LaBrea
  to monitor the traffic into the network
- Worms using subnet addresses spread faster than those using random
  addresses
AAWP paper differs

Highly virulent worms:
- Warhol Worm: combination of permutation and hit list scanning

New Infection Strategies
How do worms spread

Using random port scans, i.e. transmission of messages by worms to a PC
or network to determine any open ports that will accept a connection.
The infection rate of the worm can be increased in one of the following
ways:
- Increase the scan rate
- Optimized scanning routines: instead of random port scanning, use the
  following algorithms
  - Localized scanning
  - Hit list scanning
  - Permutation scanning
  - Topological scanning
New Infection Strategies (continued)

Localized scanning: Code Red II
Preferentially scans targets that reside on the same subnet.
Code Red II used this technique. Specifically:
- 1/8 of the time, the address used was completely random
- 1/2 of the time, the address used was in its own class A /8 network
- 3/8 of the time, the address used was in its own /16 network
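As an added example from the monitoring side (my own Python, not from the papers or the slides): given the probe destinations seen from one source address, split them into the source’s own /16, the rest of its /8, and everything else, so the observed mix can be compared with the Code Red II proportions above. The sample probe list and the 50% threshold for calling a scanner “localized” are constructed here.

```python
from ipaddress import IPv4Address, IPv4Network

def locality_profile(source, targets):
    """Fractions of `targets` inside the source's /16, inside its /8 but outside
    the /16, and elsewhere in the address space."""
    src = IPv4Address(source)
    same16 = IPv4Network(f"{src}/16", strict=False)
    same8 = IPv4Network(f"{src}/8", strict=False)
    counts = {"same_16": 0, "same_8": 0, "random": 0}
    for target in targets:
        addr = IPv4Address(target)
        if addr in same16:
            counts["same_16"] += 1
        elif addr in same8:
            counts["same_8"] += 1
        else:
            counts["random"] += 1
    total = len(targets) or 1  # avoid division by zero on an empty capture
    return {key: count / total for key, count in counts.items()}

def looks_localized(profile, min_local_fraction=0.5):
    """A uniformly random scanner lands in the source's own /8 only about 1/256
    of the time, so a large share of probes inside the /8 points to localized
    scanning of the Code Red II kind (threshold is an assumption)."""
    return profile["same_16"] + profile["same_8"] >= min_local_fraction

# Constructed sample: 16 probe destinations from a single source (not real traffic),
# built to match the 3/8 : 1/2 : 1/8 split quoted for Code Red II.
SOURCE = "10.20.30.40"
PROBES = (
    ["10.20.%d.7" % i for i in range(6)]             # 6 inside the /16
    + ["10.%d.1.1" % i for i in range(100, 108)]     # 8 inside the /8, outside the /16
    + ["192.0.2.5", "198.51.100.9"]                  # 2 elsewhere
)

if __name__ == "__main__":
    profile = locality_profile(SOURCE, PROBES)
    print(profile, "localized" if looks_localized(profile) else "random-looking")
```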
New Infection Strategies (continued)

Topological scanning, e.g. Morris Worm
In this, the worm uses the information contained in the victim’s
machine to select new machines.
The Morris Internet worm enumerated targets by examining local
configuration files and active network connections on each
compromised host.
Email worms use this technique.
Peer-to-peer systems are highly vulnerable to this kind of scanning.
New Infection Strategies (continued)

Hit list scanning
The author of the worm collects a list of around 10,000 to 50,000
potentially vulnerable machines, ideally the ones with very good
network connections, before releasing the worm.
The worm, when released, initially attacks these machines, so the
initial infection rate is higher.
Techniques to generate a hit list:
- Stealthy scans
- Distributed scanning
- Public surveys
- Just listen
New Infection Strategies (continued)

Permutation scanning
In this, all worm instances share a common pseudorandom permutation of
the IP address space.
Any machine infected during the hit list phase starts scanning after
its point in the permutation, looking for vulnerable machines.
Permutation scanning ensures that the same addresses are not probed
multiple times.
Worms seen in the past
- Morris Worm: topological scanning
- Code Red I: random scanning
- Code Red II: localised scanning
- Slammer/Sapphire worm: random scanning