Worm Overview
Stuart Staniford, Silicon Defense (www.silicondefense.com)
Copyright Silicon Defense 2003.

There will Always be Vulnerabilities
• Paper: Murphy's Law, the fitness of evolving species and the limits of software reliability. R. Brady, R. Anderson, and R. Ball
• Shows that under continued random testing at a constant rate, vulnerabilities decline at rate 1/t.
• In some sense, testing finds the fewest possible vulnerabilities that will get the software past the test.
• Software size is probably growing faster than t!
• So there will always be worms...

Code Red Spread
[Figure: cas.org probe data. Number of scans (Nscans) observed against time (x axis 0 to 17, y axis 0 to 600000), with the random-scanning (RS) theory curve overlaid.]

Theory of Random Scanning Worms
• $a(t) = \dfrac{e^{vS(t-T)}}{1 + e^{vS(t-T)}}$
• a is the proportion of vulnerable hosts infected, t is time
• Gives a sigmoidal graph centred on T
• 1/(vS) is the time for the infected population to increase by a factor e
• v is the vulnerability density, the fraction of the address space that is vulnerable (8×10^-5 for CRI; 1% would be really big)
• S is the effective scan rate per infected host (~6 Hz for CRI, ~10 kHz for Slammer on well-connected networks; probably 50 kHz is reachable for TCP scans)

Sapphire/Slammer
• 170 Gbps!

Enterprise environment
• Where the real damage can be done
  – Many companies control critical equipment
• Firewalls:
  – Worms often get in, but few starts
  – Nimda-style dedicated firewall-crossing function
• Enterprise address space consists of disjoint smaller pieces (e.g. two class B nets)
  – The worm has to find them
  – A random IP address is very unlikely to be in the net
  – Slows it down

Subnet scanning
• Differentially choose a destination address near the source address
• Code Red II: choose a random address from
  – the same Class B: p = 3/8
  – the same Class A: p = 1/2
  – the whole Internet: p = 1/8
• The worm can exploit the pieces of network it finds
• Code Red II proportions are not optimal
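The random-scanning model on the slide, worked through in code. This is an added example, not from the Silicon Defense deck: it evaluates the logistic curve $a(t)$, the e-folding time $1/(vS)$, and integrates the underlying rate equation $da/dt = vS\,a(1-a)$ (each infected host sends S scans per second, a scan lands on a vulnerable host with probability v, and that host is still uninfected with probability 1-a) to confirm the closed form. The Code Red I parameters (v = 8e-5, S = 6 Hz) are the slide's; the initial infected fraction a0 and the Slammer v used for comparison are assumptions for illustration.

```python
"""Random-scanning worm growth (logistic model).

Added example, not part of the Silicon Defense slides.  CRI parameters
v = 8e-5 and S = 6 scans/s are from the slide; a0 and the Slammer v below
are assumed values for illustration only.
"""
import math


def infected_fraction(t, v, S, T):
    """a(t) = e^{vS(t-T)} / (1 + e^{vS(t-T)}), evaluated without overflow."""
    x = v * S * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def efold_time(v, S):
    """Seconds for the infected population to grow by a factor e early on."""
    return 1.0 / (v * S)


def midpoint_time(a0, v, S):
    """T such that a(T) = 1/2 when a(0) = a0: T = ln((1-a0)/a0) / (vS)."""
    return math.log((1.0 - a0) / a0) / (v * S)


def simulate_random_scanning(v, S, a0, t_end, dt):
    """Integrate da/dt = vS a (1-a) with a midpoint (RK2) step.

    Returns a list of (t, a).  The rate is the product of scan rate S,
    hit probability v, and the still-uninfected share (1-a).
    """
    r = v * S
    a, t = a0, 0.0
    out = [(t, a)]
    while t < t_end:
        k1 = r * a * (1.0 - a)
        am = a + 0.5 * dt * k1          # half step
        a += dt * r * am * (1.0 - am)   # full step using the midpoint slope
        t += dt
        out.append((t, a))
    return out


if __name__ == "__main__":
    v, S = 8e-5, 6.0                      # Code Red I, from the slide
    a0 = 1e-4                             # assumed: one host in 10,000 seeded
    T = midpoint_time(a0, v, S)
    print(f"CRI e-fold time: {efold_time(v, S) / 60:.0f} min, "
          f"half of the vulnerable population at {T / 3600:.1f} h")
    for t, a in simulate_random_scanning(v, S, a0, 2 * T, 600.0)[::12]:
        print(f"t={t / 3600:5.1f} h  simulated a={a:.4f}  "
              f"closed form a={infected_fraction(t, v, S, T):.4f}")
    # Slammer: S ~ 10 kHz from the slide; v is NOT on the slide and is assumed.
    v_slammer = 2e-5
    print(f"Slammer (assumed v={v_slammer}): e-fold time "
          f"{efold_time(v_slammer, 1e4):.1f} s")
```

The e-fold time is what makes the contrast between the two worms: with the slide's numbers Code Red I needs about 35 minutes to grow by a factor e, while a 10 kHz UDP scanner does it in seconds, which is why the later slides say signatures and human response "need not apply".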
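To make the "Enterprise environment" and "Subnet scanning" points concrete, the following added example (not code from the slides or from Code Red II itself) implements the slide's local-preference target selection (3/8 same Class B, 1/2 same Class A, 1/8 anywhere) and computes, exactly and by Monte Carlo, the probability that a single scan lands inside an enterprise made of disjoint /16 blocks. The enterprise prefixes, the source address and the assumed hypothetical helper names are made up for the example.

```python
"""Local-preference scanning versus an enterprise of disjoint /16s.

Added example, not from the Silicon Defense slides.  The proportions
3/8, 1/2, 1/8 are Code Red II's as given on the slide; addresses are
constructed for illustration.
"""
import ipaddress
import random

P_CLASS_B, P_CLASS_A = 3 / 8, 1 / 2      # remaining 1/8 goes anywhere


def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def pick_target(src, rng, p_b=P_CLASS_B, p_a=P_CLASS_A):
    """Choose one target address relative to the infected source address."""
    u = rng.random()
    if u < p_b:                                   # same /16 (Class B)
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    if u < p_b + p_a:                             # same /8 (Class A)
        return (src & 0xFF000000) | rng.getrandbits(24)
    return rng.getrandbits(32)                    # anywhere on the Internet


def hit_probability(src, prefixes16, p_b=P_CLASS_B, p_a=P_CLASS_A):
    """Exact probability that one scan from src lands in the enterprise.

    prefixes16: base addresses of the enterprise's /16 blocks.  A /16 is
    1/256 of its /8 and 1/65536 of the whole address space.
    """
    p_i = 1.0 - p_b - p_a
    blocks = {p & 0xFFFF0000 for p in prefixes16}
    same16 = 1.0 if (src & 0xFFFF0000) in blocks else 0.0
    n_same8 = sum(1 for p in blocks if (p >> 24) == (src >> 24))
    return p_b * same16 + p_a * n_same8 / 256 + p_i * len(blocks) / 65536


def monte_carlo_hit_rate(src, prefixes16, trials, seed=1, **kw):
    """Empirical check of hit_probability using pick_target."""
    rng = random.Random(seed)
    blocks = {p & 0xFFFF0000 for p in prefixes16}
    hits = sum(1 for _ in range(trials)
               if (pick_target(src, rng, **kw) & 0xFFFF0000) in blocks)
    return hits / trials


if __name__ == "__main__":
    # Constructed enterprise: two disjoint /16s, infected host in the first.
    enterprise = [ip("10.1.0.0"), ip("172.16.0.0")]
    inside = ip("10.1.2.3")
    outside = ip("192.0.2.1")
    local = hit_probability(inside, enterprise)
    purely_random = hit_probability(inside, enterprise, p_b=0.0, p_a=0.0)
    print(f"from an infected host inside:  P(hit) = {local:.5f}")
    print(f"pure random scanning:          P(hit) = {purely_random:.2e}")
    print(f"ratio: {local / purely_random:.0f}x")
    print(f"Monte Carlo: {monte_carlo_hit_rate(inside, enterprise, 20000):.4f}")
    print(f"from a host elsewhere on the Internet: "
          f"P(hit) = {hit_probability(outside, enterprise):.2e}")
```

The two numbers show both halves of the slide's argument. A purely random scan from anywhere hits a two-/16 enterprise with probability 2/65536, so finding the enterprise at all is slow; once a worm is inside one block, local preference raises the per-scan hit rate by four orders of magnitude, but the other /16 (in a different /8 here) is still only reachable through the 1/8 Internet-wide share, so each disjoint piece has to be found separately.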
Optimal Class B search (v = 0.1%)
[Figure: y axis 0 to 120 against Class B search proportion 0 to 1.]

Optimal Class B search proportion
[Figure: optimal Class B search proportion (0 to 0.9) against vulnerability density v on a log axis from 10^-5 to 1.]

Flash Worm
• Also theory: due to Silicon Defense
• Scan all vulnerable servers first
• Build a map of worm spread
• Optimize the map for the routing picture (BGP)
• Launch the worm
• The worm carries the address map with it
• Limited by bandwidth
• Tens of seconds to saturation on the Internet
• 100 ms to saturate on an internal network
• Topological worms are similar
  – Use information on the host instead of a precomputed map
  – Slower, less efficient than flash, but no prep
• Flash/Topological not reliably containable at present

Worm Containment: Goal
[Figure: infection trees labelled "Good" and "Bad!".]
• Epidemic threshold: E(number of children) < 1
• $\sum_{i=0}^{\infty} a^i = \dfrac{1}{1-a}$ for $a < 1$

Worm Containment Approaches
• Host based vs network based
• For scanning worms
  – Block scans
  – Anything that will block scans will do in principle
  – HP, IBM, Silicon Defense have dedicated technology
  – Epidemic threshold = an average scan sees < 1.0 vulnerable machines

Basic Facts of Life with Worms
• Spread faster than any human response
  – Signatures need not apply
• Cannot reliably detect a novel worm on the first connection through us
  – Detecting unknown badness in arbitrary application data is just as hard as getting the applications right
• Depend instead on correlating multiple worm-like anomalies to get a reliable detect
• Doesn't work well inbound; need outbound
• Need complete deployment

Inbound vs Outbound Containment
This is why we need complete deployment to contain; otherwise we are just lowering v (slowing things down but not containing them).
CounterMalice approach
• Inline device in the network
• Divide the network into cells
• Filters out scans (doesn't handle Flash etc.)
• Contacting many destinations is odd
• Contacting many dead destinations is odder
• If we can cut off after T scans, then
• $E(C) = T v P N < 1$

Containment Simulation
[Figure: curves for v = 0.15, 0.2, 0.25, 0.3, 0.35, 0.4; x axis 0 to 1, y axis 0 to 0.2.]
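The epidemic-threshold argument from the "Worm Containment: Goal", "Worm Containment Approaches" and "CounterMalice approach" slides, as an added example that is not CounterMalice's code or any Silicon Defense code. It models a scan-count cut-off: an infected host is allowed T first-contact scans before being blocked, each scan reaches a vulnerable uninfected host with probability v, so the expected number of children is a = Tv, and for a < 1 the expected outbreak size summed over all generations is 1/(1-a). A branching-process simulation checks that value, and a small per-source throttle (distinct new destinations, with a lower threshold for destinations that never answer, since "contacting many dead destinations is odder") is run over constructed connection records. The slide's fuller expression E(C) = TvPN carries two further factors that this example does not model; thresholds, addresses and the class name ScanThrottle are assumptions for illustration.

```python
"""Scan-count containment and the epidemic threshold.

Added example, not the CounterMalice implementation.  Per-host scan budget
T and vulnerability density v follow the slides; the throttle thresholds,
traffic and addresses below are constructed for illustration.
"""
import random
from collections import defaultdict


def expected_outbreak_size(a):
    """Sum_{i>=0} a^i = 1/(1-a) for a < 1; unbounded at or above threshold."""
    return 1.0 / (1.0 - a) if a < 1 else float("inf")


def simulate_outbreak(T, v, rng, max_hosts=10 ** 4):
    """Branching process: every infected host gets T scans before cut-off,
    each scan infects a fresh host with probability v.  Returns the total
    number infected including the seed, capped at max_hosts.  Ignoring the
    shrinking uninfected pool only overestimates spread, so it is a safe
    approximation for checking containment."""
    total, frontier = 1, 1
    while frontier and total < max_hosts:
        new = sum(1 for _ in range(frontier) for _ in range(T)
                  if rng.random() < v)
        total += new
        frontier = new
    return min(total, max_hosts)


def mean_outbreak_size(T, v, runs=2000, seed=7):
    rng = random.Random(seed)
    return sum(simulate_outbreak(T, v, rng) for _ in range(runs)) / runs


class ScanThrottle:
    """Block a source after T distinct first-contact destinations, or after
    T_dead first contacts that never answered (assumed thresholds)."""

    def __init__(self, T, T_dead):
        self.T, self.T_dead = T, T_dead
        self.seen = defaultdict(set)    # first-contact destinations per source
        self.dead = defaultdict(int)    # unanswered first contacts per source
        self.blocked = set()

    def observe(self, src, dst, answered):
        """Record one connection attempt; return True if src is now blocked."""
        if src in self.blocked:
            return True
        if dst not in self.seen[src]:
            self.seen[src].add(dst)
            if not answered:
                self.dead[src] += 1
        if len(self.seen[src]) >= self.T or self.dead[src] >= self.T_dead:
            self.blocked.add(src)
        return src in self.blocked


def run_demo(T=10, T_dead=5):
    """Constructed traffic: a client that repeatedly talks to three live
    servers, and a scanner probing 30 new addresses of which only every
    fifth is live.  Returns what happened to each."""
    throttle = ScanThrottle(T, T_dead)
    client, scanner = "10.1.9.9", "10.1.7.7"
    for i in range(30):
        throttle.observe(client, f"10.1.0.{1 + i % 3}", True)
    scans = 0
    for i in range(1, 31):
        scans += 1
        if throttle.observe(scanner, f"10.1.{i // 256}.{i % 256}", i % 5 == 0):
            break
    return {"client_blocked": client in throttle.blocked,
            "scanner_blocked": scanner in throttle.blocked,
            "scanner_scans_before_cutoff": scans}


if __name__ == "__main__":
    for T, v in [(10, 0.05), (10, 0.09), (20, 0.05)]:
        a = T * v
        print(f"T={T} v={v}: a={a:.2f}, expected size {expected_outbreak_size(a):.1f}, "
              f"simulated {mean_outbreak_size(T, v):.2f}")
    print(run_demo())
```

The branching-process mean matches 1/(1-a) only below the threshold; the same simulation with T v above 1 runs to the cap, which is the "Bad!" tree on the Goal slide. The throttle illustrates the other bullet: the scanner is cut off on its sixth first contact because five of them were dead, well before the distinct-destination budget T is spent, while the client's repeated contacts to a few live servers never accumulate.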