Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang ()

Fast Worm Propagation In IPv6 Networks
Malware Project Presentation
Jing Yang (jy8y@cs.virginia.edu)
Outline
• Introduction
• Performance Of Current Worms In IPv6
• Speedup Of Worms’ Propagation In IPv6
• Interim From IPv4 To IPv6
• Conclusion
Fast-propagate Worms VS IPv6 (1)
• Facts
– Almost all fast-propagate worms use some form of Internet scanning
– The larger the address space, the less efficient scanning is
– IPv6 has a huge address space
• Optimistic vision
– Worms may experience significant barriers to propagating fast in IPv6
Fast-propagate Worms VS IPv6 (2)
• Facts
– Some design features of IPv6 automatically decrease its huge address space
– A variety of techniques can be employed by a worm to improve its propagation efficiency
– Other developments in the future Internet can eliminate the current bottleneck of worms’ fast propagation
• Pessimistic vision
– Fast-propagate worms will remain one of the main threats to the Internet in IPv6
Motivation
• Importance
– Since IPv6 is the foundation of the next-generation Internet, it is important to see whether its huge address space really makes it immune to fast-propagate worms
• Usefulness
– There is still some time before IPv6 is widely deployed, so design changes are still possible
• Worthiness
– There has still not been a comprehensive analysis of fast-propagate worms in IPv6
Goal
• IPv6 design features analysis
– Identify the bad design choices and design tradeoffs that speed up worms’ propagation
– Figure out what modifications can prevent them from being taken advantage of
• Possibility of fast-propagate worm in IPv6
– Based on a reasonable IPv6 design, can a worm still compromise all the vulnerable hosts even before human actions are ready to be taken?
• The achievement of both goals is interleaved in the project
Model Used
• Random constant spread (RCS) model
– Also called susceptible-infected (SI) model
– No treatment or removal
– Reasonable because fast worm propagation is usually beyond human time scale
$$\frac{di}{dt} = \beta\, i\,(1 - i)$$
$$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$$
Representative Of Current Worm
• Quickest worm in the wild – Sapphire
– Doubled every 8.5 seconds
– Infected more than 90 percent of vulnerable hosts within 10 minutes
– Based on random scanning
– Attack via 404-byte UDP packet
– Size of total vulnerable population: 75,000
– Scan rate: 4,000 scans per second
Sapphire in IPv4
Both the results from the formula and the simulations match the real data collected during Sapphire’s spread – the infected population doubles in size every 8.5 (±1) seconds and the scanning rate reaches its peak within 3 minutes
[Figure: Infected Hosts vs Time (30 seconds), two panels: twelve simulation runs (seed = 0 … seed = 11) and the RCS formula, both with β = 2.1, T = 5.35]
Sapphire in IPv6
We assume Sapphire spreads in a /64 IPv6 sub-network, which is the smallest sub-network in IPv6 – it will take 30 thousand years to compromise most of the vulnerable hosts
[Figure: Infected Hosts vs Time (thousand years); RCS fit with β = 0.513, T = 21.88]

IPv6 Is Keeping Ahead
• If IPv6 is perfectly designed
• If no other techniques can speed up worms’ propagation
– Fast-propagate worm is impossible in IPv6
Analysis Of RCS Model
• Original unknown parameters in RCS model: β and T
$$\beta = \frac{r\,N}{2^{P}}$$
• T is related to the initially infected hosts
• Four real factors that affect worms’ performance based on the RCS model
– Scan rate: r
– Size of total vulnerable population: N
– Real address space: P (in bits)
– Initially infected hosts: I0
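The Python below is an added example (not the author's code) that reproduces the β and T values quoted on the Sapphire slides and on the scan-rate, address-space, hit-list and practical-scenario slides that follow, using β = rN/2^P rescaled to each figure's x-axis unit and T = ln((N − I0)/I0)/β, which makes i(0) = I0/N in the logistic solution. A 365-day year is assumed for the multi-year axes.

```python
import math

# Seconds per x-axis unit used on the slides' figures (365-day year assumed).
UNIT_SECONDS = {
    "30 seconds": 30,
    "five hours": 5 * 3600,
    "day": 86400,
    "ten years": 10 * 365 * 86400,
    "thousand years": 1000 * 365 * 86400,
}

def rcs_beta(scan_rate, vulnerable, addr_bits, unit_seconds):
    """beta = r * N / 2^P, expressed per x-axis unit instead of per second."""
    return scan_rate * vulnerable / 2.0 ** addr_bits * unit_seconds

def rcs_T(beta, vulnerable, initially_infected):
    """T is the time at which half the population is infected; it follows from
    i(0) = I0/N in i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)})."""
    return math.log((vulnerable - initially_infected) / initially_infected) / beta

def infected_fraction(beta, T, t):
    """Closed-form RCS solution i(t)."""
    return 1.0 / (1.0 + math.exp(-beta * (t - T)))

def time_to_fraction(beta, T, frac):
    """Inverse of infected_fraction: when does the worm reach fraction frac?"""
    return T + math.log(frac / (1.0 - frac)) / beta

def scenario(scan_rate, vulnerable, addr_bits, initially_infected, unit):
    """beta, T and the time to 90% infection, all in the figure's x-axis unit."""
    beta = rcs_beta(scan_rate, vulnerable, addr_bits, UNIT_SECONDS[unit])
    T = rcs_T(beta, vulnerable, initially_infected)
    return {"beta": beta, "T": T, "t90": time_to_fraction(beta, T, 0.9)}

if __name__ == "__main__":
    rows = [  # (label, r, N, P, I0, unit), values taken from the slides
        ("Sapphire, IPv4", 4000, 75000, 32, 1, "30 seconds"),
        ("Sapphire, IPv6 /64", 4000, 75000, 64, 1, "thousand years"),
        ("Gigabit Ethernet, /64", 300000, 75000, 64, 1, "ten years"),
        ("10 Gigabit Ethernet, /64", 3000000, 75000, 64, 1, "ten years"),
        ("Gigabit, EUI-64 -> 48 bits", 300000, 75000, 48, 1, "five hours"),
        ("Gigabit, 48 bits, I0 = 1000", 300000, 75000, 48, 1000, "five hours"),
        ("enterprise /64 scenario", 300000, 10000, 48, 501, "day"),
    ]
    for label, r, N, P, I0, unit in rows:
        s = scenario(r, N, P, I0, unit)
        print(f"{label:30s} beta={s['beta']:.3f} T={s['T']:.2f} 90% at {s['t90']:.2f} x {unit}")
```

For Sapphire in IPv4 the 90% mark lands at about 6.4 units of 30 seconds, i.e. just over three minutes, which is consistent with the "within 10 minutes" observation on the previous slides.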
Taxonomy Based On RCS Model
• A variety of IPv6 design features and scanning techniques can speed up worms’ propagation in IPv6
• Most of their effects can be mapped to the four factors of the RCS model
• Some of them cannot be fitted into the RCS model – the RCS model should be extended or simulations should be done
Features/mechanisms Fitted Into RCS Model (1)
• Increase the scan rate: r
– High bandwidth network, such as Gigabit Ethernet
• Increase the total vulnerable population: N
– Sophisticated hybrid worms that attack several vulnerabilities
– Target a vulnerability in the core of widely deployed systems caused by monoculture
Features/mechanisms Fitted Into RCS Model (2)
• Reduce the real address space: P
– Subnet scanning
– Routing worms
– The standard method of deriving the EUI field of an IPv6 address from the 48-bit MAC address
– Densely allocated IPv6 addresses
• Increase the initially infected hosts: I0
– Pre-generated hit list (Due to the annoying length of the 128-bit IPv6 address, every host in IPv6 networks may have a DNS name. So a DNS attack can reveal many host addresses)
Features/mechanisms Beyond RCS Model
• Find host addresses during the spread besides scanning
– Topological scanning
– Passive worms
• Minimize duplication of scanning efforts
– Permutation scanning
Increase The Scan Rate: r
• UDP-based attack – bandwidth limited rather than latency limited
• Gigabit Ethernet: scan rate can exceed 300,000 scans per second – reduces Sapphire’s spread time to 4 hundred years
• 10 Gigabit Ethernet: scan rate can exceed 3,000,000 scans per second – reduces Sapphire’s spread time to 40 years
[Figure: Infected Hosts vs Time (ten years); RCS fits with β = 0.385, T = 29.16 (Gigabit Ethernet) and β = 3.85, T = 2.92 (10 Gigabit Ethernet)]
Increase The Total Vulnerable Population: N
• The effect of doubling N equals the effect of doubling r
• Blaster targeted a vulnerability in core Windows components, creating a more widespread threat than the server software targeted by previous network-based worms, and resulting in a much higher density of vulnerable systems
• According to IDC, Microsoft Windows represented 94 percent of the consumer client software sold in the United States in 2002
Reduce The Real Address Space: P (1)
• Subnet scanning – focus on a /64 IPv6 sub-network
• The standard method of deriving the EUI field of an IPv6 address from the 48-bit MAC address – further reduces the address space to 48 bits
• Assume a Gigabit Ethernet – 300,000 scans per second
[Figure: Infected Hosts vs Time (five hours); RCS fit with β = 1.44, T = 7.80]
Reduce The Real Address Space: P (2)
• Densely allocated IPv6 addresses – may reduce the real address space to 32 bits or even 16 bits, which means a few seconds are enough for the worm to compromise all the vulnerable hosts
• Analysis of IPv6 design features
– The auto-configuration design feature of IPv6 sacrifices 16 bits of address space in the EUI field, which can dramatically speed up worms’ propagation – a new design choice is needed which allows auto-configuration while maintaining the whole address space
– Addresses should never be allocated densely in IPv6 – a random distribution can take advantage of the whole address space
Increase The Initially Infected Hosts: I0 (1)
• Due to the annoying length of the 128-bit IPv6 address, every host in IPv6 networks may have a DNS name. So a DNS attack can reveal many host addresses
• Assume 1,000 initially infected hosts
[Figure: Infected Hosts vs Time (five hours); RCS fit with β = 1.44, T = 2.99]
Increase The Initially Infected Hosts: I0 (2)
• Analysis of IPv6 design features
– Assignment of a DNS name to each host makes the 128-bit IPv6 address tolerable, but it increases the harm of a DNS attack
– Not only public servers: addresses of normal hosts can also be revealed in a DNS attack
– Safe DNS servers are critical in IPv6 to prevent fast worm propagation
More Practical Scenario (1)
• Scan rate r: 300,000 scans per second (assume Gigabit Ethernet)
• Total population M: 20,000 (reasonable in a /64 IPv6 enterprise network)
• Total vulnerable population N: 10,000 (due to monoculture)
• Real address space P: 48 (due to auto-configuration requirement)
• Initial infected hosts I0: 501 (assume a 1000-host address list, 500 of them are vulnerable)
More Practical Scenario (2)
By taking advantage of the IPv6 design features and scanning mechanisms which can be fitted into the RCS model, a couple of days are needed to infect the whole sub-network
Not fast enough – can only compromise 20% of vulnerable hosts within a day
[Figure: Infected Hosts vs Time (day); RCS fit with β = 0.92, T = 3.20]
Topological Scanning (1)
• Every host in IPv6 has a DNS name
• DNS cache in Windows XP
– CacheHashTableSize – Default: 0xD3 (211 decimal)
– CacheHashTableBucketSize – Default: 0xa (10 decimal)
– In the default case, the DNS cache in Windows XP has 211 * 10 = 2110 entries
• Extension of RCS model – RCS_EX1 model
– Assume the DNS cache remains the same during the whole worm spread process
– Parameter F: number of addresses that can be found on a newly infected host
$$X(t) = \beta\, I(t)\,\frac{N - I(t)}{N}$$
$$\frac{dI(t)}{dt} = X(t) + X(t)\,F\,\frac{N - I(t) - X(t)}{M}$$
Topological Scanning (2)
Assume F = 50
[Figure: Infected Hosts vs Time (hour) under the RCS_EX1 model]
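To see what the F cached addresses do to the spread, the added Python below (not the presentation's code) integrates the RCS_EX1 equations as reconstructed on the Topological Scanning (1) slide with a fixed-step RK4 and compares the time to 90% infection against plain scanning (F = 0), using the parameters of the More Practical Scenario slides converted to hours; the step size and the 90% threshold are my choices.

```python
import math

def rcs_ex1_rate(I, beta, N, M, F):
    """dI/dt of the RCS_EX1 model (F = 0 reduces it to plain RCS). X is the number of
    hosts newly infected per time unit by scanning; each exposes F cached addresses,
    of which a fraction (N - I - X)/M is vulnerable and still uninfected."""
    X = beta * I * (N - I) / N
    return X + X * F * max(N - I - X, 0.0) / M

def time_to_fraction(beta, N, M, F, I0, frac, dt=0.05, t_max=1000.0):
    """Integrate dI/dt with classic RK4; return the (linearly interpolated) time at
    which I(t) first reaches frac * N, or None if t_max is reached first."""
    target, t, I = frac * N, 0.0, float(I0)
    while t < t_max:
        k1 = rcs_ex1_rate(I, beta, N, M, F)
        k2 = rcs_ex1_rate(I + dt / 2 * k1, beta, N, M, F)
        k3 = rcs_ex1_rate(I + dt / 2 * k2, beta, N, M, F)
        k4 = rcs_ex1_rate(I + dt * k3, beta, N, M, F)
        I_next = min(I + dt / 6 * (k1 + 2 * k2 + 2 * k3 + k4), float(N))
        if I_next >= target:
            return t + dt * (target - I) / (I_next - I)
        t, I = t + dt, I_next
    return None

def analytic_t90(beta, N, I0):
    """Closed-form RCS check (F = 0): T + ln(9)/beta with T = ln((N - I0)/I0)/beta."""
    return (math.log((N - I0) / I0) + math.log(9)) / beta

# Parameters of the "More Practical Scenario" slides, with time measured in hours:
# r = 300,000 scans/s, P = 48 bits, N = 10,000 vulnerable of M = 20,000 hosts, I0 = 501.
BETA_PER_HOUR = 300_000 * 10_000 / 2 ** 48 * 3600      # ~0.0384 per hour (0.92 per day)
N, M, I0 = 10_000, 20_000, 501

def compare(F=50):
    """Hours to 90% infection by scanning alone (F = 0) and with F cached addresses
    harvested from every newly infected host (the slide assumes F = 50)."""
    return (time_to_fraction(BETA_PER_HOUR, N, M, 0, I0, 0.9),
            time_to_fraction(BETA_PER_HOUR, N, M, F, I0, 0.9))

if __name__ == "__main__":
    plain, topo = compare(50)
    print(f"plain RCS:       90% infected after {plain:6.1f} h ({plain / 24:.1f} days)")
    print(f"RCS_EX1, F = 50: 90% infected after {topo:6.1f} h")
```

With F = 50 the 90% mark moves from roughly five and a half days to about half a day, which is why the cached-address harvest matters more for defenders than any plausible gain in raw scan rate.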

Topological Scanning (3)
• Extension of RCS_EX1 model
– Assume a hybrid worm, which can reveal host addresses from all machines it touches but only controls a portion of them via another vulnerability – RCS_EX2_1 model (here T(t) is the number of hosts touched so far, of which I(t) are infected)
$$X(t) = \beta\, I(t)\,\frac{N - I(t)}{N}, \qquad Y(t) = \beta\, I(t)\,\frac{M - T(t)}{M}$$
$$\frac{dI(t)}{dt} = X(t) + Y(t)\,F\,\frac{N - I(t) - X(t)}{M}$$
$$\frac{dT(t)}{dt} = Y(t) + Y(t)\,F\,\frac{M - T(t) - Y(t)}{M}$$
– DNS cache is updated when a host is touched more than once – RCS_EX2_2 model
$$X(t) = \beta\, I(t)\,\frac{N - I(t)}{N}$$
$$\frac{dI(t)}{dt} = X(t) + X(t)\,F\,\frac{N - I(t) - X(t)}{M} + \beta\, I(t)\,\frac{I(t)}{N}\,F'\,\frac{N - I(t) - X(t)}{M}$$
Topological Scanning (5)
F’ – number of addresses updated when a host is touched again; assume it is 10
[Figure: Infected Hosts vs Time (hour) under the RCS_EX2_1 model]
[Figure: Infected Hosts vs Time (hour) under the RCS_EX2_2 model]

Topological Scanning (4)
• Extension of RCS_EX2 model
– Combine RCS_EX2_1 model and RCS_EX2_2 model – RCS_EX3 model
$$X(t) = \beta\, I(t)\,\frac{N - I(t)}{N}, \qquad Y(t) = \beta\, I(t)\,\frac{M - T(t)}{M}$$
$$\frac{dI(t)}{dt} = X(t) + Y(t)\,F\,\frac{N - I(t) - X(t)}{M} + \beta\, I(t)\,\frac{T(t)}{M}\,F'\,\frac{N - I(t) - X(t)}{M}$$
$$\frac{dT(t)}{dt} = Y(t) + Y(t)\,F\,\frac{M - T(t) - Y(t)}{M} + \beta\, I(t)\,\frac{T(t)}{M}\,F'\,\frac{M - T(t) - Y(t)}{M}$$
[Figure: Infected Hosts vs Time (hour) under the RCS_EX3 model]
Topological Scanning (6)
[Figure: Infected Hosts chart; only the y axis survived extraction]
Permutation Scanning
• Permutation scanning can dramatically decrease the duplication of scanning efforts
• Permutation scanning is somewhat at odds with topological scanning – duplicate touches can reveal new host addresses due to cache updates
• Combination of permutation scanning and topological scanning – the worm maintains a thread on infected machines to wait for cache updates
• Simulation is on-going
Things To Be Taken Care Of During Interim
• Never use easy-to-remember IPv6 addresses
– It is common to derive the IPv6 address directly from the IPv4 address when an IPv4 network is newly updated to an IPv6 network
– This easy update limits the real IPv6 address space to the original IPv4 address space
• IPv6 networks are not isolated when most of the Internet is still IPv4
– 6to4 automatic SIT tunnel (2002::/16 prefix) enables IPv4 hosts to connect to IPv6 networks (such as 6Bone) without external IPv6 support
– Gateways are established for communication among three global prefixes (2002::/16 for 6to4, 2001::/16 for Internet6, 3fff::/16 for 6Bone)
– Many current operating systems support 6to4 SIT autotunnel
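The added Python below (not from the presentation) makes the address-space argument of the Reduce The Real Address Space slides and of the easy-to-remember-address point above concrete: it derives the EUI-64 interface identifier from a MAC as the slides describe, shows the derivation is reversible (so only 48 of the 64 host bits vary), and audits a constructed subnet inventory for identifiers that shrink the search space. The 2001:db8:1::/64 prefix, MAC and addresses are constructed sample values, and copying the old IPv4 address into the low 32 bits is an assumed convention for the easy-update case.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A): flip the
    universal/local bit (0x02) of the first octet and insert 0xFFFE in the middle."""
    octets = bytes(int(o, 16) for o in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")          # only the 48 MAC bits vary: P = 48

def mac_from_eui64(iid: int) -> str:
    """Inverse of eui64_interface_id: the mapping is a bijection, nothing is hidden."""
    b = iid.to_bytes(8, "big")
    return ":".join(f"{o:02x}" for o in bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8])

def host_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (the subnet size assumed on the slides) with an interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def classify_interface_id(addr: str) -> str:
    """eui64: 0xFFFE marker in bits 24..39 (48 searchable bits); low-entropy: upper 32
    bits zero, e.g. an IPv4 address copied into the host part (at most 32 searchable
    bits); random: anything else, which keeps all 64 bits as the slides recommend."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"
    if iid >> 32 == 0:
        return "low-entropy"
    return "random"

def audit(addresses) -> dict:
    """Count how many hosts in a subnet inventory use each identifier scheme."""
    counts = {"eui64": 0, "low-entropy": 0, "random": 0}
    for addr in addresses:
        counts[classify_interface_id(addr)] += 1
    return counts

# Constructed inventory for 2001:db8:1::/64: a SLAAC host with MAC 00:1b:21:aa:bb:cc,
# a host that kept its old IPv4 address 192.0.2.10 as its interface ID, a random one.
SAMPLE_ADDRESSES = [
    str(host_address("2001:db8:1::/64", eui64_interface_id("00:1b:21:aa:bb:cc"))),
    str(host_address("2001:db8:1::/64", int(ipaddress.IPv4Address("192.0.2.10")))),
    "2001:db8:1:0:3a7f:91c4:e2d0:5b16",
]
```

Hosts reported as eui64 or low-entropy are the ones to move to randomised interface identifiers (RFC 4941 temporary addresses or RFC 7217 stable opaque identifiers), which is the design change the slides ask for.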
Conclusion
• Fast-propagate worm is definitely possible in IPv6, at least in /64 enterprise networks
• Factors that speed up the propagation
– A variety of scanning techniques, some of them theoretical and not yet found in the wild
– Bad design choices in IPv6 – can be eliminated easily
  • Densely allocated IPv6 addresses
  • Easy-to-remember IPv6 addresses
– Tradeoffs in IPv6 design – can hardly be eliminated unless innovative methods are developed to meet both requirements in a tradeoff
  • Derivation of 64-bit EUI field from 48-bit MAC address
  • Each host has a DNS name