Date posted: 20-Jan-2016
Slide 1: Very Fast Containment of Scanning Worms
By: Artur Zak. Modified by: David Allen.
Paper authors: Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI)
Slide 2: Abstract
- Worms: malicious, self-propagating programs.
- They represent a threat to large networks.
- Containment: one form of defense; limit a worm's spread by isolating it in a small subsection of the network.
Slide 3: Scanning Worms
- Operate by picking "random" addresses and attempting to infect the machine at each one.
- Blaster: linear scanning. Code Red: fully random. Code Red II and Nimda: biased toward local addresses.
- Worms will find small holes in firewalls and routers.
- Complete infection of the local network from a single original source.
Slide 4: Scanning Worms
Common properties of scanning worms:
- Most scanning attempts result in failure.
- Infected machines will initiate many connection attempts.
Containment looks for a class of behavior rather than a specific worm signature, so it is able to stop new worms.
Slide 5: Worm Containment (virus throttling)
- Must be automated: worms propagate more rapidly than humans can respond.
- Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.
- "Defense in depth": used in addition to other network protection mechanisms.
Slide 6: Mechanism Requirements
- Break the network into many cells.
- Within each cell a worm can spread unimpeded.
- Between cells, containment limits infection by blocking outgoing connections from infected cells.
- Works best with small cells.
- Must have a very low false positive rate: blocking suspicious machines or ports can cause a DoS if the false positive rate is high.
Slide 7: Epidemic Threshold
- A worm-suppression device must necessarily allow some scanning before it triggers a response, and the worm may find a victim during that time.
- An epidemic occurs if each infection results in a single child; an exponential epidemic occurs if each infection results in more than one child.
Slide 8: Epidemic Threshold
The epidemic threshold depends on:
- the sensitivity of the containment response devices;
- the density of vulnerable machines on the network;
- the degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
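The three factors on this slide can be folded into one reproduction number. This is an added derivation, not part of the original slides or the paper; the symbols $T$, $v$ and $\tau$ are assumptions introduced here, and each infected host is assumed to get its own scan allowance before it is blocked.

Let $T$ be the number of scans the containment device lets an infected host make before it blocks the host (its sensitivity), $v$ the fraction of addresses in the scanned space that are vulnerable (density), and $\tau \in [0,1]$ the fraction of the worm's scans that actually land in that space (targeting). The expected number of new infections, or children, produced by one infected host before it is blocked is

$$R = T \cdot \tau \cdot v .$$

By the previous slide, $R = 1$ sustains a linear epidemic and $R > 1$ an exponential one, so containment has to hold

$$T < \frac{1}{\tau v} .$$

A denser vulnerable population (larger $v$) or a better-targeted worm (larger $\tau$) therefore forces a smaller allowance $T$; the scan allowance per unit time is exactly the sustained scanning threshold discussed on the next slide.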
Slide 9: Sustained Scanning Threshold
- If a worm scans slower than the sustained scanning threshold, the detector will not trigger.
- Vital to achieve as low a sustained scanning threshold as possible.
- For this implementation the threshold is set to 1 scan per minute; other methods are often no better than 1 per second.
Slide 10: Scan Suppression
Portscans have two basic types:
- Horizontal: search for an identical service on a large number of machines.
- Vertical: examine an individual machine to discover running services.
Scan suppression: responding to detected portscans by blocking future scanning attempts.
Slide 11: Implementation
- Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection.
- TRW operates by using an oracle to determine whether a connection will fail or succeed.
- Walk down for a good connection; walk up for a failed connection; the threshold is set on the deviation.
Slide 12: Implementation
- Implementation is easier than TRW.
- Suitable for both hardware and software implementation.
- The simplified algorithm increased the false negative rate; no change in the false positive rate.
Slide 13: Hardware Implementation
Constraints:
- Must be very fast to keep up with high packet rates.
- Memory access speed: during the transmission of a minimum-sized gigabit Ethernet packet, the design needs to access DRAM at 8 different locations (4 accesses for full duplex).
- SRAM can be used to solve the problem, but it is more expensive.
Slide 14: Hardware Implementation
- Approximate cache: a cache for which collisions cause imperfections.
- Indexing into the cache is done with a 32-bit block cipher and a secret key, which helps protect against collision attacks.
- Collisions will only result in false negatives.
Slide 15: Connection Cache
- IPs are hashed with the port to create the index.
- Aliasing results in combination.
- Age is incremented each minute.
- Age is zeroed each time a packet is seen.
- Old entries are removed (after 10 min).
Slide 16: Address Cache Lookup
- The external IP is encrypted to create the index and tag.
- Each index may reference four entries.
- A counter tracks the difference between misses and hits.
- When necessary, the most negative entries are evicted.
Slide 17: Address Cache Lookup
- Assumption: legitimate traffic succeeds more often than scanning traffic.
- A threshold is used to block traffic.
- 10 internal 5 internal
- Hard limit on negative counts (-20).
- Positive counts are decayed over time (1 min).
Slide 18: Results
- Attacks are detected after only 10 scans.
- Blocking: new connections are blocked; currently established connections are allowed.
- The system accurately detected real attacks.
- False positives on DNS and SMTP servers due to fan-out; these need to be white-listed.
- Tighter thresholds had more false positives, but only for odd traffic.
Slide 19: Attacking the Containment
Malicious false negative: the worm slips by even though containment is active.
- Scan at a rate slower than the sustained scanning threshold; with the threshold set to 1 per minute, growth will be very slow.
- Scans to white-listed hosts can be used for liveness testing before the attack begins.
- Offset misses by making valid connections.
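The following simulation, an added example that is not the authors' hardware design or the paper's code, puts slides 11 to 19 together: a keyed index into a 4-way approximate address cache (slides 14 and 16), a per-address counter that walks up on failed connections and down on successful ones with the -20 hard floor and 1-minute decay of positive counts (slide 17), a block at 10 (slide 18), and the two evasion ideas of slide 19 measured against it. Everything not on the slides is an assumption: an HMAC stands in for the 32-bit block cipher, the walk step is +1/-1, the bucket count, the key, the addresses and the scan intervals are constructed values, and a miss is simply reported by the caller (the connection-cache oracle is not modelled).

```python
"""Scan-suppression address cache in the spirit of slides 11-19.
Added example, not the authors' hardware design or the paper's code.
Assumptions: an HMAC stands in for the 32-bit block cipher that derives
index and tag; 4 entries per index; +1 per failed connection (miss) and
-1 per successful one (hit); block once the count reaches BLOCK_THRESHOLD;
counts never drop below HARD_FLOOR; positive counts decay by one per
minute; entries idle for IDLE_LIMIT seconds are dropped."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

BLOCK_THRESHOLD = 10   # slide 18: attacks detected after only 10 scans
HARD_FLOOR = -20       # slide 17: hard limit on negative counts
DECAY_PERIOD = 60.0    # slide 17: positive counts decay (1 min)
IDLE_LIMIT = 600.0     # slide 15: old entries removed (10 min)
SETS = 1024            # number of index buckets (constructed value)
WAYS = 4               # slide 16: each index may reference four entries

@dataclass
class Entry:
    tag: int
    count: int = 0
    last_seen: float = 0.0
    last_decay: float = 0.0

class AddressCache:
    def __init__(self, key: bytes):
        self.key = key
        self.sets = [[] for _ in range(SETS)]

    def index_tag(self, ip: str):
        """Keyed permutation of an IPv4 address: without the secret key an
        attacker cannot pick addresses that collide in the cache."""
        raw = int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")
        word = int.from_bytes(
            hmac.new(self.key, raw, hashlib.sha256).digest()[:4], "big")
        return word % SETS, word // SETS

    def _entry(self, ip: str, now: float) -> Entry:
        idx, tag = self.index_tag(ip)
        bucket = self.sets[idx]
        bucket[:] = [e for e in bucket if now - e.last_seen < IDLE_LIMIT]
        for e in bucket:
            if e.tag == tag:
                return e
        if len(bucket) >= WAYS:
            # Evict the most negative entry: losing it can only cause a
            # false negative (a forgotten scanner), never a false positive.
            bucket.remove(min(bucket, key=lambda e: e.count))
        e = Entry(tag=tag, last_seen=now, last_decay=now)
        bucket.append(e)
        return e

    def observe(self, ip: str, now: float, success: bool):
        """Record one connection outcome; return (count, blocked)."""
        e = self._entry(ip, now)
        periods = int((now - e.last_decay) // DECAY_PERIOD)
        if periods > 0:
            if e.count > 0:                 # only positive counts decay
                e.count = max(0, e.count - periods)
            e.last_decay += periods * DECAY_PERIOD
        e.last_seen = now
        if success:
            e.count = max(HARD_FLOOR, e.count - 1)   # walk down, floored
        else:
            e.count += 1                             # walk up
        return e.count, e.count >= BLOCK_THRESHOLD

def scans_until_blocked(interval: float, max_scans: int = 200,
                        ip: str = "203.0.113.7") -> int:
    """Failed connections every `interval` seconds (constructed scanner);
    return the scan number at which the address is blocked, 0 if never."""
    cache = AddressCache(b"constructed-demo-key")
    for i in range(max_scans):
        _, blocked = cache.observe(ip, i * interval, success=False)
        if blocked:
            return i + 1
    return 0

def misses_after_good_history(good: int, ip: str = "198.51.100.9") -> int:
    """`good` successful connections, then failures: misses until blocked.
    The hard floor caps banked credit at 20, so the block still comes."""
    cache = AddressCache(b"constructed-demo-key")
    t = 0.0
    for _ in range(good):
        cache.observe(ip, t, success=True)
        t += 0.1
    misses = 0
    while True:
        misses += 1
        _, blocked = cache.observe(ip, t, success=False)
        t += 0.1
        if blocked:
            return misses

if __name__ == "__main__":
    for interval in (1.0, 30.0, 90.0):
        print(f"one scan every {interval:g} s -> blocked after",
              scans_until_blocked(interval), "scans (0 = never)")
    print("100 good connections, then scanning -> blocked after",
          misses_after_good_history(100), "misses")
```

Running it shows the three behaviours the slides describe: a scanner at one failed connection per second is blocked on its tenth scan; at two per minute the count still climbs by a net one per minute and the block comes on the eighteenth; at one per 90 s the decay erases each miss before the next and the address is never blocked, which is the sustained scanning threshold in action. Banking successful connections first only delays the block, because the -20 floor bounds the credit at 20 extra misses.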
Slide 20: Attacking the Containment
Malicious false positive: a false positive creates a DoS target.
- Forged packets can be a problem and must be prevented in the network.
- A web page or HTML-formatted email could initiate multiple connections to non-existent addresses.
Slide 21: Cooperation
- Containment systems can cooperate to reduce thresholds during an attack.
- Communication between systems must be efficient to stay ahead of the spread.
- Must be done carefully to avoid cooperative collapse: a cascade of sensitivity increases.