Worm Defenses

Zach Lovelady and Nick Oliver

cs239 – Network Security – Spr2003

Worms – what are they?

• Self-propagating code that spreads via the network
– Can have malicious payload
– Or not

• Slammer worm

• Not viruses – which require some sort of user action to propagate

Recent Example

• Code Red v2 (July 19th, 2001)
– 360,000 hosts compromised in 14 hours
• Doubled in size every 37 minutes
– Peak infection rate of 2000 hosts/min
– Costs of recovery ~ $2.6 billion
– Exploited buffer overflow in MS IIS
• Patch had been released

Recent Example

• Sapphire/Slammer worm – Jan 25, 2003
– Fastest spreading worm yet
– Affected at least 75,000 hosts
• 90% compromised in first 10 minutes
• Doubled in size every 8.5 seconds (first minute)
– Peak scanning rate of 55 million scans/sec after 3 minutes
– No malicious payload
• 1 UDP packet
• Overloaded networks
• Took database servers out of operation
• Cancelled airline flights, out-of-service ATMs, interference with elections
– Exploited buffer overflow in MS SQL Server or MSDE
• Patch had been released July 24th, 2002

Recent Example

Worms – Framework for understanding

• Biological Model
– SI model from the study of infectious diseases
– Describes rate of growth of epidemics in finite systems

2 equations describe behavior of population ($N$ hosts in total, $I$ infected, $S$ susceptible):

$$\frac{dI}{dt} = \frac{IS}{N}, \qquad \frac{dS}{dt} = -\frac{IS}{N}$$

Or, equivalently, with $i = I/N$ the fraction infected:

$$\frac{di}{dt} = i(1-i)$$

Solving this equation gives (for some constant of integration $T$):

$$i(t) = \frac{e^{(t-T)}}{1 + e^{(t-T)}}$$
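The slide's equations are written with a unit growth rate. The following Python is an added example, not part of the original deck, that carries the rate constant explicitly as K (setting K = 1 recovers the slide's form), derives K either from an observed doubling time or from a random-scanning worm's probe rate, and inverts the logistic solution to answer the question a defender actually asks: how long does the worm take to go from 1% to 99% of the vulnerable population? Function names, and the use of the slide's Code Red (37 min doubling) and Slammer (8.5 s doubling) figures as inputs, are this example's own choices.

```python
import math


def logistic_fraction(t, T, K=1.0):
    """i(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), the solution of di/dt = K i (1 - i).

    Evaluated as 1 / (1 + e^{-K(t-T)}) so a large argument cannot overflow.
    """
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def logit(i):
    """Inverse of the logistic: ln(i / (1 - i)). Defined for 0 < i < 1."""
    return math.log(i / (1.0 - i))


def rate_from_doubling_time(doubling_seconds):
    """While i << 1, di/dt ~ K i, so doubling every d seconds means K = ln 2 / d."""
    return math.log(2) / doubling_seconds


def rate_from_scanning(n_vulnerable, scans_per_sec, address_space=2 ** 32):
    """K for a worm that picks probe targets uniformly from the IPv4 space.

    Each infected host finds a susceptible one at rate scans_per_sec * S / 2^32,
    so dI/dt = r I S / 2^32; with i = I/N that is di/dt = (r N / 2^32) i (1 - i).
    """
    return scans_per_sec * n_vulnerable / address_space


def time_between_fractions(K, i_from, i_to):
    """Seconds for the infected fraction to grow from i_from to i_to.

    Inverting i(t) gives t = T + logit(i) / K; the unknown constant T cancels
    when two times are subtracted.
    """
    return (logit(i_to) - logit(i_from)) / K


def fit_rate(t1, i1, t2, i2):
    """Estimate K from two observed (time, infected fraction) measurements."""
    return (logit(i2) - logit(i1)) / (t2 - t1)


if __name__ == "__main__":
    # Inputs taken from the deck's slides; the conclusions are the model's, not measurements.
    for name, doubling in (("Code Red v2", 37 * 60), ("Slammer (first minute)", 8.5)):
        K = rate_from_doubling_time(doubling)
        span = time_between_fractions(K, 0.01, 0.99)
        print(f"{name}: K = {K:.3e}/s, 1% -> 99% of victims in {span / 60:.1f} minutes")
    # Same quantity from the Quarantine-paper style parameters: 360,000 hosts, 10 probes/s each.
    K = rate_from_scanning(360_000, 10)
    print(f"random scanning, 360k hosts @ 10 probes/s: early doubling every "
          f"{math.log(2) / K:.0f} s")
```

The Slammer number this produces (about two minutes from 1% to 99%) is faster than what was observed, because the model assumes every infected host keeps scanning at full rate; Slammer saturated the links it sat behind within its first minute, which is why the slide qualifies its doubling time with "(first minute)".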

Biological model – accuracy

Figure: Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service, for Code Red I's reemergence on August 1st. The x-axis shows the time of day on August 1st (Central US Time). The y-axis shows the monitored probe rate.

Code Red I (re-emergence)

Figure: The early moments of the DShield dataset, matched against the behavior of a random-scanning worm

Slammer/Sapphire

Worm – scanning strategies

• Model presented assumes random scanning for other hosts to infect.
• Other, more efficient scanning techniques possible
– Localized
– Hit-list
– Permutation
– Warhol worm

Localized Scanning—Code Red II

• A single-stage scanning worm that chose random IP addresses and attempted to infect them.

• Also used a localized scanning strategy where it was more likely to attempt to infect addresses relatively close to it. With probability 3/8 it chooses a random IP from within the class B address space of the infected network, ½ from within its class A, and 1/8 from the whole internet.

• Very successful strategy. Allows the worm to spread very rapidly within an internal network with multiple hosts having the same vulnerability.

Multi-vector worms--Nimda

• Worms are not restricted to a single method of propagation. Nimda used five methods.
• Infecting web servers from infected client hosts via probing for vulnerabilities.
• Bulk e-mailing of itself to addresses found on the host.
• Copied itself across open network shares.
• Adding code to web pages to infect clients that browsed the pages.
• Scanning for backdoors left by Code Red II.

Hit-list Scanning

• Worms spend most of their time “getting off the ground”. They spread exponentially but that means the majority of the attack only affects the first tens of thousands of victims.

• Hit-list scanning overcomes this problem by compiling a list of potentially vulnerable hosts before the worm is released. The worm scans the list and divides the list in two when a new host is infected.

• Lists can be created using several methods: stealthy scans, distributed scans from zombies, DNS searches, web crawlers, public surveys, and listening for advertisements.

Permutation Scanning

• Random scanning is naturally inefficient and cannot detect when all potential hosts have been attacked.

• Permutation scanning allows a worm to detect when a host is already infected; it is self-coordinated, comprehensive, and looks like it is conducting a random scan.

• Worms share a common pseudo-random permutation of the IP address space, generated by a 32-bit block cipher and a preselected key.

• An infected machine starts scanning just after its own position in the permutation. When the worm sees an already-infected machine it chooses a new random start point.

Warhol Worm

• Combination of a hit-list and permutation scanning.

• “Capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes.”

Worms – how to stop them

• From epidemiology – 3 factors determine the spread of an infectious pathogen
– Vulnerability of population
– Length of infectious period
– Rate of infection

Worms – how to stop them (2)

Factor: Vulnerability of population (size of vulnerable population)
Intervention: Prevention
Examples:
- Patch software
- Engineer software with fewer vulnerabilities (don't use gets())
- Increase heterogeneity of software on the internet (get rid of Microsoft, and all popular networked software)

Factor: Length of infectious period
Intervention: Treatment
Examples:
- Software patches (after outbreak) – but human timescales are too slow (16 days for most hosts to eliminate the Code Red vulnerability)
- Automatic patches (virus software model)

Factor: Rate of infection
Intervention: Containment
Examples:
- Firewalls, content filters, automated routing blacklists
- Coordination among pervasive systems
- Slow or stop spread of infection

Containment Approach

• Paper (“Internet Quarantine: Requirements for Containing Self-Propagating Code”) seeks to establish how well any containment approach can hope to perform against worms

• Looks at 3 main parameters
– Reaction time
– Containment strategy
• Address blacklisting – requires continuous updates
• Content filtering – requires effective signatures
– Deployment

Containment strategies – Simulation Results

• Idealized deployment
– Every node on network has containment software
• Info distributed instantly
• Code Red v2 style worm
– 360,000 vulnerable hosts out of 2^32
– 10 probes/sec per infected host

Containment strategies – Simulation Results

Percentage of infected hosts after 24 hours.

Containment strategies – Simulation Results

• Practical deployment
• Use real internet topology of AS connectivity
• Look at 2 deployment strategies
– Filter at customer edge networks
– Filter in exchange point routers of major (highest outdegree) ASs
• Same worm

All customer networks in XX% of ASs implement containment filtering

Containment strategies – Simulation Results

• Reaction times required for effective worm containment

• Notice that near-total containment is virtually impossible with aggressive worms in either deployment scenario
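To make the reaction-time and deployment points concrete, here is an added Python example (not the Quarantine paper's simulator, whose deployment model is far more detailed). It integrates the random-scanning SI equations for the deck's Code Red v2 style worm (360,000 vulnerable hosts out of 2^32, 10 probes/sec per infected host) and switches on content filtering at a chosen reaction time in front of a chosen fraction of the population. The constructed simplification is that filtered hosts neither emit nor accept worm traffic after activation; the unfiltered remainder keeps infecting itself. Function names and the chosen reaction-time grid are this example's own.

```python
ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm probes uniformly


def simulate_containment(n_vulnerable, scans_per_sec, reaction_time, coverage,
                         horizon=24 * 3600, dt=10.0, initial_infected=1):
    """Mean-field SI model (dI/dt = r*I*S/2^32) of a random-scanning worm.

    At `reaction_time` seconds a content filter activates in front of a fraction
    `coverage` of the vulnerable hosts (constructed assumption: from then on those
    hosts neither send nor receive worm traffic). Returns the fraction of all
    vulnerable hosts infected at `horizon`.
    """
    infected_u = float(initial_infected)                  # infected, not behind a filter
    susceptible_u = float(n_vulnerable - initial_infected)  # susceptible, not behind a filter
    infected_f = 0.0                                      # infected hosts sealed behind filters
    t = 0.0
    activated = False
    while t < horizon:
        if not activated and t >= reaction_time:
            # Filters go up: the covered share of infected hosts is frozen, and the
            # covered share of susceptible hosts becomes unreachable.
            infected_f = infected_u * coverage
            infected_u -= infected_f
            susceptible_u *= 1.0 - coverage
            activated = True
        # Euler step: each unfiltered infected host hits an unfiltered susceptible
        # one at rate scans_per_sec * S_u / 2^32.
        hit = scans_per_sec * infected_u * susceptible_u / ADDRESS_SPACE * dt
        hit = min(hit, susceptible_u)  # cannot infect more hosts than remain susceptible
        infected_u += hit
        susceptible_u -= hit
        t += dt
    return (infected_u + infected_f) / n_vulnerable


def containment_table(n_vulnerable, scans_per_sec, reaction_times, coverages):
    """Percent of vulnerable hosts infected after 24 h for each (reaction time, coverage)."""
    return {(R, c): 100.0 * simulate_containment(n_vulnerable, scans_per_sec, R, c)
            for R in reaction_times for c in coverages}


if __name__ == "__main__":
    table = containment_table(360_000, 10, [60, 600, 3600, 4 * 3600], [1.0, 0.5, 0.0])
    for (R, c), pct in sorted(table.items()):
        print(f"reaction {R:6d}s  coverage {c:4.0%}  infected after 24h: {pct:6.2f}%")
```

Two things stand out in the output. With every host covered, reacting within an hour or two of the first infection leaves a negligible fraction infected, while waiting four hours leaves roughly a third. With half the hosts covered, the reaction time stops mattering: the uncovered half saturates on its own well inside 24 hours, so the worm ends up on about 50% of the population however fast the filters went up. That is the partial-deployment problem the slide refers to.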

Worm Defenses

• One possible approach
– Peer-to-peer defense network

Cooperative Response Strategies for Large Scale Attack Mitigation

D. Nojiri, J. Rowe, K. Levitt

UC Davis

Cooperative Peer-to-peer Strategies

• Direct cooperation occurs only between a limited number of friend organizations.

• Organizations receiving an alert report act according to their own local policy—there are no central authorities.

• “When a site detects suspicious worm-like behavior, its initial cooperation strategy is to share the information with its friend organizations…sharing produces a propagating mitigating response whose rate of spread is similar to that of the worm itself.”

Simulated Models of Mitigation Strategies

• Investigate the global properties when complex decision making by cooperating members is involved.

• Topology: Thousands of vulnerable hosts and hundreds of cooperating members are simulated. Members share worm reports. When the number of worm reports exceeds some threshold, a member’s response device protects its collection of vulnerable hosts from infection. Response devices are directly connected.

Response Devices

• Two states: normal and alerted.
• Normal: receives alerts and raises alert level but does not send alerts.
• Alerted: Blocks worm infection attempts using ingress and egress filtering and shares alerts with neighbors.
• In the absence of worm activities the device backs off its alert level and can return to normal.
• Model parameters: 1) average number of vulnerable hosts protected by device, 2) number of cooperating friends, 3) threshold for state change, 4) back-off rate, 5) alert severity.

False Alarms

• Always a problem with security systems including this model.

• See figure 6. Assume that 5% of all members incorrectly report a worm attack to their friends. With a lower alert threshold as many as 75% of all members begin blocking ‘worm’ attacks.

• Reducing the sensitivity reduces the disruption caused by false positives but increases the risk of succumbing to attack.
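The false-alarm cascade is easy to reproduce in a toy version of the response-device model. The Python below is an added example, not the UC Davis simulator: members sit on a ring and are friends with their nearest neighbours, a device's alert level is the number of its friends currently in the alerted state, a device goes alerted when that count reaches the threshold, and an alerted device backs off to normal after a fixed number of rounds with the level below threshold. Alert severity is not modelled (every report counts 1). A constructed 5% of members misreport a worm for the first few rounds; the helper names, ring topology and the choice of placing the misreporters either spaced out or in adjacent pairs are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class Device:
    state: str = "normal"   # "normal": counts alerts, never forwards; "alerted": blocks and shares
    quiet_rounds: int = 0   # consecutive rounds with alert level below threshold (drives back-off)


def ring_friends(n_members, degree):
    """Constructed topology: member i is friends with its `degree` nearest ring neighbours."""
    half = degree // 2
    return {i: [(i + d) % n_members for d in range(-half, half + 1) if d != 0]
            for i in range(n_members)}


def spaced_false_reporters(n_members, count):
    """`count` misreporting members spread evenly around the ring."""
    return list(range(0, n_members, n_members // count))


def paired_false_reporters(n_members, n_pairs):
    """Misreporting members placed as adjacent pairs, so some devices see two faulty friends."""
    return [m for start in range(0, n_members, n_members // n_pairs) for m in (start, start + 1)]


def simulate(n_members=200, degree=4, threshold=2, backoff_rounds=3,
             false_reporters=(), false_report_rounds=3, rounds=40):
    """Synchronous round-based simulation. Returns the fraction of members whose
    device is blocking at the end, the peak fraction, and the per-round history."""
    friends = ring_friends(n_members, degree)
    devices = [Device() for _ in range(n_members)]
    history = []
    for r in range(rounds):
        if r < false_report_rounds:
            # Faulty sensors: these devices report a worm to their friends regardless of evidence.
            for m in false_reporters:
                devices[m].state, devices[m].quiet_rounds = "alerted", 0
        reporting = {i for i, d in enumerate(devices) if d.state == "alerted"}  # snapshot
        for i, d in enumerate(devices):
            level = sum(1 for f in friends[i] if f in reporting)
            if d.state == "normal":
                if level >= threshold:
                    d.state, d.quiet_rounds = "alerted", 0
            elif level >= threshold:
                d.quiet_rounds = 0
            else:
                d.quiet_rounds += 1
                if d.quiet_rounds >= backoff_rounds:   # back-off: nothing heard, stand down
                    d.state, d.quiet_rounds = "normal", 0
        history.append(sum(d.state == "alerted" for d in devices) / n_members)
    return {"final": history[-1], "peak": max(history), "history": history}


if __name__ == "__main__":
    spaced = spaced_false_reporters(200, 10)   # 5% of members, spread out
    paired = paired_false_reporters(200, 5)    # 5% of members, in adjacent pairs
    for label, liars in (("spaced", spaced), ("paired", paired)):
        for threshold in (1, 2, 3):
            res = simulate(threshold=threshold, false_reporters=liars)
            print(f"{label:6s} threshold={threshold}: peak {res['peak']:.0%} "
                  f"blocking, final {res['final']:.0%}")
```

With threshold 1 the ten false reports drag every member into blocking, and nobody backs off afterwards because each alerted device now has alerted friends feeding its level: the cascade is self-sustaining even though the original false alarms stopped after three rounds. With threshold 2 the outcome depends on whether any device has two faulty friends, which is why the paired placement cascades and the spaced one does not. With threshold 3 the false reports never escape the reporters themselves and back-off returns them to normal. The threshold is therefore a hard cliff, not a dial, in this toy model, and it buys safety against false alarms exactly at the cost of needing more corroborating friends before a genuine worm report triggers blocking.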

Conclusion

• Mathematical model shows that large scale worm attacks can be slowed by unleashing a controlled “white worm” that propagates at a faster rate.

• Simulations model a more complex response and show that some defense benefits can be achieved when cooperating directly with peers.

• Slow, stealthy worms and false positives are not handled well.

Closing thoughts/Questions

• Containing worms difficult – especially in partial deployment
– All or most IP-IP paths should be filtered
• Containment/Prevention/Treatment? What’s best?
• How do we contain multi-vector worms?
• How do we deal with stealthy, slow spreading worms?
• A more malicious Slammer – how much damage could it do?

References

• BGP picture: http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
• Vern Paxson, Stuart Staniford, and Nicholas Weaver, “How to 0wn the Internet in Your Spare Time”, Proceedings of the 11th USENIX Security Symposium (Security '02).
• David Moore, Colleen Shannon, Geoffrey Voelker, and Stefan Savage, “Internet Quarantine: Requirements for Containing Self-Propagating Code”, to appear in Proceedings of the 2003 IEEE Infocom Conference, San Francisco, CA, April 2003.
• D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, “The Spread of the Sapphire/Slammer Worm”, technical report, February 2003.