Very Fast Containment of Scanning Worms
Presenter: Yan Gao
Authors: Nicholas Weaver, Stuart Staniford, Vern Paxson

Dec 20, 2015

Transcript
Page 1: Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast Containment of Scanning Worms

Presenter: Yan Gao

Authors: Nicholas Weaver, Stuart Staniford, Vern Paxson

Page 2

Outline

Worm containment
Hardware implementations
Scan suppression
Cooperation
Attacking worm containment

Page 3

Scanning Worms: What is a scanning worm?

Operates by picking “random” addresses and attempting to infect the machine at each one.
Blaster: linear scanning
Code Red: fully random
Code Red II and Nimda: biased toward local addresses

Common properties of scanning worms:
Most scanning attempts result in failure.
Infected machines will initiate many connection attempts.

Page 4

Scanning Worms: How to mitigate the spread of worms?

Prevention: reduce the size of the vulnerable population.
Insufficient to counter the worm threat. Why? A single vulnerability in a popular software system can translate to millions of vulnerable hosts.

Treatment: once a host is infected, clean it up immediately (antivirus software, patches).
Reduces the number of vulnerable hosts and the rate of infection.
Limitation: it takes a long time to develop cleanup code, which is too slow to have a significant impact, and people don’t install patches.

Containment

Page 5

Containment

Protect individual networks and isolate infected hosts.
Examples: firewalls, content filters, automated blacklists.
Most promising solution: it can be completely automated, and containment does not require the participation of each and every host on the Internet.

Page 6

Containment Properties

Reaction time: detecting malicious activity, propagating the containment information to all hosts participating in the system, and activating the containment strategy.

Containment strategy: address blacklisting
Maintain a list of IP addresses that have been identified as infected.
Drop all packets from any address in the list.
Advantage: can be implemented easily with existing filtering technology.
Disadvantage: must be updated continuously to reflect newly infected hosts.

Page 7

Containment (contd.): content filtering

Requires a database of content signatures known to represent particular worms.
Requires additional technology to automatically create appropriate content signatures.
Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation.

Deployment scenarios
Ideally, a global deployment is preferable. Practically, a global deployment is impossible. Deployment may instead be at the border of ISP networks.

Page 8

Worm Containment: Defense against scanning worms

Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.
Leverages the anomaly of a local host attempting to connect to multiple other hosts.
Containment looks for a class of behavior rather than a specific worm signature, so it is able to stop new worms.

Page 9

Worm Containment: Break the network into many cells

Within each cell a worm can spread unimpeded. Between cells, containment limits infections by blocking outgoing connections from infected cells.
Must have a very low false positive rate: blocking suspicious machines can cause a denial of service if the false positive rate is high.
Needs complete deployment within an enterprise, integrated into the network’s outer switches or similar hardware elements.

Page 10

Epidemic Threshold

A worm-suppression device must necessarily allow some scanning before it triggers a response, and the worm may find a victim during that time.
The epidemic threshold depends on:
The sensitivity of the containment response devices
The density of vulnerable machines on the network (NAT and DHCP)
The degree to which the worm is able to target its efforts into the correct network, and even into the current cell

Page 11

Sustained Scanning Threshold

If a worm scans slower than the sustained scanning threshold, the detector will not trigger.
It is vital to achieve as low a sustained scanning threshold as possible.
For this implementation the threshold is set to 1 scan per minute.

Page 12

Outline

Worm containment
Hardware implementations
Scan suppression
Cooperation
Attacking worm containment

Page 13

Hardware Implementation

Constraints:
Memory access speed: on duplex gigabit Ethernet, DRAM can only be accessed 4 times per packet
Memory size: attempt to keep the footprint under 16MB
The number of distinct memory banks

Page 14

Hardware Implementations: Approximate caches

Collisions cause imperfections (as in a Bloom filter)
Fixed memory available
Allow collisions to cause aliasing
Err on the side of false negatives

Attacker behavior:
Predicting the hashing algorithm: countered with a keyed hash function
Simply overwhelming the cache

Page 15

Hardware Implementations

Efficient small 32-bit block ciphers prevent attackers from controlling collisions:
Permute the N-bit value
Separate the resulting N-bit value into an index and a tag
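To show the index/tag idea in working code, here is an added Python model that is not from the paper or the slides: a toy keyed 32-bit Feistel permutation (the round function, the 12-bit index width and the direct-mapped layout are choices made for this example, not the authors' hardware parameters) and a cache that stores the tag at the permuted index. Because the permutation is a bijection, a tag match is exact, and without the key an outside party cannot predict which two addresses will land in the same slot.

```python
MASK16 = 0xFFFF
INDEX_BITS = 12                     # 4096-slot table; width chosen for this example

def _f(half, subkey):
    # Feistel round function: any deterministic mixing will do, the Feistel
    # structure makes the whole permutation a bijection regardless of _f.
    x = ((half ^ subkey) * 0x9E37 + 0x79B9) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def _subkeys(key):
    return [((key >> (8 * r)) ^ (0x5A5A * (r + 1))) & MASK16 for r in range(4)]

def permute32(value, key):
    """Keyed 32-bit permutation: 4-round Feistel over two 16-bit halves."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (left << 16) | right

def unpermute32(value, key):
    """Inverse of permute32: undo the rounds in reverse order."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _f(left, sk), left
    return (left << 16) | right

def split(value, key):
    """Permute, then split: low INDEX_BITS pick the slot, the rest is the tag."""
    p = permute32(value, key)
    return p & ((1 << INDEX_BITS) - 1), p >> INDEX_BITS

class ApproxCache:
    """Direct-mapped set of 32-bit values such as IPv4 addresses. Since permute32
    is a bijection a stored tag matches only the value that produced it (no false
    hits); a slot collision evicts the earlier occupant, i.e. a false negative."""
    def __init__(self, key):
        self.key = key                      # per-device secret, never sent on the wire
        self.slots = [None] * (1 << INDEX_BITS)

    def insert(self, value):
        """Returns True if a different value was evicted from the slot."""
        idx, tag = split(value, self.key)
        evicted = self.slots[idx] is not None and self.slots[idx] != tag
        self.slots[idx] = tag
        return evicted

    def lookup(self, value):
        idx, tag = split(value, self.key)
        return self.slots[idx] == tag
```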

Page 16

Outline

Worm containment
Hardware implementations
Scan suppression
Cooperation
Attacking worm containment

Page 17

Scan Suppression

Responding to detected portscans by blocking future scanning attempts.
Portscans have two basic types:
Horizontal: search for an identical service on a large number of machines.
Vertical: examine an individual machine to discover its running services.

Page 18

Scan Suppression: Protect the enterprise, forget the Internet

Preventing scans from the Internet is too hard.
If an inside node is infected, the filter sees all of its traffic.
The cell (local area network) is “outside”; the larger enterprise network is “inside”.
Can also treat the entire enterprise as a cell, and the Internet as outside.

Figure: scan detectors placed between the Internet, the inside network and the outside cells.

Page 19

Scan Suppression

Derived from Threshold Random Walk (TRW) scan detection.
The algorithm operates by using an oracle to determine whether a connection will fail or succeed.
By modeling benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host is a scan.
Assumption: benign traffic has a higher probability of success than attack traffic.

Page 20

Scan Suppression Strategies:

Track connections and addresses using approximate caches;
Replace old addresses and old ports if the corresponding entry has timed out;
Track addresses indefinitely as long as we do not have to evict their state from our caches;
Detect vertical as well as horizontal TCP scans, and horizontal UDP scans;
Implement a “hygiene filter” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.

Page 21

Connection Cache

Records whether we’ve seen a packet in each direction.
Aliasing turns a failed attempt into a success (biases toward false negatives).
Age is reset on each forwarded packet.
Every minute, a background process purges entries older than Dconn.

Page 22

Address Cache

Tracks “outside” addresses.
A counter keeps the difference between successes and failures.
Counts are decremented every Dmiss seconds.

Page 23

Algorithm Pseudo-code

Page 24

Parameters and Tuning

Parameters:
T: miss-hit difference that causes a block
Cmin: minimum allowed count
Cmax: maximum allowed count
Dmiss: decay rate for misses
Dconn: decay rate for idle connections
Cache size and associativity
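An added simulation (not the authors' code) of the address-cache counter that these parameters tune, run over constructed connection events: a miss raises the per-address count, a hit lowers it, the count decays by one every Dmiss seconds and is clamped to [Cmin, Cmax], and reaching T blocks the address. The parameter values, the success flag standing in for the connection-cache oracle, and the three traffic sources are all assumed for this example; the sustained scanning threshold of Page 11 shows up as the slow scanner that never trips.

```python
# Parameter values assumed for this simulation (the slides name the knobs, not these numbers).
T = 10         # miss-hit difference that causes a block
CMIN = -20     # minimum allowed count: benign hosts can bank successful connections
CMAX = 40      # maximum allowed count
DMISS = 60.0   # seconds per decay step; each step lowers a count by one

class ScanSuppressor:
    """Per-address counter modelled on the slides' address cache. A dict stands in for
    the fixed hardware cache, and the connection-cache oracle is replaced by a flag."""

    def __init__(self):
        self.addrs = {}   # addr -> [count, time of last decay step, blocked]

    def observe(self, now, addr, success):
        """Record one connection attempt from addr; returns True once addr is blocked."""
        st = self.addrs.setdefault(addr, [0, now, False])
        steps = int((now - st[1]) // DMISS)      # background decay: -1 per DMISS seconds
        if steps:
            st[0] = max(CMIN, st[0] - steps)
            st[1] += steps * DMISS
        if success:
            st[0] = max(CMIN, st[0] - 1)          # hit: the attempt was answered
        else:
            st[0] = min(CMAX, st[0] + 1)          # miss: no reply was seen
        if st[0] >= T:
            st[2] = True                          # block is sticky in this model
        return st[2]

    def blocked(self):
        return {a for a, st in self.addrs.items() if st[2]}

def run(events):
    """events: (time_s, addr, success) tuples in any order; returns blocked addresses."""
    det = ScanSuppressor()
    for t, addr, ok in sorted(events):
        det.observe(t, addr, ok)
    return det.blocked()

# Constructed traffic: a scanner at 6 attempts/min, a scanner below the 1/min sustained
# threshold of Page 11, and a benign host whose attempts succeed half the time.
EVENTS = ([(10.0 * i, "10.0.0.5", False) for i in range(20)]
          + [(120.0 * i, "10.0.0.9", False) for i in range(20)]
          + [(15.0 * i, "10.0.0.7", i % 2 == 0) for i in range(40)])

def simulate():
    return run(EVENTS)   # expected: {"10.0.0.5"}
```

The fast scanner is blocked on its tenth unanswered attempt (t = 100 s); the scanner at one attempt per two minutes never exceeds a count of 1 because decay outpaces it.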

Page 25

Evaluation

For a 6000-host enterprise trace:
1MB connection cache, 4MB 4-way address cache = 5MB total
At most 4 memory accesses per packet
Operated at gigabit line speed
Detects scanning at rates over 1 per minute
Low false positive rate
About 20% false negative rate
Detects scanning after 10-30 attempts

Page 26

Outline

Worm containment
Hardware implementations
Scan suppression
Cooperation
Attacking worm containment

Page 27

Cooperation

Divide the enterprise into small cells.
Connect all cells via a low-latency channel.
A cell’s detector notifies the others when it blocks an address (“kill message”).
The blocking threshold dynamically adapts to the number of blocks in the enterprise: T’ = T(1 – θ)^X, for very small θ.
Changing θ does not change the epidemic threshold, but it reduces the infection density.

Page 28

Cooperation – Effect of θ

Page 29

Outline

Worm containment
Hardware implementations
Scan suppression
Cooperation
Attacking worm containment

Page 30

Attacking worm containment

False positives: forge packets (though this does not prevent inside systems from initiating connections).

False negatives:
Use a non-scanning technique (topological, meta-server, passive, hit-list).
Scan under the detection threshold.
Use a white-listed port to test for liveness before scanning.

Page 31

Attacking Cooperation

Attempt to outrace containment if the threshold is permissive.
Flood the cooperation channels.
Cooperative collapse: false positives cause lowered thresholds, lowered thresholds cause more false positives, and the feedback causes collapse of the network.

Page 32

Attacking Worm Containment

Detecting containment: try to contact already-infected hosts; go stealthy if containment is detected.
Circumventing containment: embed the scan in a storm of spoofed packets.
Two-sided evasion: inside and outside hosts initiate normal connections to counter the penalty of scanning. The algorithm can be modified to prevent this, but vertical scan detection is lost.

Page 33

Conclusion

Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware.
Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.