Slammer Simulation
Infected hosts estimation
- Population: N = 100,000
- Scan rate = 4000/sec
- Initially infected: I0 = 10
- Monitored IP space: 2^20
- Monitoring interval: 1 second
Summary From the Last Lecture
- Viruses vs Worms vs Trojans
- Types of viruses
- Virus detection
- Virus defense
- Good viruses = bad idea
Report 2
- Due tomorrow
- Make sure you mention the venue in the title:
  - Conference or journal name, year of publication
  - If from a workshop, mention also the main conference that this workshop is associated with
- Make sure you include citations if you
  - Use figures or equations from the paper
  - Use some text verbatim
  - Talk about ideas from another related paper
  - Like this: “In [2] authors say that …” and then have reference [2] in the reference section
Code Red
- Spread on July 12 and 19, 2001
- Exploited a vulnerability in Microsoft Internet Information Server (turned on by default) that allows an attacker to get full access to the machine
- Two variants – both probed random machines, one with a static seed for the RNG, the other with a random seed for the RNG (CRv2)
- CRv2 infected more than 359,000 computers in less than 14 hours
  - It doubled in size every 37 minutes
  - At the peak of infection more than 2,000 hosts were infected each minute
Code Red v2 (figure)
Code Red v2
- 43% of infected machines were in the US
- 47% of infected machines were home computers
- The worm was programmed to stop spreading at midnight, then attack www1.whitehouse.gov
  - It had a hardcoded IP address, so the White House was able to thwart the attack by simply changing the IP address-to-name mapping
- Estimated damage ~2.6 billion
Sapphire/Slammer Worm
- Spread on January 25, 2003
- The fastest computer worm in history
  - It doubled in size every 8.5 seconds
  - It infected more than 90% of vulnerable hosts within 10 minutes
  - It infected 75,000 hosts overall
- Exploited a buffer overflow vulnerability in Microsoft SQL Server, discovered 6 months earlier
Sapphire/Slammer Worm
- No malicious payload
- The aggressive spread had severe consequences
  - Created a DoS effect
  - It disrupted backbone operation
  - Airline flights were canceled
  - Some ATM machines failed
Sapphire/Slammer Worm (figure)
Why Was Slammer So Fast?
- Both Slammer and Code Red 2 use random scanning
  - Code Red uses multiple threads that invoke TCP connection establishment through the 3-way handshake – it must wait for the other party to reply or for the TCP timeout to expire
  - Slammer packs its code in a single UDP packet – speed is limited only by how many UDP packets a machine can send
  - Could we do the same trick with Code Red?
- Slammer's authors tried to use a linear congruential generator to generate random addresses for scanning, but programmed it wrong
Sapphire/Slammer Worm
- 43% of infected machines were in the US
- 59% of infected machines were home computers
- Response was fast – after an hour sites started filtering packets for the SQL Server port
BGP Impact of Slammer Worm (figure)
Stuxnet Worm
- Discovered in June/July 2010
- Targets industrial equipment
- Uses Windows vulnerabilities (known and new) to break in
- Installs a PLC (Programmable Logic Controller) rootkit and reprograms the PLC
  - Without the physical schematic it is impossible to tell what the ultimate effect is
- Spread via USB drives
- Updates itself either by reporting to a server or by exchanging code with a new copy of the worm
Scanning Strategies
- Many worms use random scanning
- This works well only if machines have very good RNGs with different seeds
- Getting a large initial population is the hard part
  - Once it exists, the infection rate skyrockets
  - The infection eventually reaches saturation, since all machines are probing the same addresses
“Warhol Worms: The Potential for Very Fast Internet Plagues”, Nicholas C. Weaver
Random Scanning (figure)
Scanning Strategies
- A worm can get a large initial population with hitlist scanning
- Assemble a list of potentially vulnerable machines prior to releasing the worm – a hitlist
  - E.g., through a slow scan
- When the scan finds a vulnerable machine, the hitlist is divided in half and one half is communicated to this machine upon infection
  - This guarantees very fast spread – under one minute!
Hitlist Scanning (figure)
Scanning Strategies
- A worm can prevent die-out at the end with permutation scanning
- All machines share a common pseudorandom permutation of the IP address space
- Machines that are infected continue scanning just after their point in the permutation
  - If they encounter an already infected machine they continue from a random point
- Partitioned permutation is the combination of permutation and hitlist scanning
  - In the beginning the permutation space is halved at each infection; later scanning is a simple permutation scan
Permutation Scanning (figure)
Scanning Strategies
- A worm can get behind the firewall, or notice the die-out, and then switch to subnet scanning
- Goes sequentially through the subnet address space, trying every address
Infection Strategies
- Several ways to download the malicious code
  - From a central server
  - From the machine that performed the infection
  - Send it along with the exploit in a single packet
Worm Defense
- Three factors define worm spread:
  - Size of the vulnerable population
    - Prevention – patch vulnerabilities, increase heterogeneity
  - Rate of infection (scanning and propagation strategy)
    - Deploy firewalls
    - Distribute worm signatures
  - Length of the infectious period
    - Patch vulnerabilities after the outbreak
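The simulation the title slide sets up and the three factors on the Worm Defense slide, as an added Python example that is not part of the original deck: a mean-field model of random scanning with the slide's parameters (N = 100,000, 4000 scans/s, I0 = 10, a 2^20 monitored block, 1 s intervals), the estimator a network telescope would use to infer the infected population from the probes it receives, and a comparison of the three defense levers. The SIR-style removal term and the normal approximation of Poisson telescope counts are my modeling assumptions, not something the slides state.

```python
import random

ADDRESS_SPACE = 2 ** 32   # IPv4 space that random scanning draws from
MONITORED = 2 ** 20       # monitored (network telescope) block from the slide
N, I0, SCAN_RATE, DT = 100_000, 10, 4000, 1.0   # slide parameters: population, I0, scans/s, interval (s)

def simulate(n=N, i0=I0, scan_rate=SCAN_RATE, dt=DT, steps=600, infectious_period=None):
    """Mean-field random-scanning epidemic, one step per monitoring interval: every infected
    host sends scan_rate*dt probes at uniform random addresses, each hitting a susceptible host
    with probability susceptible/2^32. infectious_period (s) removes infected hosts SIR-style."""
    susceptible, infected = float(n - i0), float(i0)
    history = [(0.0, infected)]
    for step in range(1, steps + 1):
        new = min(infected * scan_rate * dt * susceptible / ADDRESS_SPACE, susceptible)
        susceptible -= new
        infected += new
        if infectious_period:            # assumption: cleanup/patching of infected hosts
            infected -= infected * dt / infectious_period
        history.append((step * dt, infected))
    return history

def expected_hits(infected, scan_rate=SCAN_RATE, dt=DT, monitored=MONITORED):
    """Probes a telescope of `monitored` addresses expects per interval from `infected` hosts."""
    return infected * scan_rate * dt * monitored / ADDRESS_SPACE

def estimate_infected(hits, scan_rate=SCAN_RATE, dt=DT, monitored=MONITORED):
    """Invert expected_hits(): infected population implied by the probes the telescope saw."""
    return hits * ADDRESS_SPACE / (scan_rate * dt * monitored)

def time_to_fraction(history, fraction, n=N):
    """First time at which at least `fraction` of the population is infected, else None."""
    return next((t for t, i in history if i >= fraction * n), None)

def telescope_estimates(history, seed=1):
    """Noisy telescope counts (constructed with a seeded RNG) and the estimate each yields."""
    rng = random.Random(seed)
    hits = [max(0, round(rng.gauss(expected_hits(i), expected_hits(i) ** 0.5))) for _, i in history]  # Poisson ~ normal
    return [(t, i, h, estimate_infected(h)) for (t, i), h in zip(history, hits)]

if __name__ == "__main__":
    base = simulate()
    print("baseline: 90% infected after", time_to_fraction(base, 0.9), "s")
    for t, real, hits, est in telescope_estimates(base)[::30]:
        print(f"t={t:4.0f}s infected={real:9.0f} telescope_hits={hits:7d} estimate={est:9.0f}")
    # the three levers from the Worm Defense slide: fewer vulnerable hosts, slower scanning, shorter infectious period
    for label, kw in [("half patched", dict(n=N // 2)), ("scan rate halved", dict(scan_rate=2000)),
                      ("cleaned after 60 s", dict(infectious_period=60))]:
        h = simulate(**kw)
        print(f"{label:18s}: 90% at {time_to_fraction(h, 0.9, kw.get('n', N))} s, peak {max(i for _, i in h):.0f}")
```

With the slide's numbers the telescope sees one probe per roughly 2^12/4000 infected hosts per second, so the estimate tracks the true count closely once a few hundred hosts are infected; the cleanup run never reaches 90% and shows why shortening the infectious period caps the peak rather than merely delaying it.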