Internet Quarantine: Requirements for Containing Self-Propagating Code
David Moore et. al.University of California, San Diego
Internet Quarantine: Requirements for Containing Self-Propagating Code
Aleksandar KuzmanovicRice University, COMP 629
Outline
Background about worms, esp. Code-Red
– What is a worm, esp. Code-Red
– Prevention, treatment and containment of the worm.
SI epidemic model and the Code Red propagation model.
Simulations of Code Red propagation and containment system deployment.
Conclusion.
Background: what is a worm?
A worm is self-replicating software designed to spread through the network.
Worm vs. virus and Trojan horse
– A virus or Trojan horse relies on human intervention to spread.
– A worm is autonomous.
Background: Code-Red v1
Outbreak: June 18, 2001
How it works:
– Buffer overflow exploit on the Microsoft IIS web server.
– Upon infecting a machine, randomly generates a list of IP addresses.
– Probes each address in the list.
Payload: DDoS attack against www1.whitehouse.gov.
Damage: little
– Fixed random seed, so every infected host probed the same list of addresses.
Background: Code-Red v2
Outbreak: July 19, 2001
How it works:
– Similar to Code-Red v1, but with a random seed.
– Generates 11 probes per second.
Damage: severe
– 359,000 machines were infected within 14 hours.
How to mitigate the threat of worms (1)
Three approaches
– Prevention: reduce the size of the vulnerable population. A single vulnerability in a popular software system can result in millions of vulnerable hosts; e.g. Code Red attacked millions of MS IIS web servers.
How to mitigate the threat of worms (2)
– Treatment: e.g. a virus scanner.
The time required to design, develop and test a fix for a security flaw is usually far too slow compared with the spread of the worm.
– Containment: e.g. firewalls, filters.
Containment is used to protect individual networks and to isolate infected hosts.
SI Model (1)
In this work, a vulnerable machine is described as a susceptible (S) machine, and an infected machine is described as infected (I). Let N be the number of vulnerable machines. Let S(t) be the number of susceptible hosts at time t, and s(t) = S(t)/N, where N = S(t) + I(t). Let I(t) be the number of infected hosts at time t, and i(t) = I(t)/N. Let β be the contact rate of the worm. Define:

$$\frac{dI}{dt} = \beta \frac{S I}{N}, \qquad \frac{dS}{dt} = -\beta \frac{S I}{N}$$
SI Model (2)
In terms of the fractions s(t) and i(t), and using S(t) = N - I(t), i.e. s = 1 - i:

$$\frac{di}{dt} = \frac{1}{N}\frac{dI}{dt} = \frac{\beta\, S(t)\, I(t)}{N^2} = \beta\, s(t)\, i(t) = \beta\, i\,(1 - i)$$

Solving the differential equation:

$$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$$

where T is a constant (the time at which i(T) = 1/2).
Code Red Propagation Model (1)
Code Red generates IPv4 addresses at random, so there are 2^32 possible addresses in total.
Let r be the probe rate of a Code Red worm (probes per unit time from one infected host). Each probe hits a vulnerable host with probability N/2^32, thus:

$$\beta = \frac{r N}{2^{32}}$$
Code Red Propagation Model (2)
Two problems
– Cannot model preferential targeting algorithms, e.g. selecting targets from address ranges closer to the infected host.
– The rate only represents the average contact rate. E.g. a particular epidemic may grow significantly more quickly by making a few lucky targeting decisions in the early phase.
Code Red Propagation Model (3)
Example of 100 simulations of the Code Red propagation model:
After 4 hours: 55% infected on average, 80% at the 95th percentile, 25% at the 5th percentile.
Modeling Containment Systems (1)
A containment system has three important properties:
– Reaction time – the time necessary for detection of malicious activity, propagation of the containment information to all hosts participating in the system, and activation of the containment strategy.
Modeling Containment Systems (2)
– Containment strategy
Address blacklisting
– Maintain a list of IP addresses that have been identified as infected.
– Drop all packets from any address in the list.
– E.g. a mail filter.
– Advantage: can be implemented easily with existing firewall technology.
Modeling Containment Systems (3)
Content filtering
– Requires a database of content signatures known to represent particular worms.
– Requires additional technology to automatically create appropriate content signatures.
– Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation.
Deployment scenarios
– Ideally, a global deployment is preferable.
– Practically, a global deployment is impossible.
– May deploy at the borders of ISP networks.
Idealized Deployment (1)
Simulation goal
– To find how short the reaction time must be to effectively contain a Code-Red style worm.
Simulation parameters:
– 360,000 vulnerable hosts out of 2^32 addresses.
– Probe rate of a worm: 10 per sec.
Containment strategy implementation
– Address blacklisting: send the IP addresses to all participating hosts.
– Content filtering: send the signature of the worm to all participating hosts.
Idealized Deployment (2)
Result: content filtering is more effective.
[Figure: infected fraction over time for reaction times of 20 min and 2 hr; annotations: "number of susceptible hosts decreases" (contained) and "worms unchecked".]
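The following is an added worked example, not code from the paper or the slides: it puts the SI model and the Code Red contact rate β = rN/2^32 together with the two idealized containment strategies from the slides, using the slide-17 parameters (360,000 vulnerable hosts, 10 probes/s). The Euler time step, the single initially infected host, and the delay formulation of address blacklisting (a host is blocked one reaction time after it was infected) are my modelling assumptions.

```python
import math

ADDRESS_SPACE = 2 ** 32  # Code Red picks IPv4 targets uniformly at random

def contact_rate(probe_rate, n_vulnerable):
    """beta = r * N / 2^32: rate at which one infected host's probes hit vulnerable hosts."""
    return probe_rate * n_vulnerable / ADDRESS_SPACE

def infected_fraction(t, beta, t_half):
    """Closed-form SI solution i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}); T is when i = 1/2."""
    return 1.0 / (1.0 + math.exp(-beta * (t - t_half)))

def simulate(beta, strategy, reaction_time, n_vulnerable, horizon, dt=1.0):
    """Euler-integrate di/dt = beta * active * (1 - i) for an idealized global deployment.
    active = fraction of infected hosts whose probes still get through (assumption):
      'none'      - no containment, plain SI model
      'filter'    - content filtering: once the signature is out (t >= reaction_time)
                    every worm probe is dropped, so nothing new is infected
      'blacklist' - address blacklisting: a host is blocked reaction_time seconds after
                    it was infected, so only hosts infected in (t - R, t] still probe
    Returns the trajectory i(0), i(dt), ..., i(horizon) as fractions of N."""
    lag = int(round(reaction_time / dt))
    traj = [1.0 / n_vulnerable]  # one initially infected host (assumption)
    for k in range(int(horizon / dt)):
        i, t = traj[-1], k * dt
        if strategy == "filter":
            active = i if t < reaction_time else 0.0
        elif strategy == "blacklist":
            active = i - (traj[k - lag] if k >= lag else 0.0)
        else:
            active = i
        traj.append(min(1.0, i + dt * beta * active * (1.0 - i)))
    return traj

if __name__ == "__main__":
    N, R = 360_000, 10               # vulnerable hosts and probes/sec from slide 17
    beta = contact_rate(R, N)        # about 8.4e-4 contacts per second
    day = 24 * 3600
    for strategy in ("none", "filter", "blacklist"):
        for react in (20 * 60, 2 * 3600):
            final = simulate(beta, strategy, react, N, day)[-1]
            print(f"{strategy:9s} reaction {react / 60:5.0f} min -> {final:7.2%} infected after 24 h")
```

With these parameters β·R exceeds 1 for a 2 hr reaction time, so blacklisting lets each host infect others before it is blocked and the epidemic still runs to near-saturation, while content filtering freezes it at well under 1% of hosts.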
Idealized Deployment (3)
Next goal:
– To find the relationship between containment effectiveness and worm aggressiveness.
– Figures are in log-log scale.
Idealized Deployment (4)
[Figure: percentage of infected hosts vs. worm aggressiveness, log-log scale.]
Address blacklisting is hopeless when encountering aggressive worms.
Practical Deployment (1)
Network model
– AS sets in the Internet: taken from a routing table on July 19, 2001, the 1st day of the Code Red v2 outbreak.
– A set of vulnerable hosts and ASes: use the hosts infected by Code Red v2 during the initial 24 hours of propagation, a large and well-distributed set of vulnerable hosts.
– 338,652 hosts distributed in 6,378 ASes.
Practical Deployment (2)
Deployment scenarios
– Use content filtering only.
– Filtering firewalls are deployed on the borders of both the customer networks and the ISPs' networks.
[Figure: deployment of the containment strategy.]
Practical Deployment (3)
Reaction time: 2 hrs
[Figure: difference in performance because of the difference in path coverage.]
Practical Deployment (4)
[Figure: the system fails to contain the worm.]
Conclusion
Explored the properties of the containment system:
– Reaction time
– Containment strategy
– Deployment scenario
In order to contain the worm effectively:
– Automated and fast methods to detect and react to worm epidemics are required.
– Content filtering is the most preferable strategy.
– All Internet paths have to be covered when deploying the containment systems.