
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.


1 How to Own the Internet in your spare time Ashish Gupta Network Security April 2004

2 Overview
What is the paper about?
Code Red analysis
Three new techniques for fast spreading
Surreptitious worms
Summary

3 The threat
Millions of hosts → enormous damage
– Distributed DoS
– Access to sensitive information
– Sowing confusion and disruption
This paper is about
– Fast spreading of worms

4 Analysis of Code Red I
Compromises MS IIS web servers
Spreads by random IP generation – 99 threads
Earlier bug → Code Red I
– DDoS attack on whitehouse.gov
Modeling → Random Constant Spread (RCS)
Gives an exponential equation: depends only on K, not N
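A worked illustration of the RCS model this slide summarizes, added here and not part of the original presentation or paper: it integrates the logistic spread equation numerically for two population sizes and checks that the time for the infected fraction to grow from 10% to 90% depends only on K (the per-host compromise rate), not on N. K = 1.8 per hour is an assumed illustrative value, and the function names are this example's own.

```python
import math

def rcs_fraction(t, K, T):
    """Closed-form Random Constant Spread (RCS) solution: fraction a(t) of the
    vulnerable population infected at time t (hours), with K the initial
    compromise rate per infected host and T the time of 50% infection."""
    x = K * (t - T)
    return math.exp(x) / (1.0 + math.exp(x))

def simulate_rcs(N, K, dt=0.01, hours=40.0):
    """Forward-Euler integration of da/dt = K*a*(1-a), kept in absolute host
    counts (N hosts total) and seeded with a single infected host.
    Returns a list of (t, infected_hosts)."""
    infected, t, trace = 1.0, 0.0, []
    while t <= hours:
        trace.append((t, infected))
        a = infected / N                        # fraction infected so far
        infected += K * a * (1.0 - a) * N * dt  # new infections in this step
        t += dt
    return trace

def time_to_fraction(trace, N, frac):
    """First simulated time at which infected/N reaches frac (None if never)."""
    for t, infected in trace:
        if infected / N >= frac:
            return t
    return None

def rcs_time_between(K, a1, a2):
    """Closed-form time for the infected fraction to grow from a1 to a2.
    The expression contains K but not N: this is the slide's 'depends only on K'."""
    return math.log(a2 * (1.0 - a1) / (a1 * (1.0 - a2))) / K

def spread_duration(N, K, a1=0.1, a2=0.9):
    """Simulated time (hours) for the infected fraction to grow from a1 to a2."""
    trace = simulate_rcs(N, K)
    return time_to_fraction(trace, N, a2) - time_to_fraction(trace, N, a1)

if __name__ == "__main__":
    K = 1.8  # assumed per-hour compromise rate, chosen for illustration
    for N in (360_000, 3_600_000):
        print(f"N={N:>9}: 10%->90% takes {spread_duration(N, K):.2f} h (simulated)")
    print(f"closed form: {rcs_time_between(K, 0.1, 0.9):.2f} h, independent of N")
```

Only the onset time from the single seed host shifts with N (logarithmically); the steep part of the curve, which is what a responder has to react to, is set by K alone.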

5

6 Better Worms
Code Red II
– Used a localized scanning technique
– 3/8 of scans → own class B, 1/2 → own class A, 1/8 → rest
– Very successful strategy
– Affects many vulnerable hosts
– Proceeds quicker

7 Nimda Worm
Nimda worm → August 2001
– Maintained itself for months, multi-mode worm
– Infected web servers
– Bulk emailing
– Infecting web clients
– Using Code Red II backdoors

8 Onset
Very rapid onset
Mail-based spread → very effective
Full functionality → ?

9 Faster Worms

10 Creating Better Worms
Hit-list scanning
– "Getting off the ground" very fast
– Say the first 10,000 hosts
– Pre-select 10,000–50,000 vulnerable machines
– First worm carries the entire hit list
– Hit list split in half on each infection
– Can establish itself in a few seconds

11 Permutation Scanning
Random scanning is inefficient → a lot of overlap
All worms share a common pseudo-random permutation
– 32-bit block cipher + key
Permutation scanning maps index → IP address

12 How it works
– After the first infection, start scanning after their point in the permutation
– If a machine is already infected, pick a random starting index
Minimizes duplication of effort
– W sees W' → W' is already working on the permutation list of W → W restarts at a random point
Keeps the infection rate very high; comprehensive scan
The permutation key can be changed periodically for an effective rescan

13 A Warhol Worm
Combination of hit-list and permutation scanning
– Can spread widely in less than 15 minutes
Simulation results

14

15 Topological scanning
Use information on the victim to identify new targets
– Email lists
– P2P applications
– List of web servers from IE favorites, etc.

16 Faster Worms: Recap
Fast startup → hit-list scanning
Extremely efficient → permutation scanning
Combine the above → Warhol worms
Exploit local information → topological scanning

17 Flash Worms
Fastest method → entire Internet in tens of seconds
Obtain hit list of vulnerable servers in advance
– 2 hours for the entire IP space on an OC-12 link (622 Mbps)
– List would be big (~48 MB)
Divide into n blocks
– Infect the first host of each block and hand over the block to the new worm
– Repeat for each block
Alternative: store pre-assigned chunks on a high-bandwidth server
Two limitations
– Large list size
– Latency
Analysis: sub-thirty-second limit on total infection time on a 256 kbps DSL link

18 For 3 million hosts, just 7 layers deep (n = 10)

19 Stealth Worms
No peculiar communication patterns
Very difficult to detect
Working:
– Pair of exploits: Es for the server, Ec for the client ???
– Server → client → server, ...
Limitations
– Pair of threats required
– Depends on web surfing

20

21 Exploiting P2P systems
Large set, all running the same software
Only a single exploit is now needed
More favorable for infection:
– Interconnect with a large number of peers
– Transfer large files
– Not mainstream protocols
– Execute on desktops, not servers
Potentially immense size

22 Analysis of KaZaA traffic
Immense traffic: 5–10 million connections per day
Huge diversity! → 9 million distinct hosts contacted in November (from 5,800 university hosts)
If KaZaA were exploited (variable-size headers?), then a large number could be infected stealthily in a month
Starting point: brute-force infect all university hosts ???
Actual spread much faster?
Much work remaining → total KaZaA size?

23 Remote Control
Distributed control
– Each worm knows about the other worms *it* has infected
– Analysis: high connectivity, average degree = 4
– Without a single point of communication, updates can be passed
Programmatic updates
– Worms as "computing capsules"
– Can send arbitrary code!

24 Conclusion
Worms present an extremely serious threat to the safety of the Internet

