Defending against Hitlist Worms using NASR Khanh Nguyen.

Presentation transcript:

1 Defending against Hitlist Worms using NASR (Khanh Nguyen)

2 Introduction
- Worms spread fast.
- Code Red and Slammer: thousands of computers in less than half an hour.
- Sapphire: 70,000 computers/15 min.
- Research studies estimated: 1 million hosts in <2 sec (hitlist worm).

3 Hitlist Worm Characteristics
- Determines a large vulnerable population before it starts spreading.
- How does determining the vulnerable machines before the attack make a difference?

4 Defend against Worms
- Monitor the “dark space” or inactive ports.
- Does not work against hitlist worms.
- Network Address Space Randomization: causes some addresses to be stale at the time of attack.

5 NASR Issues
- Size of the routing table, number of routing updates, and the frequency of recomputing routes.
- Requires global coordination.
- Easier to implement in local regions.

6 Implementation
- Modification to a DHCP server (iprand-interval).
- Implemented an advanced randomization-enabled DHCP server based on the standard open-source one.
- Provides: activity monitoring and service fingerprinting.

7 Activity Monitoring & Service Fingerprinting
- Activity Monitoring:
  - Keeps track of open connections and tries to avoid forcing an address change.
  - Only considers long-lived TCP connections (e.g. FTP).
- Service Fingerprinting:
  - Attempts to identify what services are running on each host (e.g. a TCP connection at port 80 suggests a Web server).

8 Measurements
- Hitlist construction.
- Speed at which addresses change (without any form of randomization).
- How address space is allocated and utilized.

9 Hitlist Construction
- Random scanning:
  - Using ICMP ECHO messages.
  - Generated 20,000 addresses.
  - Probe the hitlist once every hour.

10 Hitlist Construction cont.
- Passive P2P snooping:
  - Gathered 200K IPs.
  - Do an ICMP ECHO probe.

11 Hitlist Construction cont.
- Search-engine harvesting:
  - Search for “the”, returned millions of results.
  - Only 612 unique live hosts.
  - Attacker can use a random keyword generator.

12 Subnet Address Space Utilization
- The feasibility and effectiveness of network address space randomization depend on how many unused addresses there are in the NASR-enabled subnet.
- Subnet utilization level.
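As an added illustration of slides 6, 7 and 12 (not code from the presentation or from the NASR paper), the toy simulation below models a DHCP subnet whose idle hosts move to a random free address at each iprand-interval expiry, keeps hosts flagged by activity monitoring on their current lease, and measures what fraction of an attacker's earlier address snapshot has gone stale. The class and function names, the subnet size and the host names are all assumptions.

```python
import random

# Added example, not the presentation's or the NASR paper's code: a toy model of
# a NASR-enabled DHCP subnet. Names, sizes and hosts are assumptions.
class NasrSubnet:
    def __init__(self, size, hosts, seed=0):
        self.rng = random.Random(seed)
        self.size = size            # number of addresses in the subnet
        self.busy = set()           # hosts with long-lived TCP connections
        addrs = list(range(size))
        self.rng.shuffle(addrs)
        self.addr_of = {h: addrs.pop() for h in hosts}   # host -> address

    def host_at(self, addr):
        """Host currently bound to addr, or None if the address is unused."""
        return next((h for h, a in self.addr_of.items() if a == addr), None)

    def randomize(self):
        """One iprand-interval expiry: every idle host moves to a random free
        address. Hosts flagged by activity monitoring keep their lease, and a
        fully utilized subnet has no free address to move anyone to."""
        used = set(self.addr_of.values())
        free = [a for a in range(self.size) if a not in used]
        for host, old in list(self.addr_of.items()):
            if host in self.busy or not free:
                continue
            new = free.pop(self.rng.randrange(len(free)))
            free.append(old)        # the released address returns to the pool
            self.addr_of[host] = new

def hitlist_staleness(subnet, hitlist, vulnerable, intervals):
    """Fraction of hitlist addresses that no longer reach a vulnerable host
    after `intervals` randomization rounds (1.0 means fully stale)."""
    for _ in range(intervals):
        subnet.randomize()
    live = sum(1 for a in hitlist if subnet.host_at(a) in vulnerable)
    return 1 - live / len(hitlist)

if __name__ == "__main__":
    hosts = [f"h{i}" for i in range(10)]           # constructed sample hosts
    net = NasrSubnet(256, hosts)
    snapshot = [net.addr_of[h] for h in hosts]      # hitlist taken at t=0
    print("stale fraction after one round:",
          hitlist_staleness(net, snapshot, set(hosts), 1))
```

Raising the subnet size relative to the host count raises the staleness per round, while a subnet with no free addresses (or with every host pinned by activity monitoring) leaves the snapshot fully usable, which is the utilization trade-off the slide describes.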

13 Result

14 Conclusion
- Limitations on a global scale.
- Effective at the subnet level.
- Slows down hitlist worms and forces them to exhibit scan-like behavior.
- It’s neither a detection mechanism nor an end-system enhancement, which makes it easy to implement.

