ETRI meeting (Feb 16, 2005) -- Dongkee LEE 1 Sapphire/Slammer worm impact on Internet routing Dongkee LEE.

Presentation transcript:

Sapphire/Slammer worm impact on Internet routing -- Dongkee LEE

ETRI meeting (Feb 16, 2005) -- Dongkee LEE  Introduction to Sapphire/Slammer worm.  Analysis methods  Results  Discussion

Sapphire worm. Also called Slammer, SQLSlammer, W32.Slammer.
- Began at 5:30 AM (UTC) on Saturday, Jan 25th.
- Systems affected: Microsoft SQL Server 2000, Microsoft Desktop Engine (MSDE) 2000.
"Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp." - CERT Advisory CA (reference [1], [2])

Sapphire worm. Figure: infected hosts over time. Sat Jan 25, 05:29 (UTC): infected with Sapphire: 0. Sat Jan 25, 06:30 (UTC): infected with Sapphire: (count not preserved in the transcript). Most vulnerable machines were infected within 10 minutes of the worm's release. Reference [1], [2].

Sapphire worm. It caused considerable harm simply by overloading networks and taking database servers out of operation. Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm. Observed symptoms:
- Outbound traffic to external addresses on UDP port 1434
- Large amounts of ICMP Unreachable messages aimed at server systems
- SQL resolution service failure
- Performance degradation
- Scanning

Previous works: 정보통신망 침해사고 합동조사단 (Joint Investigation Team on Information and Communication Network Incidents) – 'Investigation results of the information and communication network incident'. But what about the Sapphire impact on 'Internet routing'?

Routeviews - 1
- University of Oregon – Route Views project. A routing information repository used for analysis of BGP routing table dynamics, work on routing table growth, and analysis of the geographic scope of routing announcements.
- Routeviews routers: route-views.eqix.routeviews.org, route-views.isc.routeviews.org, route-views.linx.routeviews.org, route-views.oregon-ix.net, route-views.wide.routeviews.org, route-views2.oregon-ix.net, route-views3.routeviews.org. reference

Routeviews - 2. Peer list – route-views2.oregon-ix has no Korean peers. reference

Korean ASes
- 8 major Korean ASes: AS4766 KORNET; AS3786 DACOM; AS9457 DREAMX; AS9277 THRUNET; AS9318 HANANET; AS7563, AS9768 PUBNET; AS4670, AS4664 SHINBIRO; AS9848 ENTERPRISENET.
- 16 other Korean ASes: AS KANET (number not preserved in the transcript); AS4663 ELIMNET; AS10038 FWINet; AS17864 HANVITINB; AS9695 KITINET; AS5051 KOLNET; AS9488 KREN; AS1237, AS7623 KREONET; AS9701 KRLINE; AS7557 KTNET; AS9316 PUBNETPLUS; AS9689 QRIXNET; AS10171 SKTelink; AS10049 SKNETWORKS; AS9644 SKSpeedNet; AS6619 SAMSUNGNETWORKS.
Reference: NIDA and ISIS.

Sample BGP update records from a Route Views dump (timestamps, peer addresses and prefixes were lost in the transcript; each record is one line):
    BGP4MP| |A| |16150 | /22| |IGP| |0|0|3549: : : : : :65321|NAG||
    BGP4MP| |A| |16150 | /24| |IGP| |0|0|3549: : : : : :65321|AG| |
    BGP4MP| |A| |1668 | /24| |IGP| |0|25||NAG||
    BGP4MP| |W| |2914| /24
    BGP4MP| |W| |2914| /24
    BGP4MP| |W| |2914| /23
The slide annotates three fields: the announced prefix, the AS-PATH, and the origin AS (the last AS in the path).

BGP Updates (Announcements and Withdrawals). Figure: update counts over time. reference [6]

BGP (origin-matched) announcements. Both BGP announcements and withdrawals increased during the Sapphire impact. reference [6]

BGP RIB Entries. About (number not preserved in the transcript) prefixes are transited by Korean ASes; this is the number of prefixes that can be reached through Korea from abroad.

BGP RIB Origin matched entries - 1. Figure: timeline of the three dips (D1, D2, D3) in origin-matched RIB entries. S → E: 50 hours; S → D1: 04 hours; D1 → R1: 12 hours; R1 → D2: 04 hours; D2 → R2: 02 hours; R2 → D3: 12 hours; R1, R2: 16 hours, 14 hours.

BGP RIB Origin matched entries - 2

BGP RIB Origin matched entries - 3

Korean Top 8 ASes

Other Korean ASes

Totally blacked-out Korean ASes. About 15 of 213 ASes were totally blacked out during the Sapphire/Slammer impact. Figure: a stub AS attached to its provider AS P1 through a single peering session, which is marked as broken (X).

Other non-Korean ASes. A similar phenomenon is also observed for other, non-Korean ASes. Figure: the same dips D1, D2, D3.

During the Sapphire/Slammer worm impact, a massive increase in the number of BGP updates and a decrease in BGP RIB entries are observed. There are 3 unexplained dipping points in the RIB snapshots. 'D1' isn't surprising. But why 'D2' and 'D3'?

BGP doesn't provide sufficient statistics: BGP withdrawals do not contain an 'AS-PATH', so the mapping between BGP withdrawals and RIB counts is ambiguous. Routing data from inside Korea isn't accessible. A well-organized monitoring infrastructure is needed.
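The counting done for the update and origin-matched slides, and the withdrawal ambiguity raised here, as an added example (not the presenter's own code): it parses the one-line Route Views dump layout shown earlier (assumed to be the libbgpdump "-m" layout, `BGP4MP|time|A|peer_ip|peer_as|prefix|as_path|...` and `BGP4MP|time|W|peer_ip|peer_as|prefix`), counts announcements and withdrawals, and attributes each withdrawal to an origin AS only through the last announcement seen for the same (peer, prefix), since the withdrawal itself carries no AS-PATH. The sample records, timestamps and prefixes are constructed; the Korean ASN set is the slide's top-8 list.

```python
from collections import Counter

# Constructed sample in the assumed libbgpdump "-m" layout. Timestamps,
# peer addresses and prefixes are made up; AS numbers reuse the slide's
# examples (3549, 2914, 16150, 1668) plus AS4766 KORNET as a Korean origin.
SAMPLE = """\
BGP4MP|1043472600|A|192.0.2.1|16150|198.51.100.0/22|16150 3549 4766|IGP|192.0.2.1|0|0|3549:65321|NAG||
BGP4MP|1043472610|A|192.0.2.1|16150|198.51.100.0/24|16150 3549 4766|IGP|192.0.2.1|0|0|3549:65321|AG|4766 198.51.100.1|
BGP4MP|1043472620|A|192.0.2.2|1668|203.0.113.0/24|1668 2914|IGP|192.0.2.2|0|25||NAG||
BGP4MP|1043472630|W|192.0.2.1|16150|198.51.100.0/24
BGP4MP|1043472640|W|192.0.2.2|1668|203.0.113.0/24
BGP4MP|1043472650|W|192.0.2.2|1668|203.0.113.0/23
"""

# The slide's 8 major Korean ASes.
KOREAN_ASNS = {4766, 3786, 9457, 9277, 9318, 7563, 9768, 4670, 4664, 9848}

def origin_as(as_path):
    """Origin AS is the last AS-PATH element; an AS-SET like {1,2} is reduced
    to its first member (a simplification, labelled as such)."""
    last = as_path.split()[-1].strip("{}")
    return int(last.split(",")[0])

def parse(line):
    """Split one dump record into the fields this analysis needs."""
    f = line.rstrip("\n").split("|")
    rec = {"time": int(f[1]), "type": f[2], "peer_ip": f[3],
           "peer_as": int(f[4]), "prefix": f[5]}
    if f[2] == "A":
        rec["as_path"] = f[6]
        rec["origin_as"] = origin_as(f[6])
    return rec

def summarize(dump_text, watched_asns):
    """Count A/W updates and attribute withdrawals to an origin AS by
    remembering the last origin announced per (peer, prefix)."""
    counts = Counter()
    last_origin = {}          # (peer_ip, prefix) -> origin AS of last A
    for line in dump_text.splitlines():
        if not line.startswith("BGP4MP|"):
            continue
        r = parse(line)
        key = (r["peer_ip"], r["prefix"])
        counts[r["type"]] += 1
        if r["type"] == "A":
            last_origin[key] = r["origin_as"]
            if r["origin_as"] in watched_asns:
                counts["A_watched"] += 1
        elif key in last_origin:          # W has no AS-PATH: use history
            if last_origin.pop(key) in watched_asns:
                counts["W_watched"] += 1
        else:                             # W for a route never seen announced
            counts["W_unattributed"] += 1
    return dict(counts)
```

The `W_unattributed` bucket is exactly the ambiguity the slide points out: a withdrawal that arrives before any announcement in the monitored window cannot be tied to an origin AS at all.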

References
[1] Analysis of the Sapphire Worm – a joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UCSD CSE.
[2] CERT Advisory CA, MS-SQL Server Worm.
[3] Sapphire worm code disassembled.
[4] University of Oregon – Route Views Project page.
[5] 정보통신망 침해사고 합동조사단 (Joint Investigation Team on Information and Communication Network Incidents), Investigation results of the information and communication network incident.
[6] RIPE NCC RIS, Sapphire/Slammer Worm Impact on Internet Performance.

ETRI meeting (Feb 16, 2005) -- Dongkee LEE  The END