1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation, 63(7), , July 2006 Presenter: Cliff Zou for CDA6133, Spring’08
2 Motivation Hackers have tried various scanning strategies in their scan-based worms Uniform scan Code Red, Slammer Local preference scan Code Red II Sequential scan Blaster Possible scanning strategies: Target preference scan (selective attack from a routing worm) Divide-and-conquer scan How do they affect a worm’s propagation? Mean value analysis ( based on law of large number ) Numerical solutions; Simulation studies.
3 Epidemic Model Introduction Model for homogeneous system Model for interacting groups : # of infectious : infection ability : # of hosts : scan rate For worm modeling: : scanning space
4 Infinitesimal Analysis of Epidemic Model From time t to t+ : Vulnerable hosts [N-I(t)]; infected hosts I(t). An infected host infects vulnerable hosts. Negligible of Prob. “two scans hitting the same vulnerable host”. Newly infected hosts: Negligible of Prob. “two infected hosts infect the same vulnerable host”. Thus I(t+ ) is : # of hosts : scan rate : scanning space : # of infectious : small time interval Prob. p of a worm copy hitting a specific IP address during :
5 Uniform Scan Worm Traditional worm: Code Red, Slammer Uniformly scans the entire IPv4 space ( = 2 32 ) Hit-list worm – increase I(0): [Staniford et al. 2002] Knowing IP addresses of a fraction of vulnerable hosts. Has a large number of initially infected hosts I(0). Routing worm – decrease : [Zou et al. 2003] Using BGP routing table to only scan BGP routable space. Currently, only 32% of IPv4 space is routable. Has a bigger infection ability
6 Hitlist, routing worm Code Red style worm = 358/min N = 360,000 hitlist, I(0) = 10,000 routing, =.29 £ 2 32 Defense: Crucial to prevent attackers from Identifying IP addresses of a large number of vulnerable hosts Flash worm, Hit-list worm Obtaining address information to reduce a worm’s scanning space Routing worm
7 Local Preference Scan Worm Model: epidemic in interacting groups Analysis: assume K “/n” networks Prob. p : uniformly scan local “/n” network Prob. ( 1-p ): uniformly scan others Conclusions: Vulnerable hosts uniformly distributed: No difference as long as the worm spreads out to every network. Vulnerable hosts not uniformly distributed: Analysis: hosts uniformly distributed in m out of K networks Local preference scan increases a worm’s speed.
8 Local preference scan increases speed (when vulnerable hosts are not uniformly distributed) Local scan on Class A ( “/8”) networks: p* 1 Local scan on Class B ( “/16” ) networks: p* 0.85 Code Red II: p =0.5 (Class A), p =0.375 (Class B) Smaller than p* Local Preference Scan Worm Class A local scan (K=256, m=116) Class B local scan (K=2 16, m=116 £ 2 8 )
9 Sequential Scan Worm Sequential scan: Sequentially scans IP addresses from a starting point. Blaster worm selects its starting point locally with p =0.4 Such local preference slows down worm propagation. Reason: child worm copies are more likely to be wasted on repeating their parents’ scanning trails. Sequential scan is equivalent to uniform scan when Vulnerable hosts uniformly distributed in IPv4 space. The worm selects starting point uniformly.
10 Simulations agree with our analyses. Analysis limitation (mean value analysis): No consideration of variability. Sequential Scan Worm Simulation Study Comparison of uniform scan, sequential scan with/without local preference (100 simulation runs; vulnerable hosts uniformly distributed in entire IPv4 space)
11 Sequential Scan Worm Simulation Study Observations: Local preference in selecting starting point is a bad idea. Mean value analysis cannot analyze variability. Uniform scan, sequential scan with/without local preference (100 simulation runs) Vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)
12 Witty worm modeling Witty’s destructive behavior: 1). Send 20,000 UDP scans to 20,000 IP addresses 2). Write 65KB in a random point in hard disk Consider an infected computer: Constant bandwidth constant time to send 20,000 scans Random point writing infected host crashes with prob. Crashing time approximate by Exponential distribution ( )
13 Witty worm modeling hours Memoryless property : # of crashed infected computers at time t # of vulnerable at t *Witty trace provided by U. Michigan “Internet Motion Sensor”
14 Two Guidelines in Defense Prevent attackers from Identifying IP addresses of a large number of vulnerable hosts Flash worm, Hit-list worm Obtaining address information to reduce a worm’s scanning space Routing worm Worm monitoring system IP space coverage is not the only issue Should monitor as many as possible well distributed IP blocks non-uniform scan worm
15 Summary Modeling basis: Law of large number; mean value analysis; infinitesimal analysis. Epidemic model: Conclusions: All about worm scanning space or density of vulnerable population) Flash worm, Hit-list worm, Routing worm Local preference, divide-and-conquer, selective attack Monitoring challenge: sequential scan worm
16 Contributions Provided comprehensive analysis of worm propagation with different scanning strategies Uniform scan, local preference scan, sequential scan, BGP routing scan, hit-list.. Revealed the underlying connections between different worm scanning strategies Host distribution, scanning space Provided several defense guidelines
17 Weaknesses Mean-value analysis, not suitable for small-scale worm propagation Mathematical analysis makes some assumptions Host uniform distribution, equal scan rate No consideration of topology Not suitable for virus, P2P worm, etc. No model on defense systems Didn’t provide practical defense systems Only basic guidelines, intuitive clear
18 How to improve Stochastic modeling for small-scale propagation Topological modeling Present detailed defense methods