Very Fast Containment of Scanning Worms

Presentation transcript:

1 Very Fast Containment of Scanning Worms
Artur Zak
Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI)

2 Abstract
Worms – malicious, self-propagating programs. They represent a threat to large networks. Containment – one form of defense: limit a worm's spread by isolating it in a small subsection of the network.

3 Worm Containment (virus throttling)
Needs to be automated: worms propagate more rapidly than humans can respond. Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.

4 Mechanism Requirements
Break the network into many cells. Within each cell a worm can spread unimpeded. Between cells, containment limits infection by blocking outgoing connections from infected cells. Must have a very low false positive rate: blocking suspicious machines can cause a DoS if the false positive rate is high.

5 Scanning Worms
Operate by picking a "random" address and attempting to infect that machine. Blaster – linear scanning. Code Red – fully random. Code Red II & Nimda – biased toward local addresses.

6 Scanning Worms
Common properties of scanning worms: most scanning attempts result in failure, and infected machines will initiate many connection attempts. Containment looks for this class of behavior rather than a specific worm signature, so it is able to stop new worms.

7 Epidemic Threshold
A worm-suppression device must necessarily allow some scanning before it triggers a response; the worm may find a victim during that time.

8 Epidemic Threshold
The epidemic threshold depends on: the sensitivity of the containment response devices; the density of vulnerable machines on the network; the degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

9 Sustained Scanning Threshold
If a worm scans slower than the sustained scanning threshold, the detector will not trigger. It is vital to achieve as low a sustained scanning threshold as possible. For this implementation the threshold is set to 1 scan per minute.

10 Scan Suppression
Scan suppression – responding to detected portscans by blocking future scanning attempts. Portscans have two basic types: horizontal – search for an identical service on a large number of machines; vertical – examine an individual machine to discover its running services.

11 Implementation
The scan detection and suppression algorithm is derived from Threshold Random Walk (TRW) scan detection. The algorithm operates by using an oracle to determine whether a connection will fail or succeed.

12 Implementation
The scan detection algorithm is simpler than TRW and suitable for both hardware and software implementation. The simplified algorithm causes an increased false negative rate, with no change in the false positive rate.

13 Hardware Implementation
Constraint: memory access speed. During the transmission of one minimum-sized gigabit Ethernet packet there is only time for DRAM accesses at 8 different locations (4 accesses for full duplex). Using SRAM solves the problem, but is more expensive.

14 Hardware Implementation
Approximate cache: a cache in which collisions cause imperfections. It stores more data than would normally fit in the available memory. A Bloom filter is one type of approximate cache.

15 Connection Cache

16 Address Cache Lookup

17 Attacking the Containment
False positives: an attacker can create false positives, triggering responses that wouldn't otherwise occur. False positives can thus be turned into a DoS against the blocked target.

18 Attacking the Containment
False negative: the worm slips by even though containment is active, by scanning at a rate slower than the sustained scanning threshold. This requires more complicated code from worm writers.
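As an added example (not code from the paper or from this presentation), a Python sketch of the simplified TRW-derived counter from slides 11 and 12, with the per-minute decay that produces the 1 scan/minute sustained scanning threshold of slide 9, run over constructed traffic that includes the slow-scanning false negative of slide 18. The threshold values, the decay schedule, the exact dictionary standing in for the hardware approximate cache, and the host addresses are assumptions; a real deployment would obtain the success/failure verdict from the connection cache rather than take it as an input.

```python
from dataclasses import dataclass

BLOCK_THRESHOLD = 10    # assumption: block once failures outnumber successes by more than this
MIN_COUNT = -10         # assumption: floor so a past run of successes cannot mask a later scan
DECAY_INTERVAL = 60.0   # seconds; one decrement per minute gives the 1 scan/min sustained threshold

@dataclass
class AddrState:
    count: int = 0          # failures minus successes, decayed over time
    last_decay: float = 0.0
    blocked: bool = False

class ScanSuppressor:
    """Simplified TRW-style detector: per-source counter of failed minus successful connections."""
    def __init__(self):
        self.table = {}     # an exact dict stands in for the hardware approximate cache

    def observe(self, src, now, success):
        """Record one connection attempt judged by the oracle; return 'allowed' or 'blocked'."""
        st = self.table.setdefault(src, AddrState(last_decay=now))
        steps = int((now - st.last_decay) // DECAY_INTERVAL)   # whole minutes elapsed
        if steps:
            st.count = max(MIN_COUNT, st.count - steps)
            st.last_decay += steps * DECAY_INTERVAL
        if st.blocked:
            return "blocked"
        if success:
            st.count = max(MIN_COUNT, st.count - 1)
        else:
            st.count += 1
            if st.count > BLOCK_THRESHOLD:
                st.blocked = True
                return "blocked"
        return "allowed"

def run_trace(trace):
    """trace: list of (src, time_s, success). Returns {src: time of first block}."""
    s = ScanSuppressor()
    first_block = {}
    for src, t, ok in trace:
        if s.observe(src, t, ok) == "blocked" and src not in first_block:
            first_block[src] = t
    return first_block

def constructed_traces():
    """Constructed sample traffic: a fast scanner, a slow scanner, and a benign host."""
    fast = [("10.0.0.5", float(i), False) for i in range(15)]         # one failure per second
    slow = [("10.0.0.6", 90.0 * i, False) for i in range(40)]          # one failure every 90 s
    benign = [("10.0.0.7", 2.0 * i, i % 2 == 0) for i in range(40)]    # successes and failures mixed
    return sorted(fast + slow + benign, key=lambda e: e[1])
```

Only the fast scanner is blocked; the slow scanner stays under the sustained scanning threshold and is never caught, which is exactly the false negative the last slide describes.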

