Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.

Published byBryce Parsons Modified over 9 years ago

Similar presentations

Presentation on theme: "The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks."— Presentation transcript:

1 The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks

2 Why Worm Based Intrusions Relative ease —“Write once, run everywhere” promise can come true Penetration —Right past firewalls via laptops, find the weakest link Persistence —Worms keep working so you don’t have to Coverage —Attack everything eventually

3 Why Worms are Successful  Missing patches  Rogue access  Missing access control

4 Evolution of Worm Threats Previously, worms were simple clones Worms have become more complicated systems —Multi-vector Grow your potential target base —DDoS tool propagation Utilize the army of machines —Dynamic Thwart static detection mechanisms —Counterworms Fight back with the same strategy

5 Multi-vector Worms Goal is to thwart simple defenses and infect more machines Code Red vs. Nimda (2001) —Code Red: one attack vector (IIS) —Nimda: multiple attack vectors (IIS, mail, IE, open shares) Sircam (2001) —Mass mailer, also spread via open shares Blaster (2003) —MS-RPC or WebDAV attacks

6 DDoS Tool Propagation Use the worm to attack an adversary Code Red (2001) —SYN flood against a static IP Blaster (2003) —SYN flood against a static domain —Variants carried a DDoS toolkit Sapphire, Welchia (2003) —The worm’s spread is a DDoS

7 Dynamic Worm Appearances Try and develop a worm with longevity by evading defenses Hybris (2000) —Used alt.comp.virus to spread code updates Lirva (2003) —Attempted to download new packages from website Sobig (2003) —Contacted website for next set of instructions

8 Counterworms Fight the worm with a fast, scalable attack Code Green (2001) —Anti-Code Red worm Cheese (2001) —Anti-L1on worm Welchia (2003) —Anti-Blaster worm Cause more traffic and problems than they attempt to solve

9 Worm Authors Are Learning It’s growing easier to build worms —Recycle an exploit, automation code, build, launch Use flexible targeting for DoS attacks No need to target multiple platforms —One platform works well enough Multiple infection vectors lead to longevity —Nimda still present two years later Local bias effective at enterprise penetration —Worms will be carried into the enterprise —Laptops, VPN connections

10 Vectors of Control

11 Current Visibility Control Classic firewall strategy for the Internet —Minimally protect the DMZ —Maximally protect the internal network DMZ for exposed services —Control data flow between trusted, untrusted networks Hardened wall against internal, external networks

12 Classic Vulnerability Control Minimized setups on system rollouts —Construct an image with minimal software Patch maintenance —Worms typically attack known holes Aggressive known vulnerability inventorying —Regular system inventories, comparisons against vulnerability databases (e.g. CVE)

13 Controlling Infectability Hardened systems —OS level changes Non-executable stack Permissions for any subsystem Hardened applications —Application configurations Strengthened configurations —Services and privileges for any system

14 Going Beyond the Firewall Traditional firewall configuration methods —Decide policy, install filters —Adjust by reading logs, tweak as needed —Broken applications or upset users Informed firewall configurations —Measure traffic, infer usage —Determine policy, install policy Assisted by Peakflow X

15 Intelligent Risk Assessment Traditional vulnerability scanners —Scan for a service, list machines offering that service —Banner grab, report service type, report potential vulnerabilities Usage, policy-aware vulnerability scanners —Scan for services, compare against usage and policy, report differences —Performed by Peakflow X

16 Combating Worms Minimize visibility —Tune access filters to a minimal set —Externally reachable —Internally used Minimize vulnerability —Track used services —Identify, remove unused services —Couple to strong patch management

17 Detecting Worms Challenge —In the face of dynamic behaviors, reliably detect the presence of a worm Solution —Every worm attempts to spread from host to host —Specific forms of traffic will increase —Not every host will have sent this traffic before Example: web server becoming a web client Therefore —Detect the cascading change in host behaviors

18 Data Gathering for Worm Detection Blackhole networks —No background traffic —Collect attempts from worm trying random hosts Live enterprise networks —Traffic and relationship modeling Live backbone networks —Interface and topology statistics —Traffic modeling and analysis

19 Principles of Correlation Analysis Two types of correlations to qualify events —Auto-correlation Frequency and sources for any single type of anomaly Example: scan frequencies —Cross-correlation Frequency and sources of related anomalies Example: scans followed by traffic increases During worm outbreaks, these frequencies will increase from a growing number of hosts

20 Worm Detection by Peakflow X Uses correlation analysis —Partially based on an expert system —Extendable by the user via a filter language Produces a detailed report —Pattern of the worm’s behavior —Hosts matching this pattern Dynamically grows —Amount of traffic caused by the worm Couple to flow log for additional forensics

21 Safe Quarantine Interactions  Control plane interactions  Specific filters  Preserve legitimate service

22 Conclusions Worm authors are getting smarter —Worms are getting easier to write, more effective Worm detection mechanisms are getting more sophisticated and robust IDS and firewall mechanisms are advancing to develop worm defense techniques

Download ppt "The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks."

Similar presentations

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.
Expose the Vulnerability Paul Hogan Ward Solutions.

Expose the Vulnerability Paul Hogan Ward Solutions.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.
EDUCAUSE Security 2006 Internet John Brown University.

EDUCAUSE Security 2006 Internet John Brown University.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep

Similar presentations

Ads by Google