Slide 1: The Top Speed of Flash Worms
CS-495 Advanced Networking, Chi Yin Cheung, Spring 2005
A review of the paper "The Top Speed of Flash Worms" (Staniford, Moore, Paxson and Weaver, ACM WORM 2004)
Outline: Introduction; Design of Flash Worms; UDP Flash Worms; TCP Flash Worms; Worm Resilience; Avoiding Containment Defenses

Slide 2: Introduction
Controlling 1 million hosts can cause enormous damage:
–DDoS attacks
–Stealing and modifying data
–Can be leveraged for cyber-warfare
Worms can be used to gain such control in a very short period of time, which is what makes them so much more dangerous. Why? The following slides explain.

Slide 3: Remote Control
Distributed control
–Each worm instance knows about the other instances it has infected
–Analysis: high connectivity, average degree = 4
–Without a single point of communication, updates can still be passed through the infected population
Programmatic updates
–Worms as "computing capsules"
–Can send arbitrary code!

Slide 4: Random Scanning
Not the most effective method, but the easiest to implement
Efficiency depends on the quality of the random number generator
Potential for repeats and invalid (unallocated) addresses

Slide 5: Permutation Scanning
Random scanning is inefficient because different worm instances overlap heavily.
All instances share a common pseudo-random permutation of the address space: a 32-bit block cipher under a shared key maps each index to an IP address.
Each instance starts scanning from its own point in the permutation, so instances cover different parts of the address space.
[Figure: index -> 32-bit block cipher (key) -> IP address]
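The permutation scanner the slide describes, as an added example (this is not code from the slides or from the paper). The slide only says "32-bit block cipher + key"; here the cipher is a toy 4-round Feistel network whose round function is SHA-256 (an assumption for illustration, chosen because a Feistel network is a bijection whatever the round function). The key, the instance address and the 16-bit toy address space used for the checks are all constructed for the example.

```python
import hashlib


def _round_function(half: int, key: bytes, rnd: int, half_bits: int) -> int:
    """Keyed round function: SHA-256 of (key, round number, half block), truncated."""
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << half_bits) - 1)


def permute(index: int, key: bytes, bits: int = 32, rounds: int = 4) -> int:
    """Keyed bijection on [0, 2**bits): scan index -> address, via a balanced Feistel
    network. Stands in for the slide's '32-bit block cipher + key' (toy construction)."""
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    left, right = index >> half_bits, index & mask
    for rnd in range(rounds):
        left, right = right, left ^ _round_function(right, key, rnd, half_bits)
    return (left << half_bits) | right


def unpermute(address: int, key: bytes, bits: int = 32, rounds: int = 4) -> int:
    """Inverse of permute: a newly infected host decrypts its own address to find
    its position in the permutation and starts scanning just after it."""
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    left, right = address >> half_bits, address & mask
    for rnd in reversed(range(rounds)):
        left, right = right ^ _round_function(left, key, rnd, half_bits), left
    return (left << half_bits) | right


def to_dotted(address: int) -> str:
    return ".".join(str(b) for b in address.to_bytes(4, "big"))


def scan_order(own_address: int, count: int, key: bytes, bits: int = 32) -> list:
    """The next `count` addresses an instance at own_address would probe, in order."""
    start = unpermute(own_address, key, bits)
    space = 1 << bits
    return [to_dotted(permute((start + i) % space, key, bits)) for i in range(1, count + 1)]


def overlap_fraction(start_indices, steps: int, key: bytes, bits: int) -> float:
    """Fraction of probes, over several instances each taking `steps` from its start
    index, that hit an address another instance already probed. With a shared
    permutation the overlap is exactly the overlap of the index ranges."""
    seen, duplicates = set(), 0
    space = 1 << bits
    for start in start_indices:
        for i in range(1, steps + 1):
            address = permute((start + i) % space, key, bits)
            if address in seen:
                duplicates += 1
            seen.add(address)
    return duplicates / (len(start_indices) * steps)


if __name__ == "__main__":
    key = b"shared-worm-key"                      # constructed key for the example
    for ip in scan_order(0xC0A80101, 5, key):     # constructed: instance at 192.168.1.1
        print(ip)
    # Two instances whose index ranges overlap by 200 of 1000 probes.
    print(overlap_fraction([0, 300], 500, key, bits=16))   # 0.2
```

The check worth noting for a defender: because every instance walks the same permutation, the order in which a given host is probed is fixed by the key, so two captured instances reveal the full scan order, which is what makes the spread map of such a worm computable offline.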

Slide 6: Worm Scanning Methods, Hit-List Scanning
"Getting off the ground" very fast
–Say the first 10,000 hosts: pre-select 10,000 to 50,000 vulnerable machines in advance
–The first worm instance carries the entire hit list
–The hit list is split in half on each infection
–The worm can establish itself in a few seconds

Slide 7: Combining Techniques
Combining hit-list scanning with permutation scanning produces the "Warhol" worm, capable of attacking most vulnerable targets in under 15 minutes.
It uses the hit list to speed up the initial spread, then switches to permutation scanning to ensure a high infection rate.
Future worms will be faster and better (hence more dangerous), which brings us to flash worms.

Slide 8: Flash Worms
Fastest method: the entire Internet in tens of seconds
Obtain the hit list of vulnerable servers in advance
–Scanning the entire IPv4 address space takes about 2 hours on an OC-12 link (622 Mbps)
–The list would be big (~48 MB)
Divide the list into n blocks
–Infect the first host of each block and hand the rest of the block over to the new worm instance
–Repeat for each block
Alternative: store pre-assigned chunks of the list on a high-bandwidth server
Two limitations
–Large list size
–Latency
Analysis: a sub-thirty-second limit on total infection time, even from a 256 kbps DSL link

Slide 9: Worm Spread Using a Hit List
[Figure: spread tree] For 3 million hosts the tree is just 7 layers deep (n = 10).

Slide 10: Design of Flash Worms
Flash worm concepts are derived from two prominent worms:
–The Slammer worm (January 2003), the fastest scanning worm to date; it infects via a single UDP packet
–The Witty worm (March 2004), which also spread via UDP
The authors use measurements from these two worms to model the characteristics of a potential flash worm.

Slide 11: Flash Worms: What Are They?
Most defensive effort is directed against random-scanning worms: guess an address and attack it
Flash worms: a precompiled list of vulnerable addresses to infect
Flash worms are interesting because:
–They are the fastest possible worms
–The spread map can be calculated offline, and can be used to explore the worst-case performance of containment defenses

Slide 12: UDP Flash Worms
Key issue in single-packet flash worm design: the time between successive packets sent by one host is small compared to the time it takes a packet to cross the Internet
Computing the average latency distribution between different regions motivates a shallow and broad infection tree
The attacker should launch from a host with high data capacity and a good connection to the Internet

Slide 13: UDP Flash Worms
The UDP worm carries the address list to be infected after its code
The worm injector copies a subset of the address list into each copy of the worm before sending it out
Given the authors' assumptions about the worm and network conditions, the worm can infect 1 million hosts in less than 1 second
The worm will not be limited by congestion in the network core (the total bandwidth required is only O(10 Gbps) according to the authors)

Slide 14: UDP Flash Worms [figure; no text captured]

Slide 15: TCP Flash Worms
TCP worms are larger and slower than UDP worms, but there are more TCP services to exploit
Two types of TCP worm
–Small worms, where k (the number of packets) < W (the TCP window)
–Large worms, where k > W
Packet loss affects worm speed, especially for large worms
Because the worm sends without going through TCP slow start there is no "ack clocking" to pace it, so it might overflow buffers
Solution: round-robin through the open connections to avoid overflowing the sender
The authors believe a TCP worm need not be much larger than Slammer

Slide 16: TCP Flash Worms
[Figure: a small worm fits within the window; a large worm is larger than the window]
While large worms can make transmission faster by disregarding the window size and sending the whole worm at once (provided the receiver can receive fast enough), packet loss degrades their performance because the window will not move forward.

Slide 17: TCP Flash Worms
TCP worms are slower than UDP worms because of TCP latency (the connection handshake costs a round trip before any payload is sent)
But TCP worms are still fast: the authors' simulation shows 99% compromise after 3.3 s

Slide 18: TCP Flash Worms [figure; no text captured]

Slide 19: Worm Resilience
The address list is imperfect. Why? Unreliable diagnostics and aging.
Two situations:
–False negative: a vulnerable host missing from the list
–False positive: a listed host that is not actually vulnerable
False positives can hamper worm spread
–Especially true for deep and narrow spread trees
–Broad/shallow trees are more resilient
–Binary spread trees are too fragile (what if a node close to the source is invulnerable?)

Slide 20: Worm Resilience
Making flash worms resilient
–Shallow spread-tree flash worms: add acknowledgements, i.e. have infected nodes send a copy of the worm back to the initial host; if no ack arrives, substitute another address
–Acks are not good for deep spread trees: too slow, and the acks must be gathered effectively
–Solution: double infection, where each intermediate node also infects one of its siblings

Slide 21: Worm Resilience
To compute the probability r that a given node ends up uninfected, the authors propose an equation (not captured in this transcript). Graphs are shown on the next slide.

Slide 22: Worm Resilience
It is readily apparent that a shallow tree is less fragile than a deep binary tree, where a single invulnerable host can prune an entire branch of the tree.

Slide 23: Worm Resilience [figure; no text captured]

Slide 24: Worm Resilience
K independent K-way trees
–In a K-way tree, the non-leaf nodes are a fraction 1/K of the total nodes
–So K independent sets of internal nodes can be chosen
–Worms using these K trees can be started simultaneously to increase resilience
Cost: increased code complexity
The graphs show that they are more effective than the binary tree scheme (except for the 2-way trees compared with doubling up infections)

Slide 25: Worm Resilience [figure; no text captured]

Slide 26: Worm Resilience
Note that the 2-2 way tree performs worse than doubling up. This may be because it is less likely to get two invulnerable hosts at the same level (which is what prunes a doubled-up tree) than to get two invulnerable hosts, one in each tree, somewhere on the two paths to a host.

Slide 27: Multitree Approach Implications
The multitree approach may not increase the bandwidth required by the worm, except for a single-packet UDP worm (where bandwidth increases by a factor of K)
The multitree approach does not slow the worm; it might actually make it faster by offering the benefits of a shallower tree
But it may make the worm easier to detect
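A Monte Carlo model of the spread trees discussed on slides 8-9 and 19-27, as an added example (not code from the slides or from the paper, which gives a closed-form equation this transcript does not capture). Hosts are numbered 0..n-1, host 0 is the attacker's injector, and position p of a k-way tree in breadth-first numbering has children k*p+1 .. k*p+k; that layout is exactly the "divide the list into blocks and hand each block to the first host of the block" scheme. A host that is on the list but invulnerable (a false positive) never runs the worm, so it prunes everything below it. "Doubling up" is modelled as each host sending the worm to its own children and to the children of one sibling (an interpretation of slide 20, assumed here); "multitree" as k independent k-way trees over the same hosts with independently shuffled positions (slide 24). Host count, invulnerability rate and seed are constructed for the example.

```python
import random


def tree_depth(n_hosts: int, k: int) -> int:
    """Layers of infection below the injector needed for a k-way tree to cover n_hosts
    (slide 9: 3 million hosts with n = 10 gives 7 layers)."""
    depth, covered = 0, 1
    while covered < n_hosts:
        depth += 1
        covered += k ** depth
    return depth


def spread(order, k, vulnerable, doubling=False):
    """One launch over a k-way tree. order[p] is the host sitting at tree position p;
    vulnerable[h] says whether host h actually runs the worm when it receives a copy.
    Returns the set of hosts that end up infected."""
    n = len(order)
    got_copy = [False] * n              # indexed by host
    got_copy[order[0]] = True           # the injector starts with the worm
    for pos in range(n):
        host = order[pos]
        if not (got_copy[host] and vulnerable[host]):
            continue                    # never reached, or invulnerable: subtree pruned
        senders = [pos]                 # this node forwards to its own children ...
        if doubling and pos > 0:        # ... and, when doubling up, to a sibling's children
            parent = (pos - 1) // k
            first, last = k * parent + 1, k * parent + k
            senders.append(pos + 1 if pos < last else first)   # next sibling, ring order
        for s in senders:
            for child_pos in range(k * s + 1, min(k * s + k, n - 1) + 1):
                got_copy[order[child_pos]] = True
    return {h for h in range(n) if got_copy[h] and vulnerable[h]}


def uninfected_fraction(n, k, p_invulnerable, scheme, trials=60, seed=1):
    """Fraction of vulnerable hosts (excluding the injector) the worm misses, averaged
    over independent random lists. scheme is 'plain', 'doubling' or 'multitree'."""
    rng = random.Random(seed)
    vulnerable_total = missed_total = 0
    for _ in range(trials):
        # Constructed list: each listed host is a false positive with probability p.
        vulnerable = [True] + [rng.random() >= p_invulnerable for _ in range(n - 1)]
        if scheme == "multitree":
            infected = set()
            for _ in range(k):          # k independent k-way trees, union of their reach
                order = list(range(1, n))
                rng.shuffle(order)
                infected |= spread([0] + order, k, vulnerable)
        else:
            infected = spread(list(range(n)), k, vulnerable, doubling=(scheme == "doubling"))
        n_vulnerable = sum(vulnerable) - 1
        vulnerable_total += n_vulnerable
        missed_total += n_vulnerable - (len(infected) - 1)
    return missed_total / vulnerable_total


if __name__ == "__main__":
    print("depth for 3M hosts, 10-way:", tree_depth(3_000_000, 10))
    n, p = 2047, 0.05                   # constructed: full binary tree of depth 10, 5% false positives
    for label, k, scheme in [("binary", 2, "plain"), ("10-way", 10, "plain"),
                             ("binary, doubling up", 2, "doubling"),
                             ("2 x 2-way trees", 2, "multitree")]:
        print(f"{label:22s} r = {uninfected_fraction(n, k, p, scheme):.3f}")
```

Running it reproduces the ordering the slides report: the deep binary tree loses roughly a third of the vulnerable hosts at a 5% false-positive rate, the 10-way tree far fewer, two independent 2-way trees fewer still, and doubling up beats both, because a doubled-up level is only pruned when both members of a sibling pair are invulnerable (probability p squared per level) rather than when any one ancestor is.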

Slide 28: Avoiding Containment Defenses
Methods of avoiding containment
–Slowing the worm
–Reducing the degree K at each node
–Adding redundancy to route around defenses
A flash worm using a binary or other low-K tree will avoid scan-detection algorithms (the number of victims each host contacts stays below the detection threshold)
It avoids dark-address detectors because the addresses it contacts are almost all valid
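The two detectors this slide says a low-K flash worm slips past, run over constructed flow records, as an added example (not from the slides or the paper). The scan detector is a simplified per-source threshold rule, alerting when one source contacts more than SCAN_THRESHOLD distinct destinations within WINDOW seconds; it is not any particular product's algorithm. The dark-address detector counts contacts with addresses the defender knows are unallocated. All addresses, the thresholds and the 10.200.0.0/16 dark block are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, deque

DARK_SPACE = ipaddress.ip_network("10.200.0.0/16")   # assumed: unused block the defender watches
SCAN_THRESHOLD = 8                                    # assumed: distinct destinations per source
WINDOW = 10.0                                         # assumed: seconds

# Constructed flow records: (time in seconds, source, destination).
FLOWS = [
    # A random-scanning instance: probes guessed addresses, several land in dark space.
    *[(1.0 + 0.1 * i, "10.1.1.5", dst) for i, dst in enumerate([
        "10.200.3.4", "192.0.2.10", "10.200.9.9", "198.51.100.7",
        "10.200.77.1", "203.0.113.5", "10.200.1.1", "192.0.2.33",
        "198.51.100.44", "203.0.113.66", "192.0.2.77", "198.51.100.88"])],
    # A K=2 flash worm: every infected host forwards to exactly two listed hosts.
    (5.00, "10.2.0.1", "10.2.0.2"), (5.00, "10.2.0.1", "10.2.0.3"),
    (5.05, "10.2.0.2", "10.2.0.4"), (5.05, "10.2.0.2", "10.2.0.5"),
    (5.05, "10.2.0.3", "10.2.0.6"), (5.05, "10.2.0.3", "10.2.0.7"),
    # A K=10 flash worm node: ten listed targets in one burst.
    *[(6.0, "10.3.0.1", f"10.3.0.{i}") for i in range(2, 12)],
]


def is_dark(address: str) -> bool:
    return ipaddress.ip_address(address) in DARK_SPACE


def scan_alerts(flows, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Threshold scan detector: {source: time of first alert} for every source that
    contacts more than `threshold` distinct destinations within any `window` seconds."""
    recent = defaultdict(deque)     # source -> (time, destination) within the window
    alerts = {}
    for t, src, dst in sorted(flows):
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()
        if src not in alerts and len({d for _, d in q}) > threshold:
            alerts[src] = t
    return alerts


def dark_hits(flows):
    """Dark-address detector: {source: number of contacts with unallocated addresses}."""
    counts = defaultdict(int)
    for _, src, dst in flows:
        if is_dark(dst):
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("scan alerts:", scan_alerts(FLOWS))    # random scanner and the K=10 node only
    print("dark hits:  ", dark_hits(FLOWS))      # random scanner only
```

The random scanner trips both detectors and the K=10 node trips the scan threshold, but every K=2 host contacts exactly two valid addresses and is invisible to both, which is the slide's point: per-source rate and dark-space telemetry cannot see a low-degree flash worm, so detection has to come from content or from the victim side (the EarlyBird and honeyfarm detectors on the next slide).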

Slide 29: Avoiding Containment Defenses
Two possible detectors:
–The EarlyBird detector
–The honeyfarm detector
EarlyBird searches for statistical anomalies in the frequency of common content patterns
A honeypot detects worms by letting the worm propagate to it
But detection is not enough; the defense must respond to infection by stopping the spread
–EarlyBird is too slow to stop a flash worm
–A honeypot cannot tell the rest of the network about the worm fast enough

Slide 30: Implications
One solution for flash worm writers
–Ignore containment defenses
–Make the worm fast and reliable
–Don't try to avoid detection (by slowing the worm etc.)
Treat systems with defenses as resistant hosts and counter them with the resilience mechanisms
The best chance a defender has is to hide the list of vulnerable addresses from any potential attacker (i.e. there is no good solution)

Slide 31: Related Work
Study of fast worms that spread via instant-messaging clients
Sizable buddy lists and short latency for sending messages
6 to 157 s to saturate 500,000 machines, based on the authors' assumptions

Slide 32: Conclusions
Flash worms can spread extremely quickly, provided they have a good hit list
–UDP worms infect in < 1 s
–TCP worms infect in a few seconds
Shallow trees are resilient to list errors but less resilient to containment defenses
Deep trees are harder to contain but less resilient to list errors
With redundancy, deep trees can still tolerate modest proportions of list errors and containment defenses

Slide 33: Exploiting P2P Systems for Infection
A large set of hosts all running the same software, so only a single exploit is needed
More favorable for infection:
–Interconnected with a large number of peers
–Transfer large files
–Not mainstream protocols
–Execute on desktops, not servers
Potentially immense size

