Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com."— Presentation transcript:

1 Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com

2 Copyright Silicon Defense 2003. There will Always be Vulnerabilities Murphy’s Law, the fitness of evolving species and the limits of software reliability. R. Brady, R. Anderson, and R. Ball Paper: Shows that under continued random testing at constant rate, vulnerabilities decline at rate 1/t. In some sense, testing finds the fewest possible vulnerabilities that will get the software past the test. Software size is probably growing faster than t! So there will always be worms…

3 Copyright Silicon Defense 2003. Code Red Spread

4 Copyright Silicon Defense 2003. Theory of Random Scanning Worms a = e vS(t-T) /(1+e vS(t-T) ) a is proportion infected t is time Gives sigmoidal graph centered on T 1/vS is time to increase by factor e. v is vulnerability density (8x10 -5 for CRI, 1% would be really big) S is effective scan rate (~6Hz for CRI, ~10kHz for Slammer on well connected networks. Probably get to 50kHz for TCP scans)

5 Copyright Silicon Defense 2003. Sapphire/Slammer 170 Gbps!

6 Copyright Silicon Defense 2003. Enterprise environment Where the real damage can be done –Many companies control critical equipment Firewalls: –Worms often get in, but few starts –Nimda style dedicated firewall crossing function Enterprise address space consists of disjoint smaller pieces (eg two class B nets) –Worm has to find them –Random IP address very unlikely to be in net –Slows it down

7 Copyright Silicon Defense 2003. Subnet scanning Differentially choose a destination address near the source address Code Red II: Choose a random address from –Class B: p = 3/8 –Class A: p = 1/2 –Internet: p = 1/8 Worm can exploit pieces of network it finds Code Red II proportions not optimal

8 Copyright Silicon Defense 2003. Optimal Class B search (v = 0.1%)

9 Copyright Silicon Defense 2003. Optimal Class B search proportion

10 Copyright Silicon Defense 2003. Flash Worm Also theory: due to Silicon Defense Scan all vulnerable servers first Build a map of worm spread Optimize map for routing picture (BGP) Launch worm Worm carries address map with it Limited by bandwidth Tens of seconds to saturation on Internet 100ms to saturate on internal network Topological Worms are similar –Use information on host instead of precomputed map –Slower, less efficient than flash but no prep Flash/Topological not reliably containable at present

11 Copyright Silicon Defense 2003. Worm Containment: Goal Epidemic Threshold: E(Number of Children) < 1 Bad! Good ? Sum(i=0,infinity,a i ) = 1/(1-a) a<1

12 Copyright Silicon Defense 2003. Worm Containment Approaches Host based vs Network based For scanning worms –Block scans –Anything that will block scans will do in principle –HP, IBM, Silicon Defense have dedicated technology –Epidemic threshold = an average scan sees < 1.0 vulnerable machines

13 Copyright Silicon Defense 2003. Basic Facts of Life with Worms Spread faster than any human response –Signatures need not apply Cannot reliably detect novel worm on the first connection through us –Detect unknown badness in arbitrary app. data –Just as hard as getting applications right Depend instead on correlating multiple wormlike anomalies to get reliable detect Doesn’t work well inbound - need outbound Need complete deployment

14 Copyright Silicon Defense 2003. Inbound vs Outbound Containment This is why we need complete deployment to contain - otherwise just lowering v (slowing things down but not containing them).

15 Copyright Silicon Defense 2003. CounterMalice approach Inline device in network Divide network into cells Filters out scans (doesn’t handle Flash etc) Contacting many destinations is odd Contacting many dead destinations is odder If can cut off after T scans, then… E(C) = TvP N < 1

16 Copyright Silicon Defense 2003. Containment Simulation

Download ppt "Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,

Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,
CS-495 Advanced Networking Chi Yin Cheung, Spring 2005 The Top Speed of Flash Worms Introduction Design of Flash Worms UDP Flash Worms TCP Flash Worms.

CS-495 Advanced Networking Chi Yin Cheung, Spring 2005 The Top Speed of Flash Worms Introduction Design of Flash Worms UDP Flash Worms TCP Flash Worms.
IP, Wireless The world is the network. From Ethernet up Ethernet uses 6 byte addresses Source, destination, data, and control stuff Local networks only.

IP, Wireless The world is the network. From Ethernet up Ethernet uses 6 byte addresses Source, destination, data, and control stuff Local networks only.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern.
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.

On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Similar presentations

Ads by Google