
How to Own the Internet in Your Spare Time (Stuart Staniford, Vern Paxson, Nicholas Weaver). Presented by Giannis Kapantaidakis, University of Crete, CS558.


1 How to Own the Internet in Your Spare Time (Stuart Staniford, Vern Paxson, Nicholas Weaver)
Giannis Kapantaidakis, University of Crete, CS558

2 What could you do if you 0wn’d a million hosts?
► Distributed DoS attacks
► Access sensitive information
► Confuse or corrupt the information
This makes them a valuable tool in cyber warfare.

3 How to 0wn a million hosts? Worms
► Programs that self-propagate across the Internet by exploiting security flaws in widely-used services (as opposed to viruses, which require user action to spread).

4 Code Red I
► Initial version released July 13, 2001.
► Exploited a known bug in Microsoft IIS web servers.
► But: failure to seed the random number generator. All worm instances attempted to compromise the same sequence of hosts.
► Linear spread, didn’t get very far.

5 Code Red I v2
► Released July 19, 2001.
► Same codebase but:
 random number generator correctly seeded.
 DDoS payload targeting the IP address of www.whitehouse.gov
► That night, Code Red dies (except on hosts with inaccurate clocks!)
► It takes just one of these to restart the worm come the first of the next month!

6 Random Constant Spread Model
► N: total number of vulnerable servers in the Internet
► K: initial compromise rate: the rate at which an infected host is able to infect new hosts at the start of the incident
► a: proportion of vulnerable machines already compromised
► T: time at which the incident happens
► Equation: $N\,da = (Na)\,K\,(1-a)\,dt$
► Solution: $a = \dfrac{e^{K(t-T)}}{1 + e^{K(t-T)}}$
► Good enough model (works for Code Red I)

7
► K=1.8, T=11.9
► Max probe rate: 510,000 scans per hour
► Came close to saturation before turning off

8
► Reawakened on Aug 1st, K=0.7
► The number of vulnerable systems was less than 40% as many as the first time
► Code Red more or less followed the model.
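The Random Constant Spread model of slides 6 through 8, worked as an added example (not code from the paper or these slides): it integrates N da = (Na)K(1-a) dt numerically, checks the result against the closed-form logistic solution, and inverts that solution to get the time at which a given fraction of vulnerable hosts is compromised. K=1.8 and T=11.9 are the slide 7 values; the start time t0=0, the step size and the sample times are assumptions, with t in the same units as T.

```python
import math

K_CODE_RED_I = 1.8   # initial compromise rate fitted on slide 7
T_CODE_RED_I = 11.9  # time position of the incident fitted on slide 7

def rcs_closed_form(t, K=K_CODE_RED_I, T=T_CODE_RED_I):
    """Fraction a(t) of vulnerable hosts compromised, from the logistic solution."""
    x = K * (t - T)
    if x >= 0:                       # two equivalent forms, chosen to avoid overflow
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)

def rcs_euler(t0, t_end, K=K_CODE_RED_I, T=T_CODE_RED_I, dt=1e-3):
    """Integrate N da = (N a) K (1 - a) dt with forward Euler steps, starting
    from the closed-form value at t0. N cancels, so only the fraction a is tracked."""
    a = rcs_closed_form(t0, K, T)
    for _ in range(int(round((t_end - t0) / dt))):
        a += K * a * (1.0 - a) * dt
    return a

def time_to_fraction(target, K=K_CODE_RED_I, T=T_CODE_RED_I):
    """Invert the closed form: the time t at which a(t) == target (0 < target < 1)."""
    return T + math.log(target / (1.0 - target)) / K

def peak_infection_rate(N, K=K_CODE_RED_I):
    """New infections per unit time are N K a (1 - a), which peaks at a = 1/2."""
    return N * K / 4.0

if __name__ == "__main__":
    for t in (8.0, 10.0, 11.9, 13.0, 15.0):          # assumed sample times
        print(f"t={t:5.1f}  a(t)={rcs_closed_form(t):.4f}")
    print("Euler vs closed form at T:", rcs_euler(0.0, T_CODE_RED_I), rcs_closed_form(T_CODE_RED_I))
    print("time to 90% compromised:", time_to_fraction(0.9))
```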

9 Code Red II
► Released August 4, 2001.
► Comment in code: “Code Red II.” But in fact a completely different code base.
► Payload: a root backdoor allowing unrestricted remote access
► Bug: crashes NT, only works right on Windows 2000.
► Used a localized scanning strategy

10 Localized Scanning
► Attempts to infect addresses close to the infected machine:
 with probability 3/8 it chooses a random IP from within the class B address space of the infected machine
 with probability 1/2 from within its class A
 and with probability 1/8 from the whole Internet
► Localized spreading works: nearby hosts are often similar, topologically closer and therefore faster to reach, and the worm spreads fast inside an internal network once it gets through the firewall.

11 Nimda
► Released September 18, 2001.
► Multi-mode spreading:
 attack IIS servers via infected clients
 email itself to the address book as a virus
 copy itself across open network shares
 modify web pages on infected servers in order to infect clients
 scan for Code Red II and sadmind backdoors (!)

12
► Average: 100 connections per second
► About 3X the number of Code Red probes
► Full functionality still not known!

13
► Since Nimda spreads by multiple vectors, the counts shown for it may be an underestimate

14
► Why Code Red I continues to gain strength each month remains unknown

15 Ways of reducing the time to infection
► Hit-list scanning
► Permutation scanning
► Topological scanning
► Internet-scale hit-lists

16 Hit-list scanning
Idea: reduce the slow startup phase.
► Before releasing the worm, the author collects a list of around 10,000 - 50,000 potentially vulnerable machines, ideally ones with very good network connections.
► When released, the worm initially attacks these machines, so the initial infection rate is higher. When it infects a machine it divides the hit-list in half (each copy keeps one half).

17 Ways to get a hit list
 Distributed scanning - use zombies
 Stealthy scan - spread it over several months
 DNS searches - e.g., www.domain.com
 Spiders - ask the search engines
 Just listening - P2P, or exploit existing worms

18 Permutation scanning
Idea: reduce redundant scanning.
► Permutation allows a worm to detect when a host is already infected.
► All worm copies share a common permutation of the IP address space.
► An infected machine starts scanning just after its own position in the permutation. When the worm sees an already-infected machine, it chooses a new random start point.

19 Warhol Worm
► Based on:
 hit-list scanning and
 permutation scanning
► Simulation environment
► Results of simulation

20
► So now we already have methods to attack most vulnerable targets in <15 minutes.

21 Topological Scanning
► Alternative to hit-list scanning
► Use addresses available on the victim’s machine.
► Use these as a start point before switching to permutation scanning.
► Peer-to-peer systems are highly vulnerable to this kind of scanning

22 Flash Worms: The Real Danger
► Idea: use an Internet-sized hit list (scanning the entire address space takes roughly 2 hours).
► The initial copy of the worm has the entire hit list.
► Each generation infects n hosts from the list and gives each 1/n of it. (Or, point them to a well-connected server that serves up portions of the list.)
► With n=10, it requires 7 generations to infect 10^7 hosts (less than 30 seconds!)

23 Still need better worms
► All those worms produce distinctive communication patterns
► This forms the basis for automatic detection
► How can we remove that weakness from worms?
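Slide 23’s point that scanning worms produce distinctive communication patterns, illustrated with an added detection example that is not code from the paper or these slides: a per-source fan-out check over constructed flow records, which for each flagged source also reports what share of its probes land in its own /16, the class-B preference slide 10 describes for Code Red II. The flow tuple layout, the 10-second window, the 20-target threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
import ipaddress

def build_sample_flows():
    """Constructed flow records (t_sec, src_ip, dst_ip, dst_port): one host
    probing 40 distinct web servers in 4 seconds, half of them inside its own
    /16, plus one benign host that contacts three servers."""
    flows = []
    for i in range(40):
        dst = f"10.1.{i}.7" if i % 2 == 0 else f"172.{16 + i}.3.9"
        flows.append((100.0 + i * 0.1, "10.1.2.3", dst, 80))
    for i in range(3):
        flows.append((100.0 + i, "10.1.9.9", f"203.0.113.{10 + i}", 80))
    return flows

def find_scanners(flows, port=80, window=10.0, min_targets=20):
    """Flag sources that contact at least `min_targets` distinct destinations on
    `port` within any `window`-second span. Returns {src: (targets, local_share)}
    where local_share is the fraction of those targets inside the source's /16."""
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((t, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        src_net = ipaddress.ip_network(f"{src}/16", strict=False)
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                local = sum(1 for d in targets if ipaddress.ip_address(d) in src_net)
                hits[src] = (len(targets), local / len(targets))
                break   # one alert per source is enough
    return hits

if __name__ == "__main__":
    for src, (n, share) in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct targets, {share:.0%} inside own /16")
```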

24 Contagion Worms
► Suppose you have two exploits:
 Es: exploit in a web server
 Ec: exploit in a client
► You infect a server (or client) with Es (Ec)
► Then you… wait. (Perhaps you bait, e.g., host porn.)
► When a vulnerable client arrives, infect it.
► You send over both Es and Ec
► As the client happens to visit other vulnerable servers, it infects them too
► Clearly there are no unusual communication patterns to be observed (other than slightly larger-than-usual transfers)

25 Contagion Worms
► They become dangerous with P2P systems because:
 likely only need a single exploit, not a pair.
 often, peers run identical software.
 often used to transfer large files.
 often give access to the user’s desktop rather than a server.
 and they can be very large

26 Contagion Worms
► KaZaA: 9 million distinct IP connections with university hosts (5,800) in a single month
► If you 0wn’d a single university, then in November 2001 you could have 0wn’d 9 million additional hosts.
► How fast? Faster than 1 month.

27 Updating and control
► Distributed control
 Each worm copy has a list of other copies
 Ability to create encrypted communication channels to spread information
 Commands are cryptographically signed by the author.
 Each worm copy confirms the signature, spreads the command to other copies and then executes it
► Programmatic updates
 Operating systems allow dynamic code loading
 New encrypted attack modules from the worm author

28 Centre for Disease Control
► Roles it is expected to perform:
 identifying outbreaks
 rapidly analyzing pathogens
 fighting infections
 anticipating new vectors
 resisting future threats

29 How open?
► Have an open website (accessible to all)?
► Drawbacks:
 the attacker targets the site
 how correct is the information placed on the site?
 the attacker also gains understanding
 some sources may not be willing to make their information public
► How international?

