Very Fast Containment of Scanning Worms
Presenter: Yan Gao
------------------------------------------------
Authors: Nicholas Weaver, Stuart Staniford, Vern Paxson

Outline

- Worm containment
- Hardware implementations
- Scan suppression
- Cooperation
- Attacking worm containment

Scanning Worms

What is a scanning worm?
- Operates by picking "random" addresses and attempting to infect the machine at each one.
  - Blaster: linear scanning
  - Code Red: fully random
  - Code Red II & Nimda: biased toward local addresses

Common properties of scanning worms:
- Most scanning attempts result in failure.
- Infected machines will initiate many connection attempts.

Scanning Worms

How to mitigate the spread of worms?

- Prevention: reduce the size of the vulnerable population.
  - Insufficient to counter the worm threat. Why? A single vulnerability in a popular software system can translate to millions of vulnerable hosts.
- Treatment: once a host is infected, clean it up immediately (antivirus software, patches).
  - Reduces the number of vulnerable hosts and the rate of infection.
  - Limitation: cleanup code takes a long time to develop, and is too slow to have a significant impact.
  - People don't install patches.
- Containment

Containment

- Protect individual networks and isolate infected hosts.
  - Examples: firewalls, content filters, automated blacklists.
- The most promising solution:
  - Can be completely automated.
  - Does not require the participation of each and every host on the Internet.

Containment Properties

Reaction time, made up of:
- Detection of malicious activity
- Propagation of the containment information to all hosts participating in the system
- Activation of the containment strategy

Containment Strategies

Address blacklisting
- Maintain a list of IP addresses that have been identified as infected.
- Drop all packets from any address on the list.
- Advantage: can be implemented easily with existing filtering technology.
- Disadvantage: must be updated continuously to reflect newly infected hosts.

Containment (contd.)

Content filtering
- Requires a database of content signatures known to represent particular worms.
- Requires additional technology to automatically create appropriate content signatures.
- Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation.

Deployment scenarios
- Ideally, a global deployment is preferable.
- Practically, a global deployment is impossible.
- May instead deploy at the borders of ISP networks.

Worm Containment

Defense against scanning worms
- Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.
- Leverages the anomaly of a local host attempting to connect to many other hosts.
- Containment looks for a class of behavior rather than a specific worm signature, so it is able to stop new worms.

Worm Containment

- Break the network into many cells.
  - Within each cell a worm can spread unimpeded.
  - Between cells, containment limits infections by blocking outgoing connections from infected cells.
- Must have a very low false positive rate.
  - Blocking suspicious machines can cause a DoS if the false positive rate is high.
- Need for complete deployment within an enterprise.
  - Integrated into the network's outer switches or similar hardware elements.

Epidemic Threshold

- A worm-suppression device must necessarily allow some scanning before it triggers a response.
  - The worm may find a victim during that time.
- The epidemic threshold depends on:
  - The sensitivity of the containment response devices.
  - The density of vulnerable machines on the network (affected by NAT and DHCP).
  - The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

Sustained Scanning Threshold

- If a worm scans slower than the sustained scanning threshold, the detector will not trigger.
- It is vital to achieve as low a sustained scanning threshold as possible.
- For this implementation the threshold is set to 1 scan per minute.

Hardware Implementation

Constraints:
- Memory access speed: on duplex gigabit Ethernet, the device can only access DRAM 4 times per packet.
- Memory size: attempt to keep the footprint under 16 MB.
- The number of distinct memory banks.

Hardware Implementations

Approximate caches (collisions cause imperfections, as in a Bloom filter)
- Fixed memory available.
- Allow collisions to cause aliasing.
- Err on the side of false negatives.

Attacker behavior to design against:
- Predicting the hashing algorithm: countered with a keyed hash function.
- Simply overwhelming the cache.

Hardware Implementations

Efficient small 32-bit block ciphers
- Prevent attackers from controlling collisions.
- Permute the N-bit value.
- Separate the resulting N-bit value into an index and a tag.

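As an added illustration of the index/tag scheme (this is not code from the paper or the slides), the Python below permutes a 32-bit value with a toy keyed Feistel construction standing in for the efficient small block cipher the slide mentions, then cuts the result into a bucket index and a short tag. The key, the cache geometry (8 index bits, 4 tag bits) and the sample addresses are constructed assumptions. Because bits beyond the index and tag are discarded, two distinct values can alias to the same slot, which is exactly the false-negative-leaning imperfection the design accepts; find_alias measures that by exhaustive search rather than by any property of the key.

```python
"""Approximate cache keyed by a small 32-bit permutation (illustrative example).

A value (here an IPv4 address as a 32-bit integer) is permuted with a keyed,
invertible function and the permuted bits are cut into a bucket index and a
short tag.  Discarding the remaining bits is what allows aliasing.
"""
from typing import Dict, Tuple

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def _rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK16


def _round(half: int, k: int) -> int:
    # Toy keyed round function (odd multiplier, key addition, rotate, xor).
    # It stands in for the paper's efficient small block cipher and is chosen
    # for readability; it is not a cryptographically vetted construction.
    x = (half * 0x9E37 + k) & MASK16
    return _rotl16(x, 7) ^ (x >> 3)


def permute32(value: int, key: Tuple[int, ...]) -> int:
    """Feistel permutation of a 32-bit value; one round per 16-bit key word."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for k in key:
        left, right = right, left ^ _round(right, k)
    return (left << 16) | right


def unpermute32(value: int, key: Tuple[int, ...]) -> int:
    """Inverse of permute32, showing that the mapping is a true bijection."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for k in reversed(key):
        left, right = right ^ _round(left, k), left
    return (left << 16) | right


class ApproxCache:
    """Direct-mapped cache of tags; the key decides where each value lands."""

    def __init__(self, key: Tuple[int, ...], index_bits: int = 8, tag_bits: int = 4):
        self.key, self.index_bits, self.tag_bits = key, index_bits, tag_bits
        self.slots: Dict[int, int] = {}  # bucket index -> stored tag

    def split(self, value: int) -> Tuple[int, int]:
        p = permute32(value & MASK32, self.key)
        index = p & ((1 << self.index_bits) - 1)
        tag = (p >> self.index_bits) & ((1 << self.tag_bits) - 1)
        return index, tag

    def insert(self, value: int) -> None:
        index, tag = self.split(value)
        self.slots[index] = tag  # an index collision overwrites the older entry

    def contains(self, value: int) -> bool:
        index, tag = self.split(value)
        return self.slots.get(index) == tag


def find_alias(cache: ApproxCache, limit: int = 1 << 13) -> Tuple[int, int]:
    """Return two distinct values that share (index, tag) under the cache's key.

    With index_bits + tag_bits = 12 there are only 4096 distinct pairs, so
    scanning 8192 values must find a pair by the pigeonhole principle.
    """
    seen: Dict[Tuple[int, int], int] = {}
    for v in range(limit):
        s = cache.split(v)
        if s in seen:
            return seen[s], v
        seen[s] = v
    raise RuntimeError("limit must exceed 2 ** (index_bits + tag_bits)")


DEMO_KEY = (0x1234, 0x5678, 0x9ABC, 0xDEF0)  # constructed example key


def demo() -> Dict[str, object]:
    cache = ApproxCache(DEMO_KEY)
    a, b = find_alias(cache)
    cache.insert(a)
    return {
        "alias_pair": (a, b),
        "b_reports_seen": cache.contains(b),  # aliasing: b was never inserted
        "roundtrip_ok": unpermute32(permute32(0xC0A80101, DEMO_KEY), DEMO_KEY) == 0xC0A80101,
        "distinct_outputs": len({permute32(v, DEMO_KEY) for v in range(4096)}),
    }
```

Running demo() shows the two sides of the design: the permutation is a bijection (every one of 4096 inputs maps to a distinct output and round-trips through unpermute32), yet once the output is truncated to an index and a tag, an address that was never inserted can report as seen. Without the key, an observer cannot tell which addresses share a slot, which is the point of using a keyed permutation rather than a public hash.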
Scan Suppression

- Responding to detected portscans by blocking future scanning attempts.
- Portscans have two basic types:
  - Horizontal: search for an identical service on a large number of machines.
  - Vertical: examine an individual machine to discover its running services.

Scan Suppression

Protect the enterprise, forget the Internet
- Preventing scans from the Internet is too hard.
- If an inside node is infected, the filter sees all of its traffic.
- The cell (local area network) is treated as "outside"; the larger enterprise network is "inside".
- Can also treat the entire enterprise as the cell, and the Internet as outside.

[Figure: network diagram with regions labeled "Internet", "Outside", "Inside", "Outside", and "Scan detectors".]

Scan Suppression

Derived from Threshold Random Walk (TRW) scan detection.
- The algorithm operates by using an oracle to determine whether a connection will fail or succeed.
- By modeling benign traffic as having a different probability of success than attack traffic, TRW can decide whether a particular series of connection attempts from a given host is likely to be a scan.
- Assumption: benign traffic has a higher probability of success than attack traffic.

Scan Suppression

Strategies:
- Track connections and addresses using approximate caches.
- Replace old addresses and old ports when the corresponding entry has timed out.
- Track addresses indefinitely, as long as their state need not be evicted from the caches.
- Detect vertical as well as horizontal TCP scans, and horizontal UDP scans.
- Implement a "hygiene filter" to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.

Connection Cache

- Records whether a packet has been seen in each direction.
- Aliasing turns a failed attempt into a success (biases toward false negatives).
- Age is reset on each forwarded packet.
- Every minute, a background process purges entries older than Dconn.

Address Cache

- Tracks "outside" addresses.
- Counter keeps the difference between successes and failures.
- Counts are decremented every Dmiss seconds.

Algorithm Pseudo-code

[Figure: the algorithm pseudo-code slide was not captured in the transcript.]

Parameters and Tuning

Parameters:
- T: miss-hit difference that causes a block
- Cmin: minimum allowed count
- Cmax: maximum allowed count
- Dmiss: decay rate for misses
- Dconn: decay rate for idle connections
- Cache size and associativity

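The connection cache, address cache and parameters described on the preceding slides can be put together into a small working detector. The Python below is an added example, not the authors' pseudo-code or hardware logic: exact dictionaries stand in for the fixed-size approximate caches, the numeric values of T, Cmin, Cmax, Dmiss and Dconn are constructed (the slides name them but give no values beyond the 1-scan-per-minute target), and the traffic in run_demo is a constructed trace. Following the slides' terminology, hosts in the monitored cell are the "outside" addresses being tracked; a new connection leaving the cell counts as a miss until a reply is seen, so each count equals failures minus successes.

```python
"""Cell-level scan suppressor: connection cache + per-address miss/hit counter.
Illustrative rendering of the slides' design; parameter values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Params:
    T: int = 5            # miss-hit difference that causes a block
    Cmin: int = -10       # minimum allowed count
    Cmax: int = 10        # maximum allowed count
    Dmiss: float = 60.0   # every Dmiss seconds each count is decremented by one
    Dconn: float = 600.0  # idle connections older than this are purged (every minute)


@dataclass
class Conn:
    last_seen: float
    replied: bool = False  # has a packet been seen in the reverse direction?


ConnKey = Tuple[str, str, int, str]  # (cell host, remote host, remote port, proto)


class ScanSuppressor:
    def __init__(self, cell_hosts: Set[str], params: Optional[Params] = None):
        self.cell = cell_hosts                # the cell is "outside" in the slides' terms
        self.p = params or Params()
        self.conns: Dict[ConnKey, Conn] = {}  # connection cache
        self.counts: Dict[str, int] = {}      # address cache: misses minus hits
        self.blocked: Set[str] = set()
        self.next_decay: Optional[float] = None
        self.next_purge: Optional[float] = None

    def _housekeeping(self, now: float) -> None:
        if self.next_decay is None:  # first packet: schedule the background work
            self.next_decay, self.next_purge = now + self.p.Dmiss, now + 60.0
        while now >= self.next_decay:  # decay: one decrement per Dmiss, floored at Cmin
            for host in self.counts:
                self.counts[host] = max(self.p.Cmin, self.counts[host] - 1)
            self.next_decay += self.p.Dmiss
        while now >= self.next_purge:  # purge connections idle longer than Dconn
            for key in [k for k, c in self.conns.items() if now - c.last_seen > self.p.Dconn]:
                del self.conns[key]
            self.next_purge += 60.0

    def packet(self, now: float, src: str, dst: str, sport: int, dport: int,
               proto: str = "tcp") -> str:
        """Process one packet and return "forward" or "drop"."""
        self._housekeeping(now)
        if src in self.cell:  # an attempt leaving the cell
            if src in self.blocked:
                return "drop"
            key = (src, dst, dport, proto)
            conn = self.conns.get(key)
            if conn is None:  # new connection: provisionally a miss until answered
                self.conns[key] = Conn(last_seen=now)
                count = min(self.p.Cmax, self.counts.get(src, 0) + 1)
                self.counts[src] = count
                if count >= self.p.T:
                    self.blocked.add(src)  # later packets from src are dropped
            else:
                conn.last_seen = now
            return "forward"
        if dst in self.cell:  # traffic coming back into the cell
            conn = self.conns.get((dst, src, sport, proto))
            if conn is not None:
                conn.last_seen = now
                if not conn.replied:  # success: undo the miss and credit a hit
                    conn.replied = True
                    self.counts[dst] = max(self.p.Cmin, self.counts[dst] - 2)
            return "forward"
        return "forward"  # traffic that never touches this cell


def run_demo() -> Dict[str, object]:
    """Constructed trace: a benign host, a horizontal scan, a vertical scan and a
    slow host whose misses decay before they reach T."""
    s = ScanSuppressor({"10.0.1.5", "10.0.1.77", "10.0.1.78", "10.0.1.9"})
    t = 0.0
    for i in range(4):  # benign: four connections, each answered by the server
        t += 1.0
        s.packet(t, "10.0.1.5", f"10.0.2.{10 + i}", 40000 + i, 80)
        s.packet(t + 0.1, f"10.0.2.{10 + i}", "10.0.1.5", 80, 40000 + i)
    benign_count = s.counts["10.0.1.5"]
    horizontal: List[str] = []  # same port, many hosts, no replies
    for i in range(8):
        t += 1.0
        horizontal.append(s.packet(t, "10.0.1.77", f"10.0.3.{i}", 50000 + i, 445))
    vertical: List[str] = []  # one host, many ports, no replies
    for port in range(20, 28):
        t += 1.0
        vertical.append(s.packet(t, "10.0.1.78", "10.0.2.50", 51000 + port, port))
    for i in range(3):  # slow host: three misses, then three Dmiss periods of silence
        t += 1.0
        s.packet(t, "10.0.1.9", f"10.0.4.{i}", 52000 + i, 22)
    slow_before = s.counts["10.0.1.9"]
    t += 3 * s.p.Dmiss
    s.packet(t, "10.0.1.9", "10.0.4.99", 52099, 22)
    return {
        "benign_count": benign_count,                # four successes, no failures
        "horizontal": horizontal,                    # forwarded until T misses, then dropped
        "vertical": vertical,
        "slow_before_decay": slow_before,
        "slow_after_decay": s.counts["10.0.1.9"],    # decayed to zero, plus one new miss
        "blocked": sorted(s.blocked),
    }
```

The trace makes the tuning visible: the benign host ends with a negative count because each answered connection first adds a miss and then removes two, both scanners are blocked on their fifth unanswered attempt (T = 5) and dropped thereafter, and the host that makes three failed attempts then stays quiet for three Dmiss periods is back to zero before its next attempt, which is the behaviour the sustained scanning threshold slide describes. Cmin bounds how much credit a long benign history can bank, so a host cannot earn unlimited headroom for later failures.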
Evaluation

For a 6000-host enterprise trace:
- 1 MB connection cache and 4 MB 4-way address cache, 5 MB total
- At most 4 memory accesses per packet
- Operated at gigabit line speed
- Detects scanning at rates over 1 per minute
- Low false positive rate
- About 20% false negative rate
- Detects scanning after 10-30 attempts

Cooperation

- Divide the enterprise into small cells.
- Connect all cells via a low-latency channel.
- A cell's detector notifies the others when it blocks an address (a "kill message").
- The blocking threshold dynamically adapts to the number of blocks in the enterprise:
  - T' = T(1 - θ)^X, for very small θ, where X is the number of blocks so far
  - Changing θ does not change the epidemic threshold, but reduces the infection density.

Cooperation – Effect of θ

[Figure: plot of the effect of θ; not captured in the transcript.]

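To make the adaptive threshold concrete, the following Python is an added toy model of cooperating cell detectors (not the authors' code). Each cell only counts failed attempts per local address, the "kill message" is modelled as an immediate broadcast over the low-latency channel, and T = 10 and θ = 0.05 are constructed values chosen for illustration.

```python
"""Toy model of cooperating cells with the adaptive block threshold
T' = T(1 - θ)^X, where X is the number of blocks so far in the enterprise.
Illustrative only; T and θ values below are constructed."""
from typing import Dict, List, Set


class Enterprise:
    def __init__(self, T: int, theta: float):
        self.T, self.theta = T, theta
        self.blocks = 0                 # X: addresses blocked anywhere so far
        self.cells: List["Cell"] = []

    def threshold(self) -> float:
        # T' = T(1 - θ)^X: each block, wherever it happens, lowers every cell's bar.
        return self.T * (1.0 - self.theta) ** self.blocks

    def kill(self, addr: str) -> None:
        # Kill message over the low-latency channel: all cells drop the address.
        self.blocks += 1
        for cell in self.cells:
            cell.blocked.add(addr)


class Cell:
    def __init__(self, ent: Enterprise, name: str):
        self.ent, self.name = ent, name
        self.misses: Dict[str, int] = {}
        self.blocked: Set[str] = set()
        ent.cells.append(self)

    def failed_attempt(self, addr: str) -> bool:
        """Record one failed connection attempt; True once addr is blocked."""
        if addr in self.blocked:
            return True
        self.misses[addr] = self.misses.get(addr, 0) + 1
        if self.misses[addr] >= self.ent.threshold():
            self.ent.kill(addr)
            return True
        return False


def attempts_until_blocked(theta: float, T: int = 10, n_cells: int = 6) -> List[int]:
    """One infected host per cell, appearing one after another: how many failed
    attempts does each get before its own cell blocks it?"""
    ent = Enterprise(T, theta)
    cells = [Cell(ent, f"cell{i}") for i in range(n_cells)]
    result = []
    for i, cell in enumerate(cells):
        scanner = f"10.{i}.0.99"  # constructed address of the infected host
        attempts = 0
        while not cell.failed_attempt(scanner):
            attempts += 1
        result.append(attempts + 1)  # count the attempt that triggered the block
    return result


def kill_message_propagates(T: int = 10) -> bool:
    """After cell0 blocks an address, every other cell refuses it on first contact."""
    ent = Enterprise(T, 0.05)
    cells = [Cell(ent, f"cell{i}") for i in range(3)]
    for _ in range(T):
        cells[0].failed_attempt("10.0.0.99")
    return all("10.0.0.99" in c.blocked for c in cells) and cells[2].failed_attempt("10.0.0.99")
```

With θ = 0.05 the successive infected hosts are blocked after 10, 10, 10, 9, 9 and 8 failed attempts: the enterprise gets stricter as evidence of an outbreak accumulates, which is how cooperation lowers infection density without changing the per-cell starting threshold. With θ = 0 every host gets the full T attempts. The same feedback is what the "cooperative collapse" slide warns about: if the blocks that drive X are false positives, the lowered thresholds produce more of them.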
Attacking worm containment

False positives
- Forge packets (though this does not prevent inside systems from initiating connections).

False negatives
- Use a non-scanning technique (topological, meta-server, passive, hit-list).
- Scan under the detection threshold.
- Use a white-listed port to test for liveness before scanning.

Attacking Cooperation

- Attempt to outrace containment if the threshold is permissive.
- Flood the cooperation channels.
- Cooperative collapse:
  - False positives cause lowered thresholds.
  - Lowered thresholds cause more false positives.
  - The feedback causes a collapse of the network.

Attacking Worm Containment

Detecting containment
- Try to contact already infected hosts.
- Go stealthy if containment is detected.

Circumventing containment
- Embed the scan in a storm of spoofed packets.
- Two-sided evasion:
  - Inside and outside hosts initiate normal connections to counter the penalty of scanning.
  - The algorithm can be modified to prevent this, but at the cost of vertical scan detection.

Conclusion

- Developed containment algorithms suitable for deployment in high-speed, low-cost network hardware.
- Devised mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.