Very Fast Containment of Scanning Worms
By: Artur Zak
Modified by: David Allen
Paper by: Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI)
1
Abstract
- Worms: malicious, self-propagating programs.
- They represent a threat to large networks.
- Containment is one form of defense: limit a worm's spread by isolating it in a small subsection of the network.
2
Scanning Worms
- Operate by picking a "random" address and attempting to infect that machine.
  - Blaster: linear scanning
  - Code Red: fully random
  - Code Red II & Nimda: bias toward local addresses
- Worms will find small holes in firewalls and routers.
- Complete infection of the local network can follow from a single original source.
3
Scanning Worms
- Common properties of scanning worms:
  - Most scanning attempts result in failure.
  - Infected machines institute many connection attempts.
- Containment looks for a class of behavior rather than a specific worm signature.
  - Able to stop new worms.
4
Worm Containment
- Must be automated.
  - (virus throttling)
  - Worms propagate more rapidly than human response.
- Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.
- "Defense in depth": used in addition to other network protection mechanisms.
5
Mechanism Requirements
- Break the network into many cells.
  - Within each cell a worm can spread unimpeded.
  - Between cells, containment limits infections by blocking outgoing connections from infected cells.
  - Works best with small cells.
- Must have a very low false positive rate.
  - Blocking suspicious machines or ports can cause a DoS if the false positive rate is high.
6
Epidemic Threshold
- A worm-suppression device must necessarily allow some scanning before it triggers a response.
  - The worm may find a victim during that time.
  - An epidemic occurs if each infection results in a single child.
  - An exponential epidemic occurs if each infection results in more than one child.
7
Epidemic Threshold
- The epidemic threshold depends on:
  - The sensitivity of the containment response devices.
  - The density of vulnerable machines on the network.
  - The degree to which the worm is able to target its efforts into the correct network, and even into the current cell.
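A one-line formalization of the threshold, added here and not taken from the slides; the symbols $T$ and $v_{\text{eff}}$ are assumptions chosen to match the three factors listed above:

$$
R = T \cdot v_{\text{eff}}, \qquad v_{\text{eff}} = \frac{\text{vulnerable hosts among the addresses the worm scans}}{\text{addresses the worm scans}}
$$

Here $T$ is the number of scans the containment device tolerates before it blocks an infected host (its sensitivity), and $v_{\text{eff}}$ is the vulnerable density of the address space the worm actually targets, which rises when the worm biases its scans toward the local network or the current cell. $R$ is then the expected number of children per infection: $R < 1$ means containment holds, $R = 1$ (equivalently $T = 1/v_{\text{eff}}$) is the epidemic threshold, and $R > 1$ is the exponential epidemic of the previous slide.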
8
Sustained Scanning Threshold
- If the worm scans slower than the sustained scanning threshold, the detector will not trigger.
  - Vital to achieve as low a sustained scanning threshold as possible.
  - For this implementation the threshold is set to 1 scan per minute.
  - Other methods are often no better than 1 per second.
9
Scan Suppression
- Portscans have two basic types:
  - Horizontal: search for an identical service on a large number of machines.
  - Vertical: examine an individual machine to discover its running services.
- Scan Suppression: responding to detected portscans by blocking future scanning attempts.
10
Implementation
- Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection.
  - TRW operates by using an oracle to determine whether a connection will fail or succeed.
  - Walk down for a good connection.
  - Walk up for a failed connection.
  - Threshold set on the deviation.
11
Implementation
- Implementation is easier than TRW.
  - Suitable for both hardware and software implementation.
  - The simplified algorithm causes an increased false negative rate.
  - No change in the false positive rate.
12
Hardware Implementation
- Constraints:
  - Must be very fast to keep up with high packet rates.
  - Memory access speed.
    - During transmission of a minimum-sized gigabit Ethernet packet, need to access DRAM at 8 different locations (4 accesses for full duplex).
    - SRAM can be used to solve the problem, but is more expensive.
13
Hardware Implementation
- Approximate cache: a cache for which collisions cause imperfections.
- Indexing into the cache is done with a 32-bit block cipher and a secret key.
  - Helps protect against collision attacks.
  - Collisions will only result in false negatives.
14
Connection Cache
- IPs hashed with port to create the index.
- Aliasing results in combination.
- Age is incremented each minute.
- Age is zeroed each time a packet is seen.
- Old entries are removed (10 min).
15
Address Cache Lookup
- External IP encrypted to create the index and tag.
- Each index may reference four entries.
- Counter tracks the difference between misses and hits.
- When necessary, the most negative entries are evicted.
16
Address Cache Lookup
- Assumption is that legitimate traffic succeeds more often than scanning traffic.
- A threshold is used to block traffic:
  - 10 internal
  - 5 internal
  - Hard limit on negative counts (-20).
  - Positive counts are decayed over time (1 min).
17
Results
- Attacks are detected after only 10 scans.
- Blocking:
  - New connections are blocked.
  - Currently established connections are allowed.
- The system accurately detected real attacks.
- False positives on DNS and SMTP servers due to fan-out; these need to be white-listed.
- Tighter thresholds had more false positives, but only for odd traffic.
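The miss-minus-hit counter from the Address Cache Lookup and Results slides, written out as an added example (not code from the slides or from the paper's hardware design). It assumes a plain dictionary in place of the encrypted four-way address cache, a threshold of 10, a floor of -20, and a decay of one count per minute; the traffic in `demo()` is constructed, and the fan-out of the mail relay shows why such servers drift negative while a scanner climbs to the block threshold.

```python
from dataclasses import dataclass, field

BLOCK_THRESHOLD = 10   # slide: attacks detected after 10 scans
NEGATIVE_FLOOR = -20   # slide: hard limit on negative counts
DECAY_PER_MINUTE = 1   # assumption: positive counts decay by 1 per minute

@dataclass
class ScanSuppressor:
    """Miss-minus-hit counter per internal source, in the simplified TRW style."""
    counts: dict = field(default_factory=dict)       # stands in for the address cache
    blocked: set = field(default_factory=set)
    established: set = field(default_factory=set)    # (src, dst, port) flows that succeeded

    def observe(self, src, dst, port, succeeded):
        """Oracle verdict for one connection attempt: walk up on a miss, down on a hit."""
        count = self.counts.get(src, 0) + (-1 if succeeded else 1)
        count = max(count, NEGATIVE_FLOOR)            # a chatty server cannot bank unlimited credit
        self.counts[src] = count
        if succeeded:
            self.established.add((src, dst, port))
        if count >= BLOCK_THRESHOLD:
            self.blocked.add(src)
        return src in self.blocked

    def tick_minute(self):
        """Periodic decay of positive counts so an old burst of misses is forgotten."""
        for src, count in self.counts.items():
            if count > 0:
                self.counts[src] = max(0, count - DECAY_PER_MINUTE)

    def allow(self, src, dst, port):
        """New connections from a blocked host are dropped; established flows keep working."""
        return src not in self.blocked or (src, dst, port) in self.established

def demo():
    """Constructed traffic: a mail relay with fan-out (3 hits per miss) and a scanner."""
    s = ScanSuppressor()
    for i in range(30):
        s.observe("10.0.0.5", f"192.0.2.{i}", 25, succeeded=(i % 4 != 0))
    s.tick_minute()
    for i in range(10):
        s.observe("10.0.0.9", f"198.51.100.{i}", 445, succeeded=False)
    return s

if __name__ == "__main__":
    s = demo()
    print("blocked:", sorted(s.blocked), "mail relay count:", s.counts["10.0.0.5"])
```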
18
Attacking the Containment
- Malicious false negative: the worm slips by even though containment is active.
  - Scan at a rate slower than the sustained scanning threshold.
    - With the threshold set to 1 per minute, growth will be very slow.
  - Scans to white-listed hosts can be used for liveness testing before the attack begins.
  - Offset misses by making valid connections.
19
Attacking the Containment
- Malicious false positive:
  - A false positive creates a DoS target.
  - Forged packets can be a problem and must be prevented in the network.
  - A web page or HTML-formatted email could initiate multiple connections to nonexistent addresses.
20
Cooperation
- Containment systems can cooperate to reduce thresholds during an attack.
- Communication between systems must be efficient to stay ahead of the spread.
- Must be done carefully to avoid cooperative collapse: a cascade in sensitivity increase.
21