Lecture 17: Internet Outbreaks
CSE 120: Principles of Operating Systems
Alex C. Snoeren
HW 4 Due NOW
CSE 120 – Lecture 17: Internet Outbreaks

Slide 2: Paradise Lost
CCIED's Goal: Develop the understanding and technology to address large-scale subversion of Internet hosts

Slide 3: Threat Transformation
• Traditional threats
  ◆ Attacker manually targets high-value system/resource
  ◆ Defender increases cost to compromise high-value systems
  ◆ Biggest threat: insider attacker
• Modern threats
  ◆ Attacker uses automation to target all systems at once (can filter later)
  ◆ Defender must defend all systems at once
  ◆ Biggest threats: software vulnerabilities & naïve users

Slide 4: Large-Scale Enablers
• Unrestricted high-performance connectivity
  ◆ Large-scale adoption of IP model for networks & apps
  ◆ Internet is high-bandwidth, low-latency
  ◆ The Internet succeeded!
• Software homogeneity & user naiveté
  ◆ Single bug → mass vulnerability in millions of hosts
  ◆ Trusting users ("ok") → mass vulnerability in millions of hosts
• Lack of meaningful deterrence
  ◆ Little forensic attribution/audit capability
• Effective anonymity
  ◆ No deterrence, minimal risk

Slide 5: Driving Economic Forces
• Emergence of profit-making payloads
  ◆ Spam forwarding (MyDoom.A backdoor, SoBig), credit card theft (Korgo), DDoS extortion, (many) etc.
  ◆ "Virtuous" economic cycle transforms nature of threat
• Commoditization of compromised hosts
  ◆ Fluid third-party exchange market (millions)
    » Going rate for spam proxying: 3-10 cents/host/week. Seems small, but a 25k botnet gets you $40k-130k/yr
    » Raw bots: $.01+/host; special orders ($50+)
  ◆ Hosts effectively becoming a criminal platform
• Innovation in both host substrate and its uses
  ◆ Sophisticated infection and command/control networks
  ◆ DDoS, SPAM, piracy, phishing, identity theft are all applications

Slide 6: Botnet Spammer Rental Rates
Postings quoted on the slide (September 2004 postings to SpecialHam.com, Spamforum.biz), each annotated with the implied per-bot rate:

> 20-30k always online SOCKs4, url is de-duped and updated every
> 10 minutes. 900/weekly, Samples will be sent on request.
> Monthly payments arranged at discount prices.
(3.6 cents per bot week)

> $350.00/weekly - $1,000/monthly (USD)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes
(6 cents per bot week)

> $220.00/weekly - $800.00/monthly (USD)
> Always Online: 9,000 - 10,000
> Updated every: 5 minutes
(2.5 cents per bot week)

Slide 7: Why Worms?
• All of these "applications" depend on automated mechanisms for subverting large numbers of hosts
• Self-propagating programs continue to be the most effective mechanism for host subversion
• Preventing automated subversion would severely undermine phishing, DDoS, extortion, etc.
• Our goal: Develop the understanding and technology to address large-scale subversion of Internet hosts

Slide 8: Today
• Worm outbreaks
  ◆ What are we up against?
• Framing the worm problem... and solutions
  ◆ What can we do?
• Potemkin: Large-scale high-fidelity honeyfarm
  ◆ Fundamental basis for understanding of and defense against large-scale Internet attacks

Slide 9: How to detect new outbreaks?
• Both defense and deterrence are predicated on getting good intelligence
  ◆ Need to detect, characterize and analyze new malware threats
  ◆ Need to do it quickly across a very large number of events
• Classes of monitors
  ◆ Network-based
  ◆ Endpoint-based
• Monitoring environments
  ◆ In-situ: real activity as it happens
    » Network/host IDS
  ◆ Ex-situ: "canary in the coal mine"
    » HoneyNets/Honeypots

Slide 10: Network Telescopes
• Idea: Unsolicited packets → evidence of global phenomena
  ◆ Backscatter: response packets sent by victims provide insight into global prevalence of DoS attacks (and who is getting attacked)
  ◆ Scans: request packets can indicate an infection attempt from a worm (and who is currently infected, growth rate, etc.)
• Very scalable: CCIED Telescope monitors 17M+ IP addresses (> 1% of all routable addresses of the Internet)

Slide 11: Worm Outbreaks
• CodeRed worm released in July 2001
  ◆ Exploited buffer overflow in Microsoft IIS
  ◆ Infects 360,000 hosts in 14 hours (CRv2)
    » Propagation is limited by latency of TCP handshake
Moore et al., CodeRed: a Case Study on the Spread of an Internet Worm, IMW 2002, and Staniford et al., How to 0wn the Internet in Your Spare Time, USENIX Security 2002

Slide 12: Fast Worms
• Slammer/Sapphire released in January 2003
  ◆ First ~1 min behaves like classic scanning worm
    » Doubling time of ~8.5 seconds
  ◆ >1 min: worm saturates access bandwidth
    » Some hosts issue > 20,000 scans/sec
    » Self-interfering
  ◆ Peaks at ~3 min
    » >55 million IP scans/sec
  ◆ 90% of Internet scanned in <10 mins
Moore et al., The Spread of the Sapphire/Slammer Worm, IEEE Security & Privacy, 1(4), 2003

Slide 13: Understanding Worms
• Worms are well modeled as infectious epidemics
  ◆ Homogeneous random contacts
• Classic SI model
  ◆ N: population size
  ◆ S(t): susceptible hosts at time t
  ◆ I(t): infected hosts at time t
  ◆ β: contact rate
  ◆ i(t) = I(t)/N, s(t) = S(t)/N

  $$ i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}} $$

  (T fixes the time position of the outbreak: at t = T half the population is infected)
Staniford, Paxson, Weaver, How to 0wn the Internet in Your Spare Time, USENIX Security 2002

Slide 14: What Can We Do?
1) Reduce number of susceptible hosts S(t)
  ◆ Prevention
2) Reduce number of infected hosts I(t)
  ◆ Treatment
3) Reduce the contact rate β
  ◆ Containment

Slide 15: Prevention
• Reduce # of susceptible hosts S(t)
• Software quality: eliminate vulnerability
  ◆ Static/dynamic testing [e.g., Cowan, Wagner, Engler]
  ◆ Active research community, taken seriously in industry
    » Security code review alone for Windows Server 2003 ~ $200M
  ◆ Traditional problems: soundness, completeness, usability
• Software updating: reduce window of
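The classification that the Network Telescopes slide describes (backscatter from DoS victims versus scans from infected hosts), worked through as an added example that is not part of the lecture or of CCIED's telescope software. The dark prefix 203.0.113.0/24, the packet records and the flag-based rules (TCP SYN-ACK/RST and ICMP reply or error packets count as backscatter; TCP SYN and UDP datagrams to a dark address count as scans) are all constructed assumptions. It goes a little beyond the slide by also bucketing newly seen scanners per time window, which is the raw material for the growth-rate estimate the slide mentions.

```python
"""Added example (not from the lecture): classify unsolicited packets arriving
at a network telescope, an unused but monitored address range, into
backscatter (a DoS victim answering packets that carried a spoofed source in
our range) and scans (a host probing our range, typically an infected one).
The telescope prefix and every packet record below are constructed."""
import ipaddress
from collections import Counter

# Constructed dark prefix standing in for the telescope's unused address space.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

# Constructed packet records: (timestamp_s, src, dst, proto, tcp_flags_or_icmp_type).
SAMPLE_PACKETS = [
    (0.0,  "198.51.100.7",  "203.0.113.5",   "tcp",  "SYN"),
    (1.0,  "198.51.100.7",  "203.0.113.9",   "tcp",  "SYN"),
    (2.0,  "192.0.2.30",    "203.0.113.77",  "tcp",  "SYN-ACK"),
    (2.5,  "192.0.2.30",    "203.0.113.78",  "tcp",  "SYN-ACK"),
    (3.0,  "192.0.2.30",    "203.0.113.80",  "tcp",  "RST"),
    (12.0, "198.51.100.8",  "203.0.113.12",  "tcp",  "SYN"),
    (13.0, "198.51.100.9",  "203.0.113.13",  "udp",  ""),
    (14.0, "192.0.2.40",    "203.0.113.200", "icmp", "echo-reply"),
    (15.0, "192.0.2.40",    "198.51.100.1",  "icmp", "echo-reply"),  # not in our range
    (25.0, "198.51.100.7",  "203.0.113.250", "tcp",  "SYN"),
    (26.0, "198.51.100.10", "203.0.113.251", "tcp",  "SYN"),
]

# Packet kinds a host only sends in reply: seeing them at a dark address means
# someone sent that host a packet whose source was spoofed into our range.
BACKSCATTER_TCP = {"SYN-ACK", "RST", "RST-ACK"}
BACKSCATTER_ICMP = {"echo-reply", "dest-unreach", "ttl-exceeded"}


def classify(pkt):
    """Return 'backscatter', 'scan' or 'other' for one packet record."""
    _ts, _src, dst, proto, info = pkt
    if ipaddress.ip_address(dst) not in TELESCOPE:
        return "other"      # not addressed to the dark range, so not unsolicited by construction
    if proto == "tcp":
        if info in BACKSCATTER_TCP:
            return "backscatter"
        if info == "SYN":
            return "scan"   # connection attempt to an address nobody uses
    if proto == "icmp" and info in BACKSCATTER_ICMP:
        return "backscatter"
    if proto == "udp":
        return "scan"       # unsolicited datagram to a dark address (a single-packet worm probe looks like this)
    return "other"


def summarize(packets, window_s=10.0):
    """Aggregate a packet list into DoS victims, scanning hosts and the number
    of newly seen scanners per time window (the input for a growth-rate estimate)."""
    victims = Counter()     # backscatter source -> packets seen
    scanners = Counter()    # scan source -> probes seen
    first_seen = {}         # scan source -> first timestamp
    for pkt in sorted(packets):
        kind = classify(pkt)
        if kind == "backscatter":
            victims[pkt[1]] += 1
        elif kind == "scan":
            scanners[pkt[1]] += 1
            first_seen.setdefault(pkt[1], pkt[0])
    new_per_window = Counter(int(t // window_s) for t in first_seen.values())
    return {
        "victims": dict(victims),
        "scanners": dict(scanners),
        "new_scanners_per_window": dict(sorted(new_per_window.items())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

The rules deliberately depend only on fields a passive monitor sees (destination, protocol, flags), which is why a telescope scales to millions of addresses: no state per flow is needed, and the per-window count of never-before-seen scanning sources is what turns raw probes into the infection growth curve.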
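The SI model from the Understanding Worms slide and the three levers of the What Can We Do? slide, carried through in code as an added example (not material from the lecture or from Staniford et al.). It assumes the closed form with T as the time at which half the population is infected, and it adds a forward-Euler simulation whose parameters map onto prevention (a rate at which susceptibles are patched), treatment (a rate at which infected hosts are cleaned) and containment (a factor scaling β). The population size is constructed; the 8.5 s doubling time is the Slammer figure from the Fast Worms slide, used here only to derive β, and the model says nothing about the bandwidth saturation that slide describes once the worm is self-interfering.

```python
"""Added example (not from the lecture): the classic SI epidemic model used
for worms, in closed form and as a step-by-step simulation, with the three
defensive levers of the 'What Can We Do?' slide as parameters. All numbers
below are constructed for illustration, not measurements."""
import math


def si_closed_form(t, beta, T):
    """i(t) = e^{beta (t-T)} / (1 + e^{beta (t-T)}): infected fraction at time t,
    where T is the instant at which half the population is infected."""
    x = beta * (t - T)
    if x >= 0:                  # evaluate the logistic without overflow
        return 1.0 / (1.0 + math.exp(-x))
    ex = math.exp(x)
    return ex / (1.0 + ex)


def beta_from_doubling_time(doubling_seconds):
    """Early in an outbreak i(t) grows like e^{beta t}, so beta = ln 2 / doubling time."""
    return math.log(2.0) / doubling_seconds


def half_time_from_initial(i0, beta):
    """T such that i(0) == i0, by inverting the closed form at t = 0."""
    return math.log((1.0 - i0) / i0) / beta


def time_to_reach(fraction, beta, T):
    """Time at which the closed-form i(t) equals the given fraction."""
    return T + math.log(fraction / (1.0 - fraction)) / beta


def simulate_si(n, initial_infected, beta, dt, t_end,
                contain_factor=1.0, patch_rate=0.0, cure_rate=0.0):
    """Forward-Euler integration of
         dS/dt = -b S I / N - patch_rate * S     (prevention removes susceptibles)
         dI/dt =  b S I / N - cure_rate * I      (treatment removes infected hosts)
       with b = beta * contain_factor            (containment lowers the contact rate).
       Returns a list of (t, S, I) samples."""
    b = beta * contain_factor
    S, I = float(n - initial_infected), float(initial_infected)
    trace = [(0.0, S, I)]
    steps = int(round(t_end / dt))
    for k in range(1, steps + 1):
        new_inf = min(b * S * I / n * dt, S)        # never infect more than remain susceptible
        patched = min(patch_rate * S * dt, S - new_inf)
        cured = min(cure_rate * I * dt, I)
        S = S - new_inf - patched
        I = I + new_inf - cured
        trace.append((k * dt, S, I))
    return trace


def fraction_at(trace, n, t):
    """Infected fraction from the sample closest to time t."""
    _, _, I = min(trace, key=lambda row: abs(row[0] - t))
    return I / n


def peak_infected(trace):
    """Largest number of simultaneously infected hosts in a trace."""
    return max(I for _, _, I in trace)


if __name__ == "__main__":
    n, beta = 10_000, beta_from_doubling_time(8.5)   # constructed population; 8.5 s from the Slammer slide
    T = half_time_from_initial(1.0 / n, beta)
    print(f"closed form: half infected at t={T:.1f}s, 90% at t={time_to_reach(0.9, beta, T):.1f}s")
    base = simulate_si(n, 1, beta, 0.1, 300.0)
    contained = simulate_si(n, 1, beta, 0.1, 300.0, contain_factor=0.25)
    patched = simulate_si(n, 1, beta, 0.1, 300.0, patch_rate=0.02)
    print(f"peak infected: {peak_infected(base):.0f} unmitigated, "
          f"{peak_infected(contained):.0f} with beta/4, {peak_infected(patched):.0f} with patching")
```

The three runs make the slide's point concrete: with a doubling time of seconds, the unmitigated curve saturates the whole population within the run, while cutting the contact rate or removing susceptibles faster than the worm finds them keeps the infected count small. Because the per-step error of Euler integration accumulates over a fast exponential phase, the simulated curve lags the closed form slightly; the model is for reasoning about defenses, not for forecasting to the second.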