Lecture 17: Internet Outbreaks
CSE 120: Principles of Operating Systems
Alex C. Snoeren
HW 4 due now

Paradise Lost
- CCIED's (Collaborative Center for Internet Epidemiology and Defenses) goal: develop the understanding and technology to address large-scale subversion of Internet hosts

Threat Transformation
- Traditional threats
  - Attacker manually targets a high-value system/resource
  - Defender increases the cost to compromise high-value systems
  - Biggest threat: insider attacker
- Modern threats
  - Attacker uses automation to target all systems at once (can filter later)
  - Defender must defend all systems at once
  - Biggest threats: software vulnerabilities & naïve users

Large-Scale Enablers
- Unrestricted high-performance connectivity
  - Large-scale adoption of the IP model for networks & apps
  - Internet is high-bandwidth, low-latency
  - The Internet succeeded!
- Software homogeneity & user naiveté
  - Single bug → mass vulnerability in millions of hosts
  - Trusting users ("ok") → mass vulnerability in millions of hosts
- Lack of meaningful deterrence
  - Little forensic attribution/audit capability
  - Effective anonymity
  - No deterrence → minimal risk

Driving Economic Forces
- Emergence of profit-making payloads
  - Spam forwarding (MyDoom.A backdoor, SoBig), credit card theft (Korgo), DDoS extortion (many), etc.
  - Virtuous economic cycle transforms the nature of the threat
- Commoditization of compromised hosts
  - Fluid third-party exchange market (millions)
  - Going rate for spam proxying: 3-10 cents/host/week
  - Seems small, but a 25k botnet gets you $40k-$130k/yr
  - Raw bots $0.01/host, special orders $50
- Hosts effectively becoming a criminal platform
  - Innovation in both the host substrate and its uses
  - Sophisticated infection and command/control networks
  - DDoS, spam, piracy, phishing, identity theft are all "applications"

Botnet Spammer Rental Rates (September 2004 postings to SpecialHam.com, Spamforum.biz)
- ">20-30k always online SOCKs4, url is de-duped and updated every 10 minutes. 900/weekly. Samples will be sent on request. Monthly payments arranged at discount prices." → 3.6 cents per bot/week
- "$350.00/weekly - $1,000/monthly (USD). Always Online: 5,000 - 6,000. Updated every: 10 minutes." → 6 cents per bot/week
- "$220.00/weekly - $800.00/monthly (USD). Always Online: 9,000 - 10,000. Updated every: 5 minutes." → 2.5 cents per bot/week

Why Worms?
- All of these applications depend on automated mechanisms for subverting large numbers of hosts
- Self-propagating programs continue to be the most effective mechanism for host subversion
- Prevent automated subversion → severely undermine phishing, DDoS extortion, etc.
- Our goal: develop the understanding and technology to address large-scale subversion of Internet hosts

Today
- Worm outbreaks: framing the worm problem and solutions
  - What are we up against?
  - What can we do?
- Potemkin: large-scale, high-fidelity honeyfarm
  - Fundamental basis for understanding of, and defense against, large-scale Internet attacks

How to Detect New Outbreaks?
- Both defense and deterrence are predicated on getting good intelligence
  - Need to detect, characterize and analyze new malware threats
  - Need to do it quickly, across a very large number of events
- Classes of monitors
  - Network-based
  - Endpoint-based
- Monitoring environments
  - In situ (real activity as it happens): network/host IDS
  - Ex situ ("canary in the coal mine"): honeynets/honeypots

Network Telescopes
- Idea: unsolicited packets are evidence of global phenomena
  - Backscatter: response packets sent by victims provide insight into the global prevalence of DoS attacks (and who is getting attacked)
  - Scans: request packets can indicate an infection attempt from a worm (and who is currently infected, growth rate, etc.)
- Very scalable: the CCIED telescope monitors 17M+ IP addresses (~1% of all routable addresses on the Internet)

Worm Outbreaks
- CodeRed worm released in July 2001
  - Exploited a buffer overflow in Microsoft IIS
  - Infects 360,000 hosts in 14 hours (CRv2)
  - Propagation is limited by the latency of the TCP handshake
- Moore et al., "CodeRed: a Case Study on the Spread of an Internet Worm", IMW 2002; Staniford et al., "How to 0wn the Internet in Your Spare Time", USENIX Security 2002

Fast Worms
- Slammer/Sapphire released in January 2003
- First ~1 min behaves like a classic scanning worm: doubling time of 8.5 seconds
- After ~1 min the worm saturates access bandwidth
  - Some hosts issue >20,000 scans/sec
  - Self-interfering
- Peaks at ~3 min: 55 million IP scans/sec
- 90% of the Internet scanned within 10 mins
- Moore et al., "The Spread of the Sapphire/Slammer Worm", IEEE Security & Privacy 1(4), 2003

Understanding Worms
- Worms are well modeled as infectious epidemics (homogeneous random contacts)
- Classic SI model
  - N: population size
  - S(t): susceptible hosts at time t
  - I(t): infected hosts at time t
  - β: contact rate
  - Normalized fractions i(t) = I(t)/N and s(t) = S(t)/N, with s(t) = 1 − i(t)
  - Each infected host converts susceptibles at rate β s(t), so the SI rate equation is $\frac{di}{dt} = \beta\, i(t)\,(1 - i(t))$
  - Solution: $i(t) = \frac{e^{\beta(t-T)}}{1 + e^{\beta(t-T)}}$, where T is the time at which i(T) = 1/2
- Staniford, Paxson, Weaver, "How to 0wn the Internet in Your Spare Time", USENIX Security 2002

What Can We Do?
1. Reduce the number of susceptible hosts S(t) → Prevention
2. Reduce the number of infected hosts I(t) → Treatment
3. Reduce the contact rate β → Containment

Prevention: Reduce # of Susceptible Hosts S(t)
- Software quality: eliminate the vulnerability
  - Static/dynamic testing (e.g., Cowan, Wagner, Engler, ...)
  - Traditional problems: soundness, completeness, usability
  - Active research community, taken seriously in industry
  - Security code review alone for Windows Server 2003: $200M
- Software updating: reduce the window of vulnerability
  - Most worms exploit a known vulnerability (patch-to-worm window of 10 days to 6 months)
  - Sapphire: vulnerability patch July 2002, worm January 2003
  - Some activity (Shield [Wang04]), yet a critical problem
  - Is finding security holes a good idea? [Rescorla04]
- Software heterogeneity: reduce the impact of a vulnerability
  - Artificial heterogeneity [Forrest02]
  - Exploit existing heterogeneity [Junqueira05]

Treatment: Reduce # of Infected Hosts I(t)
- Disinfection: remove the worm from infected hosts
  - Develop a specialized "vaccine" in real time
  - Distribute it at a competitive rate
- Counter-worm (anti-worm): Code Green, CRclean, Worm vs. Worm [Castaneda04]
  - Exploit vulnerability, patch host, propagate
  - Seems tough: legal issues of using exploits even if well intentioned; propagation race problem
- Automatically patch the vulnerability [Keromytis03, Sidiroglou05]
  - Auto-generate and test patches in a sandbox
  - Apply within the administration domain
  - Requires source
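Added example (not code from the lecture or from CCIED) of the classification the Network Telescopes slide above implies: every packet addressed to dark space is either a probe (a scan, such as a worm looking for victims) or backscatter (a victim answering a packet that someone forged with one of the telescope's addresses as source). The telescope prefix (a hypothetical /8), the packet records, the port choices and the two-second window are constructed for illustration; the extrapolation step assumes, as backscatter analysis does, that the attacker spoofs sources uniformly over the IPv4 space.

```python
"""Classifying what a network telescope sees (constructed example)."""
import ipaddress
from collections import Counter

# Hypothetical telescope: a /8, roughly the 16.7M addresses of a CCIED-sized telescope
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
TELESCOPE_FRACTION = TELESCOPE.num_addresses / 2**32   # share of IPv4 we can observe (1/256)

# Constructed records, not captured traffic: (time_s, src, dst, proto, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10",   "10.7.7.7",   "tcp", 80,   "S"),   # SYN to port 80: CodeRed-style probe
    (0.4, "192.0.2.10",   "10.9.1.2",   "tcp", 80,   "S"),   # same scanner, another random target
    (0.5, "198.51.100.3", "10.55.0.9",  "udp", 1434, ""),    # single UDP datagram: Slammer-style probe
    (1.0, "203.0.113.5",  "10.0.0.77",  "tcp", 80,   "S"),   # a third scanning host
    (1.1, "203.0.113.9",  "10.1.2.3",   "tcp", 1234, "SA"),  # SYN/ACK nobody asked for: victim of a spoofed SYN flood
    (1.2, "203.0.113.9",  "10.200.1.1", "tcp", 5555, "SA"),  # more replies from the same victim
    (1.3, "203.0.113.9",  "10.8.8.8",   "tcp", 5556, "RA"),  # RST/ACK from a closed port on the victim
    (1.5, "203.0.113.9",  "192.0.2.55", "tcp", 80,   "S"),   # not addressed to the telescope: not our business
]


def classify(pkt):
    """Label one packet 'scan', 'backscatter', 'other' or 'outside' (not sent to the telescope)."""
    _, _, dst, proto, _, flags = pkt
    if ipaddress.ip_address(dst) not in TELESCOPE:
        return "outside"
    if proto == "tcp":
        if flags == "S":                    # a bare SYN is a connection attempt: a probe
            return "scan"
        if flags in ("SA", "RA", "R"):      # replies to SYNs we never sent: backscatter
            return "backscatter"
        return "other"
    if proto == "udp":                      # no handshake: a datagram to dead space is a probe
        return "scan"
    return "other"


def summarize(packets):
    """Count classes, collect the distinct scanning sources, and count backscatter per victim."""
    classes = Counter()
    scanners = set()
    victims = Counter()
    for p in packets:
        label = classify(p)
        classes[label] += 1
        if label == "scan":
            scanners.add(p[1])
        elif label == "backscatter":
            victims[p[1]] += 1
    return classes, scanners, victims


def extrapolate_reply_rate(observed_packets, window_s, fraction=TELESCOPE_FRACTION):
    """Backscatter sampling: if spoofed sources are uniform over IPv4 the telescope sees only
    `fraction` of the victim's replies, so the victim's total reply rate is the observed rate
    scaled up by 1/fraction. Assumption of the method: attack tools that spoof from a narrow
    range (or do not spoof at all) violate it and the estimate is then meaningless."""
    return observed_packets / window_s / fraction


if __name__ == "__main__":
    classes, scanners, victims = summarize(SAMPLE_PACKETS)
    print(dict(classes))
    print("scanning sources:", sorted(scanners))
    for victim, n in victims.items():
        est = extrapolate_reply_rate(n, 2.0)
        print(f"{victim}: {n} backscatter pkts in 2 s -> ~{est:.0f} replies/s to the whole Internet")
```

The same source classified as "scan" by one SYN and "backscatter" by a later SYN/ACK would be the interesting case in practice (an infected host that is also being attacked); the counters above keep the two roles separate so that such a host shows up in both sets.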
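Worked example, added here and not part of the lecture, carrying the SI model from the Understanding Worms slide through with the slide's own symbols: β is recovered from Slammer's 8.5 s doubling time, T from the initial condition i(0) = 1/N, and the times to 50%, 90% and 99% infection follow by inverting the logistic. It also goes one step beyond the slide: for a uniform random scanner the contact rate is β = r·N/2^32 with r the per-host scan rate, and the last function integrates that scanning model step by step to check that it reproduces the closed form. The vulnerable population N = 75,000 and the IPv4 address space of 2^32 are assumptions for illustration, not figures from the slides.

```python
"""SI worm model with the lecture's symbols; N = 75,000 is an assumed population."""
import math

ADDR_SPACE = 2**32  # IPv4 addresses a uniform random scan can land on (assumption of the scanning model)


def logistic_fraction(t, beta, T):
    """Closed-form i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}), written so it never overflows."""
    x = beta * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def beta_from_doubling_time(doubling_s):
    """Early in an outbreak i << 1, so i(t) ~ e^{beta t} and the doubling time is ln 2 / beta."""
    return math.log(2.0) / doubling_s


def half_infection_time(n, beta, i0=1):
    """T from the initial condition i(0) = i0/N: e^{-beta T} = i0 / (N - i0)."""
    return math.log((n - i0) / i0) / beta


def time_to_fraction(frac, beta, T):
    """Invert the logistic: beta (t - T) = ln(i / (1 - i))."""
    return T + math.log(frac / (1.0 - frac)) / beta


def scan_rate_for_beta(beta, n, addr_space=ADDR_SPACE):
    """A probe finds a vulnerable host with probability N / addr_space, so an infected host
    probing r addresses/s has contact rate beta = r * N / addr_space; solve for r."""
    return beta * addr_space / n


def simulate_scanning_worm(n, scan_rate, dt=0.1, i0=1.0, stop_frac=0.999,
                           addr_space=ADDR_SPACE, max_steps=10**6):
    """Mean-field, step-by-step integration of a random-scanning worm.
    Returns (t, i(t)) samples; derived from scan mechanics rather than from the closed form."""
    infected, t, trace = float(i0), 0.0, [(0.0, i0 / n)]
    for _ in range(max_steps):
        if infected >= stop_frac * n:
            break
        susceptible = n - infected
        # probes emitted this step, times the chance each lands on a still-susceptible host
        new = infected * scan_rate * dt * susceptible / addr_space
        infected = min(float(n), infected + new)
        t += dt
        trace.append((t, infected / n))
    return trace


def first_time_at_or_above(trace, frac):
    """Earliest sampled time at which the infected fraction reaches frac (None if never)."""
    for t, i in trace:
        if i >= frac:
            return t
    return None


def slammer_projection(n=75_000, doubling_s=8.5):
    """Assumed N = 75,000 vulnerable hosts (not a slide figure) and the slide's 8.5 s doubling time."""
    beta = beta_from_doubling_time(doubling_s)
    T = half_infection_time(n, beta)
    return {
        "beta_per_s": beta,
        "scans_per_host_per_s": scan_rate_for_beta(beta, n),
        "t_half_s": T,
        "t_90pct_s": time_to_fraction(0.90, beta, T),
        "t_99pct_s": time_to_fraction(0.99, beta, T),
    }


if __name__ == "__main__":
    p = slammer_projection()
    for name, value in p.items():
        print(f"{name:>22}: {value:,.1f}")
    trace = simulate_scanning_worm(75_000, p["scans_per_host_per_s"])
    print("simulated time to 50% infected:", first_time_at_or_above(trace, 0.5), "s")
```

Under these assumptions 90% of the vulnerable population is reached in under three minutes, which is consistent with the "peaks at ~3 min" observation on the Fast Worms slide; the model ignores the bandwidth saturation and self-interference the slide describes, which is exactly why the real Slammer curve flattened earlier than the pure logistic predicts.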


UCSD CSE 120 - Internet Outbreaks
