
How Chicken Little sees the Internet…

Why Chicken Little is a naïve optimist
- Imagine the following species:
  - Poor genetic diversity; heavily inbred
  - Lives in a “hot zone”; thriving ecosystem of infectious pathogens
  - Instantaneous transmission of disease
  - Immune response 10-1M times slower
  - Poor hygiene practices
- What would its long-term prognosis be?
- What if diseases were designed…
  - Trivial to create a new disease
  - Highly profitable to do so

Threat transformation
- Traditional threats
  - Attacker manually targets a high-value system/resource
  - Defender increases the cost to compromise high-value systems
  - Biggest threat: insider attacker
- Modern threats
  - Attacker uses automation to target all systems at once (can filter later)
  - Defender must defend all systems at once
  - Biggest threats: software vulnerabilities & naïve users

Large-scale technical enablers
- Unrestricted connectivity
  - Large-scale adoption of the IP model for networks & apps
- Software homogeneity & user naiveté
  - Single bug = mass vulnerability in millions of hosts
  - Trusting users (“ok”) = mass vulnerability in millions of hosts
- Few meaningful defenses
  - Effective anonymity (minimal risk)

Driving Economic Forces
- No longer just for fun, but for profit
  - SPAM forwarding (MyDoom.A backdoor, SoBig), credit card theft (Korgo), DDoS extortion, etc…
- Symbiotic relationship: worms, bots, SPAM, etc.
- Fluid third-party exchange market (millions of hosts for sale)
  - Going rate for SPAM proxying: 3-10 cents/host/week
  - Seems small, but a 25k botnet gets you $40k-130k/yr
  - Generalized search capabilities are next
- “Virtuous” economic cycle
  - The bad guys have a large incentive to get better

Today’s focus: Outbreaks
- Outbreaks?
  - Acute epidemics of infectious malcode designed to actively spread from host to host over the network
  - E.g.
    Worms, viruses (for me: pedantic distinctions)
- Why epidemics?
  - Epidemic spreading is the fastest method for large-scale network compromise
- Why fast?
  - Slow infections allow much more time for detection, analysis, etc. (traditional methods may cope)

A pretty fast outbreak: Slammer (2003)
- First ~1 min: behaves like a classic random scanning worm
  - Doubling time of ~8.5 seconds
  - CodeRed doubled every 40 mins
- >1 min: worm starts to saturate access bandwidth
  - Some hosts issue >20,000 scans per second
  - Self-interfering (no congestion control)
- Peaks at ~3 min
  - >55 million IP scans/sec
  - 90% of the Internet scanned in <10 mins
- Infected ~100k hosts (conservative)
- See: Moore et al., IEEE Security & Privacy, 1(4), 2003 for more details

Was Slammer really fast?
- Yes, it was orders of magnitude faster than CR
- No, it was poorly written and unsophisticated
- Who cares? It is literally an academic point
  - The current debate is whether one can get < 500 ms
- Bottom line: way faster than people!

How to think about worms
- Reasonably well described as infectious epidemics
- Simplest model: homogeneous random contacts
  - Classic SI model
  - N: population size
  - S(t): susceptible hosts at time t
  - I(t): infected hosts at time t
  - β: contact rate
  - i(t) = I(t)/N, s(t) = S(t)/N

  $$\frac{dI}{dt} = \beta \frac{I S}{N}, \qquad \frac{dS}{dt} = -\beta \frac{I S}{N}$$
  $$\frac{di}{dt} = \beta\, i\,(1 - i)$$
  $$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$$
  (T is the time at which i(t) = 1/2, fixed by the initial condition i(0))

  courtesy Paxson, Staniford, Weaver

What’s important?
- There are lots of improvements to the model…
  - Chen et al., Modeling the Spread of Active Worms, Infocom 2003 (discrete time)
  - Wang et al., Modeling Timing Parameters for Virus Propagation on the Internet, ACM WORM ’04 (delay)
  - Ganesh et al., The Effect of Network Topology on the Spread of Epidemics, Infocom 2005 (topology)
- … but the bottom line is the same. We care about two things:
  - How likely is it that a given infection attempt is successful?
    - Target selection (random, biased, hitlist, topological, …)
    - Vulnerability distribution (e.g.
      density – S(0)/N)
  - How frequently are infections attempted?
    - β: contact rate

What can be done?
- Reduce the number of susceptible hosts
  - Prevention: reduce S(t) while I(t) is still small (ideally reduce S(0))
- Reduce the contact rate
  - Containment: reduce β while I(t) is still small

Prevention: Software Quality
- Goal: eliminate the vulnerability
- Static/dynamic testing (e.g. Cowan, Wagner, Engler, etc.)
- Software process, code review, etc.
- Active research community
- Taken seriously in industry
  - Security code review alone for Windows Server 2003 ~ $200M
- Traditional problems: soundness, completeness, usability
- Practical problems: scale and cost

Prevention: Hygiene Enforcement
- Goal: keep susceptible hosts off the network
- Only let hosts connect to the network if they are “well cared for”
  - Recently patched, up-to-date anti-virus, etc…
- Automated version of what they do by hand at NSF
- Cisco Network Admission Control (NAC)

Containment
- Reduce the contact rate
- Slow down
  - Throttle connection rate to slow spread
  - Twycross & Williamson, Implementing and Testing a Virus Throttle, USENIX Sec ’03
  - Important capability, but the worm still spreads…
- Quarantine
  - Detect and block the worm

Defense requirements
- We can define reactive defenses in terms of:
  - Reaction time – how long to detect, propagate information, and activate a response
  - Containment strategy – how malicious behavior is identified and stopped
  - Deployment scenario – who participates in the system
- Given these, what are the engineering requirements for any effective defense?

Defense requirements summary
- Reaction time
  - Required reaction times are a couple of minutes or less for CR-style worms (seconds for worms like Slammer)
- Containment strategy
  - Content filtering is far more effective than address blacklisting for a given reaction speed
- Deployment scenarios
  - Need nearly all customer networks to provide containment
  - Need at least the top 40 ISPs to provide containment; top 100 ideal
- Is this possible?
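An added worked example (mine, not the slides' code and not the Paxson/Staniford/Weaver model's code) that puts numbers on the SI model slide above and on the reaction-time requirement just stated. It uses the homogeneous random-contact SI equations with the slides' symbols, takes Slammer's ~8.5 s and CodeRed's ~40 min doubling times from the slides, starts from an assumed initial infected fraction i0 = 1e-5 (one host in a population of 100k), and models containment crudely as removing a fraction of all contacts from the reaction time onward; that containment model is my simplification, not the quarantine analysis the slides summarize.

```python
"""SI worm model with the slides' symbols (N, S(t), I(t), beta, i(t) = I(t)/N)
plus a crude reaction-time/containment model.

Added example, not from the slides. Assumptions (mine): homogeneous random
contacts; containment = contacts through filtering networks are dropped from
the reaction time R onward; i0 = 1e-5 is a chosen initial condition; the
doubling times are the ones the slides quote for Slammer and CodeRed.
"""
import math


def beta_from_doubling_time(t_double):
    """While i << 1, di/dt = beta*i*(1-i) ~ beta*i, so i grows like exp(beta*t)
    and the observed early doubling time equals ln(2)/beta."""
    return math.log(2) / t_double


def half_time(beta, i0):
    """T in i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}): the instant at which
    i(T) = 1/2, fixed by the initial condition i(0) = i0."""
    return -math.log(i0 / (1 - i0)) / beta


def i_closed_form(beta, i0, t):
    """Logistic solution of di/dt = beta * i * (1 - i)."""
    x = math.exp(beta * (t - half_time(beta, i0)))
    return x / (1 + x)


def time_to_fraction(beta, i0, target):
    """Invert the closed form: when does the infected fraction reach `target`?"""
    return half_time(beta, i0) + math.log(target / (1 - target)) / beta


def simulate(beta, i0, t_end, dt, reaction_time=None, filtered_fraction=0.0):
    """Forward-Euler integration of di/dt = beta_eff * i * (1 - i).

    beta_eff is beta until reaction_time; afterwards contacts that traverse a
    filtering network are dropped, so beta_eff = beta * (1 - filtered_fraction)
    (assumed containment model). Returns the infected fraction at t_end."""
    i, t = i0, 0.0
    while t < t_end:
        beta_eff = beta
        if reaction_time is not None and t >= reaction_time:
            beta_eff = beta * (1.0 - filtered_fraction)
        i += dt * beta_eff * i * (1.0 - i)
        t += dt
    return i


SLAMMER_BETA = beta_from_doubling_time(8.5)       # per second, from ~8.5 s doubling
CODERED_BETA = beta_from_doubling_time(40 * 60)   # per second, from ~40 min doubling
I0 = 1e-5                                         # assumed: one infected host in ~100k


def slammer_time_to_90_percent():
    """Seconds until 90% of susceptible hosts are infected (closed form)."""
    return time_to_fraction(SLAMMER_BETA, I0, 0.9)


def codered_time_to_90_percent():
    """Hours until 90% of susceptible hosts are infected (closed form)."""
    return time_to_fraction(CODERED_BETA, I0, 0.9) / 3600


def containment_outcome(beta, reaction_time, t_end):
    """Infected fraction at t_end if 90% of contacts are filtered from reaction_time on."""
    return simulate(beta, I0, t_end, dt=0.1, reaction_time=reaction_time, filtered_fraction=0.9)


if __name__ == "__main__":
    print(f"Slammer: beta={SLAMMER_BETA:.4f}/s, 90% infected after {slammer_time_to_90_percent():.0f} s")
    print(f"CodeRed: beta={CODERED_BETA:.6f}/s, 90% infected after {codered_time_to_90_percent():.1f} h")
    for r in (30, 60, 120, 180):
        print(f"Slammer, react at {r:>3d} s -> infected fraction at 10 min: "
              f"{containment_outcome(SLAMMER_BETA, r, 600):.3f}")
```

Run it and the closed form reproduces the slides' timeline from one initial condition: about 168 s to 90% for Slammer against roughly 13 hours for CodeRed. The containment runs make the reaction-time point concrete: a response at 60 s holds Slammer's infected fraction at the 10-minute mark to about 10%, while a response at 180 s arrives after roughly 96% of hosts are already infected, so only seconds of reaction time help against a Slammer-class worm.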
  Let’s see…

Outbreak Detection/Monitoring
- Two classes of detection
  - Scan detection: detect that a host is infected by its infection attempts
  - Signature inference: automatically identify a content signature for the exploit (sharable)
- Two classes of monitors
  - Ex-situ: “canary in the coal mine”
    - Network Telescopes
    - HoneyNets/Honeypots
  - In-situ: real activity as it happens

Network Telescopes
- Infected host scans for other vulnerable hosts by randomly generating IP addresses
- Network Telescope: monitor a large range of unused IP addresses – it will receive scans from infected hosts
- Very scalable: UCSD monitors 17M+ addresses

Telescopes + Active Responders
- Problem: telescopes are passive, can’t respond to a TCP handshake
  - Is a SYN from a host infected by CodeRed or Welchia? Dunno.
  - What does the worm payload look
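The connection-rate throttle from the Containment slide and the "scan detection" class from Outbreak Detection, as an added example: this is my own simulation in the spirit of Twycross & Williamson's virus throttle, not their code, and the parameter values (a working set of 5 destinations, one release per second, alarm at 100 queued requests) and the two traffic traces are constructed.

```python
"""A rate-limiting "virus throttle" used both as slow-down containment and as a
scan detector. Added example; modelled after the Twycross & Williamson idea,
not their implementation.

Mechanism as modelled here: each host keeps a small working set of recently
contacted destinations. A connection to a destination in the working set passes
immediately; any other connection goes into a delay queue that is drained at a
fixed rate (one new destination per second). Normal traffic (few new
destinations per second) is barely delayed; a scanning worm (hundreds of new
destinations per second) backs up the queue, which slows its spread and, once
the queue exceeds a threshold, flags the host as infected.
Parameter values (assumed): working set 5, 1 release/s, alarm at 100 queued.
"""
from collections import deque
import random


class VirusThrottle:
    def __init__(self, working_set_size=5, releases_per_sec=1, alarm_threshold=100):
        self.working_set = deque(maxlen=working_set_size)  # oldest entry evicted when full
        self.delay_queue = deque()                          # (time, dst) awaiting release
        self.releases_per_sec = releases_per_sec
        self.alarm_threshold = alarm_threshold
        self.allowed_immediately = 0
        self.delayed = 0
        self.max_queue = 0
        self.alarm_time = None                              # first time the queue overflowed

    def request(self, t, dst):
        """New outbound connection attempt at time t. Returns 'allow' or 'queued'."""
        if dst in self.working_set:
            self.allowed_immediately += 1
            return "allow"
        self.delay_queue.append((t, dst))
        self.delayed += 1
        self.max_queue = max(self.max_queue, len(self.delay_queue))
        if self.alarm_time is None and len(self.delay_queue) > self.alarm_threshold:
            self.alarm_time = t
        return "queued"

    def tick(self):
        """Once per second: release a bounded number of queued connections and
        admit their destinations to the working set."""
        released = []
        for _ in range(self.releases_per_sec):
            if not self.delay_queue:
                break
            _, dst = self.delay_queue.popleft()
            if dst not in self.working_set:
                self.working_set.append(dst)
            released.append(dst)
        return released


def run_throttle(events, duration_s, **params):
    """Replay (time, dst) connection attempts through a throttle, ticking once per second."""
    throttle = VirusThrottle(**params)
    events = sorted(events)
    idx = 0
    for second in range(duration_s):
        while idx < len(events) and events[idx][0] < second + 1:
            throttle.request(*events[idx])
            idx += 1
        throttle.tick()
    return {
        "allowed_immediately": throttle.allowed_immediately,
        "delayed": throttle.delayed,
        "max_queue": throttle.max_queue,
        "alarm_time": throttle.alarm_time,
    }


def normal_host_traffic(duration_s=60):
    """Constructed trace: a desktop talking to the same four servers, three connections per second."""
    servers = ["mail", "web", "dns", "proxy"]
    return [(s + k / 3, servers[(3 * s + k) % 4]) for s in range(duration_s) for k in range(3)]


def scanning_worm_traffic(duration_s=10, scans_per_sec=100, seed=7):
    """Constructed trace: a random-scanning worm emitting 100 fresh destinations per second."""
    rng = random.Random(seed)
    return [
        (s + k / scans_per_sec,
         "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)))
        for s in range(duration_s) for k in range(scans_per_sec)
    ]


if __name__ == "__main__":
    print("normal host:  ", run_throttle(normal_host_traffic(), 60))
    print("scanning worm:", run_throttle(scanning_worm_traffic(), 10))
```

The normal host is delayed only during its first few seconds, while its working set fills, and never comes near the alarm threshold. The scanner trips the alarm during its second second and, even before anyone acts on the alarm, leaves this host with one new destination per second, which is the "slows the spread, but the worm still spreads" trade-off on the Containment slide.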
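An added example (mine, not from the slides and not UCSD's telescope software) of the inference a network telescope supports: because an infected host picks scan targets uniformly at random, a telescope covering a /8 sees each scan with probability 2^24/2^32 = 1/256, so packet counts at the telescope scale up to Internet-wide scan rates and distinct-source counts scale up to the infected population. The /8 prefix, the 500-host worm, its 100 scans/s per host and the 10 s window are constructed inputs; the infected-population estimator assumes the per-host scan rate is known from elsewhere (say, from a captured instance of the worm).

```python
"""What a network telescope sees from a random-scanning worm, and how to turn
its counts into global estimates. Added example, not from the slides.

Assumptions (mine): scans pick destinations uniformly at random from the whole
32-bit space; the telescope is a single /8 (2^24 addresses, comparable to the
17M+ the slides mention for UCSD); which /8 it occupies is an arbitrary
constructed value; the per-host scan rate is known when estimating the
infected population.
"""
import random

TELESCOPE_PREFIX_LEN = 8
TELESCOPE_FIRST_OCTET = 77   # constructed: the /8 the telescope occupies


def hit_probability(prefix_len=TELESCOPE_PREFIX_LEN):
    """Fraction of uniformly random IPv4 destinations that land in the telescope."""
    return 2 ** (32 - prefix_len) / 2 ** 32          # 1/256 for a /8


def estimate_global_scan_rate(packets_seen, window_s, prefix_len=TELESCOPE_PREFIX_LEN):
    """Packets/s at the telescope divided by the hit probability: Internet-wide scans/s."""
    return packets_seen / window_s / hit_probability(prefix_len)


def prob_source_observed(scans_per_host, window_s, prefix_len=TELESCOPE_PREFIX_LEN):
    """Chance that one infected host sends at least one scan into the telescope."""
    return 1.0 - (1.0 - hit_probability(prefix_len)) ** (scans_per_host * window_s)


def estimate_infected_hosts(distinct_sources, scans_per_host, window_s,
                            prefix_len=TELESCOPE_PREFIX_LEN):
    """Scale the distinct-source count up for hosts that scanned but never hit the telescope."""
    return distinct_sources / prob_source_observed(scans_per_host, window_s, prefix_len)


def simulate_telescope(n_infected, scans_per_host, window_s, seed=1):
    """Constructed worm: n_infected hosts each emit scans_per_host random scans per
    second for window_s seconds; count what the /8 telescope receives."""
    rng = random.Random(seed)
    packets = 0
    sources = set()
    for host in range(n_infected):
        for _ in range(scans_per_host * window_s):
            dst = rng.getrandbits(32)
            if dst >> (32 - TELESCOPE_PREFIX_LEN) == TELESCOPE_FIRST_OCTET:
                packets += 1
                sources.add(host)
    return {"packets": packets, "distinct_sources": len(sources)}


def telescope_report(n_infected=500, scans_per_host=100, window_s=10):
    """Compare the telescope's estimates with the constructed ground truth."""
    seen = simulate_telescope(n_infected, scans_per_host, window_s)
    return {
        "true_infected": n_infected,
        "true_scan_rate": n_infected * scans_per_host,
        "telescope_packets": seen["packets"],
        "distinct_sources": seen["distinct_sources"],
        "estimated_scan_rate": estimate_global_scan_rate(seen["packets"], window_s),
        "estimated_infected": estimate_infected_hosts(seen["distinct_sources"],
                                                      scans_per_host, window_s),
    }


if __name__ == "__main__":
    for key, value in telescope_report().items():
        print(f"{key:>20}: {value:.1f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

With 500 hosts scanning at 100 scans/s, the telescope receives only about 2,000 of the 500,000 scans sent in 10 s, yet the 1/256 scaling recovers the global rate to within a few percent, and because each host has a 98% chance of hitting a /8 at least once in that window, the distinct-source count is already close to the infected population. The same arithmetic is why a passive telescope can size an outbreak, while the "Telescopes + Active Responders" slide notes that it cannot tell which worm a bare SYN belongs to.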


MIT 6.829 - Study Guide
