Internet Outbreaks: Epidemiology and Defenses

Stefan Savage
Collaborative Center for Internet Epidemiology and Defenses
Department of Computer Science & Engineering
University of California at San Diego

In collaboration with Jay Chen, Cristian Estan, Ranjit Jhala, Erin Kenneally, Justin Ma, David Moore, Vern Paxson (ICSI), Colleen Shannon, Sumeet Singh, Alex Snoeren, Stuart Staniford (Nevis), Amin Vahdat, Erik Vandekeift, George Varghese, Geoff Voelker, Michael Vrable, Nick Weaver (ICSI)

Outline (slide titles)
- Who am I?
- A Chicken Little view of the Internet…
- Why Chicken Little is a naïve optimist
- Threat transformation
- Large-scale technical enablers
- Driving economic forces
- What service-oriented computing really means…
- Today's focus: Outbreaks
- Today
- What is a network worm?
- A brief history of worms…
- The Modern Worm era
- Anatomy of a worm: Slammer
- A pretty fast outbreak: Slammer (2003)
- Was Slammer really fast?
- How to think about worms
- What's important?
- What can be done?
- Prevention: Software Quality
- Prevention: Wrappers
- Prevention: Software Heterogeneity
- Prevention: Software Updating
- Prevention: Known Exploit Blocking
- Prevention: Hygiene Enforcement
- Containment
- Treatment
- Quarantine requirements
- It's difficult…
- How do we detect new outbreaks?
- Network Telescopes
- Telescopes + Active Responders
- Honeypots
- The Scalability/Fidelity tradeoff
- Potemkin honeyfarm: large scale high-fidelity honeyfarm
- Challenges for honeypot systems
- Scan Detection
- Signature Inference
- Approach
- Content sifting
- The basic algorithm
- Challenges
- Experience
- Key limitations: Evasion & DoS
- Some other issues
- Summary

Who am I?
- Assistant Professor, UCSD
- B.S., Applied History, CMU
- Ph.D., Computer Science, University of Washington
- Research at the intersection of networking, security and OS
- Co-founder of the Collaborative Center for Internet Epidemiology and Defenses (CCIED)
  - One of four NSF Cybertrust Centers, a joint UCSD/ICSI effort
  - Focused on large-scale Internet attacks (worms, viruses, botnets, etc.)
- Co-founded a number of commercial security startups
  - Asta Networks (failed anti-DDoS startup)
  - Netsift Inc. (successful anti-worm/virus startup)

A Chicken Little view of the Internet…

Why Chicken Little is a naïve optimist
- Imagine the following species:
  - Poor genetic diversity; heavily inbred
  - Lives in a "hot zone"; thriving ecosystem of infectious pathogens
  - Instantaneous transmission of disease
  - Immune response 10-1M times slower
  - Poor hygiene practices
- What would its long-term prognosis be?
- What if diseases were designed…
  - Trivial to create a new disease
  - Highly profitable to do so

Threat transformation
- Traditional threats
  - Attacker manually targets a high-value system/resource
  - Defender increases the cost to compromise high-value systems
  - Biggest threat: insider attacker
- Modern threats
  - Attacker uses automation to target all systems at once (can filter later)
  - Defender must defend all systems at once
  - Biggest threats: software vulnerabilities & naïve users

Large-scale technical enablers
- Unrestricted connectivity
  - Large-scale adoption of the IP model for networks & apps
- Software homogeneity & user naiveté
  - Single bug = mass vulnerability in millions of hosts
  - Trusting users ("ok") = mass vulnerability in millions of hosts
- Few meaningful defenses
  - Effective anonymity (minimal risk)

Driving economic forces
- No longer just for fun, but for profit
  - SPAM forwarding (MyDoom.A backdoor, SoBig), credit card theft (Korgo), DDoS extortion, etc.
  - Symbiotic relationship: worms, bots, SPAM, DDoS, etc.
- Fluid third-party exchange market (millions of hosts for sale)
  - Going rate for SPAM proxying: 3-10 cents/host/week
  - Seems small, but a 25k botnet gets you $40k-130k/yr
  - Raw bots: $1+/host; special orders: $50+
- "Virtuous" economic cycle
- Bottom line: large numbers of compromised hosts = platform
  - DDoS, SPAM, piracy, identity theft = applications

What service-oriented computing really means…

Today's focus: Outbreaks
- Outbreaks?
  - Acute epidemics of infectious malcode designed to actively spread from host to host over the network
  - E.g. worms, viruses, etc. (I don't care about pedantic distinctions, so I'll use the term worm from now on)
- Why epidemics?
  - Epidemic spreading is the fastest method for large-scale network compromise
- Why fast?
  - Slow infections allow much more time for detection, analysis, etc. (traditional methods may cope)

Today
- Network worm review
- Network epidemiology
- Threat monitors & automated defenses

What is a network worm?
- Self-propagating, self-replicating network program
- Exploits some vulnerability to infect remote machines
- Infected machines continue propagating the infection

A brief history of worms…
- As always, sci-fi authors get it first
  - Gerrold's "When H.A.R.L.I.E. Was One" (1972): "virus"
  - Brunner's "Shockwave Rider" (1975): "tapeworm program"
- Shoch & Hupp co-opt the idea; coin the term "worm" (1982)
  - Key idea: programs that self-propagate through the network to accomplish some task; benign
- Fred Cohen
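The "Why epidemics? / Why fast?" bullets on the "Today's focus: Outbreaks" slide assert that epidemic spread is the fastest way to compromise a network and that a slow infection leaves defenders time to detect and analyze it. The following is an added example, not code from the talk, that makes the claim quantitative using the standard logistic model of a worm that probes uniformly random IPv4 addresses: every infected host finds new victims at a rate proportional to the fraction of the address space that is still vulnerable, so growth is exponential at first and then saturates. The vulnerable-host count (75,000), the two scan rates and the single initial infection are constructed inputs, not measurements of any real worm.

```python
"""Logistic ("random constant spread") model of a random-scanning worm.

Added illustration for the "Why epidemics? / Why fast?" point; not code
from the talk. Host counts and scan rates are constructed inputs.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner can pick


def contact_rate(scan_rate: float, vulnerable_hosts: int) -> float:
    """K, the per-host infection rate early in the outbreak (1/s).

    A probe hits a vulnerable host with probability vulnerable_hosts / 2^32,
    so an infected host sending scan_rate probes/s finds new victims at
    K = scan_rate * vulnerable_hosts / 2^32 per second.
    """
    return scan_rate * vulnerable_hosts / ADDRESS_SPACE


def _logit(a: float) -> float:
    return math.log(a / (1.0 - a))


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Fraction of the vulnerable population infected at time t (seconds).

    Closed-form solution of da/dt = K * a * (1 - a) with a(0) = a0: growth
    is exponential while few hosts are infected, then slows as probes
    increasingly land on hosts that are already infected.
    """
    return 1.0 / (1.0 + math.exp(-(k * t + _logit(a0))))


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction reaches `target`.

    Inverse of infected_fraction: t = (logit(target) - logit(a0)) / K.
    """
    return (_logit(target) - _logit(a0)) / k


def doubling_time(k: float) -> float:
    """Seconds for the infected population to double in the early phase."""
    return math.log(2.0) / k


def outbreak_timeline(scan_rate: float, vulnerable_hosts: int,
                      initial_infected: int = 1,
                      milestones=(0.1, 0.5, 0.9, 0.99)) -> dict:
    """Map each milestone fraction to the seconds needed to reach it."""
    k = contact_rate(scan_rate, vulnerable_hosts)
    a0 = initial_infected / vulnerable_hosts
    return {m: time_to_fraction(m, k, a0) for m in milestones}


if __name__ == "__main__":
    # Constructed scenario: 75,000 vulnerable hosts, one initial infection.
    hosts = 75_000
    for label, rate in (("fast scanner, 4000 probes/s/host", 4000.0),
                        ("slow scanner, 10 probes/s/host", 10.0)):
        k = contact_rate(rate, hosts)
        print(f"{label}: K = {k:.4g}/s, doubling every {doubling_time(k):.1f} s")
        for frac, secs in outbreak_timeline(rate, hosts).items():
            print(f"  {frac:>4.0%} infected after {secs:9.0f} s"
                  f" ({secs / 3600:6.2f} h)")
```

With these inputs the fast scanner takes the population from one host to 90% infected in a few minutes, while the slow scanner needs most of a day for the same curve, which is the window in which "traditional methods may cope". Because spread time scales as 1/K, a defense that only halves the probe rate (or halves the reachable vulnerable population) only doubles the time to saturation; it does not stop the outbreak. The model assumes uniform random scanning with no bandwidth limits, congestion, or patching during the outbreak, so it describes the shape of an outbreak rather than predicting any specific one.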