Internet Outbreaks: Epidemiology and Defenses
Geoffrey M. Voelker
Collaborative Center for Internet Epidemiology and Defenses (CCIED)
Computer Science and Engineering, UC San Diego
February 28, 2007

With David Anderson, Jay Chen, Cristian Estan, Chris Fleizach, Ranjit Jhala, Flavio Junqueira, Erin Kenneally, Justin Ma, John McCullough, David Moore, Vern Paxson (ICSI), Stefan Savage, Colleen Shannon, Sumeet Singh, Alex Snoeren, Stuart Staniford (Nevis), Amin Vahdat, Erik Vandekieft, George Varghese, Michael Vrable, Nick Weaver (ICSI), Qing Zhang

Paradise Lost
- Our Goal: Develop the understanding and technology to address large-scale subversion of Internet hosts

Threat Transformation
- Traditional threats
  - Attacker manually targets high-value system/resource
  - Defender increases cost to compromise high-value systems
  - Biggest threat: insider attacker
- Modern threats
  - Attacker uses automation to target all systems at once (can filter later)
  - Defender must defend all systems at once
  - Biggest threats: software vulnerabilities and naive users

Large-Scale Enablers
- Unrestricted high-performance connectivity
  - Large-scale adoption of the IP model for networks and apps
  - Internet is high bandwidth, low latency
  - The Internet succeeded
- Software homogeneity and user naivete
  - Single bug → mass vulnerability in millions of hosts
  - Trusting users → "ok" → mass vulnerability in millions of hosts
- Lack of meaningful deterrence
  - Little forensic attribution/audit capability
  - Effective anonymity → no deterrence, minimal risk

Driving Economic Forces
- Emergence of profit-making payloads
  - Spam forwarding (MyDoom.A backdoor, SoBig)
  - Credit card theft (Korgo)
  - DDoS extortion (many)
  - etc.
- Virtuous economic cycle transforms nature of threat
  - Commoditization of compromised hosts
  - Fluid third-party exchange market (millions)
    - Going rate for spam proxying: 3-10 cents/host/week
    - Seems small, but a 25k botnet gets you $40k-$130k/yr
    - Raw bots: $.01/host
    - Special orders: $.50
- Hosts effectively becoming a criminal platform
  - Innovation in both host substrate and its uses
  - Sophisticated infection and command/control networks
  - DDoS, SPAM, piracy, phishing, identity theft are all applications

Botnet Spammer Rental Rates (September 2004 postings to SpecialHam.com, Spamforum.biz)
- "20-30k always online SOCKs4, url is de-duped and updated every 10 minutes. 900/weekly. Samples will be sent on request. Monthly payments arranged at discount prices."
  → 3.6 cents per bot-week
- "$350.00/weekly - $1,000/monthly USD. Always Online: 5,000 - 6,000. Updated every 10 minutes."
  → 6 cents per bot-week
- "$220.00/weekly - $800.00/monthly USD. Always Online: 9,000 - 10,000. Updated every 5 minutes."
  → 2.5 cents per bot-week

Why Worms?
- All of these applications depend on automated mechanisms for subverting large numbers of hosts
- Self-propagating programs continue to be the most effective mechanism for host subversion
- Prevent automated subversion → severely undermine phishing, DDoS, extortion, etc.
- Our Goal: Develop the understanding and technology to address large-scale subversion of Internet hosts

Today
- Worm outbreaks: What are we up against?
- Framing the worm problem and solutions: What are our options?
  - Fundamental basis for understanding and defending against large-scale Internet attacks
- Two worm detection and monitoring techniques
  - EarlyBird: High-speed network-based content sifting
  - Potemkin: Large-scale, high-fidelity honeyfarm
- Current projects

Network Telescopes
- Idea: Unsolicited packets → evidence of global phenomena
  - Backscatter: response packets sent by victims provide insight into the global prevalence of DoS attacks (and who is getting attacked)
  - Scans: request packets can indicate an infection attempt from a worm (and who is currently infected, growth rate, etc.)
- Very scalable: CCIED Telescope monitors 17M IP addrs (~1% of all routable addresses of the Internet)

2001: A DoS Odyssey
- Inferring global Internet DoS attacks using backscatter
  - 4,000 DoS attacks/week
  - Everyone a victim
  - Intense, periodic
- Moore et al., Inferring Internet Denial-of-Service Activity, USENIX Security 2001

2001: A Worm Odyssey
- CodeRed worm released in July 2001
  - Exploited buffer overflow in Microsoft IIS
  - Infects 360,000 hosts in 14 hours (CRv2)
  - Propagation is limited by latency of TCP handshake
- Moore et al., CodeRed: a Case Study on the Spread of an Internet Worm, IMW 2002
- Staniford et al., How to 0wn the Internet in Your Spare Time, USENIX Security 2002

Fast Worms
- Slammer/Sapphire released in January 2003
  - First ~1 min behaves like a classic scanning worm: doubling time of 8.5 seconds
  - >1 min: worm saturates access bandwidth; some hosts issue >20,000 scans/sec; self-interfering
  - Peaks at ~3 min: 90% of Internet scanned in <10 mins; 55 million IP scans/sec
- Moore et al., The Spread of the Sapphire/Slammer Worm, IEEE Security & Privacy 1(4), 2003

Was Slammer really fast?
- Yes, it was orders of magnitude faster than CodeRed
- No, it was poorly written and unsophisticated
- Who cares? It is literally an academic point
  - The current debate is whether one can get <500ms
  - Bottom line: way faster than people
- Staniford et al., The Top Speed of Flash Worms, ACM WORM 2004

Understanding Worms
- Worms are well modeled as infectious epidemics
  - Homogeneous random contacts
- Classic SI model
  - N: population size
  - S(t): susceptible hosts at time t
  - I(t): infected hosts at time t
  - β: contact rate
  - i(t) = I(t)/N, s(t) = S(t)/N
  - i(t) = e^{β(t−T)} / (1 + e^{β(t−T)})
- Staniford, Paxson, Weaver, How to 0wn the Internet in Your Spare Time, USENIX Security 2002

What Can We Do?
1. Reduce number of susceptible hosts (S(t)) → Prevention
2. Reduce number of infected hosts (I(t)) → Treatment
3. Prepare for the inevitable (N) → Survival
4. Reduce the contact rate (β) → Containment

Prevention
- Reduce # of susceptible hosts (S(t))
- Software quality: eliminate vulnerability
  - Static/dynamic testing (e.g., Cowan, Wagner, Engler)
  - Active research community; taken seriously in industry
  - Traditional problems: soundness, completeness, usability
  - Security code review alone for Windows Server 2003: ~$200M
- Software updating: reduce window of vulnerability
  - Most worms exploit a known vulnerability (10 days to 6 months old)
  - Sapphire: vulnerability patch July 2002, worm January 2003
  - Some activity (Shield [Wang04]), yet a critical problem
  - Is finding security holes a good idea? [Rescorla04]
- Software heterogeneity: reduce impact of
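Worked example for the Network Telescopes slide above, added here and not code from the talk: classify a telescope's unsolicited packets into backscatter and scans and turn the backscatter count into the per-victim attack-rate estimate of Moore et al. The packet records, the 10.0.0.0/8 stand-in for the telescope and the 60 s window are constructed for illustration.

```python
# Classifying a network telescope's unsolicited packets into backscatter (a DoS
# victim answering requests with a spoofed source inside the telescope) and scans
# (a worm or scanner probing a dark address).  Added example, not from the talk.
from collections import defaultdict

TELESCOPE_ADDRS = 2 ** 24   # a /8, about the 17M addresses the slide mentions
IPV4_SPACE = 2 ** 32
BACKSCATTER_TCP = {"SYN|ACK", "RST", "RST|ACK"}      # replies nothing here asked for
BACKSCATTER_ICMP = {"echo-reply", "dest-unreach", "ttl-exceeded"}

def classify(pkt):
    """Label one telescope packet 'backscatter', 'scan' or 'other'."""
    proto, flags = pkt["proto"], pkt.get("flags")
    if proto == "tcp":
        if flags in BACKSCATTER_TCP:
            return "backscatter"
        if flags == "SYN":
            return "scan"        # connection attempt to a dark address
    elif proto == "icmp":
        if flags in BACKSCATTER_ICMP:
            return "backscatter"
        if flags == "echo-request":
            return "scan"
    elif proto == "udp":
        return "scan"            # e.g. Slammer's single UDP/1434 datagram
    return "other"

def summarize(pkts, window_s):
    """Attack-rate estimate per backscatter victim, dark addresses touched per scanner."""
    victims, probers = defaultdict(int), defaultdict(set)
    for p in pkts:
        kind = classify(p)
        if kind == "backscatter":
            victims[p["src"]] += 1        # the victim is the packet's source
        elif kind == "scan":
            probers[p["src"]].add(p["dst"])
    # Moore et al.: a uniformly spoofed source lands in the telescope with
    # probability TELESCOPE_ADDRS / 2^32, so scale the observed count back up.
    rates = {v: n * IPV4_SPACE / TELESCOPE_ADDRS / window_s for v, n in victims.items()}
    return rates, {s: len(d) for s, d in probers.items()}

# Constructed 60 s capture with 10.0.0.0/8 standing in for the telescope.
SAMPLE = (
    [{"src": "203.0.113.5", "dst": f"10.{i}.7.9", "proto": "tcp", "flags": "SYN|ACK"} for i in range(6)]
    + [{"src": "198.51.100.7", "dst": f"10.9.{i}.1", "proto": "udp"} for i in range(3)]
    + [{"src": "198.51.100.8", "dst": "10.1.1.1", "proto": "tcp", "flags": "SYN"}]
)
```

Calling `summarize(SAMPLE, 60)` returns `({'203.0.113.5': 25.6}, {'198.51.100.7': 3, '198.51.100.8': 1})`: six SYN|ACKs seen by a /8 in 60 s imply roughly 25.6 attack packets per second at the victim, while the two scanning sources are reported with the number of dark addresses they touched.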
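Worked example for the Understanding Worms and What Can We Do slides above, added here and not code from the talk: the SI model in the slide's symbols (N, S(t), I(t), contact rate β, half-infection time T), with β derived from an observed doubling time, the closed form checked against a discrete simulation, and containment (smaller β) contrasted with prevention (smaller vulnerable population). The population of 100,000 hosts and the single seed are constructed; the 8.5 s doubling time is the Slammer figure from the Fast Worms slide.

```python
# SI model of a scanning worm, with the slide's symbols: N hosts, I(t) infected,
# S(t) = N - I(t) susceptible, contact rate beta, T the time at which half of
# the population is infected.  Added example, not code from the original talk.
import math

def infected_fraction(t, beta, T):
    """Closed form i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)}), the solution of
    di/dt = beta * i * (1 - i); arranged so exp() cannot overflow for large |t-T|."""
    x = beta * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    return math.exp(x) / (1.0 + math.exp(x))

def beta_from_doubling_time(doubling_seconds):
    """While i(t) << 1 the model grows like e^{beta t}, so the doubling time
    measured early in an outbreak gives beta = ln 2 / doubling time."""
    return math.log(2) / doubling_seconds

def half_time(N, I0, beta):
    """T implied by the seed: i(0) = I0/N  =>  T = ln((N - I0) / I0) / beta."""
    return math.log((N - I0) / I0) / beta

def time_to_fraction(frac, beta, T):
    """Invert the closed form: i(t) = frac  =>  t = T + ln(frac / (1 - frac)) / beta."""
    return T + math.log(frac / (1.0 - frac)) / beta

def simulate(N, I0, beta, dt, t_end):
    """Forward-Euler SI simulation dI = beta * I * (S / N) dt; returns the
    infected fraction at t_end so it can be checked against the closed form."""
    I = float(I0)
    for _ in range(int(t_end / dt)):
        I = min(float(N), I + beta * I * ((N - I) / N) * dt)
    return I / N

if __name__ == "__main__":
    # Constructed scenario: one seed in 100,000 vulnerable hosts, using the 8.5 s
    # doubling time the Fast Worms slide reports for Slammer.
    N, I0 = 100_000, 1
    beta = beta_from_doubling_time(8.5)
    T = half_time(N, I0, beta)
    print(f"beta = {beta:.4f}/s; 50% infected at {T:.1f} s, "
          f"90% at {time_to_fraction(0.9, beta, T):.1f} s")
    print(f"Euler check at T: i = {simulate(N, I0, beta, 0.1, T):.3f} (closed form 0.500)")
    # Containment (halving beta) doubles every milestone; prevention (halving the
    # vulnerable population) leaves early growth I(t) ~ I0 e^{beta t} roughly
    # unchanged and instead halves the ceiling the outbreak saturates at.
    for label, n, b in (("baseline", N, beta), ("beta/2", N, beta / 2), ("N/2", N // 2, beta)):
        hosts = n * infected_fraction(120.0, b, half_time(n, I0, b))
        print(f"{label:9s} {hosts:8.0f} hosts infected at 120 s; ceiling {n}")
```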