Purdue CS 59000 - Security Topics in Networking

Security Topics in Networking and Distributed Systems
CS 590D
Lecture 10: Worms (cont.)
Department of Computer Sciences
Purdue University
Cristina Nita-Rotaru Spring 2004/Lecture 10

References
• Modeling the Spread of Active Worms. Zesheng Chen, Lixin Gao, Kevin Kwiat, INFOCOM 2003.
• Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, INFOCOM 2003.
• How to 0wn the Internet in Your Spare Time. Stuart Staniford, Vern Paxson, Nicholas Weaver, USENIX 2002.

Worms
• Program that can replicate itself and send copies from computer to computer across network connections.
• Use network connections to spread from system to system.
• Within a system, can behave as a computer virus, or it could implant Trojan horse programs, or perform unwanted, disruptive or destructive functions.

Factors
• Target discovery: mechanism by which a worm discovers new targets to infect.
• Carrier: mechanism the worm uses to transmit itself to the target.
• Activation: mechanism by which the worm's code begins operating on the target.
• Payloads: non-propagating routines a worm uses to accomplish a goal.
• Attackers: different goals.

Target Discovery
• Scanning: probing a set of addresses to identify vulnerable hosts:
– sequential
– random.
• Using lists
– Pre-generated target lists: create a list of probable victims.
– Externally generated target lists: exploit the fact that some servers maintain lists of active servers (games, peer-to-peer applications).
– Internal target list: applications maintain information about servers with vulnerabilities; can be used to create topological worms.
• Passive: wait for potential victim to contact the worm or rely on user behavior to discover new targets.

Approach
• Prevention
• Detection
• Containment
• Response

Modeling Worm Propagation
• Why?
– Can help detect worms
– Prediction of spreading
– Estimation of damage
• Factors?
– Target discovery: scanning, lists
– Network topology
– Network parameters: bandwidth, latency
– Repair rate (applying patches)
– Worm design specifics: transport protocol, amount of data transferred.

Models of Worm Propagation
• Epidemiologic modeling
• Deterministic approximation modeling
• What did these models take into account?

Several Simulators
• Weaver simulator
• SSFnet
• EASEL
• DIB:S/TRAFEN

Other Ways of Detecting Worm Attacks
• Monitor for scanning.
• When is the scanning perceived as being an attack?
• A worm's action results in denial of service; why not infer/estimate denial of service activity?
• How to infer/estimate denial of service activity?
– Network telescopes

Containment/Quarantine
• "Worm containment is the art, science, and engineering discipline of preventing worms from spreading"
– http://www.networm.org
• Internet vs. enterprise containment
• Firewalls?
• Internal firewalls? Do they work? What are the limitations?
• Intrusion detection systems

Containment/Quarantine
• Containment of scanning worms (outbound vs. inbound scans)
• Containment of flash worms (develops a complete hitlist of all vulnerable systems, splits the list when infects a machine)
• Containment of topological worms (relies on information it finds on the infected host in order to locate further potential victims to infect)

If You Can Not Stop It, Slow It Down !!!
• LaBrea: a "sticky honeypot"
– Takes over unused IP addresses on a network and creates "virtual machines"
– Answer to connection attempts in a way that causes the machine at the other end to get "stuck"
– started in response to the CodeRed
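
The "Modeling Worm Propagation" slide lists scanning and repair rate among the factors a model must capture. The following discrete-time sketch is an added example, not code from the lecture or the cited papers: it shows how a per-tick repair rate changes the predicted infection curve of a random-scanning worm. The recurrence and every parameter value are assumptions of this example.

```python
import math

def simulate(vulnerable, scan_rate, patch_rate, address_space=2**32,
             initial=1, ticks=3000):
    """Return the expected number of infected hosts at each tick.

    Assumed recurrence (this example's, not the slides'): each infected host
    sends scan_rate random probes per tick over address_space addresses;
    patch_rate is the fraction of vulnerable hosts, infected or not, that
    are repaired per tick and leave the population for good.
    """
    infected = float(initial)
    unpatched = float(vulnerable)      # vulnerable hosts not yet repaired
    history = [infected]
    for _ in range(ticks):
        scans = scan_rate * infected
        # P(a given address receives at least one of this tick's probes)
        p_hit = -math.expm1(scans * math.log1p(-1.0 / address_space))
        newly = (unpatched - infected) * p_hit
        infected = (infected + newly) * (1.0 - patch_rate)
        unpatched *= (1.0 - patch_rate)
        history.append(infected)
    return history

def summarize(history):
    """Peak infected count and the tick at which it first occurs."""
    peak = max(history)
    return round(peak), history.index(peak)

# Constructed parameters, chosen only to make the two curves easy to compare.
N, SCANS = 500_000, 100
unpatched_run = simulate(N, SCANS, patch_rate=0.0)
patched_run = simulate(N, SCANS, patch_rate=0.0005)

if __name__ == "__main__":
    for name, run in (("no repair", unpatched_run),
                      ("0.05%/tick repair", patched_run)):
        peak, tick = summarize(run)
        print(f"{name:>18}: peak {peak:>7} infected at tick {tick}")
```

Without repair the curve is the familiar S-shape that saturates at the whole vulnerable population; with repair the peak is lower and the infected count then declines, which is the "estimation of damage" use the slide mentions.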
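
The "Other Ways of Detecting Worm Attacks" slide asks when scanning should be perceived as an attack, and the containment slide separates outbound from inbound scans. One simple answer, as an added example that is not part of the lecture: flag a source once it has failed connections to a threshold number of distinct destinations inside a sliding window. The record format, the internal prefix, the window and the threshold are all assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise prefix

def sample_flows():
    """Constructed records: (time_s, source, destination, dst_port, outcome)."""
    flows = []
    # Internal host probing many external addresses, none of which answer.
    flows += [(i * 0.5, "10.1.2.3", f"198.51.100.{i + 1}", 80, "no_reply")
              for i in range(12)]
    # External host sweeping an internal subnet.
    flows += [(20 + i * 0.2, "192.0.2.77", f"10.0.5.{i + 1}", 445, "reset")
              for i in range(15)]
    # Ordinary client: one success, one failure.
    flows += [(1.0, "10.1.2.9", "203.0.113.5", 443, "established"),
              (3.0, "10.1.2.9", "203.0.113.6", 80, "no_reply")]
    # Twelve failures spread over two minutes: below the default rate threshold.
    flows += [(i * 10.0, "10.1.2.50", f"198.51.100.{100 + i}", 25, "no_reply")
              for i in range(12)]
    return sorted(flows)

def find_scanners(flows, window=10.0, threshold=10):
    """Map each flagged source to 'outbound' (internal source) or 'inbound'.

    A source is flagged when, within any `window` seconds, it has failed
    connection attempts to at least `threshold` distinct destinations.
    """
    recent = defaultdict(deque)        # source -> (time, destination) failures
    flagged = {}
    for t, src, dst, _port, outcome in flows:
        if outcome == "established" or src in flagged:
            continue
        attempts = recent[src]
        attempts.append((t, dst))
        while attempts[0][0] < t - window:   # drop failures older than the window
            attempts.popleft()
        if len({d for _, d in attempts}) >= threshold:
            inside = ipaddress.ip_address(src) in INTERNAL
            flagged[src] = "outbound" if inside else "inbound"
    return flagged

if __name__ == "__main__":
    for source, direction in find_scanners(sample_flows()).items():
        print(f"{source}: {direction} scan")
```

Widening the window to 200 seconds also flags the slow source 10.1.2.50, which shows how the answer to the slide's question depends on the rate the defender chooses to tolerate.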

