UW CSEP 590 - Lecture Notes
Internet Outbreaks: Epidemiology and Defenses
Stefan Savage
Collaborative Center for Internet Epidemiology and Defenses
Department of Computer Science & Engineering
University of California at San Diego
In collaboration with Jay Chen, Cristian Estan, Ranjit Jhala, Erin Kenneally, Justin Ma, David Moore, Vern Paxson (ICSI), Colleen Shannon, Sumeet Singh, Alex Snoeren, Stuart Staniford (Nevis), Amin Vahdat, Erik Vandekeift, George Varghese, Geoff Voelker, Michael Vrable, Nick Weaver (ICSI)

Who am I?
- Assistant Professor, UCSD
- B.S., Applied History, CMU
- Ph.D., Computer Science, University of Washington
- Research at the intersection of networking, security and OS
- Co-founder of Collaborative Center for Internet Epidemiology and Defenses (CCIED)
  - One of four NSF Cybertrust Centers, joint UCSD/ICSI effort
  - Focused on large-scale Internet attacks (worms, viruses, botnets, etc)
- Co-founded a number of commercial security startups
  - Asta Networks (failed anti-DDoS startup)
  - Netsift Inc. (successful anti-worm/virus startup)

A Chicken Little view of the Internet…

Why Chicken Little is a naïve optimist
- Imagine the following species:
  - Poor genetic diversity; heavily inbred
  - Lives in “hot zone”; thriving ecosystem of infectious pathogens
  - Instantaneous transmission of disease
  - Immune response 10-1M times slower
  - Poor hygiene practices
- What would its long-term prognosis be?
- What if diseases were designed…
  - Trivial to create a new disease
  - Highly profitable to do so

Threat transformation
- Traditional threats
  - Attacker manually targets high-value system/resource
  - Defender increases cost to compromise high-value systems
  - Biggest threat: insider attacker
- Modern threats
  - Attacker uses automation to target all systems at once (can filter later)
  - Defender must defend all systems at once
  - Biggest threats: software vulnerabilities & naïve users

Large-scale technical enablers
- Unrestricted connectivity
  - Large-scale adoption of IP model for networks & apps
- Software homogeneity & user naiveté
  - Single bug = mass vulnerability in millions of hosts
  - Trusting users (“ok”) = mass vulnerability in millions of hosts
- Few meaningful defenses
  - Effective anonymity (minimal risk)

Driving economic forces
What service-oriented computing really means…
- No longer just for fun, but for profit
  - SPAM forwarding (MyDoom.A backdoor, SoBig), Credit Card theft (Korgo), DDoS extortion, etc…
  - Symbiotic relationship: worms, bots, SPAM, DDoS, etc
- Fluid third-party exchange market (millions of hosts for sale)
  - Going rate for SPAM proxying 3-10 cents/host/week
    - Seems small, but 25k botnet gets you $40k-130k/yr
  - Raw bots, $1+/host; Special orders ($50+)
  - “Virtuous” economic cycle
- Bottom line: Large numbers of compromised hosts = platform; DDoS, SPAM, piracy, identity theft = applications

Today’s focus: Outbreaks
- Outbreaks?
  - Acute epidemics of infectious malcode designed to actively spread from host to host over the network
  - E.g. Worms, viruses, etc (I don’t care about pedantic distinctions, so I’ll use the term worm from now on)
- Why epidemics?
  - Epidemic spreading is the fastest method for large-scale network compromise
- Why fast?
  - Slow infections allow much more time for detection, analysis, etc (traditional methods may cope)

Today
- Network worm review
- Network epidemiology
- Threat monitors & automated defenses

What is a network worm?
- Self-propagating self-replicating network program
- Exploits some vulnerability to infect remote machines
- Infected machines continue propagating infection

A brief history of worms…
- As always, Sci-Fi authors get it first
  - Gerold’s “When H.A.R.L.I.E. was One” (1972) – “Virus”
  - Brunner’s “Shockwave Rider” (1975) – “tapeworm program”
- Shoch & Hupp co-opt idea; coin term “worm” (1982)
  - Key idea: programs that self-propagate through network to accomplish some task; benign
- Fred Cohen demonstrates power and threat of self-replicating viruses (1984)
- Morris worm exploits buffer overflow vulnerabilities & infects a few thousand hosts (1988)
- Hiatus for over a decade…

The Modern Worm era
- Email based worms in late 90’s (Melissa & ILoveYou)
  - Infected >1M hosts, but requires user participation
- CodeRed worm released in Summer 2001
  - Exploited buffer overflow in IIS; no user interaction
  - Uniform random target selection (after fixed bug in CRv1)
  - Infects 360,000 hosts in 10 hours (CRv2)
  - Attempted to mount simultaneous DDoS attack on whitehouse.gov
  - Like the energizer bunny… still going
- Energizes renaissance in worm construction (1000’s)
  - Exploit-based: CRII, Nimda, Slammer, Blaster, Witty, etc…
  - Human-assisted: SoBig, NetSky, MyDoom, etc…
  - 6200 malcode variants in 2004; 6x increase from 2003 [Symantec]

Anatomy of a worm: Slammer
- Exploited SQL server buffer overflow vulnerability
- Worm fit in a single UDP packet (404 bytes total)
- Code structure
  - Cleanup from buffer overflow
  - Get API pointers
    - Code borrowed from published exploit
  - Create socket & packet
  - Seed PRNG with getTickCount()
  - While (TRUE)
    - Increment Pseudo-RNG
      - Mildly buggy
    - Send packet to pseudo-random address
- Main advancement: doesn’t listen (decouples scanning from
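The “why epidemics / why fast?” and CodeRed slides above, worked as an added example that is not part of the lecture: the standard random-scanning worm model (logistic SI equation da/dt = K a (1 - a), with K = per-host scan rate x vulnerable hosts / 2^32), using the slides’ 360,000 CodeRed v2 hosts and an assumed scan rate of 6 scans/s per infected host. It reports the hours to reach 50% infection and the 1% to 50% window a defender has to notice and react, and compares a spreader 100x slower to show why speed is what defeats traditional detection.

```python
import math

# Random-scanning worm epidemic model (SI / logistic model). Added example
# for the "why epidemics / why fast?" slides; the 360,000 host count comes
# from the CodeRed v2 slide, every other parameter is an assumption.

IPV4_SPACE = 2 ** 32          # addresses a uniform random scanner picks from
CODERED_V2_HOSTS = 360_000    # infected host count stated on the slides
ASSUMED_SCAN_RATE = 6.0       # assumption: scans per second per infected host

def infection_constant(scan_rate, vulnerable, address_space=IPV4_SPACE):
    """K = scans/s * P(a random scan hits a vulnerable host); da/dt = K a (1 - a)."""
    return scan_rate * vulnerable / address_space

def infected_fraction(t_seconds, k, a0):
    """Closed-form logistic solution: fraction of vulnerable hosts infected at time t."""
    growth = math.exp(k * t_seconds)
    return a0 * growth / (1.0 - a0 + a0 * growth)

def time_to_fraction(target, k, a0):
    """Seconds until the infected fraction reaches `target` (requires 0 < a0 < target < 1)."""
    return math.log((target / (1.0 - target)) * ((1.0 - a0) / a0)) / k

def half_infection_hours(scan_rate, vulnerable=CODERED_V2_HOSTS, initial_infected=1):
    """Hours from a single seed host to half of the vulnerable population."""
    k = infection_constant(scan_rate, vulnerable)
    return time_to_fraction(0.5, k, initial_infected / vulnerable) / 3600.0

def detection_window_hours(scan_rate, vulnerable=CODERED_V2_HOSTS, initial_infected=1):
    """Hours between 1% and 50% infected: the time a defender has to notice and react."""
    k = infection_constant(scan_rate, vulnerable)
    a0 = initial_infected / vulnerable
    return (time_to_fraction(0.5, k, a0) - time_to_fraction(0.01, k, a0)) / 3600.0

if __name__ == "__main__":
    # Fast random scanner versus a spreader 100x slower (e.g. one needing user help).
    for rate in (ASSUMED_SCAN_RATE, ASSUMED_SCAN_RATE / 100):
        print(f"{rate:6.2f} scans/s: 50% infected after {half_infection_hours(rate):7.1f} h, "
              f"1%->50% window {detection_window_hours(rate):7.1f} h")
```

With the assumed 6 scans/s the model reaches 50% of the 360,000 hosts in about 7 hours, in line with the slide’s 10-hour figure, and leaves roughly 2.5 hours between 1% and 50% infected; the 100x slower spreader stretches that window to about 250 hours.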