1
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
Univ. Massachusetts, Amherst
2
Routing Worm Summary
Routing worm: contains information on BGP routing prefixes in the worm code.
A faster-spreading worm: the Internet's routable IP space is less than 30% of the entire IPv4 space. Scanning the routable space instead of the entire IPv4 space increases propagation speed by 2 ~ 3.5 times.
A selective attack worm: IP address → routing prefix → AS → ISP, country. It can pinpoint attacks on vulnerable hosts in a specific target; more generally, a selective attack can be based on any information derived from compromised hosts.
3
BGP Routing Table Introduction
BGP (Border Gateway Protocol): the inter-autonomous-system routing protocol.
Backbone BGP routers contain all routable prefixes (without a default route).
[Figure: percentage of routable IPv4 space over time, 11/97 to 09/03; y-axis 22% to 30%, x-axis time (1997 ~ 2003).]
Routable IPv4 space increases slowly: NAT, CIDR, DHCP.
4
BGP Routing Worm
Contains the BGP non-overlapping prefixes. Non-overlapping prefixes: remove "128.119.85/24" if the BGP table already contains "128.119/16". This reduces 140602 prefixes to 62053 prefixes (Sept. 22, 2003).
Payload requirement: 175KB, a big payload for Internet-scale worm propagation.
Increases the worm's speed by 3.5 times: the scanning space is 28.6% of the entire IPv4 space.
5
Class A Routing Worm
IANA publishes the Class A address allocations: a Class A block is x.0.0.0/8, and there are 256 Class A blocks in the IPv4 space.
116 Class A blocks contain all BGP routable space. Scanning space: 45.3%; payload: 116 bytes.
Excerpt from the IANA allocation table:
002/8 : IANA - Reserved
003/8 : General Electric Company
056/8 : U.S. Postal Service
214/8 : US-DOD
216/8 : ARIN
217/8 : RIPE NCC
224/8 : IANA - Multicast
6
Routing Worm based on Aggregated BGP Prefixes
Two extreme cases of routing worms: the BGP routing worm (all prefixes in BGP) and the Class A routing worm (only "/8" prefixes).
Routing worm based on aggregated prefixes: "/n" aggregation combines several longer prefixes into a shorter "/n" prefix, e.g. "128.119.5/24" + "128.119.2/24" → "128.119/16" or "128.119.0/19". Class A prefixes are the result of "/8" aggregation.
7
Routing Worm based on Aggregated BGP Prefixes
Flexible trade-off between scanning space and prefix payload.
[Figure, left panel: worm prefix payload (0 to 25KB) and percentage of scanning space (25% to 50%) versus "/n" aggregation, n = 8 ~ 16.]
[Figure, right panel: payload vs. scanning space trade-off; worm prefix payload (5KB to 25KB) against percentage of scanning space (30% to 46%).]
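The prefix processing behind slides 4, 6 and 7, as an added example that is not the paper's own code: it removes prefixes covered by a shorter prefix, performs "/n" aggregation, and measures prefix count, payload size and share of the IPv4 space for each n. The BGP entries are a constructed sample, and the byte encoding of a prefix list is an assumption (the paper's exact format is not given on the slides).

```python
import ipaddress
import math

# Constructed sample of BGP table entries (a real table held ~140k entries in 2003).
SAMPLE_BGP_PREFIXES = [
    "3.0.0.0/8",
    "4.0.0.0/9", "4.128.0.0/10", "4.192.0.0/11",  # three pieces of 4.0.0.0/8
    "128.119.0.0/16", "128.119.85.0/24",           # the /24 lies inside the /16
    "130.0.5.0/24", "130.0.2.0/24",                # two /24s with no covering prefix
]

def non_overlapping(prefixes):
    """Drop every prefix that lies inside a shorter prefix also present (slide 4)."""
    nets = sorted({ipaddress.ip_network(str(p)) for p in prefixes},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    kept = []
    for net in nets:
        # Sorted by address, so a prefix covering `net` can only be the last kept one.
        if kept and net.subnet_of(kept[-1]):
            continue
        kept.append(net)
    return kept

def aggregate(prefixes, n):
    """'/n' aggregation (slide 6): widen prefixes longer than /n to their enclosing /n."""
    widened = {net if net.prefixlen <= n else net.supernet(new_prefix=n)
               for net in non_overlapping(prefixes)}
    return non_overlapping(widened)

def scanning_space_share(nets):
    """Fraction of the 2^32 IPv4 space covered by a non-overlapping prefix list."""
    return sum(net.num_addresses for net in nets) / 2 ** 32

def payload_bytes(nets):
    """Assumed compact encoding (not the paper's exact format): ceil(len/8) address
    bytes per prefix, plus one length byte unless every prefix has the same length
    (so a /8-only list costs one byte per prefix, matching slide 5's 116 bytes)."""
    length_byte = 0 if len({net.prefixlen for net in nets}) == 1 else 1
    return sum(length_byte + math.ceil(net.prefixlen / 8) for net in nets)

def describe(nets):
    """(prefix count, payload bytes, scanning-space share) for one prefix list."""
    return len(nets), payload_bytes(nets), scanning_space_share(nets)

def tradeoff(prefixes, n_values=range(8, 17)):
    """Slide 7's curves: describe() of the '/n'-aggregated list for each n."""
    return {n: describe(aggregate(prefixes, n)) for n in n_values}

if __name__ == "__main__":
    for n, (count, size, share) in tradeoff(SAMPLE_BGP_PREFIXES).items():
        print(f"/{n:2d}: {count} prefixes, {size} bytes, {100 * share:.4f}% of IPv4")
```

Feeding a full routing table (one prefix per line) into `tradeoff` reproduces the payload-versus-scanning-space curve of slide 7 for that table.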
8
Routing Worm Propagation Study
[Propagation model equation not preserved in the transcript]
where N: # of vulnerable hosts; scan rate; scanning space.
[Figure: number of infected hosts (0 to 4x10^5) vs. time t (minutes), three panels: (a) BGP routing worm, Class A routing worm, traditional worm (0 to 700 min); (b) BGP routing worm, Class A routing worm, hit-list worm (0 to 400 min); (c) hit-list routing worm, hit-list worm, traditional worm (0 to 600 min).]
N=360,000; scan rate 358 scans/min; I(0)=10 (10,000 for a hit-list worm).
Comparison of the Code Red worm, a routing worm, a hit-list worm, and a hit-list routing worm.
9
Routing Worm: A Selective Attack Worm
Selective attack: the worm has different behaviors on different compromised hosts.
Routing worm: imposes damage based on the geographical information of the IP addresses of compromised hosts.
Geographical information of IP addresses: IP address → routing prefix → AS (from the BGP routing table); AS → company, ISP, country (from published research).
Pinpoint attacks on vulnerable hosts in a specific target: a potential terrorist attack.
10
Selective Attack: a Generic Attacking Technique
Selective attack: imposes damage based on any information a worm can get from compromised hosts: OS (e.g. illegal OS, language, time zone), software (e.g. a specific installed program), hardware (e.g. CPU, memory, network card).
Selective attack can also improve propagation speed by maximizing the infectious power of each compromised host. Multi-threaded worm: generates different numbers of threads on different computers based on CPU, memory, and connection speed.
11
Defense: Upgrading IPv4 to IPv6
Routing worm: reduces the worm's scanning space. Effective, and easier to implement than a hit-list worm. Difficult to prevent: BGP tables and IP geographical information are public.
Defense: increasing the worm's scanning space.
Upgrading IPv4 to IPv6: the smallest network in IPv6 has a 2^64 IP address space. A worm needs 40 years to infect 50% of the vulnerable hosts in such a network when N=1,000,000, scan rate 100,000/sec, I(0)=1000. Limitation: applies to scan-based worms only.
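The propagation model of slide 8 worked through in closed form for both the slide 8 comparison and slide 11's IPv6 estimate; this is an added example, not the paper's code. It assumes the simple epidemic model dI/dt = eta*I*(N-I)/omega, which the three labelled quantities (number of vulnerable hosts N, scan rate eta, scanning space omega) describe and whose equation did not survive in this transcript; the 45.3% and 28.6% scanning spaces come from slides 5 and 4.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def infected(t, N, eta, omega, I0):
    """Closed-form I(t) of the simple epidemic model dI/dt = eta*I*(N-I)/omega
    (assumed model): N vulnerable hosts, eta scans per time unit per infected host,
    omega addresses in the scanning space, I0 initially infected hosts."""
    return N / (1 + (N / I0 - 1) * math.exp(-eta * N * t / omega))

def time_to_fraction(N, eta, omega, I0, fraction=0.5):
    """Time until `fraction` of the N vulnerable hosts is infected (infected() solved
    for t). It grows linearly with omega: scanning 28.6% of the space cuts the time
    to 28.6%, i.e. the 3.5x speed-up of slide 4."""
    target = fraction * N
    if not I0 < target < N:
        raise ValueError("fraction must lie strictly between I0/N and 1")
    return omega / (eta * N) * math.log((N / I0 - 1) / (N / target - 1))

def slide8_comparison():
    """Slide 8 parameters: N=360,000, 358 scans/min, I(0)=10 (10,000 for a hit-list
    worm); scanning spaces: whole IPv4, 45.3% (Class A), 28.6% (BGP prefixes).
    Returns minutes until half of the vulnerable hosts are infected."""
    N, eta, ipv4 = 360_000, 358.0, 2.0 ** 32
    return {
        "traditional worm": time_to_fraction(N, eta, ipv4, 10),
        "Class A routing worm": time_to_fraction(N, eta, 0.453 * ipv4, 10),
        "BGP routing worm": time_to_fraction(N, eta, 0.286 * ipv4, 10),
        "hit-list worm": time_to_fraction(N, eta, ipv4, 10_000),
        "hit-list routing worm": time_to_fraction(N, eta, 0.286 * ipv4, 10_000),
    }

def ipv6_years_to_half(N=1_000_000, eta=100_000.0, I0=1000):
    """Slide 11: the smallest IPv6 network has 2^64 addresses; with 100,000 scans/sec
    and I(0)=1000, the years needed to infect 50% of N=1,000,000 hosts."""
    return time_to_fraction(N, eta, 2.0 ** 64, I0) / SECONDS_PER_YEAR

if __name__ == "__main__":
    results = slide8_comparison()
    base = results["traditional worm"]
    for name, minutes in results.items():
        print(f"{name:22s} {minutes:7.1f} min to 50%  ({base / minutes:.2f}x faster)")
    print(f"IPv6 /64 network: {ipv6_years_to_half():.1f} years to 50%")
```

With the slide 8 parameters the traditional worm reaches 50% infection in about 350 minutes and the BGP routing worm in about 100, while the IPv6 case lands at roughly 40 years, matching the figures the slides quote.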
12
Summary
Routing worm: contains information on BGP routing prefixes in the worm code.
Routing worm: a faster-spreading worm. It scans the routable space (< 30%) instead of the entire IPv4 space, increasing propagation speed by 2 ~ 3.5 times.
Routing worm: a selective attack worm. IP address → routing prefix → AS → ISP, country. It can pinpoint attacks on vulnerable hosts in a specific target; a selective attack can be based on any information a worm can get from compromised hosts.
Defense: increase a worm's scanning space by upgrading IPv4 to IPv6.