1

Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai

Univ. Massachusetts, Amherst

2

Routing Worm Summary

Routing worm: contains information of BGP routing prefixes in the worm code.

A faster spreading worm Internet routable IP space < 30% of entire IPv4

space. Scanning routable space instead of entire IPv4 space. Increasing propagation speed by 2 ~ 3.5 times.

A selective attack worm IP address routing prefix AS ISP, country

Pinpoint attacking vulnerable hosts in a specific target Selective attack based on any information derived

from compromised hosts.

3

BGP Routing Table Introduction

BGP (Border Gateway Protocol) Inter-autonomous system routing protocol.

Backbone BGP routers contain all routable prefixes (without default route)

11/97 11/98 11/99 11/00 11/01 11/02 09/03

22%

24%

26%

28%

30%

Time (1997 ~ 2003)

Pe

rce

nta

ge

Routable IPv4 space increases slowly NAT CIDR DHCP

4

BGP Routing Worm

Contains BGP non-overlapping prefixes: Non-overlapping prefixes:

Remove “128.119.85/24” if BGP contains “128.119/16”. 140602 prefixes 62053 prefixes (Sept. 22,

2003)

Payload requirement: 175KB Big payload for Internet-scale worm propagation.

Increasing worm’s speed by 3.5 times. Scanning space is 28.6% of entire IPv4 space.

5

Class A Routing Worm

IANA provides Class A address allocations Class A (x.0.0.0/8); 256 Class A in IPv4 space.

116 Class A contain all BGP routable space. Scanning space: 45.3%; payload: 116 Bytes.

002/8 : IANA - Reserved

003/8 : General Electric Company

056/8 : U.S. Postal Service

214/8 : US-DOD

216/8 : ARIN

217/8 : RIPE NCC

224/8 : IANA - Multicast

6

Routing Worm based on Aggregated BGP Prefixes

Two extreme cases of routing worms: BGP routing worm: all prefixes in BGP Class A routing worm: only “/8” prefixes

Routing worm based on aggregated prefixes “/n” aggregation: combine several longer

prefixes into a shorter “/n” prefix. “128.119.5/24” + “128.119.2/24” “128.119/16” or

“128.119.0/19” Class A prefixes are results of “/8” aggregation.

7

Routing Worm based on Aggregated BGP Prefixes

Flexible trade-off between: Scanning space Prefix payload

0

5KB

10KB

15KB

20KB

25KB

"/n" Aggregation

Wo

rm P

refix

Pa

ylo

ad

8 9 10 11 12 13 14 15 1625%

30%

35%

40%

45%

50%

Pe

rce

nta

ge

of

Sca

nn

ing

Sp

ace

W orm Prefix Payload

Percentage of Scanning Space

30% 34% 38% 42% 46%

5KB

10KB

15KB

20KB

25KB

Percentage of Scanning SpaceW

orm

Pre

fix P

ayl

oa

d“/n” aggregation (n=8~16) Payload vs. Scanning space trade-off

8

Routing Worm Propagation Study

: # of vulnerable : Scan rate : Scanning space

where

0 100 200 300 400 500 600 7000

0.5

1

1.5

2

2.5

3

3.5

4x 10

5

Time t (minute)

Nu

mb

er

of

infe

cte

d h

ost

s

BGP routing wormClass A routing wormTraditional worm

0 100 200 300 4000

0.5

1

1.5

2

2.5

3

3.5

4x 10

5

Time t (minute)

BGP routing wormClass A routing wormHit-list worm

0 100 200 300 400 500 6000

0.5

1

1.5

2

2.5

3

3.5

4x 10

5

Time t (minute)

Hitlist routing wormHitlist wormTraditional worm

N=360,000; =358 scans/min; I(0)=10 ( 10,000 for a hit-list worm )

Comparison of the Code Red worm, a routing worm, a hit-list worm, a hit-list routing worm

9

Routing Worm: A Selective Attack Worm

Selective Attack: worm has different behaviors on different compromised hosts.

Routing worm: imposes damage based on geographical information of IP addresses of compromised hosts

Geographical information of IP addresses IP address Routing prefix AS

AS Company, ISP, Country Pinpoint attacking vulnerable hosts in a specific target Potential terrorist’s attack

BGP routing table

Researches

10

Selective Attack: a Generic Attacking Technique

Selective attack: imposes damage based on any information a worm can get from compromised hosts OS (e.g. : illegal OS, language, time zone ) Software (e.g. : installed a specific program) Hardware ( e.g. : CPU, memory, network card)

Selective attack: improving propagation speed Maximize infectious power of each compromised

host. Multi-thread worm: generates different numbers of threads

on different computers based on CPU, memory, and connection speed.

11

Defense: Upgrading IPv4 to IPv6

Routing worm: Reducing worm scanning space Effective, easier than hit-list worm to implement Difficult to prevent:

public BGP tables and IP geographical information

Defense: Increasing worm scanning space

Upgrading IPv4 to IPv6 The smallest network in IPv6 has 264 IP address space. A worm needs 40 years to infect 50% of vulnerable hosts

in a network when N=1,000,000, =100,000/sec, I(0)=1000 Limitation: for scan-based worms only

12

Summary

Routing worm: contains information of BGP routing prefixes in the worm code.

Routing worm: a faster spreading worm Scans routable space (< 30%) instead of entire IPv4 space. Increasing propagation speed by 2 ~ 3.5 times.

Routing worm: a selective attack worm IP address routing prefix AS ISP, Country

Pinpoint attacking vulnerable hosts in a specific target Selective attack based on any information a worm can get

from compromised hosts.

Defense: Increase a worm’s scanning space

IPv4 upgrade to IPv6