very fast containment of scanning worms presenter: yan gao...
Post on 20-Dec-2015
218 views
TRANSCRIPT
Very Fast containment of Scanning Worms
Presenter: Yan Gao
------------------------------------------------Authors: Nicholas Weaver Stuart Staniford Vern
Paxson
Outline
Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment
Scanning Worms What is scanning worm?
--- Operate by picking “random” address and attempt to infect the machine.
Blaster – linear scanning Code Red – fully random Code Red II & Nimda – bias toward local addresses
Common properties of scanning worms: Most scanning attempts result in failure. Infected machines will institute many connection
attempts.
Scanning Worms How to mitigate the spread of worms?
Prevention Reduce size of vulnerable population Insufficient to counter worm threat Why?? … single vulnerability in a popular software
system can translate to millions of vulnerable hosts Treatment
Once a host is infected, clean it up immediately (Antivirus Software, Patches)
Reduce vulnerable hosts and rate of infection Limitation… long time to develop cleanup code, and
too slow to have a significant impact People don’t install patches
Containment
Containment
Protect individual networks and isolate infected hosts Examples: firewalls, content filters,
automated blacklists Most Promising Solution
Can be completely automated Containment does not require
participation of each and every host on the internet
Containment Properties Reaction time
Detection of malicious activity Propagation of the containment information
to all hosts participating the system Activating any containment strategy.
Containing Strategy Address blacklisting
Maintain a list of IP addresses that have been identified as being infected.
Drop all the packets from one of the addresses in the list.
Advantage: can be implemented easily with existing filtering technology.
Disadvantage: must be updated continuously to reflect newly infected hosts
Containment (contd.) Content filtering
Requires a database of content signatures known to represent particular worms.
Requires additional technology to automatically create appropriate content signatures.
Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation
Deployment scenarios Ideally, a global deployment is preferable. Practically, a global deployment is impossible. May be deploying at the border of ISP networks
Worm Containment Defense against scanning worms
Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts;
Leverage the anomaly of a local host attempting to connect to multiple other hosts.
Containment looks for a class of behavior rather than specific worm signature --- able to stop new worms.
Worm Containment Break the network into many cells
Within each cell a worm can spread unimpeded. Between cells, containment limits infections by
blocking outgoing connections from infected cells. Must have very low false positive rate.
Blocking suspicious machines can cause a DOS if false positive rate is high.
Need for complete deployment within an enterprise
Integrated into the network’s outer switches or similar hardware elements
Epidemic Threshold Worm-suppression device must
necessarily allow some scanning before it triggers a response. Worm may find a victim during that time.
The epidemic threshold depends on: The sensitivity of the containment response
devices The density of vulnerable machines on the
network --- NAT and DHCP The degree to which the worm is able to
target its efforts into the correct network, and even into the current cell.
Sustained Scanning Threshold
If worm scans slower than sustained scanning threshold, the detector will not trigger. Vital to achieve as low a sustained
scanning threshold as possible. For this implementation threshold set
to 1 scan per minute.
Outline
Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment
Hardware Implementation
Constraints: Memory access speed
On duplex gigabit Ethernet, can only access DRAM 4 times
Memory size Attempt to keep footprint under 16MB
The number of distinct memory banks
Hardware Implementations Approximate caches
--- collisions cause imperfections (bloom filter) Fixed memory available Allow collisions to cause aliasing Err on the side of false negative
Attacker behavior Predicting the hashing algorithm
--- keyed hash function Simply overwhelming the cache
Hardware Implementations
Efficient small 32 bit block ciphers Prevent attackers from controlling
collisions Permute the N-bit value Separate the resulting N-bit value into
an index and a tag
Outline
Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment
Scan Suppression
Responding to detected portscans by blocking future scanning attempts.
Portscans have two basic types: Horizontal – search for identical service
on large number of machines. Vertical – examine an individual machine
to discover running services.
Scan SuppressionProtect the enterprise, forget the Internet
Preventing scans from Internet is too hard
If inside node is infected, filter sees all traffic
Cell (local area network) is “outside”, Enterprise larger internet network is “inside”
Can also treat entire enterprise as cell, Internet as outside
Internet
Inside
Scan detectorsOutside
Outside
Scan Suppression Derived from Threshold Random Walk
(TRW) scan detection. The algorithm operates by using an oracle
to determine if a connection will fail or succeed.
By modeling the benign traffic as having a different probability of success than attack traffic, TRW can make a decision regarding the likelihood that a particular series of connection attempts from a given host.
Assumption: benign traffic has a higher probability of success than attack traffic
Scan Suppression Strategies:
Track connections and addresses using approximate caches;
Replace the old addresses and old ports if the corresponding entry has timed out;
Track addresses indefinitely as long as we do not have to evict their state from our caches;
Detect vertical as well as horizontal TCP scans, and horizontal UDP scans;
Implement a “hygiene filter” to thwart some stealthy scanning techniques without causing undue restrictions on normal machines.
Connection Cache
Recording if we’ve seen a packet in each direction Aliasing turns failed attempt into success (biases to
false negative) Age is reset on each forwarded packet Every minute, back ground process purges entries older
than Dconn
Address Cache Track
“outside” addresses
Counter keeps difference between successes and failures
Counts are decremented every Dmiss seconds
Algorithm Pseudo-code
Parameters and Tuning
Parameters: T: miss-hit difference that causes block Cmin: minimum allowed count Cmax: maximum allowed count Dmiss: decay rate for misses Dconn: decay rate for idle connections Cache size and associativity
Evaluation For 6000-host enterprise trace:
1MB connection cache, 4MB 4-way address cache = 5MB total
At most 4 memory accesses per packet Operated at gigabit line-speed Detects scanning at rates over 1 per minute Low false positive rate About 20% false negative rate Detects scanning after 10-30 attempts
Outline
Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment
Cooperation Divide enterprise into small cells Connect all cells via low-latency channel A cell’s detector notifies others when it
blocks an address (“kill message”) Blocking threshold dynamically adapts
to number of blocks in enterprise: T’ = T(1 – θ)X, for very small θ Changing θ does not change epidemic
threshold, but reduces infection density
Cooperation – Effect of θ
Outline
Worm containment Hardware implementations Scan suppression Cooperation Attacking worm containment
Attacking worm containment
False positives Forge packets (though this does not prevent
inside systems from initiating connections)
False negatives Use a non-scanning technique
(topological, meta-server, passive and hit-list)
Scan under detection threshold Use a white-listed port to test for
liveness before scanning
Attacking Cooperation Attempt to outrace containment if
threshold is permissive Flood cooperation channels Cooperative collapse:
False positives cause lowered thresholds
Lowered thresholds cause more false positives
Feedback causes collapse of network
Attacking Worm Containment Detecting containment
Try to contact already infected hosts Go stealthy if containment is detected
Circumventing containment Embed scan in storm of spoofed packets Two-sided evasion:
Inside and outside host initiate normal connections to counter penalty of scanning
Can modify algorithm to prevent, but lose vertical scan detection
Conclusion
Develop containment algorithms suitable for deployment in high-speed, low-cost network hardware;
Devise the mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection.