Worm Origin Identification Using Random Moonwalks

1
Worm Origin Identification Using Random Moonwalks

• Rob and Isaac

2
Premise

• People keep getting away with worms
• Algorithm proposed can detect the source of worms

3
Deployment

• Requires extensive logs be kept of network
  traffic in order to be analyzed post mortem
• Paper assumes the implementation of something
  similar to IP traceback
• Requires massive cooperation between upper tier
  ISPs in order to be effective across the entire
  Internet.

4
The Storage Problem

• How much information do we really need to store?
• A back-of-the-envelope calculation in 21
  suggests that the amount of flow level storage
  requirement is not inconceivable.
• Quite the assertionBUT he just cited himself
  http//100x100network.org/papers/sekar-hotnets2004
  .pdf
• With all this self-citation going on, we
  practically have to perform a random moonwalk
  through their own papers to verify anything they
  say!

5
Breakdown of his Analysis

• Assumes 1000 bit average packet size, average
  flow of 10 packets per second, comes to average
  of 108 flows/sec. etc. etc.
• Numbers are rather arbitrary
• Storage is 4.5 TB per one hour of storage,
  distributed among POPs

6
Technicalities

• 1 hr of data costs about 7500 (5 TB)
• 24 hours of storage 180,000
• 1 week of storage 1.2 million
• This does not include maintenance, security
  costs, or any other relevant costs.
• Who is going to pay for this?

7
The Low-Rate Problem

• Keep in mind, source-detection is done via post
  mortem analysis
• If attacker can find out the logging capacity of
  ISP, simply have the worm distribute slower than
  normal flow (which the paper confirms that the
  algorithms performance is unpredictable against)
  but be in a dormant state and not attack
• If the time bomb worm distributes slowly enough
  to outlast logging capacity of the given ISP and
  then attacks aggressively simultaneously at a
  given time then the source of the attack has
  already been lost by the time networks realize
  they have been attacked

8
More Low-Rate Issues

• Analytic method employed relies on aggressiveness
  of the worm to be successful.
• So they use a simulation to demonstrate efficacy
  against low-rate worms.
• Simulation was in tightly controlled, small
  environment.
• Their own data demonstrates very rapid decrease
  in ability to detect causal edges with
  increasingly slow wormsback to time bomb
  situation.

9
The Spoof Problem

• Paper claims worms do not use spoofed source IP
  addresses because it does not yield successful
  attacks.
• All attacker needs to do is compromise a computer
  that is not his own, and propagate the worm from
  there.
• So even if the source is found, if the attacker
  is clever enough to do this, then hes safe.
• Remember One of the goals of this project is to
  aid law enforcement. But what good is knowing the
  originating host of a worm if we are dealing with
  an attacker who can cover his tracks?

10
The Security problem Problem

• Perhaps 3-4 major worms a year
• The proposed auditing system would require
  widespread cooperation
• This cooperative system has security problems of
  its own!
• What good is a detection system that is itself
  vulnerable to attack? If it could feasibly have
  been tampered with, no conviction can be made
  even if you CAN identify the source.
• Whos going to be responsible for this magical
  Network Forensic Alliance?

11
The Clock Synchronization Problem

• The proposed system relies on an assumption of
  quantized time intervals. This is crucial to
  their analytic method explaining the
  effectiveness of their work.
• However, in large scale deployment, it will be
  very difficult to achieve the kind of clock
  synchronization that will be necessary to
  properly analyze data.
• Clock skew can throw off delta-T, which can
  effect the results dramatically.

12
The Justice Problem

• Convictions result in mild slap on the wrist
• Sasser Worm 21 months suspended
• Blaster variant 18 months
• Samy 3 years probation, 90 days community
  service
• Zotob 2 years. (end of 2006, reduced to 1 year
  sentence)

13
Justice Problem (cont)

• SCO posted a 250,000 reward for MyDoom author,
  Microsoft posted similar award as well
• Whos going to pay 1.2 million to track 1 week of
  logs when Microsoft is only willing to pay 250k
  to catch the criminal?
• Whos going to pay all this money just to see
  this kind of justice get carried out?

14
Justice Problem (cont)

• Sasser worm (origin Russia)
• Zotob (origin Morocco)
• Judicial systems are different across countries,
  and even if they find out where a worm came from,
  what can an ISP do anyways? What can a big
  corporation in the US do to an attacker in Iraq?

15
The Money Problem

• Individual victimized companies have to pay for
  clean up and repairs out of pocket
• This doesnt effect the ISPs bank accounts. Why
  should an ISP care enough to implement this
  system? Or pay the kind of money to create a
  logging system and join the NFA?

16
Money Problem (cont)

• ISPs that agree to join the NFA will have to
  charge customers higher prices compared to other
  ISPs due to the overhead of a system that
  doesnt prevent worms, but merely finds the
  originator and gives him 90 days of community
  service.

17
The Math Curiosity Problem

• Their paper is rich with technical details and
  calculations
• These calculations rely on fundamental
  assumptions which we have spent the previous 20
  minutes poking holes in.
• So that leaves all these fancy numbers as a mere
  mathematical curiosity that relies on some
  non-existent NFA, and broadly sweeping
  assumptions.
• This system would be better suited as a homework
  problem, not a real-world solution.

18
The There are obviously too many problems with
this Problem

• Need we say more?