Internet Quarantine: Requirements for Containing Self-Propagating Code - PowerPoint PPT Presentation

About This Presentation
Title:

Internet Quarantine: Requirements for Containing Self-Propagating Code

Description:

How effectively can any containment approach counter a worm epidemic on the ... La Brea. Intercept worm and place it in artificial persistent connection state ... – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Slides: 20
Provided by: Mat4223

Transcript and Presenter's Notes

Title: Internet Quarantine: Requirements for Containing Self-Propagating Code


1
Internet QuarantineRequirements for Containing
Self-Propagating Code
  • David Moore, Colleen Shannon, Geoffrey M.
    Voelker, Stefan Savage

2
Worm Security
  • Prevention
    • Stop the worms from propagating by eliminating
      security holes from software (infeasible)
  • Treatment
    • Remove the worm from the infected host
  • Containment
    • Stop the worm from spreading

3
Worm Containment
  • How effectively can any containment approach
    counter a worm epidemic on the Internet?
  • Time to detect
  • Identification and containment
  • Deployment

4
Background
  • History of Worms
    • First appeared in 1988
    • Few studies done on worms
  • Worm containment approaches
    • La Brea
      • Intercept worm and place it in artificial
        persistent connection state
      • Unclear how effective it is
    • Per-host throttling
      • Reduce the rate of new connections allowed
      • If universally deployed, can reduce worm spread
    • Firewall filters
      • Detect worms, then cut off communications using
        firewalls to block ports
    • NBAR
      • Developed by Cisco
      • Allows routers to block TCP sessions based on
        presence of certain strings in the session

5
Modeling Worms
  • Classic SI model

6
SI Model
  • Susceptible (S), Infected (I), population (N),
    contact rate (beta)
  • $dI/dt = \beta I S / N$
  • $dS/dt = -\beta I S / N$
  • Solving for the infected fraction $i(t) = I/N$
    (T as a constant of integration):
  • $i(t) = e^{\beta(t-T)} / (1 + e^{\beta(t-T)})$
  • Grows exponentially until majority are infected
  • Well known in public health community

7
Modeling Containment
  • Reaction Time
    • The time R in which the system can react to
      contain the worm
  • Containment Strategy
    • Address Blacklisting
      • Block traffic from malicious source IPs
      • Reaction time relative to each host
    • Content Filtering
      • Block traffic based on content
      • Reaction time from first infection
  • Deployment Scenario
    • Analyzed a few different deployment scenarios in
      the model
  • Finite Time Period
    • Restricted to looking at first 24 hours after
      worm appears

8
Idealized Deployment
  • Simulation Parameters
  • Code-Red Case Study
  • Generalized Worm Containment

9
Simulation Parameters
  • 360,000 vulnerable hosts
  • Probe rate of 10 per second
  • Probes randomly from time t = 0
  • Hosts notified of infected hosts at t = R

10
Code-Red Case Study
  • Address blacklisting
    • Containment with R < 20 minutes
    • Larger R allows spread
    • All susceptible hosts infected in 24 hours if R >
      2 hours
  • Content Filtering
    • Containment with R < 2 hours
    • Worm propagates until t = R, then stops
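The SI model of slide 6 and the two containment strategies of slides 7, 9, 10 and 12 can be run numerically. The Python below is an added example written for this transcript; it is not the authors' simulator, whose code is not on this page. It assumes the worm probes uniformly random IPv4 addresses, so the contact rate is beta = probe rate × N / 2^32, and it integrates the SI equations with Euler steps. Content filtering is modelled as every probe failing from t = R onward; address blacklisting as each infected host being blocked R seconds after its own infection. The helper names, the address-space assumption and the blacklist_threshold function (beta × R = 1, the point at which a blacklisted host infects on average one other host before being cut off) are mine.

```python
"""SI worm model from the slides, plus the two containment strategies
(content filtering and address blacklisting), run with the slides'
idealized parameters. Added example; not the authors' simulator."""
import math

# Assumption: the worm picks probe targets uniformly at random from IPv4 space,
# so one probe hits a vulnerable host with probability N / 2^32.
ADDRESS_SPACE = 2 ** 32


def contact_rate(probe_rate, n_vulnerable, address_space=ADDRESS_SPACE):
    """beta: expected vulnerable hosts contacted per second by one infected host."""
    return probe_rate * n_vulnerable / address_space


def si_closed_form(t, beta, big_t):
    """Slide 6 solution: i(t) = e^{beta(t-T)} / (1 + e^{beta(t-T)})."""
    x = math.exp(beta * (t - big_t))
    return x / (1.0 + x)


def integration_constant(beta, i0):
    """The T for which the closed form gives i(0) = i0."""
    return -math.log(i0 / (1.0 - i0)) / beta


def blacklist_threshold(probe_rate, n_vulnerable):
    """Reaction time R at which one blacklisted host infects, on average,
    exactly one other host before being blocked (beta * R = 1).  Shorter R
    makes the outbreak die out; longer R lets it grow."""
    return 1.0 / contact_rate(probe_rate, n_vulnerable)


def simulate(n_vulnerable, probe_rate, reaction_time, strategy="none",
             horizon=24 * 3600, dt=1.0):
    """Euler integration of dI/dt = beta * I_active * S / N over `horizon`
    seconds, starting from one infected host at t = 0.

    strategy: "none"      - no containment
              "content"   - content filters deployed everywhere at t = R:
                            no probe succeeds after that
              "blacklist" - each infected host's traffic is blocked R
                            seconds after that host was infected
    Returns the fraction of vulnerable hosts infected at the horizon.
    dt must be small compared with 1/beta for the integration to be accurate.
    """
    beta = contact_rate(probe_rate, n_vulnerable)
    window = max(1, int(round(reaction_time / dt)))  # steps a host stays active
    infected = 1.0          # total ever infected (SI: nobody recovers)
    active = 1.0            # hosts currently able to probe
    new_by_step = []        # infections produced per step (blacklist bookkeeping)
    for step in range(int(horizon / dt)):
        t = step * dt
        if strategy == "content" and t >= reaction_time:
            break
        susceptible = n_vulnerable - infected
        new = beta * active * susceptible / n_vulnerable * dt
        infected += new
        if strategy == "blacklist":
            new_by_step.append(new)
            active += new                       # newly infected hosts start probing
            if step + 1 == window:
                active -= 1.0                   # the seed host is blocked at t = R
            if step - window >= 0:
                active -= new_by_step[step - window]  # hosts infected R ago get blocked
        else:
            active = infected
    return infected / n_vulnerable


if __name__ == "__main__":
    N, RATE = 360_000, 10   # slide 9 parameters
    print(f"beta = {contact_rate(RATE, N):.3e} /s; "
          f"blacklist threshold R = {blacklist_threshold(RATE, N) / 60:.1f} min")
    for strategy, R in [("none", 0), ("content", 2 * 3600), ("content", 10 * 3600),
                        ("blacklist", 10 * 60), ("blacklist", 2 * 3600)]:
        frac = simulate(N, RATE, R, strategy)
        print(f"{strategy:9s} R = {R / 3600:5.2f} h -> {100 * frac:8.4f}% infected in 24 h")
    # slide 12: a 1000 probes/s worm with content filtering at R = 2 min
    frac = simulate(N, 1000, 120, "content", dt=0.1)
    print(f"1000 probes/s, content, R = 2 min -> {100 * frac:.2f}% infected")
```

With the slide 9 parameters the blacklist threshold comes out at about 20 minutes, content filtering with R = 2 hours leaves roughly 0.1% of hosts infected while R = 10 hours leaves essentially all of them, and a 1000 probes/s worm is already a few percent infected by the time a 2-minute content filter lands, which is the qualitative picture on slides 10 and 12.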

11
Modeling the Worm
  • Graphs: reaction time against the percentage of
    vulnerable hosts infected in the 24 hour
    time period analyzed

12
Generalized Worm Containment
  • Content Filtering vs. Address Blacklisting
  • Highly aggressive worms
    • Extremely challenging, even for content filtering
    • 1000 probes/sec requires R = 2 min

13
Practical Deployment
  • Far more limited
  • Network Model
  • Deployment Scenarios
  • Code-Red Case Study
  • Generalized Worm Containment

14
Network Model
  • Identify ASes on the Internet
  • Identify vulnerable hosts and their locations
  • Model AS paths between vulnerable hosts

15
Deployment Scenarios
  • Models levels of AS deployment of containment
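Slides 14 and 15 describe the network model only in outline. The Python below is an added toy version of that idea, not the authors' model and not built from their AS or routing data: a constructed seven-AS topology with constructed vulnerable-host counts per AS, shortest-path (BFS) routing standing in for BGP paths, and a function that reports what fraction of infected-host to target-host probe paths cross at least one AS that has deployed content filtering. The topology, host counts and all function names are assumptions.

```python
"""Toy network model in the spirit of slides 14-15: which probe paths between
vulnerable hosts cross an AS that has deployed content filtering.
Added example with a constructed topology; not the authors' model or data."""
from collections import deque

# Constructed AS-level topology: AS number -> directly connected ASes.
AS_LINKS = {
    1: [2, 3],        # small transit AS joining the two halves
    2: [1, 4, 5],
    3: [1, 5, 6],
    4: [2],           # stub (customer) ASes
    5: [2, 3, 7],
    6: [3],
    7: [5],
}
# Constructed number of vulnerable hosts located in each AS.
VULN_HOSTS = {1: 50, 2: 400, 3: 300, 4: 1000, 5: 800, 6: 600, 7: 900}


def as_path(src, dst, links=AS_LINKS):
    """Shortest AS path from src to dst (both endpoints included), found by
    BFS; stands in for the BGP paths the slides model from routing data."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in links[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no path from AS{src} to AS{dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def blocked_fraction(deploying, hosts=VULN_HOSTS, links=AS_LINKS):
    """Fraction of ordered (infected host, target host) pairs whose probe
    traverses at least one deploying AS.  A probe that stays inside one AS
    is filtered only if that AS itself deploys."""
    deploying = set(deploying)
    blocked = total = 0
    for a in hosts:
        for b in hosts:
            pairs = hosts[a] * hosts[b] if a != b else hosts[a] * (hosts[a] - 1)
            total += pairs
            if deploying & set(as_path(a, b, links)):
                blocked += pairs
    return blocked / total


def top_k_by_hosts(k, hosts=VULN_HOSTS):
    """ASes holding the most vulnerable hosts: a 'top ISPs' style deployment."""
    return [asn for asn, _ in sorted(hosts.items(), key=lambda kv: -kv[1])[:k]]


if __name__ == "__main__":
    for k in range(len(VULN_HOSTS) + 1):
        deploy = top_k_by_hosts(k)
        print(f"top {k} ASes deploy {deploy}: "
              f"{100 * blocked_fraction(deploy):5.1f}% of probe paths filtered")
```

The unfiltered share of probe paths is what a partial deployment leaves to the worm; scaling the idealized contact rate by (1 - blocked_fraction) gives a rough effective beta for the SI model, which is why the practical-deployment results on the following slides are so much weaker than the idealized ones.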

16
Code-Red Case Study
  • Uses same parameters as idealized model
  • Reaction time 2 hours

17
Generalized Worm Containment
  • Much smaller containment with network model
  • 100 top ISPs model
  • 50 customers model
    • Worse results than 100 top ISPs
  • Infeasible to contain even modest probe rates
    under these models

18
Deployment Scenarios
19
Conclusion
  • Very challenging to build containment systems
  • Order of minutes needed to respond effectively
  • In the future, worms will be more aggressive
  • Will require a great amount of effort and
    engineering to fight the spread of worms.