Internet Quarantine: Requirements for Containing SelfPropagating Code - PowerPoint PPT Presentation
Slides: 25
Provided by: tyw8
1
Internet Quarantine Requirements for Containing
Self-Propagating Code
  • David Moore et al.
  • University of California, San Diego

2
Outline
  • Background on worms, esp. Code-Red
  • What is a worm, esp. Code-Red?
  • Prevention, treatment and containment of the
    worm.
  • SI epidemic model and Code Red propagation model.
  • Simulations of Code Red propagation and
    containment system deployment.
  • Conclusion.

3
Background: what is a worm?
  • A worm is self-replicating software designed to
    spread through the network.
  • Worm vs. virus and Trojan horse
  • Viruses and Trojan horses rely on human
    intervention to spread.
  • A worm is autonomous.

4
Background: Code-Red v1
  • Outbreak: June 18, 2001
  • How it works
  • Buffer overflow exploit against the Microsoft IIS
    web server.
  • Upon infecting a machine, randomly generates a
    list of IP addresses.
  • Probes each address in the list.
  • Payload: DDoS attack against www1.whitehouse.gov.
  • Damage: little
  • Fixed random seed.

5
Background: Code-Red v2
  • Outbreak: July 19, 2001
  • How it works
  • Similar to Code-Red v1, but with a random seed.
  • Generates 11 probes per second.
  • Damage: severe
  • 359,000 machines were infected within 14 hours.

6
How to mitigate the threat of worms (1)
  • Three approaches
  • Prevention
  • Reduce the size of the vulnerable population.
  • E.g., a single vulnerability in a popular software
    system can result in millions of vulnerable
    hosts.
  • E.g., Code Red attacks millions of MS IIS web
    servers.

7
How to mitigate the threat of worms (2)
  • Treatment
  • E.g., virus scanner.
  • The time required to design, develop and test a
    fix for a security flaw is usually far too slow
    compared with the spread of the worm.
  • Containment
  • E.g., firewall, filters
  • Containment is used to protect individual
    networks and isolate infected hosts.

8
SI Model (1)
  • In this work, a vulnerable machine is described
    as a susceptible (S) machine.
  • An infected machine is described as infected (I).
  • Let N be the number of vulnerable machines.
  • Let S(t) be the number of susceptible hosts at
    time t, and s(t) be S(t)/N, where N = S(t) +
    I(t).
  • Let I(t) be the number of infected hosts at time
    t, and i(t) be I(t)/N.
  • Let be the contact rate of the worm.
  • Define

9
SI Model (2)
Solving the differential equation
where T is a constant
10
Code Red Propagation Model (1)
  • Code Red generates IPv4 addresses at random. Thus,
    there are 2^32 addresses in total.
  • Let r be the probe rate of a Code Red worm.
  • Thus

11
Code Red Propagation Model (2)
  • Two problems
  • Cannot model preferential targeting algorithms.
  • E.g., selecting targets from address ranges closer
    to the infected host.
  • The rate only represents the average contact
    rate.
  • E.g., a particular epidemic may grow significantly
    more quickly by making a few lucky targeting
    decisions in the early phase.

12
Code Red Propagation Model (3)
  • Example: 100 simulations of the Code Red
    propagation model

[Figure: after 4 hours, 55 on average, 80 at the
95th percentile, 25 at the 5th percentile]
13
Modeling Containment Systems (1)
  • A containment system has three important
    properties
  • Reaction time: the time necessary for
  • detection of malicious activity,
  • propagation of the containment information to all
    hosts participating in the system, and
  • activating any containment strategy.

14
Modeling Containment Systems (2)
  • Containment strategy
  • Address blacklisting
  • Maintain a list of IP addresses that have been
    identified as being infected.
  • Drop all packets from any address in the list.
  • E.g., mail filter.
  • Advantage: can be implemented easily with
    existing firewall technology.

15
Modeling Containment Systems (3)
  • Content filtering
  • Requires a database of content signatures known
    to represent particular worms.
  • This approach requires additional technology to
    automatically create appropriate content
    signatures.
  • Advantage: a single update is sufficient to
    describe any number of instances of a particular
    worm implementation.
  • Deployment scenarios
  • Ideally, a global deployment is preferable.
  • Practically, a global deployment is impossible.
  • Perhaps deploy at the borders of ISP networks.

16
Idealized Deployment (1)
  • Simulation goal
  • To find how short the reaction time must be to
    effectively contain a Code-Red style worm.
  • Simulation parameters
  • 360,000 vulnerable hosts out of 2^32 hosts.
  • Probe rate of a worm: 10 per sec.
  • Containment strategy implementation
  • Address blacklisting
  • Send IP addresses to all participating hosts.
  • Content filtering
  • Send the signature of the worm to all
    participating hosts.

17
Idealized Deployment (2)
  • Result: content filtering is more effective.

[Figure: number of susceptible hosts decreases over
time; curves labelled worm unchecked, 2 hr, 20 min]
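A worked example added here (not code from the slides or from Moore et al.): a deterministic SI simulation of a Code-Red-style random-scanning worm using the slide 16 parameters (360,000 vulnerable hosts out of 2^32, 10 probes/s), comparing no containment, global content filtering that drops every worm probe once the reaction time has elapsed, and address blacklisting that blocks each infected host one reaction time after its own infection. The per-host blacklisting delay, the one-second Euler step, the single initial infected host and the 4-hour horizon are modeling assumptions of this example.

```python
"""Added example: SI model of a Code-Red-style worm with idealized global
containment; the blacklisting delay model and Euler stepping are assumptions."""
import math
from collections import deque

ADDRESS_SPACE = 2 ** 32          # Code Red picks targets uniformly in IPv4

def contact_rate(probe_rate, vulnerable):
    """beta = r * N / 2^32: probes per second times P(a probe hits some
    vulnerable host); the slide's average contact rate."""
    return probe_rate * vulnerable / ADDRESS_SPACE

def si_fraction(t, beta, i0):
    """Closed-form SI solution: i(t) = i0 e^{beta t} / (1 - i0 + i0 e^{beta t})."""
    g = math.exp(beta * t)
    return i0 * g / (1 - i0 + i0 * g)

def blacklist_r0(probe_rate, reaction_s, vulnerable):
    """Probes one host sends before it is blacklisted, times the hit
    probability per probe; below 1.0 the epidemic cannot take off."""
    return probe_rate * reaction_s * vulnerable / ADDRESS_SPACE

def simulate(strategy, reaction_s, hours=4, vulnerable=360_000,
             probe_rate=10, i0=1.0):
    """One-second Euler steps (assumption). Returns the infected fraction.
    'none'      : worm unchecked.
    'filter'    : content filtering; every worm probe is dropped once the
                  reaction time has elapsed since the outbreak.
    'blacklist' : each host keeps probing for reaction_s after it is
                  infected, then its address is blocked everywhere."""
    infected = i0
    probing = i0                        # infected hosts still able to probe
    pending = deque([(0, i0)])          # (infection time, count) not yet blocked
    for t in range(hours * 3600):
        if strategy == "filter" and t >= reaction_s:
            break                       # signature deployed: spread stops
        if strategy == "blacklist":
            while pending and pending[0][0] + reaction_s <= t:
                probing -= pending.popleft()[1]
        new = probing * probe_rate * (vulnerable - infected) / ADDRESS_SPACE
        infected += new
        if strategy == "blacklist":
            pending.append((t, new))
            probing += new
        else:
            probing = infected
    return infected / vulnerable
```

In this simplified model the unchecked worm reaches roughly a third of the hosts in 4 hours, content filtering with a 20-minute reaction time leaves only a handful infected, and blacklist_r0 shows why a 2-hour blacklisting reaction time (about six new infections per host before it is blocked) barely differs from no containment.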
18
Idealized Deployment (3)
  • Next goal
  • To find the relationship between containment
    effectiveness and worm aggressiveness.
  • Figures are in log-log scale.

19
Idealized Deployment (4)
[Figure: percentage of infected hosts]
Address blacklisting is hopeless when
encountering aggressive worms.
20
Practical Deployment (1)
  • Network model
  • AS sets in the Internet
  • Routing table on July 19, 2001
  • 1st day of the Code Red v2 outbreak.
  • A set of vulnerable hosts and ASes
  • Use the hosts infected by Code Red v2 during the
    initial 24 hours of propagation.
  • A large and well-distributed set of vulnerable
    hosts.
  • 338,652 hosts distributed across 6,378 ASes.

21
Practical Deployment (2)
  • Deployment scenarios
  • Use content filtering only.
  • Filtering firewalls are deployed on the borders of
    both customer networks and ISP networks.

[Figure: deployment of the containment strategy.]
22
Practical Deployment (3)
  • Reaction time: 2 hrs

Difference in performance because of
the difference in path coverage.
23
Practical Deployment (4)
System fails to contain the worm.
24
Conclusion
  • Explore the properties of the containment system:
  • Reaction time
  • Containment strategy
  • Deployment scenario
  • In order to contain the worm effectively:
  • Requires automated and fast methods to detect and
    react to worm epidemics.
  • Content filtering is the most preferable
    strategy.
  • Have to cover all Internet paths when
    deploying the containment systems.