Very Fast containment of Scanning Worms

1
Very Fast containment of Scanning Worms

• Presenter Yan Gao
• ------------------------------------------------
• Authors Nicholas Weaver Stuart Staniford
  Vern Paxson

2
Outline

• Worm containment
• Hardware implementations
• Scan suppression
• Cooperation
• Attacking worm containment

3
Scanning Worms

• What is scanning worm?
• --- Operate by picking random address and
  attempt to infect the machine.
• Blaster linear scanning
• Code Red fully random
• Code Red II Nimda bias toward local addresses
• Common properties of scanning worms
• Most scanning attempts result in failure.
• Infected machines will institute many connection
  attempts.

4
Scanning Worms

• How to mitigate the spread of worms?
• Prevention
• Reduce size of vulnerable population
• Insufficient to counter worm threat
• Why?? single vulnerability in a popular
  software system can translate to millions of
  vulnerable hosts
• Treatment
• Once a host is infected, clean it up immediately
  (Antivirus Software, Patches)
• Reduce vulnerable hosts and rate of infection
• Limitation long time to develop cleanup code,
  and too slow to have a significant impact
• People dont install patches
• Containment

5
Containment

• Protect individual networks and isolate infected
  hosts
• Examples firewalls, content filters, automated
  blacklists
• Most Promising Solution
• Can be completely automated
• Containment does not require participation of
  each and every host on the internet

6
Containment Properties

• Reaction time
• Detection of malicious activity
• Propagation of the containment information to all
  hosts participating the system
• Activating any containment strategy.
• Containing Strategy
• Address blacklisting
• Maintain a list of IP addresses that have been
  identified as being infected.
• Drop all the packets from one of the addresses in
  the list.
• Advantage can be implemented easily with
  existing filtering technology.
• Disadvantage must be updated continuously to
  reflect newly infected hosts

7
Containment (contd.)

• Content filtering
• Requires a database of content signatures known
  to represent particular worms.
• Requires additional technology to automatically
  create appropriate content signatures.
• Advantage a single update is sufficient to
  describe any number of instances of a particular
  worm implementation
• Deployment scenarios
• Ideally, a global deployment is preferable.
• Practically, a global deployment is impossible.
• May be deploying at the border of ISP networks

8
Worm Containment

• Defense against scanning worms
• Works by detecting that a worm is operating in
  the network and then blocking the infected
  machines from contacting further hosts
• Leverage the anomaly of a local host attempting
  to connect to multiple other hosts.
• Containment looks for a class of behavior rather
  than specific worm signature --- able to stop new
  worms.

9
Worm Containment

• Break the network into many cells
• Within each cell a worm can spread unimpeded.
• Between cells, containment limits infections by
  blocking outgoing connections from infected
  cells.
• Must have very low false positive rate.
• Blocking suspicious machines can cause a DOS if
  false positive rate is high.
• Need for complete deployment within an enterprise
• Integrated into the networks outer switches or
  similar hardware elements

10
Epidemic Threshold

• Worm-suppression device must necessarily allow
  some scanning before it triggers a response.
• Worm may find a victim during that time.
• The epidemic threshold depends on
• The sensitivity of the containment response
  devices
• The density of vulnerable machines on the network
  --- NAT and DHCP
• The degree to which the worm is able to target
  its efforts into the correct network, and even
  into the current cell.

11
Sustained Scanning Threshold

• If worm scans slower than sustained scanning
  threshold, the detector will not trigger.
• Vital to achieve as low a sustained scanning
  threshold as possible.
• For this implementation threshold set to 1 scan
  per minute.

12
Outline

• Worm containment
• Hardware implementations
• Scan suppression
• Cooperation
• Attacking worm containment

13
Hardware Implementation

• Constraints
• Memory access speed
• On duplex gigabit Ethernet, can only access DRAM
  4 times
• Memory size
• Attempt to keep footprint under 16MB
• The number of distinct memory banks

14
Hardware Implementations

• Approximate caches
• --- collisions cause imperfections (bloom
  filter)
• Fixed memory available
• Allow collisions to cause aliasing
• Err on the side of false negative
• Attacker behavior
• Predicting the hashing algorithm
• --- keyed hash function
• Simply overwhelming the cache

15
Hardware Implementations

• Efficient small 32 bit block ciphers
• Prevent attackers from controlling collisions
• Permute the N-bit value
• Separate the resulting N-bit value into an index
  and a tag

16
Outline

• Worm containment
• Hardware implementations
• Scan suppression
• Cooperation
• Attacking worm containment

17
Scan Suppression

• Responding to detected portscans by blocking
  future scanning attempts.
• Portscans have two basic types
• Horizontal search for identical service on
  large number of machines.
• Vertical examine an individual machine to
  discover running services.

18
Scan Suppression

• Protect the enterprise, forget the Internet
• Preventing scans from Internet is too hard
• If inside node is infected, filter sees all
  traffic
• Cell (local area network) is outside,
  Enterprise larger internet network is inside
• Can also treat entire enterprise as cell,
  Internet as outside

Inside
Scan detectors
19
Scan Suppression

• Derived from Threshold Random Walk (TRW) scan
  detection.
• The algorithm operates by using an oracle to
  determine if a connection will fail or succeed.
• By modeling the benign traffic as having a
  different probability of success than attack
  traffic, TRW can make a decision regarding the
  likelihood that a particular series of connection
  attempts from a given host.
• Assumption benign traffic has a higher
  probability of success than attack traffic

20
Scan Suppression

• Strategies
• Track connections and addresses using approximate
  caches
• Replace the old addresses and old ports if the
  corresponding entry has timed out
• Track addresses indefinitely as long as we do not
  have to evict their state from our caches
• Detect vertical as well as horizontal TCP scans,
  and horizontal UDP scans
• Implement a hygiene filter to thwart some
  stealthy scanning techniques without causing
  undue restrictions on normal machines.

21
Connection Cache

• Recording if weve seen a packet in each
  direction
• Aliasing turns failed attempt into success
  (biases to false negative)
• Age is reset on each forwarded packet
• Every minute, back ground process purges entries
  older than Dconn

22
Address Cache

• Track outside addresses
• Counter keeps difference between successes and
  failures
• Counts are decremented every Dmiss seconds

23
Algorithm Pseudo-code
24
Parameters and Tuning

• Parameters
• T miss-hit difference that causes block
• Cmin minimum allowed count
• Cmax maximum allowed count
• Dmiss decay rate for misses
• Dconn decay rate for idle connections
• Cache size and associativity

25
Evaluation

• For 6000-host enterprise trace
• 1MB connection cache, 4MB 4-way address cache
  5MB total
• At most 4 memory accesses per packet
• Operated at gigabit line-speed
• Detects scanning at rates over 1 per minute
• Low false positive rate
• About 20 false negative rate
• Detects scanning after 10-30 attempts

26
Outline

• Worm containment
• Hardware implementations
• Scan suppression
• Cooperation
• Attacking worm containment

27
Cooperation

• Divide enterprise into small cells
• Connect all cells via low-latency channel
• A cells detector notifies others when it blocks
  an address (kill message)
• Blocking threshold dynamically adapts to number
  of blocks in enterprise
• T T(1 ?)X, for very small ?
• Changing ? does not change epidemic threshold,
  but reduces infection density

28
Cooperation Effect of ?
29
Outline

• Worm containment
• Hardware implementations
• Scan suppression
• Cooperation
• Attacking worm containment

30
Attacking worm containment

• False positives
• Forge packets (though this does not prevent
  inside systems from initiating connections)
• False negatives
• Use a non-scanning technique (topological,
  meta-server, passive and hit-list)
• Scan under detection threshold
• Use a white-listed port to test for liveness
  before scanning

31
Attacking Cooperation

• Attempt to outrace containment if threshold is
  permissive
• Flood cooperation channels
• Cooperative collapse
• False positives cause lowered thresholds
• Lowered thresholds cause more false positives
• Feedback causes collapse of network

32
Attacking Worm Containment

• Detecting containment
• Try to contact already infected hosts
• Go stealthy if containment is detected
• Circumventing containment
• Embed scan in storm of spoofed packets
• Two-sided evasion
• Inside and outside host initiate normal
  connections to counter penalty of scanning
• Can modify algorithm to prevent, but lose
  vertical scan detection

33
Conclusion

• Develop containment algorithms suitable for
  deployment in high-speed, low-cost network
  hardware
• Devise the mechanisms for cooperation that enable
  multiple containment devices to more effectively
  detect and respond to an emerging infection.