
Internet Quarantine- Requirements for Containing Self-.ppt

Internet Quarantine: Requirements for Containing Self-Propagating Code
David Moore et al., University of California, San Diego
Aleksandar Kuzmanovic, Rice University, COMP 629

Outline
- Background about worms, esp. Code-Red
  - What is a worm, esp. Code-Red
- Prevention, treatment and containment of the worm
- SI epidemic model and Code Red propagation model
- Simulations of Code Red propagation and containment system deployment
- Conclusion

Background: what is a worm?
- A worm is self-replicating software designed to spread through the network.
- Worm vs. virus and Trojan horse: viruses and Trojan horses rely on human intervention to spread. A worm is autonomous.

Background: Code-Red v1
- Outbreak: June 18, 2001
- How it works: buffer overflow exploit on the Microsoft IIS web server. Upon infecting a machine, it randomly generates a list of IP addresses and probes each of the addresses on the list.
- Payload: DDoS attack against www1.whitehouse.gov.
- Damage: little (fixed random seed).

Background: Code-Red v2
- Outbreak: July 19, 2001
- How it works: similar to Code-Red v1, but with a random seed. Generates 11 probes per second.
- Damage: severe. 359,000 machines were infected within 14 hours.

How to mitigate the threat of worms (1)
Three approaches:
- Prevention: reduce the size of the vulnerable population. E.g. a single vulnerability in a popular software system can result in millions of vulnerable hosts. E.g. Code Red attacks millions of MS IIS web servers.

How to mitigate the threat of worms (2)
- Treatment: e.g. virus scanner. The time required to design, develop and test a fix for a security flaw is usually far slower than the spread of the worm.
- Containment: e.g. firewalls, filters. Containment is used to protect individual networks and to isolate infected hosts.

SI Model (1)
In this work, a vulnerable machine is described as a susceptible (S) machine. An infected machine is described as infected (I).
- Let N be the number of vulnerable machines.
- Let S(t) be the number of susceptible hosts at time t, and s(t) be S(t)/N, where N = S(t) + I(t).
- Let I(t) be the number of infected hosts at time t, and i(t) be I(t)/N.
- Let be the contact rate of the worm.
Define:

SI Model (2)
Solving the differential equation:
where T is a constant

Code Red Propagation Model (1)
Code Red generates IPv4 addresses at random. Thus, there are 2^32 addresses in total. Let r be the probe rate of a Code Red worm. Thus:

Code Red Propagation Model (2)
Two problems:
- Cannot model preferential targeting algorithms, e.g. selecting targets from address ranges closer to the infected host.
- The rate only represents the average contact rate, e.g. a particular epidemic may grow significantly more quickly by making a few lucky targeting decisions in the early phase.

Code Red Propagation Model (3)
Example of 100 simulations of the Code Red propagation model. After 4 hours:
- 55% on average
- 80% in the 95th percentile
- 25% in the 5th percentile

Modeling Containment Systems (1)
A containment system has three important properties:
- Reaction time: the time necessary for detection of malicious activity, propagation of the containment information to all hosts participating in the system, and activation of any containment strategy.

Modeling Containment Systems (2)
Containment strategy
- Address blacklisting: maintain a list of IP addresses that have been identified as being infected. Drop all packets from any address in the list. E.g. mail filter. Advantage: can be implemented easily with existing firewall technology.

Modeling Containment Systems (3)
- Content filtering: requires a database of content signatures known to represent particular worms. This approach requires additional technology to automatically create appropriate content signatures. Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation.
Deployment scenarios
- Ideally, a global deployment is preferable.
- Practically, a global deployment is impossible. May be deployed at the border of ISP networks.

Idealized Deployment (1)
- Simulation goal: to find how short the reaction time must be to effectively contain a Code-Red style worm.
- Simulation parameters: 360,000 vulnerable hosts out of 2^32 hosts. Probe rate of a worm: 10 per sec.
- Containment strategy implementation:
  - Address blacklisting: send IP addresses to all participating hosts.
  - Content filtering: send the signature of the worm to all participating hosts.

Idealized Deployment (2)
Result: content filtering is more effective.
[Figure annotations: 20 min; 2 hr; number of susceptible hosts decreases; worms unchecked]

Idealized Deployment (3)
Next goal: to find the relationship between containment effectiveness and worm aggressiveness. Figures are in log-log scale.

Idealized Deployment (4)
[Figure axis: percentage of infected hosts]
Address blacklisting is hopeless when encountering aggressive worms.

Practical Deployment (1)
Network model
- AS sets in the Internet: routing table on July 19, 2001, the 1st day of the Code Red v2 outbreak.
- A set of vulnerable hosts and ASes: use the hosts infected by Code Red v2 during the initial 24 hours of propagation. A large and well-distributed set of vulnerable hosts: 338,652 hosts distributed in 6,378 ASes.

Practical Deployment (2)
Deployment scenarios
- Use content filtering only.
- Filtering firewalls are deployed on the borders of both the customer networks and the ISP networks.
[Figure: deployment of containment strategy]

Practical Deployment (3)
Reaction time: 2 hrs. Difference in performance because of the difference in path coverage.

Practical Deployment (4)
System fails to contain the worm.

Conclusion
- Explore the properties of the containment system:
  - Reaction time
  - Containment strategy
  - Deployment scenario
- In order to contain the worm effectively:
  - Automated and fast methods to detect and react to worm epidemics are required.
  - Content filtering is the most preferable strategy.
  - All the Internet paths have to be covered when deploying the containment systems.
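The idealized-deployment comparison above can be reproduced with a small deterministic model. This is an added example, not code from the slides or the paper. It assumes the standard SI logistic form with contact rate r·N/2^32, a single seed host, a blacklisting clock that starts at each host's own infection, and a content-filtering clock that starts at the first infection.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 space probed uniformly at random (slides)
N = 360_000               # vulnerable hosts (slides, idealized deployment)

def contact_rate(probe_rate=10.0):
    """SI contact rate per second: probes per second that land on a vulnerable host."""
    return probe_rate * N / ADDRESS_SPACE

def si_fraction(t, probe_rate=10.0, i0=1 / N):
    """Closed-form SI solution: infected fraction t seconds after the outbreak starts."""
    e = i0 * math.exp(contact_rate(probe_rate) * t)
    return e / (1 - i0 + e)

def blacklist_threshold(probe_rate=10.0):
    """Reaction time (s) below which blacklisting stops growth: an infected host
    must be silenced before it finds, on average, one new victim."""
    return 1 / contact_rate(probe_rate)

def simulate(reaction, strategy, probe_rate=10.0, hours=24, dt=1.0):
    """Euler-integrate the SI model under containment; return final infected fraction.
    'none'      : unchecked spread
    'blacklist' : each host is silenced `reaction` seconds after its own infection
    'filter'    : all worm traffic is dropped `reaction` seconds after the first infection
    (assumed, simplified versions of the two strategies on the slides)
    """
    beta = contact_rate(probe_rate)
    delay = int(reaction / dt)
    history = [1.0]                      # cumulative infected hosts, one seed host
    for k in range(int(hours * 3600 / dt)):
        infected = history[-1]
        if strategy == "none" or k < delay:
            active = infected            # containment has not reacted yet
        elif strategy == "filter":
            active = 0.0                 # signature deployed everywhere
        else:                            # blacklist: only recent infections still probe
            active = infected - history[k - delay]
        history.append(min(N, infected + beta * active * (1 - infected / N) * dt))
    return history[-1] / N

if __name__ == "__main__":
    print(f"blacklist threshold: {blacklist_threshold() / 60:.1f} min")
    for label, reaction in (("10 min", 600), ("2 hr", 7200)):
        for strategy in ("blacklist", "filter"):
            print(label, strategy, f"{simulate(reaction, strategy):.4%}")
```

With the slides' parameters the blacklisting threshold is just under 20 minutes and shrinks in proportion to the probe rate, which is why blacklisting fails against more aggressive worms.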
