How to Own the Internet in your spare time - PowerPoint PPT Presentation

About This Presentation
Title:

How to Own the Internet in your spare time

Description:

Analysis of KaZaA traffic. Immense traffic: 5-10 million conns per day ... If Kazaa exploited ... work remaining total Kazaa size ? Remote Control ... – PowerPoint PPT presentation

Number of Views:115
Avg rating:3.0/5.0
Slides: 25
Provided by: csNorth
Category:
Tags: internet | kazaa | spare | time

less

Transcript and Presenter's Notes

Title: How to Own the Internet in your spare time


1
How to Own the Internet in your spare time
  • Ashish Gupta
  • Network Security
  • April 2004

2
Overview
  • What is the paper about ?
  • Code Red Analysis
  • Three new techniques for fast spreading
  • Surreptitious worms
  • Summary

3
The threat
  • Millions of hosts ? enormous damage
  • Distributed DOS
  • Access Sensitive Information
  • Sow Confusion and Disruption
  • This paper is about
  • Fast spreading of worms

4
Analysis of Code Red I
  • Compromises MS IIS Web servers
  • Spreads by random IP generation 99 threads
  • Earlier bug ? Code Red I
  • DDOS attack to whitehouse.gov
  • Modeling ? Random Constant Spread (RCS)
  • Gives an exponential eq
  • Depends only on K, not N

5
(No Transcript)
6
Better Worms
  • Code Red II
  • Used a localized scanning technique
  • 3/8 ? Class B, 1/2 ? class A, 1/8 ? rest
  • Very successful strategy
  • Affects many vulnerable hosts
  • Proceeds quicker

1/8
1/2
3/8
7
Nimda Worm
  • Nimda Worm ? August 2001
  • Maintained itself for months , multi-mode worm
  • Infected Web servers
  • Bulk emailing
  • Infecting Web clients
  • Using CodeRed II backdoors

8
Onset
  • Very rapid onset
  • Mail based spread ? very effective
  • Full functionality ? ?

9
Faster Worms
10
Creating Better Worms
  • Hit List Scanning
  • getting off the ground very fast
  • Say first 10,000 hosts
  • Pre-select 10,000-50,000 vulnerable machines
  • First worm carries the entire hit list
  • Hit list split in half on each infection
  • Can establish itself in few seconds

11
Permutation Scanning
  • Random scanning inefficient ? lot of overlap
  • ? All worms share a common pseudo random
    permutation

32 bit block cipher
key
Index
Permutation scanning
IP Address
12
  • How it works
  • After first infection, start scanning after their
    point in permutation
  • If machine already infected, random starting
    index
  • Minimizes duplication of effort
  • W sees W ? W already working on the permutation
    list of W ? W re-starts at a random point
  • Keeps infection rate very high, comprehensive
    scan
  • Permutation key can be changed periodically for
    effective rescan

13
A Warhol Worm
  • Combination of hit-list and permutation scanning
  • Can spread widely in less than 15 mins
  • Simulation results

14
(No Transcript)
15
Topological scanning
  • Use info on victim to identify new targets
  • Email lists
  • P2P applications
  • List of web servers from IE favorites etc.

16
Faster Worms Recap
  • Fast Startup ? Hit List Scanning
  • Extremely Efficient ? Permutation scanning
  • Combine the above ? Warhol worms
  • exploit local information? Topological scanning

17
Flash Worms
  • Fastest Method ? Entire internet in 10s of
    seconds
  • Obtain hit-list of vulnerable servers in advance
  • 2 hours for entire IP space on OC-12 link (622
    mbps)
  • List would be big ( 48 MB )
  • Divide into n blocks
  • Infect first of each block and hand over the
    block to the new worm
  • Repeat for each block
  • Alternative Store pre-assigned chunks on a high
    BW server
  • Two limitations
  • Large list size
  • Latency
  • Analysis Sub-thirty limit on total infection
    time on a 256 kbps DSL link

18
For 3 million hosts, just 7 layers deep ( n 10)
19
Stealth Worms
  • No peculiar communication patterns
  • Very difficult to detect
  • Working
  • Pair of exploits Es for server, Ec for client
    ???
  • Server ? Client ? Server , .
  • Limitations
  • Pair of threats required
  • Depends on web surfing

20
(No Transcript)
21
Exploiting P2P systems
  • Large set, all running same software
  • Only single exploit now needed
  • More favorable for infection
  • Interconnect with large number of peers
  • Transfer large files
  • Not mainstream protocols
  • Execute on desktops, not servers
  • Potentially immense size

22
Analysis of KaZaA traffic
  • Immense traffic 5-10 million conns per day
  • Huge diversity ! ? 9 million distinct hosts
    contacted in November ( from 5,800 univ hosts )
  • If Kazaa exploited (variable size headers ? ),
    than a large number can infected stealthily in a
    month
  • Starting point brute force infect all
    university hosts ???
  • Actual spread much faster ?
  • Much work remaining ? total Kazaa size ?

23
Remote Control
  • Distributed control
  • Each worm knows about other worms it has
    infected
  • Analysis High connectivity , Average degree 4
  • Without a single point of communication, updates
    can be passed
  • Programatic Updates
  • Worms as computing capsules
  • Can send arbitrary code !

24
Conclusion
  • Worms present an extremely serious threat to the
    safety of the Internet
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "How to Own the Internet in your spare time" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!