How to Own the Internet in your spare time

1
How to Own the Internet in your spare time
  • Ashish Gupta
  • Network Security
  • April 2004

2
Overview
  • What is the paper about?
  • Code Red Analysis
  • Three new techniques for fast spreading
  • Surreptitious worms
  • Summary

3
The threat
  • Millions of hosts → enormous damage
  • Distributed DoS
  • Access to sensitive information
  • Sowing confusion and disruption
  • This paper is about
  • Fast spreading of worms

4
Analysis of Code Red I
  • Compromises Microsoft IIS web servers (July 2001)
  • Spreads by random IP generation from 99 scanning threads
  • Earlier version (v1) had a bug → fixed random seed, so every copy probed the same address sequence; v2 (19 July 2001) fixed it → the Code Red I analysed here
  • DDoS attack on www.whitehouse.gov (20th to 27th of the month)
  • Modeling → random constant spread (RCS)
  • Gives a logistic equation (exponential onset)
  • Depends only on K (initial compromise rate), not N (number of vulnerable hosts)
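The random constant spread (RCS) model that these bullets refer to, carried through here as an added derivation in the paper's notation (it is not written out on the slides): N is the number of vulnerable hosts, a(t) the fraction of them already infected at time t, and K the initial compromise rate, the number of hosts per unit time that a single infected host compromises while almost everything is still uninfected. An infected host compromises new victims at rate $K(1-a)$, because a fraction a of its random probes land on hosts that are already infected, so with $Na$ infected hosts the number of newly infected hosts per unit time is

$$
N \frac{da}{dt} = (N a)\, K\, (1 - a) \quad\Longrightarrow\quad \frac{da}{dt} = K a (1 - a),
$$

whose solution is the logistic curve

$$
a(t) = \frac{e^{K(t - T)}}{1 + e^{K(t - T)}},
$$

with T an integration constant that fixes when the outbreak takes off. N has cancelled out: the shape of the curve depends only on K (and T), which is the "depends only on K, not N" bullet. While $t - T$ is small and negative the curve is approximately $e^{K(t-T)}$, the exponential onset; fitting it to the 19 July 2001 Code Red I outbreak gave $K \approx 1.8$ per hour.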

6
Better Worms
  • Code Red II (August 2001; same IIS vulnerability, different code)
  • Used a localized scanning technique
  • 3/8 of probes → the worm's own /16 (class B), 1/2 → its own /8 (class A), 1/8 → anywhere in the address space
  • Very successful strategy
  • Reaches many vulnerable hosts (vulnerable hosts cluster within the same networks)
  • Proceeds quicker

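Code Red II's localized target selection as an added Python example (this example's own code, not the worm's and not the paper's): the three branches are the 3/8, 1/2 and 1/8 splits from the slide, the source address and seeds are constructed, and locality measures how much of the probe stream stays inside the worm's own /16 and /8. Anything else the real worm did with its address choice is not modelled here.

```python
import random


def code_red_ii_target(src: int, rng: random.Random) -> int:
    """Next probe address in the Code Red II style described on the slide:
    3/8 of the time a random host in the worm's own /16, 1/2 of the time a
    random host in its own /8, 1/8 of the time anywhere in IPv4 space.
    src and the result are 32-bit integers."""
    u = rng.random()
    if u < 3 / 8:
        return (src & 0xFFFF0000) | rng.getrandbits(16)   # same /16 (class B)
    if u < 3 / 8 + 1 / 2:
        return (src & 0xFF000000) | rng.getrandbits(24)   # same /8 (class A)
    return rng.getrandbits(32)                            # anywhere


def locality(src: int, n: int, seed: int) -> dict:
    """Fraction of n probes that land in the source's own /16 and /8.
    Expected: about 0.377 for /16 and 0.875 for /8, slightly above 3/8 and
    7/8 because the wider branches occasionally land locally by chance."""
    rng = random.Random(seed)
    same16 = same8 = 0
    for _ in range(n):
        t = code_red_ii_target(src, rng)
        same16 += (t >> 16) == (src >> 16)
        same8 += (t >> 24) == (src >> 24)
    return {"same_16": same16 / n, "same_8": same8 / n}


def ip_str(addr: int) -> str:
    """Dotted-quad rendering of a 32-bit address."""
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


if __name__ == "__main__":
    src = 0x0A141E28  # constructed source address 10.20.30.40
    rng = random.Random(1)
    for _ in range(5):
        print(ip_str(code_red_ii_target(src, rng)))
    print(locality(src, 20000, 7))
```

The /16 branch is a subset of the /8 branch, so the /8 fraction counts both, which is why 7/8 of the traffic stays inside the worm's class A: that concentration on nearby networks is what lets it find clustered vulnerable hosts faster than a uniformly random scan.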
7
Nimda Worm
  • Nimda worm → September 2001
  • Maintained itself for months; a multi-mode worm
  • Infected web servers
  • Bulk e-mailing
  • Infecting web clients (browsers visiting infected servers)
  • Using Code Red II backdoors

8
Onset
  • Very rapid onset
  • Mail-based spread → very effective
  • Full functionality → ?

9
Faster Worms
10
Creating Better Worms
  • Hit-list scanning
  • Getting off the ground is the slow part, say the first 10,000 hosts
  • Pre-select 10,000 to 50,000 vulnerable machines
  • First worm carries the entire hit list
  • Hit list split in half on each infection: the parent keeps one half and hands the other to the new copy
  • Can establish itself on the whole list in a few seconds

11
Permutation Scanning
  • Random scanning inefficient → lots of overlap
  • → All worms share a common pseudo-random permutation of the IP address space

[Figure: permutation scanning. A 32-bit block cipher under a key shared by all copies of the worm maps a scan index to an IP address.]
12
  • How it works
  • After infection, a worm starts scanning just after its own point in the permutation
  • If it probes a machine that is already infected, it restarts at a random index
  • Minimizes duplication of effort
  • W1 sees that W2 is already infected → W2 is already working on the part of the permutation after W1's position → W1 restarts at a random point
  • Keeps the infection rate very high, and the scan is comprehensive (every address is covered)
  • Permutation key can be changed periodically for an effective rescan
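Permutation scanning made concrete, as an added Python example that is not part of the slides or of the paper: a keyed Feistel network, with keyed BLAKE2b as its round function (this example's choice; the slides only ask for a 32-bit block cipher), gives the shared pseudo-random permutation index → address together with its inverse, and a small simulation applies the two rules above (start just after your own index; on probing an already infected host, restart at a random index) next to plain random scanning. The vulnerable set is constructed and the scanned space is cut down to 16 bits so that it runs in seconds; the cipher is also built at 32 bits to show the round trip.

```python
import hashlib
import random
import struct


class FeistelPermutation:
    """Keyed bijection on a `bits`-wide index space, built as a Feistel network
    whose round function is keyed BLAKE2b (this example's choice of round
    function).  bits=32 is the '32-bit block cipher' of the slide: it maps a
    scan index to an IPv4 address and back, so a worm can also recover the
    index of an address it already knows (e.g. its own)."""

    def __init__(self, key: bytes, bits: int = 32, rounds: int = 4):
        if bits % 2:
            raise ValueError("bits must be even")
        self.key, self.bits, self.rounds = key, bits, rounds
        self.half = bits // 2
        self.mask = (1 << self.half) - 1

    def _f(self, rnd: int, x: int) -> int:
        digest = hashlib.blake2b(struct.pack(">IQ", rnd, x),
                                 key=self.key, digest_size=8).digest()
        return int.from_bytes(digest, "big") & self.mask

    def encrypt(self, index: int) -> int:
        """index -> address"""
        l, r = index >> self.half, index & self.mask
        for rnd in range(self.rounds):
            l, r = r, l ^ self._f(rnd, r)
        return (l << self.half) | r

    def decrypt(self, address: int) -> int:
        """address -> index (inverse of encrypt)"""
        l, r = address >> self.half, address & self.mask
        for rnd in reversed(range(self.rounds)):
            l, r = r ^ self._f(rnd, l), l
        return (l << self.half) | r


def simulate(vulnerable: set, bits: int, key: bytes, seed: int,
             permutation: bool = True) -> dict:
    """One probe per infected worm per tick until every vulnerable host is
    infected.  permutation=True: walk the shared permutation from just after
    your own index; a probe that lands on an already infected host means
    someone else is covering this stretch, so restart at a random index.
    permutation=False: every probe is an independent random address
    (Code Red I style), for comparison."""
    rng = random.Random(seed)
    perm = FeistelPermutation(key, bits)
    space = 1 << bits
    patient_zero = rng.choice(sorted(vulnerable))
    infected = {patient_zero}
    cursor = {patient_zero: (perm.decrypt(patient_zero) + 1) % space}
    ticks = probes = collisions = 0
    while infected != vulnerable and ticks < 8 * space:
        ticks += 1
        for worm in list(cursor):
            if permutation:
                target = perm.encrypt(cursor[worm])
                cursor[worm] = (cursor[worm] + 1) % space
            else:
                target = rng.randrange(space)
            probes += 1
            if target in infected:
                collisions += 1
                if permutation:
                    cursor[worm] = rng.randrange(space)   # someone else is here
            elif target in vulnerable:
                infected.add(target)
                cursor[target] = (perm.decrypt(target) + 1) % space
    return {"ticks": ticks, "probes": probes, "collisions": collisions,
            "infected": len(infected)}


def compare(seed: int = 1, bits: int = 16, n_vulnerable: int = 128) -> dict:
    """Constructed scenario: n_vulnerable hosts scattered over a 2**bits space,
    scanned once with the shared permutation and once at random."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(1 << bits), n_vulnerable))
    key = b"shared worm key"   # every copy of the worm carries the same key
    return {"permutation": simulate(vulnerable, bits, key, seed, True),
            "random": simulate(vulnerable, bits, key, seed, False)}


if __name__ == "__main__":
    print(compare())
```

Both runs end with all 128 hosts infected, but the permutation run spends far fewer probes, because a worm never re-probes the stretch it is walking and a collision is a signal that the stretch is already taken. Building the worm under a different key (FeistelPermutation(b"new key")) yields an unrelated walk order, which is the periodic rescan from the last bullet.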

13
A Warhol Worm
  • Combination of hit-list and permutation scanning
  • Can spread widely in less than 15 minutes
  • Simulation results

15
Topological scanning
  • Use information found on the victim to identify new targets
  • E-mail address lists
  • P2P applications (peer lists)
  • Lists of web servers from IE favorites, etc.

16
Faster Worms Recap
  • Fast startup → hit-list scanning
  • Extremely efficient → permutation scanning
  • Combine the above → Warhol worms
  • Exploit local information → topological scanning

17
Flash Worms
  • Fastest method → entire Internet in tens of seconds
  • Obtain a hit list of all vulnerable servers in advance
  • 2 hours to scan the entire IPv4 space on an OC-12 link (622 Mbps)
  • List would be big (48 MB: roughly 12 million web servers at 4 bytes per address)
  • Divide the list into n blocks
  • Infect the first host of each block and hand the rest of the block to the new worm
  • Repeat for each block
  • Alternative: store pre-assigned chunks on a high-bandwidth server
  • Two limitations
  • Large list size
  • Latency
  • Analysis: sub-thirty-second limit on total infection time on a 256 Kbps DSL link

18
For 3 million hosts, the tree is just 7 layers deep (n = 10)
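The hand-off arithmetic behind both the hit-list worm (list split in half on each infection) and the flash worm (list split into n blocks), as an added Python example that is not from the slides or the paper. It tracks only the sizes of the lists still outstanding, under the assumptions that every infection succeeds within one round and that a worm splits what it holds as evenly as possible; with those assumptions it reproduces the 7 layers for 3 million hosts at n = 10 and gives 13 rounds for a 10,000-host hit list split in half.

```python
from collections import Counter


def split_block(size: int, fanout: int) -> list:
    """Split `size` outstanding addresses into min(fanout, size) non-empty
    blocks as evenly as possible and return the block sizes."""
    k = min(fanout, size)
    q, r = divmod(size, k)
    return [q + 1] * r + [q] * (k - r)


def hand_off_rounds(total_hosts: int, fanout: int) -> int:
    """Rounds until every host is infected when the first worm holds the whole
    list and, each round, every worm still holding addresses splits them into
    `fanout` blocks, infects the first address of each block and hands that
    new worm the rest of its block.  fanout=2 is the hit-list worm ('split in
    half'), fanout=n the flash worm.  Assumption of this example: one round
    per hop, with no failed infections."""
    # outstanding list size -> number of worms holding a list of that size
    pending = Counter({total_hosts - 1: 1})
    rounds = 0
    while any(size > 0 for size in pending):
        rounds += 1
        nxt = Counter()
        for size, holders in pending.items():
            if size == 0:
                continue
            for block in split_block(size, fanout):
                nxt[block - 1] += holders   # block leader infected, rest handed over
        pending = nxt
    return rounds


def hosts_reached(fanout: int, rounds: int) -> int:
    """Upper bound on hosts infected after `rounds` hops with a full tree:
    1 + n + n^2 + ... + n^rounds."""
    return sum(fanout ** i for i in range(rounds + 1))


if __name__ == "__main__":
    print("hit list 10,000, split in half:", hand_off_rounds(10_000, 2), "rounds")
    print("flash worm 3,000,000, n=10:", hand_off_rounds(3_000_000, 10), "rounds")
    print("full 10-ary tree after 7 hops reaches", hosts_reached(10, 7), "hosts")
```

The round count is what the latency limitation on the previous slide multiplies: each layer costs at least one round trip plus the time to push the child's block down the link, so the list size matters most at the top of the tree, where the blocks are largest.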
19
Stealth Worms
  • No peculiar communication patterns
  • Very difficult to detect
  • How it works
  • Pair of exploits: Es for the server, Ec for the client
  • Server → client → server → ... (the worm rides normal browsing traffic)
  • Limitations
  • Pair of exploits required
  • Depends on web surfing
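A toy model of the contagion mechanism on this slide, added here as an example (not from the slides or the paper): a server-side exploit Es and a client-side exploit Ec, with nothing ever scanning and the worm moving only along the clients' own browsing. The numbers of clients and servers and the browsing pattern (each client visits uniformly random servers) are constructed assumptions; the point the model shows is the last bullet, that spread stops entirely when nobody surfs.

```python
import random


def contagion_spread(n_servers: int, n_clients: int, visits_per_step: int,
                     seed: int, max_steps: int = 1000) -> dict:
    """Two-exploit contagion worm.  Ec: a client that browses an infected
    server is infected by the page it fetches.  Es: an infected client infects
    every server it browses to, inside the request it would have sent anyway.
    There is no scanning, so the only traffic is the clients' own requests.
    Browsing is modelled as uniformly random server choice (an assumption of
    this example)."""
    rng = random.Random(seed)
    infected_servers = {rng.randrange(n_servers)}   # patient zero: one server
    infected_clients = set()
    steps = 0
    while steps < max_steps and (len(infected_servers) < n_servers
                                 or len(infected_clients) < n_clients):
        steps += 1
        for client in range(n_clients):
            for _ in range(visits_per_step):
                server = rng.randrange(n_servers)
                if client in infected_clients:
                    infected_servers.add(server)     # Es rides the request
                elif server in infected_servers:
                    infected_clients.add(client)     # Ec rides the response
    return {"steps": steps, "servers": len(infected_servers),
            "clients": len(infected_clients)}


if __name__ == "__main__":
    print("normal surfing:", contagion_spread(50, 200, 1, seed=3))
    print("nobody surfs:  ", contagion_spread(50, 200, 0, seed=3, max_steps=20))
```

With one visit per client per step the whole population is reached in a handful of steps and no packet was sent that a normal browsing session would not have sent; with zero visits the single infected server is still the only infected host when the step budget runs out.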

21
Exploiting P2P systems
  • Large set of hosts, all running the same software
  • Only a single exploit now needed
  • More favorable for infection
  • Interconnected with a large number of peers
  • Transfer large files (a worm body does not stand out)
  • Not mainstream protocols
  • Execute on desktops, not servers
  • Potentially immense size

22
Analysis of KaZaA traffic
  • Immense traffic: 5 to 10 million connections per day
  • Huge diversity! → 9 million distinct hosts contacted in November (from 5,800 university hosts)
  • If KaZaA were exploited (variable-size headers?), then a large number of hosts could be infected stealthily within a month
  • Starting point: brute-force infection of all university hosts (?)
  • Actual spread much faster?
  • Much work remaining → total KaZaA size?

23
Remote Control
  • Distributed control
  • Each worm knows about the other worms it has infected
  • Analysis: high connectivity, average degree 4
  • Without a single point of communication, updates can still be passed along
  • Programmatic updates
  • Worms as computing capsules
  • Can send arbitrary code!

24
Conclusion
  • Worms present an extremely serious threat to the
    safety of the Internet