Measuring Global Worm Activity - PowerPoint PPT Presentation

1
Measuring Global Worm Activity
  • NSP-SEC BOF
  • APRICOT 2004 - KUALA LUMPUR, MY
  • February 24, 2004
  • Danny McPherson -- danny@arbor.net

2
Introduction
  • Measure scan and worm activity, DDoS backscatter
  • Capture-distillation methodology
  • Near real-time alerting
  • Scan or backscatter detection, description
  • Long-term records
  • Observe trends
  • Ongoing project
  • Fewer artifacts compared to point collection
  • Can compare with direct observations

3
Measurement Infrastructure
  • Use blackhole monitoring techniques
  • Globally announced, unused /8
  • Distill worm activity, summarize

4
Methodology
  • Collect the traffic sent to a globally announced but
    otherwise unused /8 network
  • Provided by a research partner
  • Complete the TCP handshake and capture the
    payload, at a sampled interval
  • Roughly 1/223 of the entire IPv4 address space
  • Collect
  • Backscatter from spoofed sources
  • Scanning and other activity destined for hosts
    within the /8

5
Measure What?
  • Duration
  • Protocol Distribution
  • Counts: packets, bytes, unique sources, etc.
  • Target Distribution
  • Wasted bandwidth
  • Observe trends

6
Worm Impact
  • Global
  • Consumes bandwidth, operational overhead
  • DDoS susceptibility via announced holes
  • Local
  • Resources in cleanup
  • Potential to affect new machines locally

7
Duration
  • Most are short, but some are longer than 100
    minutes
  • June 2003 statistics
  • 117,000 backscatter events logged
  • 6800 high severity
  • 8500 medium severity
  • 1600 longer than 100 minutes
  • 5000 between 10 and 100 minutes in duration
  • Similar in recent months

8
Duration
9
Packets and Bytes
  • Most are small, but some are very heavy
  • June 2003 statistics
  • 500 over 1 million packets per event
  • 2400 over 100,000 packets per event
  • 9400 over 100,000 bytes per event
  • 1600 over 1 million bytes per event
  • counts scaled by 256 to account for the blackhole's
    1/256 view of the address space
  • 3-10 fold increase over previous months
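The capture-and-distill flow of the Methodology and Measure What slides, with the 1/256 scaling used on the Packets and Bytes slide, as an added Python example. This is not code from the presentation or from Arbor: the packet record layout, the 5-minute idle gap that closes an event, and the use of 10.0.0.0/8 as a stand-in for the unnamed unused /8 are assumptions, and the traffic is constructed rather than captured.

```python
# Added example, not code from the presentation or from Arbor: classify packets
# arriving at an unused /8, roll them up into scan / backscatter events, and
# scale the counts to a whole-Internet estimate.
from dataclasses import dataclass

SCALE = 256          # a /8 is 1/256 of the IPv4 address space (slide 9)
EVENT_GAP = 5 * 60   # assumption: 5 idle minutes close an event


@dataclass
class Packet:
    ts: float        # seconds since epoch
    src: str
    dst: str         # an address inside the monitored /8
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    length: int      # bytes on the wire
    flags: str = ""  # TCP flags as letters: "S", "SA", "RA", "R"


def classify(pkt):
    """Nobody uses these addresses, so a SYN or UDP datagram aimed at them is a
    scan or worm probe; a SYN/ACK, RST or ICMP reply is backscatter, a victim
    answering a flood whose source address was forged to be ours."""
    if pkt.proto == "tcp":
        if pkt.flags == "S":
            return "scan"
        if pkt.flags in ("SA", "RA", "R"):
            return "backscatter"
        return "other"
    if pkt.proto == "udp":
        return "scan"         # caveat: UDP replies to spoofed floods land here too
    if pkt.proto == "icmp":
        return "backscatter"  # echo replies and unreachables to forged sources
    return "other"


def build_events(packets, gap=EVENT_GAP):
    """Group packets by (kind, source): the flood victim for backscatter, the
    scanning host for scans. A silence longer than `gap` seconds starts a new
    event, which is what gives each event a duration."""
    events, open_ev = [], {}
    for p in sorted(packets, key=lambda x: x.ts):
        kind = classify(p)
        if kind == "other":
            continue
        key = (kind, p.src)
        ev = open_ev.get(key)
        if ev is None or p.ts - ev["last"] > gap:
            ev = {"kind": kind, "source": p.src, "first": p.ts, "last": p.ts,
                  "packets": 0, "bytes": 0, "targets": set(), "ports": set()}
            events.append(ev)
            open_ev[key] = ev
        ev["last"] = p.ts
        ev["packets"] += 1
        ev["bytes"] += p.length
        ev["targets"].add(p.dst)
        # probed port for a scan, the victim's service port for backscatter
        ev["ports"].add(p.dport if kind == "scan" else p.sport)
    return events


def summarise(ev):
    return {
        "kind": ev["kind"], "source": ev["source"],
        "minutes": (ev["last"] - ev["first"]) / 60.0,
        "packets": ev["packets"], "bytes": ev["bytes"],
        "unique_targets": len(ev["targets"]), "ports": sorted(ev["ports"]),
        # what the same activity probably amounted to Internet-wide
        "est_packets_global": ev["packets"] * SCALE,
        "est_bytes_global": ev["bytes"] * SCALE,
    }


def protocol_share(packets):
    """Fraction of packets per transport (the protocol-distribution slides)."""
    counts = {}
    for p in packets:
        counts[p.proto] = counts.get(p.proto, 0) + 1
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def sample_packets():
    """Constructed traffic, not a capture; 10.0.0.0/8 stands in for the /8."""
    pkts = []
    # SYN/ACKs from a web server under a spoofed SYN flood: one reply every
    # 30 s for two hours, landing on addresses scattered across our /8
    for i in range(240):
        pkts.append(Packet(1000 + 30 * i, "198.51.100.7",
                           f"10.{i % 200}.1.{i % 250}", "tcp", 80, 1024 + i, 40, "SA"))
    # a worm-style SYN sweep of 445/tcp from one broadband host, ten seconds
    for i in range(50):
        pkts.append(Packet(2000 + 0.2 * i, "203.0.113.5", f"10.8.0.{i}",
                           "tcp", 3000 + i, 445, 48, "S"))
    # a few 1434/udp probes (the Sapphire/Slammer port) from a third host
    for i in range(10):
        pkts.append(Packet(2100 + i, "192.0.2.9", f"10.9.0.{i}",
                           "udp", 1434, 1434, 404))
    return pkts


if __name__ == "__main__":
    pk = sample_packets()
    for ev in build_events(pk):
        print(summarise(ev))
    print(protocol_share(pk))
```

Run as a script it prints three events: a 119.5-minute backscatter event from 198.51.100.7 on port 80, a ten-second 445/tcp sweep, and a 1434/udp probe burst, each with the packet and byte counts multiplied by 256. The UDP rule is the weak point: a victim of a spoofed UDP flood (a DNS server, say) also answers into the /8, so a production classifier checks the source port against known services before calling a UDP datagram a scan.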

10
Target Distribution
  • Targets are distributed all over the world
  • Asia-Pacific, Europe, South America, North
    America
  • Various types of targets
  • government, network providers, universities,
    banks, broadband
  • Most sites hit once or twice, small handful
    appear commonly
  • various networks hit hundreds of times each

11
Protocol Distributions
  • Inverted protocol distribution
  • mid 2001: 95% TCP
  • late 2002: 75% UDP
  • current (2003): 90% UDP
  • Transition away from SYN flood to generic
    bandwidth attacks
  • 137/UDP, 139/UDP, 445/TCP common attack targets
  • many attacks hit random ports

12
Protocol Distribution (chart; graph not reproduced in the transcript)
13
Trends in Worm Incidents
  • Demographics
  • Korea no longer top spot (TLD analysis)!
  • Global broadband still biggest source (2LD)
  • Persistence
  • Exploit trends
  • Faster time to market?
  • Escalated Threats
  • DDoS agent carrier, spread is DDoS
  • Faster cleanup
  • Hours, not days

14
Worm Demographics
  • Code Red, Nimda, Blaster (chart; graph not
    reproduced in the transcript)

15
Nimda's Persistence
  • Nimda (September, 2001)
  • Still persistent after 2 years
  • Over one million hosts a day (August, 2003)

16
Blaster's Activity Cycle
  • Blaster (August, 2003)
  • Circadian pattern
  • Global TLD distribution
  • 300-1000 hosts per hour

17
Exploit Trends in Worms
  • Slightly faster time to market (days from
    vulnerability disclosure to worm release)
  • Code Red (2001): 30 days
  • Nimda: 42 days
  • Sapphire: 184 days
  • Blaster: under 30 days
  • Still not "0 day": known vulnerabilities
  • IDS signatures, firewall rules already available
  • Hard to predict which vulnerability will become a
    worm

18
Escalated Threats
  • DDoS payload
  • Code Red: DDoS against one IP
  • Blaster: DDoS against a hostname
  • Deloder: arbitrary DDoS toolkit
  • The spread is the DDoS
  • Sapphire's congestion
  • Effects on routing tables
  • Multicast group state (MSDP SA)

19
Faster Cleanup
  • We're responding faster
  • Filters, cleanup
  • Measured as the half-life of observations
  • Nimda cleanup rate: 2-3 days
  • Blaster cleanup rate: 10 hours
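The half-life measure on this slide, as an added Python example that is not the presentation's code. It builds hourly unique-source counts from constructed sightings whose infected population halves every 10 hours (the Blaster figure on the slide) and recovers that figure with a log-linear least-squares fit. The synthetic population, the one-sighting-per-host-per-hour assumption, and the choice of fit are all assumptions.

```python
# Added example, not the presentation's code: estimate the cleanup half-life
# of a worm from how fast the number of distinct infected sources seen per
# hour falls off.
import math
from collections import defaultdict


def hourly_unique_sources(observations):
    """observations: iterable of (timestamp_seconds, source_ip) for packets
    that matched a worm signature. Returns [(hour_index, unique_sources)]
    sorted by hour."""
    per_hour = defaultdict(set)
    for ts, src in observations:
        per_hour[int(ts // 3600)].add(src)
    return sorted((h, len(s)) for h, s in per_hour.items())


def half_life_hours(series):
    """Least-squares fit of ln(N) = a + b*t over (hour, count) points; the
    half-life is -ln(2)/b. Returns None with fewer than two usable points or
    when the count is not falling (b >= 0), so a flat or growing worm is
    never reported as being cleaned up."""
    pts = [(t, math.log(n)) for t, n in series if n > 0]
    if len(pts) < 2:
        return None
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((t - mt) ** 2 for t, _ in pts)
    sxy = sum((t - mt) * (y - my) for t, y in pts)
    if sxx == 0:
        return None
    slope = sxy / sxx
    if slope >= 0:
        return None
    return -math.log(2) / slope


def constructed_observations(hosts=4000, true_half_life=10.0, hours=48):
    """Synthetic sightings, not a real capture: `hosts` infected machines,
    cleaned up so that the surviving population halves every
    `true_half_life` hours; each surviving host is seen once per hour."""
    obs = []
    for h in range(hours):
        alive = int(hosts * 2 ** (-h / true_half_life))
        for i in range(alive):
            obs.append((h * 3600 + (i * 37) % 3600, f"host-{i}"))
    return obs


if __name__ == "__main__":
    series = hourly_unique_sources(constructed_observations())
    print("estimated half-life: %.2f hours" % half_life_hours(series))
```

The fit is on the logarithm of the hourly count, so the early hours, when thousands of hosts are still alive, and the tail, when a few hundred remain, carry equal weight; a straight average of hourly decreases would be dominated by the first few hours and understate how long the stragglers persist, which is the Nimda problem the deck keeps returning to.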

20
Limitations
  • Infers worm activity from scan activity
  • We only actively sample (handshake and payload
    capture) on port 80/TCP
  • Payloads are classified by MD5 hash
  • Labor intensive
  • Manual payload classification
  • Limited visibility for some worms
  • Worms that use enumerated target networks can (and
    have) ignored this /8
  • Misses worms that fingerprint their targets
  • Misses worms that use target lists (mail, IM)
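The MD5 payload classification and the manual labelling it depends on, as an added Python example that is not the presentation's code. Analyst verdicts go into a hash-keyed table; anything unmatched is queued for review, most frequent class first. Stripping the HTTP Host header before hashing is an assumption of this example, not something the slide states, and the request strings are constructed stand-ins, not captured worm payloads.

```python
# Added example, not the presentation's code: classify captured 80/tcp payloads
# by MD5 against a hand-labelled table and queue the rest for manual review.
import hashlib
from collections import Counter

# md5(normalised payload) -> label. Every entry is the product of an analyst
# reading a payload, which is the labour-intensive step the slide refers to.
LABELS = {}


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def normalise(payload):
    """Assumption, not on the slide: drop the HTTP Host header before hashing.
    On a /8 telescope the Host value is the probed address, so hashing the raw
    request would give one class per destination instead of one per worm."""
    lines = payload.split(b"\r\n")
    return b"\r\n".join(l for l in lines if not l.lower().startswith(b"host:"))


def payload_key(payload):
    return md5hex(normalise(payload))


def label(payload, name):
    """Record an analyst's verdict for this payload class."""
    LABELS[payload_key(payload)] = name


def classify_payload(payload):
    return LABELS.get(payload_key(payload), "unknown")


def triage(payloads):
    """Classify a batch. Returns (counts per known label, review queue of
    (hash, count, example payload) for unknown classes, most frequent first,
    so analyst time goes to whatever is spreading widest)."""
    known = Counter()
    unknown = {}
    for p in payloads:
        name = classify_payload(p)
        if name != "unknown":
            known[name] += 1
            continue
        k = payload_key(p)
        if k not in unknown:
            unknown[k] = [0, p]
        unknown[k][0] += 1
    queue = sorted(((k, c, ex) for k, (c, ex) in unknown.items()),
                   key=lambda x: -x[1])
    return known, queue


# Constructed stand-ins for captured requests, not real worm payloads.
IDA_PROBE = b"GET /default.ida?NNNNNNNN HTTP/1.0\r\nHost: 10.1.2.3\r\n\r\n"
ROOT_PROBE = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 10.1.2.3\r\n\r\n"
label(IDA_PROBE, "ida-probe")
label(ROOT_PROBE, "root-exe-probe")

SAMPLE_BATCH = [
    IDA_PROBE,
    IDA_PROBE.replace(b"10.1.2.3", b"10.200.7.9"),    # same class, other target
    ROOT_PROBE.replace(b"10.1.2.3", b"10.44.0.1"),
    b"GET /cgi-bin/new.cgi HTTP/1.0\r\nHost: 10.3.3.3\r\n\r\n",   # never labelled
    b"GET /cgi-bin/new.cgi HTTP/1.0\r\nHost: 10.9.9.9\r\n\r\n",
    b"GET /something-else HTTP/1.0\r\nHost: 10.5.5.5\r\n\r\n",
]

if __name__ == "__main__":
    known, queue = triage(SAMPLE_BATCH)
    print(dict(known))
    for h, count, example in queue:
        print(count, h, example.split(b"\r\n")[0])
```

Exact hashing is what makes the method cheap and what makes it brittle: any byte the worm varies (a padding length, a randomised filename, the Host header handled here) splits one worm into many unlabelled classes, and each new class costs an analyst's attention. The frequency-ordered queue is how that cost is kept bounded.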

21
Conclusions
  • Cumulative effect of frequent small attacks
  • hundreds of small attacks per month for top
    targets
  • cumulative effect of a very long lived attack
  • Similar durations but larger packet and byte
    counts
  • individual attacks have more sources, bandwidth
  • higher packets per second
  • What's going on?
  • Rapid increase in number of tools, availability
  • Worms being tied to zombie creation - bot armies

22
Conclusions (cont.)
  • The good news
  • CR, Nimda, Blaster numbers down
  • Blaster was quickly filtered
  • Korea not seen heavily in Blaster
  • Blackhole monitoring effective at estimations
  • The bad news
  • Nimda still persists after 2 years
  • Global broadband networks are the main sources
    for Blaster

23
Acknowledgements
  • Jose Nazario
  • Michael Bailey
  • Dug Song