Very Fast Containment of Scanning Worms - PowerPoint PPT Presentation

1
Very Fast Containment of Scanning Worms
  • Written by Nicholas Weaver, Stuart Staniford, and
    Vern Paxson
  • Presented by Nathan Johnson (a.k.a. Space Monkey)
    and Jeff Janies

2
Worms
  • Malicious, self-propagating programs
  • Types
    • Scanning: pick random addresses and attempt to
      infect them
    • Topological: discover the hosts the infected
      machine already knows about and infect them
    • Meta-server: attack a domain controller or similar
      server that knows where hosts are
    • Passive: sniff other traffic and infect the hosts
      seen in it
    • Hit-list: the worm already knows which targets to
      infect
    • Social: e-mail worms that rely on the user to run
      them

3
Scanning Worms (cont.)
  • Scanning strategies
    • Linear: probe the entire address space in order
    • Fully random: select target addresses at random
    • Biased toward local: search within the local
      address range first, then spread outward

4
Examples
  • Linear (horizontal and vertical): Blaster
  • Random: Code Red I (version 2)
  • Biased toward local: Code Red II and Nimda (also
    known as README.EXE)
  • Permutation scan: theoretical

5
How do we contain them?
  • Shut the network down
    • Crude, self-inflicted DoS
    • Nothing gets infected, but nothing works either
    • Achieves most of the attacker's goals
  • Break the network into small cells
    • Each cell is autonomous
    • Block an infected cell's connections to healthy
      cells
    • Most of the network keeps functioning
    • A compartmentalized response

6
How do we find a worm?
  • Scanning worms make many connection attempts
  • Far fewer of those attempts succeed than fail
  • The scanning host is not always the same one
  • Sometimes the same system is infected many times
  • Infected systems may not stay active in
    propagation

7
Detection with Containment
  • Cooperation between cells
  • Sustained scanning threshold
  • Epidemic threshold depends on
    • Sensitivity of the containment response devices
    • The density of vulnerable machines on the network
    • The degree to which the worm is able to target
      its efforts at the correct network, and even at
      the current cell

8
Threshold Random Walk (TRW)
  • Uses an oracle to determine whether a connection
    succeeded
  • A successful connection drives the random walk
    upwards
  • A failed connection drives the random walk downwards
  • Benign traffic has a higher probability of success
  • Requires few connections to detect malicious
    activity (around 4 or 5)

9
Comparisons between Algorithms
10
Simplified TRW
  • Tracks connection establishment directly instead of
    asking an oracle
  • Advantages
    • Can be done in hardware or software
    • Transparent to the user
    • False positives do not increase
  • Disadvantages
    • False negatives increase
    • Stealth worm techniques can avoid detection

11
Hardware Difficulties
  • Memory access time
    • On a 1 Gigabit link: 8 DRAM accesses per packet,
      4 in each direction
    • On a 10 Gigabit link: effectively 0 DRAM accesses
      per packet
    • Must use SRAM

12
Hardware Difficulties (cont.)
  • Memory size
    • SRAM currently holds only tens of megabytes
    • DRAM is in the gigabyte range
    • Keep the memory footprint small so that both
      remain options

13
Solutions
  • Use multiple memory banks
    • Two accesses simultaneously
    • Cost goes up
  • Restrict memory size to 16 MB
  • Approximate the network state
    • For this method of detection that is all that is
      needed
    • This method uses only 5 MB for its caches

14
Approximation Cache
  • A cache in which collisions cause imperfections
  • Simple lookup in bounded space
  • Structured so that its errors never become false
    positives
  • Collisions cause aggregation (two entries share a
    slot)
  • Aggregation can only cause false negatives

15
Attacking the Cache
  • Predicting the hash
    • Create collisions to evict or combine data, causing
      false positives or false negatives
  • Flooding the cache
    • Massive amounts of normal-looking data to mask the
      true attack

16
Block Cipher
  • Principle
    • A 32-bit block cipher under a secret key
    • Permutes an N-bit value into an N-bit output
    • Use K bits of the output as the index and the
      remaining N-K bits as the tag
    • Without the key an attacker cannot predict which
      slot an address lands in
  • Application
    • Uses Serpent S-boxes
    • Requires only 8 levels of logic
    • Can be implemented on an FPGA or ASIC
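The following is an added example for slides 14 to 16, not code from the paper or the presenters. A 4-round Feistel network with a keyed BLAKE2s round function stands in for the Serpent-S-box cipher on the slides (it is chosen only because it is keyed and invertible, and has not been evaluated as a cipher); the key, the index widths, the tuple-hash construction for the connection table, the reset-on-tag-mismatch policy for the address cache, and all addresses are assumptions. It shows the index/tag split of a permuted address, that the slot an address lands in changes with the key, and how a slot collision in the connection table aggregates two connections so the second inherits the first's established state, a false negative rather than a false positive.

```python
"""Keyed-permutation indexing for approximation caches (added example)."""
import hashlib
import ipaddress

ROUNDS = 4


def _f(half, key, rnd):
    """Round function: 16 keyed bits of BLAKE2s over (round, half). Toy choice."""
    d = hashlib.blake2s(bytes([rnd]) + half.to_bytes(2, "big"), key=key, digest_size=2)
    return int.from_bytes(d.digest(), "big")


def permute32(x, key):
    """Keyed bijection on 32-bit values (a Feistel network is bijective for any key)."""
    l, r = x >> 16, x & 0xFFFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r


def unpermute32(y, key):
    """Inverse of permute32: run the rounds backwards."""
    l, r = y >> 16, y & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r


def index_and_tag(value32, index_bits):
    """Low K bits select the slot; the remaining 32-K bits are the tag."""
    return value32 & ((1 << index_bits) - 1), value32 >> index_bits


class AddressCache:
    """External-address counters in 2**index_bits slots of [tag, count]."""

    def __init__(self, key, index_bits=12):
        self.key, self.index_bits, self.slots = key, index_bits, {}

    def locate(self, addr):
        return index_and_tag(permute32(int(ipaddress.IPv4Address(addr)), self.key),
                             self.index_bits)

    def charge(self, addr, delta):
        idx, tag = self.locate(addr)
        slot = self.slots.get(idx)
        if slot is None or slot[0] != tag:
            # Assumed policy: a tag mismatch hands the slot to the newcomer at zero,
            # so colliding addresses lose evidence (a false negative) instead of
            # pooling counts, which could push a benign host over the threshold.
            slot = self.slots[idx] = [tag, 0]
        slot[1] += delta
        return slot[1]


class ConnectionTable:
    """Established-flag slots keyed by a keyed hash of (inside IP, outside IP, inside
    port).  Tuples that hash to one slot share it: the aggregation the slides
    describe, whose only possible error is treating a fresh probe as established."""

    def __init__(self, key, index_bits=8):
        self.key, self.index_bits, self.established = key, index_bits, set()

    def slot_of(self, inside, outside, port):
        h = hashlib.blake2s(f"{inside}|{outside}|{port}".encode(), key=self.key, digest_size=4)
        return int.from_bytes(h.digest(), "big") & ((1 << self.index_bits) - 1)

    def mark_established(self, inside, outside, port):
        self.established.add(self.slot_of(inside, outside, port))

    def is_established(self, inside, outside, port):
        return self.slot_of(inside, outside, port) in self.established


def collision_demo(key=b"per-cell secret", index_bits=8):
    """Constructed: one real session, then hunt for another inside port whose tuple
    lands in the same slot and therefore also looks established."""
    table = ConnectionTable(key, index_bits)
    inside, outside = "10.0.0.5", "203.0.113.10"
    table.mark_established(inside, outside, 443)
    target = table.slot_of(inside, outside, 443)
    for port in range(1024, 65536):
        if table.slot_of(inside, outside, port) == target:
            return port, table.is_established(inside, outside, port)
    return None


def keying_demo(addrs=("10.0.0.1", "10.0.0.2", "10.0.0.3")):
    """Constructed: slot indexes of the same addresses under two different keys."""
    return [AddressCache(k).locate(a)[0] for k in (b"key-A", b"key-B") for a in addrs]
```

`collision_demo()` finds a colliding port within a few hundred tries because the toy table has only 256 slots; a real 1 MB table makes a collision rarer but no less possible, which is why the cipher key must stay secret: with the key, an attacker could choose ports that collide on purpose and hide a scan behind an established session.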

17
Approximation of TRW
  • Track connections with the approximation cache
  • Track success and failure of connections to
    • A new address
    • A new port at a known address
    • A known port at a known address (if the entry has
      timed out)
  • Track everything that you can

18
Structure
  • Connection table (1 MB)
    • Stores age and establishment direction (in-to-out
      or out-to-in)
    • Indexed by a hash of inside IP, outside IP, and
      inside port number (for TCP)
  • Address cache (4 MB)
    • Stores information about external addresses
    • Address is encrypted with the 32-bit cipher before
      indexing
    • Count = misses - hits (failed attempts net of
      successes)

19
The Structure
20
Variables
  • Threshold (T): the constant the count is compared
    against
  • Cmin, Cmax: the minimum and maximum values the count
    can reach
    • Legitimate hosts can go bad
    • Bad hosts can become good again
  • Dmiss, Dconn: the maintenance parameters
    • Misses are cumulative, but not over all time
    • Idle connections need to be removed

21
Operation (from the outside)
  • Packet on an established connection
    • Reset the age in the connection table to 0
  • Packet from outside
    • If it has a corresponding connection request from
      inside, address count = count - 1 (a hit)
    • Otherwise, external address count = count + 1 (a
      miss)

22
Operation (from the inside)
  • Inside host establishes a connection that the other
    side requested
    • External address count = count - 2
    • Must compensate for the miss previously charged to
      the outside address

23
Operation (ultimate goal)
  • If the count is greater than the predefined
    threshold, the address is blocked
  • Only already-existing connections are maintained
  • Packets are dropped unless the session already exists
    (TCP RST, RST/ACK, SYN/ACK, FIN, FIN/ACK)

24
Evaluation
  • 6,000 hosts connected to the Internet
  • 50-100 Mbps, 8-15K packets/sec
  • In a day
    • 20M external connection attempts
    • 2M internally initiated connection attempts
  • Main trace
    • 72 minutes
    • 44M packets, 48,052 external hosts, and 131K
      internal addresses

25
Evaluation
  • Threshold of 5
    • 470 alerts
    • No false positives
    • Only those with counts between 5 and 19 are shown

26
Evaluation
  • Maximize sensitivity
    • Cmin = -5, Dmiss = infinity
    • Misconfigurations showed up
    • These are the lowest maximum counts

27
Cooperation between Cells
  • Every containment device knows the number of blocks
    the others have in effect
  • Each cell computes its own threshold using this
    knowledge
  • Reduces T as a function of θ and X, where θ controls
    how aggressively to reduce T and X is the number of
    other blocks in place
  • Additionally each cell must increase

28
Effect of θ
29
Inter-cell Communication
  • Tests were performed under the assumption that cell
    communication is instantaneous compared with worm
    propagation
  • Slow communication may let a worm propagate before
    any threshold modifications take effect
  • Possible solutions
    • Using a broadcast address
    • Caching recently contacted addresses

30
Inadvertent False Positives
  • Artifacts of the detection routines
    • Potentially more severe
    • In testing, did not appear to be a problem for the
      algorithm used in this paper
  • Benign scanning

31
Malicious False Positives
  • An attacker can frame another host through packet
    forging
  • Preventions for internal addresses
    • Use MAC addresses and switch features to prevent
      spoofing or changing of MAC addresses
    • Set up HTTP proxies and mail filters to filter
      malicious content
  • External addresses may still be spoofed and blocked

32
Malicious False Negatives
  • Occur when a worm is able to continue despite the
    active scan containment
  • The worm continues to infect the network without
    being noticed

33
Avoiding Detection
  • Propagate via a different means
    • Topological, meta-server, passive, hit-list, etc.
  • Operate below the scanning threshold
    • Scan for liveness on a white-listed port
    • Imperfect, but lowers the failure rate
  • Obtain multiple network addresses
    • Lowers the epidemic threshold by a factor of K if
      the attacker can obtain K network addresses

34
Attacking Cooperation
  • Outrace containment
  • Flood the containment coordination channels
    • Cells should have reserved communication bandwidth
      to prevent this
  • Cooperative collapse
    • High false positives → lowered thresholds, which
      in turn increase the false positives
    • An attacker can amplify this effect by causing
      scanning within the cells

35
Added Risks of Simplified TRW
  • Exploiting the approximation cache's hash and
    permutation functions
    • Countermeasure: block-cipher-based hashing
  • Hiding scanning in a flood of spoofed packets
    • Pollutes the connection cache with half-open
      connections
    • Not very feasible because of the resources required
    • Could also spread using a slow, distributed scan
  • Two-sided evasion technique

36
Two-sided Evasion
  • Requires two computers
    • One on each side of the containment device
  • Uses the accomplice machine to provide valid
    connections that balance out the scanning

37
Two-sided Countermeasures
  • Count only horizontal scans
    • Advantage: greatly limits the evasion potential
    • Disadvantage: cannot detect vertical scans
  • Split the per-address count into two counts
    • One for scanning the internal network, one for the
      Internet
    • Still allows Internet scanning, but protects the
      internal network
  • Use two containment implementations
    • Doubles the required resources
    • Provides protection from general scanning and from
      scanning that uses evasive techniques
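The following is an added, runnable model of the counting rules on slides 21 to 23 and of the two-sided evasion and horizontal-only countermeasure on slides 36 and 37; it is not the paper's or the presenters' code. The class, method and scenario names, the decision to block at count > T, the decay of positive counts by one per Dmiss seconds, the rule that horizontal-only mode counts just the first connection per (inside, outside) address pair, and all addresses and timings are assumptions. The scenarios are constructed: a plain scan that crosses the threshold, ordinary answered traffic that ends with a negative count, and a scanner whose inside accomplice cancels every miss until horizontal-only counting is switched on.

```python
"""Simplified TRW containment cell: added model of slides 21-23 and 36-37, not the
paper's code.  count(ext) = misses - hits: +1 outside packet answering no inside
request, -1 outside packet answering one, -2 inside acceptance of an earlier
outside request.  count > T blocks ext except for existing sessions.  Assumed:
positive counts decay by one per Dmiss seconds; horizontal-only mode counts only
the first connection per (inside, outside) address pair."""
ESTABLISHED, IN_TO_OUT, OUT_TO_IN = "established", "in-to-out", "out-to-in"


class ContainmentCell:
    def __init__(self, T=5, Cmin=-5, Cmax=20, Dmiss=60.0, horizontal_only=False):
        self.T, self.Cmin, self.Cmax, self.Dmiss = T, Cmin, Cmax, Dmiss
        self.horizontal_only = horizontal_only
        self.conns = {}     # (inside, ext, inside_port) -> [direction, last_seen, counted]
        self.addrs = {}     # ext -> [count, last_update, blocked]
        self.pairs = set()  # (inside, ext) pairs seen, for horizontal-only counting

    def _addr(self, ext, now):
        a = self.addrs.setdefault(ext, [0, now, False])
        steps = int((now - a[1]) // self.Dmiss)
        if steps and a[0] > 0:                    # assumed decay of miss counts
            a[0] = max(0, a[0] - steps)
        a[1] = now
        return a

    def _charge(self, a, delta):
        a[0] = max(self.Cmin, min(self.Cmax, a[0] + delta))
        a[2] = a[0] > self.T                      # blocked while over threshold
        return a[2]

    def _new_conn(self, key, direction, now):
        inside, ext, _ = key
        counted = not (self.horizontal_only and (inside, ext) in self.pairs)
        self.pairs.add((inside, ext))
        self.conns[key] = [direction, now, counted]
        return counted

    def outside_packet(self, ext, inside, port, now):
        key, a = (inside, ext, port), self._addr(ext, now)
        c = self.conns.get(key)
        if c and c[0] == ESTABLISHED:
            c[1] = now                            # existing session: refresh age only
            return "established"
        if a[2]:
            return "drop"                         # blocked address and no session
        if c and c[0] == OUT_TO_IN:               # answers an inside request: a hit
            c[0], c[1] = ESTABLISHED, now
            if c[2]:
                self._charge(a, -1)
            return "hit"
        if c:                                     # retry of a still-pending request
            c[1] = now
            return "pending"
        if not self._new_conn(key, IN_TO_OUT, now):
            return "uncounted"                    # vertical event in horizontal-only mode
        return "blocked" if self._charge(a, +1) else "miss"

    def inside_packet(self, inside, ext, port, now):
        key, a = (inside, ext, port), self._addr(ext, now)
        c = self.conns.get(key)
        if c is None:
            self._new_conn(key, OUT_TO_IN, now)   # inside-initiated request, no charge yet
            return "request"
        c[1] = now
        if c[0] == IN_TO_OUT:                     # inside accepts an outside request
            c[0] = ESTABLISHED
            if c[2]:
                self._charge(a, -2)               # -2 cancels the +1 charged on arrival
            return "accepted"
        return "established"

    def state(self, ext):
        return self.addrs[ext][0], self.addrs[ext][2]   # (count, blocked)


def scan_from_outside(n=8, T=5):
    """Constructed: one external host probes n inside hosts on 445; none answer."""
    cell = ContainmentCell(T=T)
    verdicts = [cell.outside_packet("198.51.100.7", f"10.0.0.{i}", 445, 0.01 * i)
                for i in range(1, n + 1)]
    return verdicts, cell.state("198.51.100.7")


def answered_traffic(T=5):
    """Constructed: inside client's request answered (-1); inbound mail +1 then -2."""
    cell = ContainmentCell(T=T)
    cell.inside_packet("10.0.0.5", "203.0.113.10", 40001, 1.0)
    hit = cell.outside_packet("203.0.113.10", "10.0.0.5", 40001, 1.1)
    miss = cell.outside_packet("203.0.113.20", "10.0.0.25", 25, 2.0)
    acc = cell.inside_packet("10.0.0.25", "203.0.113.20", 25, 2.1)
    return hit, cell.state("203.0.113.10")[0], miss, acc, cell.state("203.0.113.20")[0]


def two_sided_evasion(probes=12, T=5, horizontal_only=False):
    """Constructed: scanner alternates probing a fresh inside host with a connection
    to inside accomplice 10.0.0.99, which always answers (slides 36-37)."""
    cell = ContainmentCell(T=T, horizontal_only=horizontal_only)
    for i in range(1, probes + 1):
        t = 3.0 * i
        cell.outside_packet("198.51.100.9", f"10.0.0.{i}", 445, t)
        cell.outside_packet("198.51.100.9", "10.0.0.99", 1000 + i, t + 1)
        cell.inside_packet("10.0.0.99", "198.51.100.9", 1000 + i, t + 2)
    return cell.state("198.51.100.9")
```

With the default parameters `scan_from_outside()` blocks the scanner on its sixth unanswered probe and drops the rest, `answered_traffic()` leaves both legitimate peers at a count of -1, and `two_sided_evasion()` stays at 0 and unblocked because each answered accomplice connection cancels one miss; passing `horizontal_only=True` credits the accomplice's address only once, so the misses accumulate and the scanner is blocked at a count of 6. Vertical scans of a single inside host are invisible in that mode, which is the trade-off the slide states.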

38
Weaknesses
  • Assumes instantaneous communication between cells
  • Does not account for the bandwidth consumption that
    occurs during worm attacks
  • Assumes accurate communication between cells
  • Does not account for the existence of P2P networks

39
Contributions
  • Provides a mechanism for detection and containment
    • Usable in hardware or software
  • Provides granularity within the network
    • Containment is not limited to an entire subnet
  • Cooperation between granular units enhances
    containment and improves containment time

40
References
  • Paxson and Weaver, "Worst-Case Worm"
  • Staniford, Paxson, and Weaver, "How to 0wn the
    Internet in Your Spare Time"
  • Jung, Paxson, Berger, and Balakrishnan, "Fast
    Portscan Detection Using Sequential Hypothesis
    Testing"