Very Fast containment of Scanning Worms - PowerPoint PPT Presentation

1
Very Fast containment of Scanning Worms
  • Artur Zak
  • ------------------------------------------------
  • Nicholas Weaver (ICSI), Stuart Staniford (Nevis
    Networks), Vern Paxson (ICSI)

2
Abstract
  • Worms: malicious, self-propagating programs.
  • They represent a threat to large networks.
  • Containment, one form of defense, limits a worm's
    spread by isolating it in a small subsection of
    the network.

3
Worm Containment (virus throttling)
  • Needs to be automated.
  • Worms propagate more rapidly than humans can
    respond.
  • Works by detecting that a worm is operating in
    the network and then blocking the infected
    machines from contacting further hosts.

4
Mechanism Requirements
  • Break the network into many cells.
  • Within each cell a worm can spread unimpeded.
  • Between cells, containment limits infection by
    blocking outgoing connections from infected cells.
  • Must have a very low false positive rate.
  • Blocking suspicious machines becomes a denial of
    service (DoS) if the false positive rate is high.

5
Scanning Worms
  • Operate by picking a random address and
    attempting to infect the machine there.
  • Blaster: linear scanning.
  • Code Red: fully random.
  • Code Red II, Nimda: biased toward local addresses.

6
Scanning Worms
  • Common properties of scanning worms:
  • Most scanning attempts result in failure.
  • Infected machines initiate many connection
    attempts.
  • Containment therefore looks for a class of
    behavior rather than a specific worm signature.
  • It is thus able to stop new, previously unseen
    worms.

7
Epidemic Threshold
  • A worm-suppression device must necessarily allow
    some scanning before it triggers a response.
  • The worm may find a victim during that time.

8
Epidemic Threshold
  • The epidemic threshold depends on:
  • The sensitivity of the containment response
    device.
  • The density of vulnerable machines on the network.
  • The degree to which the worm is able to target
    its efforts into the correct network, and even
    into the current cell.
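A toy model of the three dependencies on this slide, added here as an illustration and not code from the paper or the presentation. It assumes a cell of N addresses with V vulnerable hosts, a containment device that permits each infected host T scans before blocking it (T stands in for the device's sensitivity), and a worm whose scans land inside the cell with probability p (its targeting); `basic_reproduction`, `simulate_cell` and `outbreak_sizes` are names chosen for this example.

```python
"""Toy model of the epidemic threshold inside one containment cell.

Added illustration, not code from the paper or the slides.  Assumptions
(mine, not the page's): the cell has N addresses, V of them vulnerable; the
device lets each newly infected host make T scans before blocking it; a scan
lands inside the cell with probability p and then picks a uniformly random
cell address.
"""
import random


def basic_reproduction(t_scans: int, vulnerable: int, addresses: int,
                       in_cell_fraction: float = 1.0) -> float:
    """Expected number of hosts one infected host infects before it is
    blocked: T scans, each in the cell with probability p and hitting a
    vulnerable host with probability V/N.  Below 1 the worm dies out."""
    return t_scans * in_cell_fraction * vulnerable / addresses


def threshold_density(t_scans: int, in_cell_fraction: float = 1.0) -> float:
    """Vulnerable density V/N at which the reproduction number reaches 1."""
    return 1.0 / (t_scans * in_cell_fraction)


def simulate_cell(t_scans: int, vulnerable: int, addresses: int,
                  in_cell_fraction: float, rng: random.Random) -> int:
    """One outbreak from a single infected host, run until every infected
    host has been blocked.  Returns the total number of hosts infected."""
    vuln_list = rng.sample(range(addresses), vulnerable)
    vuln_set = set(vuln_list)
    infected = {vuln_list[0]}          # patient zero
    active = [vuln_list[0]]            # infected hosts not yet blocked
    while active:
        host = active.pop()
        for _ in range(t_scans):       # the device permits T scans ...
            if rng.random() >= in_cell_fraction:
                continue               # scan went to some other cell
            target = rng.randrange(addresses)
            if target in vuln_set and target not in infected:
                infected.add(target)
                active.append(target)
        # ... then blocks the host, so it spreads no further
    return len(infected)


def outbreak_sizes(t_scans: int, vulnerable: int, addresses: int,
                   in_cell_fraction: float = 1.0, trials: int = 20,
                   seed: int = 1) -> list:
    """Final outbreak sizes over several trials with a seeded generator."""
    rng = random.Random(seed)
    return [simulate_cell(t_scans, vulnerable, addresses, in_cell_fraction, rng)
            for _ in range(trials)]


if __name__ == "__main__":
    # The same worm (T = 10, V/N = 0.5) with perfect and with poor targeting.
    for p in (1.0, 0.1):
        r0 = basic_reproduction(10, 10000, 20000, p)
        sizes = outbreak_sizes(10, 10000, 20000, p, trials=5)
        print(f"p={p}: R0={r0:.2f} outbreak sizes={sizes}")
```

With p = 1 the reproduction number is 5 and the worm sweeps nearly every vulnerable host in the cell; with p = 0.1, nothing else changed, it is 0.5 and outbreaks fizzle after a handful of hosts, which is why the slide lists targeting alongside sensitivity and density.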

9
Sustained Scanning Threshold
  • If a worm scans slower than the sustained scanning
    threshold, the detector will not trigger.
  • It is vital to achieve as low a sustained scanning
    threshold as possible.
  • For this implementation the threshold is set to
    1 scan per minute.

10
Scan Suppression
  • Scan suppression: responding to detected
    portscans by blocking future scanning attempts.
  • Portscans have two basic types:
  • Horizontal: search for an identical service on a
    large number of machines.
  • Vertical: examine an individual machine to
    discover its running services.

11
Implementation
  • The scan detection and suppression algorithm is
    derived from Threshold Random Walk (TRW) scan
    detection.
  • It operates by using an oracle to determine
    whether a connection will fail or succeed.

12
Implementation
  • The scan detection algorithm is simpler than TRW.
  • Suitable for both hardware and software
    implementation.
  • The simplification increases the false negative
    rate but leaves the false positive rate unchanged.
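An illustrative counter-based suppressor in the spirit of slides 9 to 12, added here and not the paper's implementation. It assumes that the oracle's verdict for each outbound connection is already available as a boolean (the constructed records simply carry it), that a miss adds one to a per-source count and a hit subtracts one down to a bounded credit, that the count decays by one per minute to realise the 1 scan/minute sustained scanning threshold, and that a source is blocked when its count reaches 10; the threshold and credit values are assumptions, not figures from the slides. The constructed traffic also includes the slow scanner of slide 18, which stays under the sustained scanning threshold and is never blocked.

```python
"""Counter-based scan suppressor in the spirit of the simplified TRW-derived
detector described on slides 9 to 12.  Added illustration, not the paper's
code.  Assumptions (mine, not the page's): each outbound connection arrives
with the oracle's verdict as a boolean; a miss adds 1 to the source's count
and a hit subtracts 1 down to a bounded credit; the count decays by 1 per
minute (the 1 scan/minute sustained scanning threshold); a source is blocked
once its count reaches BLOCK_THRESHOLD.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_THRESHOLD = 10     # misses in excess of hits that block a source (assumed)
CREDIT_FLOOR = -10       # most credit a source can bank from successes (assumed)
DECAY_INTERVAL = 60.0    # seconds per forgiven miss: 1 scan/minute sustained


@dataclass
class SourceState:
    count: int = 0
    last_decay: float = 0.0
    blocked: bool = False
    attempts: int = 0
    blocked_at_attempt: Optional[int] = None


class ScanSuppressor:
    def __init__(self, threshold: int = BLOCK_THRESHOLD,
                 credit_floor: int = CREDIT_FLOOR,
                 decay_interval: float = DECAY_INTERVAL) -> None:
        self.threshold = threshold
        self.credit_floor = credit_floor
        self.decay_interval = decay_interval
        self.sources: Dict[str, SourceState] = {}

    def _decay(self, st: SourceState, now: float) -> None:
        """Forgive one miss per whole decay interval elapsed.  The decay
        clock advances by whole intervals instead of jumping to `now`;
        otherwise decay would depend on event spacing rather than elapsed
        time, and a source probing every 59 s would never be forgiven."""
        steps = int((now - st.last_decay) // self.decay_interval)
        if steps > 0:
            st.last_decay += steps * self.decay_interval
            if st.count > 0:           # decay only removes suspicion, not credit
                st.count = max(0, st.count - steps)

    def observe(self, ts: float, src: str, succeeded: bool) -> bool:
        """Account one outbound connection attempt from `src` at time `ts`
        with the oracle's verdict `succeeded`.  Returns True if `src` is
        blocked (the attempt is dropped and no longer counted)."""
        st = self.sources.get(src)
        if st is None:
            st = self.sources[src] = SourceState(last_decay=ts)
        st.attempts += 1
        if st.blocked:
            return True
        self._decay(st, ts)
        if succeeded:
            st.count = max(self.credit_floor, st.count - 1)
        else:
            st.count += 1
            if st.count >= self.threshold:
                st.blocked = True
                st.blocked_at_attempt = st.attempts
        return st.blocked


def constructed_traffic() -> List[Tuple[float, str, bool]]:
    """Constructed records (timestamp, source, oracle says succeeded); not real traffic."""
    flows: List[Tuple[float, str, bool]] = []
    # Benign client: 30 successes to its usual servers, then 3 failures.
    flows += [(2.0 * i, "10.0.0.5", True) for i in range(30)]
    flows += [(61.0 + i, "10.0.0.5", False) for i in range(3)]
    # Fast scanner: 12 failed probes within about a second.
    flows += [(100.0 + 0.1 * i, "10.0.0.7", False) for i in range(12)]
    # Scanner at 2 probes/minute: twice the sustained scanning threshold.
    flows += [(200.0 + 30.0 * i, "10.0.0.11", False) for i in range(30)]
    # Slow scanner at 1 probe per 90 s: under the threshold (false negative).
    flows += [(300.0 + 90.0 * i, "10.0.0.9", False) for i in range(40)]
    return sorted(flows, key=lambda f: f[0])


def run_constructed_sample() -> Dict[str, Tuple[bool, int, Optional[int]]]:
    """Replay the constructed traffic; per source: (blocked, final count,
    attempt number at which the source was blocked)."""
    det = ScanSuppressor()
    for ts, src, ok in constructed_traffic():
        det.observe(ts, src, ok)
    return {src: (st.blocked, st.count, st.blocked_at_attempt)
            for src, st in det.sources.items()}


if __name__ == "__main__":
    for src, (blocked, count, at) in sorted(run_constructed_sample().items()):
        print(f"{src:10} blocked={blocked!s:5} count={count:4} blocked_at_attempt={at}")
```

The fast scanner is blocked on its tenth failed probe and the 2/minute scanner on its eighteenth (each minute it gains two misses and is forgiven one), while the 90-second scanner's count never rises above 1: the false negative the deck describes later is the price of the sustained scanning threshold, and lowering that threshold is what shrinks it.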

13
Hardware Implementation
  • Constraint: memory access speed.
  • During the transmission of a minimum-sized gigabit
    Ethernet packet there is time to access a DRAM at
    only about 8 different locations (4 accesses per
    direction on a full-duplex link).
  • Using SRAM solves the problem, at higher cost.

14
Hardware Implementation
  • Approximate cache: a cache for which collisions
    cause imperfections (a lookup can return a wrong
    answer) instead of being detected and resolved.
  • Lets a fixed amount of memory stand in for a data
    set that would normally exceed its capacity.
  • A Bloom filter is one type of approximate cache.
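A Bloom filter used as an approximate cache of seen addresses, added as an example and not the paper's hardware design. It assumes K bit positions derived from one SHA-256 digest and constructed dotted-quad strings as input; `evaluate` compares a filter sized for the inserted set against one far too small for it, so the collision-caused imperfection on this slide can be measured rather than just named.

```python
"""Approximate cache as a Bloom filter.  Added example, not the paper's
hardware design.  A fixed bit array of M bits and K hash positions records
addresses that have been seen.  Collisions are the imperfection: a lookup may
answer "seen" for an address that was never inserted (false positive) but
never "not seen" for one that was.  Memory use is fixed however many
addresses are inserted, which is what a hardware implementation needs.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, num_bits: int, num_hashes: int) -> None:
        if not 1 <= num_hashes <= 8:
            raise ValueError("this example derives at most 8 positions from SHA-256")
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _indices(self, key: str):
        # K bit positions from one SHA-256 digest, 4 bytes per position.
        digest = hashlib.sha256(key.encode()).digest()
        for i in range(self.num_hashes):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.num_bits

    def add(self, key: str) -> None:
        for idx in self._indices(key):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, key: str) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7))
                   for idx in self._indices(key))

    def memory_bytes(self) -> int:
        return len(self.bits)


def expected_false_positive_rate(num_bits: int, num_hashes: int,
                                 num_items: int) -> float:
    """Standard estimate for a Bloom filter: (1 - e^(-K n / M))^K."""
    return (1.0 - math.exp(-num_hashes * num_items / num_bits)) ** num_hashes


def constructed_addresses(prefix: str, count: int) -> list:
    """Constructed dotted-quad strings under a /16 prefix; not real traffic."""
    return [f"{prefix}.{i // 256}.{i % 256}" for i in range(count)]


def evaluate(num_bits: int, num_hashes: int, num_seen: int = 5000):
    """Insert `num_seen` addresses and probe as many unseen ones.  Returns
    (false negative rate, measured false positive rate, expected false
    positive rate, memory in bytes)."""
    bf = BloomFilter(num_bits, num_hashes)
    seen = constructed_addresses("10.0", num_seen)
    unseen = constructed_addresses("192.168", num_seen)
    for addr in seen:
        bf.add(addr)
    fn_rate = sum(1 for addr in seen if addr not in bf) / num_seen
    fp_rate = sum(1 for addr in unseen if addr in bf) / num_seen
    expected = expected_false_positive_rate(num_bits, num_hashes, num_seen)
    return fn_rate, fp_rate, expected, bf.memory_bytes()


if __name__ == "__main__":
    for bits in (65536, 8192):
        fn, fp, exp_fp, mem = evaluate(bits, 4)
        print(f"M={bits:6d} bits ({mem:5d} bytes): FN={fn:.3f} "
              f"FP={fp:.3f} expected FP={exp_fp:.3f}")
```

Storing the 5000 inserted addresses exactly would take 20000 bytes for the keys alone; the 8192-byte filter answers correctly for every inserted address and misfires on well under one percent of unseen ones, while the 1024-byte filter, now holding far more than it was sized for, reports most unseen addresses as seen. That degradation under overload, rather than a hard failure, is the trade the approximate cache makes.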

15
Connection Cache
16
Address Cache Lookup
17
Attacking the Containment
  • An attacker can create false positives: trigger
    responses which would not otherwise occur.
  • A false positive thus creates a DoS target.

18
Attacking the Containment
  • False negative: the worm slips by even though
    containment is active.
  • Scan at a rate slower than the sustained scanning
    threshold.
  • Requires more complicated code from worm writers.