Very Fast containment of Scanning Worms - PowerPoint PPT Presentation

1
Very Fast containment of Scanning Worms
  • Presented by
  • Vinay Makula

2
Introduction
  • Computer worms: malicious, self-propagating
    programs
  • Containment: limit a worm's spread by isolating
    it in a small subsection of the network

3
Worm Containment
  • Detecting infected machines and preventing them
    from contacting further hosts
  • Implementation aspects
  • Breaking network into small pieces called cells
  • Lowering false positives

4
Scanning Worms
  • Operate by picking random addresses, attempting
    to infect them
  • Linear scanning (Ex. Blaster)
  • Fully random (Ex. Code Red)
  • Bias toward local addresses (Ex. Code Red II,
    Nimda)
  • Permutation scanning

5
Scanning Worms
  • Properties
  • Most scanning attempts result in failure
  • Infected machines will institute many connection
    attempts
  • Containment
  • Seeks a class of behavior rather than specific
    worm signatures

6
Epidemic Threshold
  • Worm-suppression device must necessarily allow
    some scanning before it triggers a response
  • Worm may find a victim during that time

7
Epidemic Threshold
  • The epidemic threshold depends on
  • The sensitivity of the containment response
    devices
  • The density of vulnerable machines on the network
  • The degree to which the worm is able to target
    its efforts into the correct network, and even
    into the current cell

8
Sustained Scanning Threshold
  • If a worm scans slower than the sustained scanning
    threshold, the detector will not trigger
  • In this implementation the threshold is set to 1
    scan per minute.

9
Scan Suppression
  • Respond to detected portscans by blocking future
    scanning attempts
  • Two types of portscans
  • Horizontal: search for an identical service on a
    large number of machines
  • Vertical: examine an individual machine to
    discover its running services

10
Threshold Random Walk (TRW)
  • The algorithm operates by using an oracle to
    determine if a connection will fail or succeed
  • A successfully completed connection will drive
    the random walk upwards
  • A failure to connect drives the random walk
    downwards

11
Scan detection algorithm
  • Advantages
  • Suitable for both hardware and software
    implementation
  • No changes in the false positive rate
  • Disadvantages
  • Increased false negative rate
  • Worms can still evade detection

12
Hardware Implementation
  • Constraints
  • Memory access speed
  • During the transmission time of a minimum-sized
    gigabit Ethernet packet, a DRAM can only be
    accessed at about 8 different locations (or 4
    accesses per direction for full duplex)
  • SRAM would solve the problem, but it is more
    expensive

13
Hardware Implementation
  • Memory size
  • SRAM currently holds only a few tens of megabytes
  • DRAM can hold up to a gigabyte
  • Try to keep the memory size small (5MB) so that
    both are options

14
Approximate Cache
  • The information we'd like to store can exceed the
    fixed volume of memory
  • Hence use an approximate cache, for which
    collisions cause imperfections
  • Advantages
  • Keeps the memory bounded
  • Allows for very simple lookups

15
Attacking the Cache
  • Predicting the hash: create collisions to evict or
    combine data, causing false positives or negatives
  • Flooding the cache: massive amounts of normal data
    to hide the true attack

16
Approximation of TRW
  • Track connections and addresses using approximate
    caches
  • Track success and failure of connection attempts
    to:
  • New address
  • New address to old ports
  • Old ports at old addresses
  • Track addresses indefinitely

17
The Structure
18
The structure
  • Connection cache
  • Tracks whether the connection has been
    established in either direction
  • Address cache
  • Keeps track of detected addresses, and records in
    a count the difference between the number of
    failed and successful connections

19
Condition 1
20
Condition 2
21
Condition 3
22
Blocking and special cases
  • If the count is greater than a predefined
    threshold, the address is blocked
  • Only already existing connections are maintained
  • Packets are dropped unless the session already
    exists
  • TCP RST, RST/ACK, SYN/ACK, FIN, FIN/ACK
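As an added illustration (not code from the slides or from the paper's implementation), the Python sketch below approximates the TRW count of slides 10 and 16-22 with fixed-size, hash-indexed caches: every new outbound connection attempt raises the source's count, a SYN/ACK coming back lowers it, and a host whose count exceeds the threshold keeps only its established sessions. The event API, the slot count, the simplified +1/-1 rule and the sample traffic are assumptions made for the example.

```python
import hashlib

THRESHOLD = 5   # block once failures exceed successes by more than this (slide 24 uses 5)
SLOTS = 4096    # fixed-size hash tables ("approximate cache"): a collision overwrites the older entry

def _slot(key):
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % SLOTS

class ScanSuppressor:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.conn = {}      # connection cache: slot -> (src, dst, dport, established)
        self.addr = {}      # address cache: slot -> (addr, count); count = failed - successful
        self.blocked = set()
    def count(self, src):
        e = self.addr.get(_slot(src))
        return e[1] if e and e[0] == src else 0
    def _bump(self, src, delta):
        new = self.count(src) + delta          # a collision evicts the other address's count
        self.addr[_slot(src)] = (src, new)
        if new > self.threshold:
            self.blocked.add(src)
    def _conn(self, src, dst, dport):
        s = _slot(f"{src}>{dst}:{dport}")
        e = self.conn.get(s)
        return s, (e if e and e[:3] == (src, dst, dport) else None)
    def outbound_syn(self, src, dst, dport):
        """Return True if the SYN is forwarded, False if dropped."""
        s, e = self._conn(src, dst, dport)
        if src in self.blocked:                # blocked host: only existing sessions survive
            return e is not None and e[3]
        if e is None:                           # new attempt: counts as a failure until answered
            self.conn[s] = (src, dst, dport, False)
            self._bump(src, +1)
        return True
    def inbound_synack(self, src, dst, dport):
        """dst answered src: the attempt succeeded, so walk the count back down."""
        s, e = self._conn(src, dst, dport)
        if e is not None and not e[3]:
            self.conn[s] = (src, dst, dport, True)
            self._bump(src, -1)

def run_demo():
    # constructed sample traffic: one scanner that gets no replies, one normal client
    d = ScanSuppressor()
    scan = [d.outbound_syn("10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 11)]
    for i in range(1, 4):
        d.outbound_syn("10.0.0.7", f"198.51.100.{i}", 443)
        d.inbound_synack("10.0.0.7", f"198.51.100.{i}", 443)
    return {"scan_forwarded": scan, "blocked": sorted(d.blocked), "client_count": d.count("10.0.0.7")}
```

The scanner's first six SYNs pass (the sixth pushes its count past the threshold) and the rest are dropped, while the client whose connections are all answered ends with a count of zero.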

23
Evaluation
  • A gigabit link connects 6,000 hosts to the
    Internet
  • The link sustains 50-100 Mbps and 8-15K
    packets/sec
  • In a day
  • 20M external connection attempts
  • 2M internally initiated connection attempts
  • Main trace
  • Lasted 72 minutes
  • 44M packets, involving 48,052 external hosts and
    131K internal addresses
  • Captured using tcpdump

24
Evaluation
All outbound connections over a threshold of 5
were flagged by the algorithm
25
Evaluation
Additional alerts on the outbound traffic
generated when sensitivity was increased
26
Cooperation
  • Every containment device knows how many blocks
    the other containment devices currently have
  • Each device uses this information to adjust its
    response threshold

27
Cooperation
  • Reduces the threshold T, where ? controls how
    aggressively to reduce T and X is the number of
    other blocks in place

28
Attacking the Containment
  • An attacker can create false positives
  • Trigger responses which wouldn't otherwise occur
  • False positives create a DoS target
  • An attacker can create false negatives to slip by
    the defenses

29
Inadvertent False positives
  • Two types
  • Resulting from artifacts of the detection
    routines
  • Resulting from benign scanning

30
Malicious False negatives
  • Instead of scanning, the worm propagates through
    different means: topological, passive, etc.
  • Worms can operate below the scanning threshold to
    avoid detection
  • Scan for liveness of the port
  • Obtain multiple network addresses

31
Malicious False positives
  • An attacker can spoof packets to frame other hosts
    in the same cell
  • Spoofing can be prevented using MAC addresses
  • Set up HTTP proxies and mail filtering to detect
    and block malicious content

32
Attacking the algorithm
  • Exploit the approximate cache's hash and
    permutation function
  • Exploit the vulnerability to a two-sided evasion
    technique

33
Two-sided evasion
  • Requires two computers, one on each side of the
    containment device, generating normal traffic on
    a multitude of ports
  • A worm could use this evasion technique, making
    up for each failed attempt by creating a
    successful connection between cooperating
    machines

34
Related Work
  • Network Security Monitor
  • Snort
  • Bro
  • Leckie
  • Forescout
  • Mirage Networks

35
Future Work
  • Implementing the system in hardware and deploying
    it
  • Integrating the algorithm into software-based
    IDS
  • Obtaining a complete enterprise trace
  • Developing optimal communication strategies

36
Conclusions
  • Demonstrated a highly sensitive scan detection
    and suppression algorithm suitable for worm
    containment
  • Able to detect scanning within fewer than 10
    attempts for a highly sensitive machine, and
    within 30 attempts for a normal machine
  • Cooperation between containment devices provides
    improved performance