Title: Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
Slide 1: Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
- Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai (University of Massachusetts, Amherst)
Slide 2: Worm Propagation Illustration
- Find new targets
- IP random scanning
- Compromise targets
- Exploit vulnerability
- Newly infected join infection army
(Figure: IPv4 space)
Slide 3: Why Random Scanning?
- Very simple to program
- High coverage, hard to shut down
- Any vulnerable host with a global IP can be directly infected by any infected host
- Propagates very fast on the IPv4 Internet
- Slammer infected 90% in 10 minutes
- IPv4 space is small for blindly shooting
- Shooting in the dark (IPv4 space is big)
- 1 out of 40,000 Slammer scans hits a target
- Bandwidth simulations must account for unsuccessful scans
Slide 4: Motivation: How Fast Can a Worm Spread?
- Scanning rate h
- Coding skill, TCP/UDP protocol
- Bandwidth-limited worm (Slammer, Witty)
- Number of initially infected hosts I0
- Hit-list worm (Warhol, flash) [Weaver01]
- Scanning efficiency p
- Local preference scanning
- Removing empty IPs from scanning space
- Routing worm
Slide 5: What Is a Routing Worm?
- Contains information about the BGP routable space
- The other IP space is not Internet reachable
- Scanning the other IP space produces no infection
- Routable IPv4 space increases slowly
- NAT
- CIDR
- DHCP
Slide 6: BGP Routing Worm
- Contains BGP non-overlapping prefixes
- Remove 128.119.85/24 if BGP contains 128.119/16
- 140,602 prefixes -> 62,053 (Sept. 22, 2003)
- Increases worm speed > 3 times
- Scanning space: 28.6% of IPv4 space
- Scanning efficiency p = N/W
- Code Red 12,000 -> Routing 3,500
- Payload requirement ≈ 175KB
- Big payload for worm propagation
Slide 7: /8 Routing Worm
- IANA provides /8 address allocations
- x.0.0.0/8: 256 /8 prefixes in IPv4 space
- 116 /8 prefixes contain all BGP routable space
- Scanning space 45.3%, payload 116 bytes
(Excerpt from the IANA /8 allocation table)
002/8 IANA - Reserved
003/8 General Electric Company
018/8 MIT
056/8 U.S. Postal Service
214/8 US-DOD
216/8 American Registry for Internet Numbers
224/8 IANA - Multicast
Slide 8: Routing Worm based on Aggregated BGP Prefixes
- Trade-off between scanning space and prefix payload
- /16 routing worm
- /8 routing worm
- /8 routing worm applicable for bandwidth-limited worm
- /n aggregation (8 ≤ n ≤ 16)
Slide 9: Routing Worm Propagation Study
- Code Red style worm
- h = 358/min, N = 360,000
- Hit-list, I0 = 10,000
- BGP routing, W = 0.29 × 2^32
- /8 routing, W = 0.45 × 2^32
Slide 10: Congestion Challenge
(Figure: traditional scanning worm)
- Network congestion happens in local networks
- Simulation: 1/3 of scans contribute congestion to both source and destination local networks
Slide 11: Congestion Challenge
(Figure: routing worm)
- A routing worm generates three times more scanning traffic on the Internet backbone
Slide 12: Fast Detection Challenge
- Detection of a local infected host
- Excessive number of failed connection requests
- 2/3 of an ordinary worm's scans are non-routable
- Routing worm detection needs connection response (RST, timeout)
Slide 13: Routing Worm: A Selective Attack Worm
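To make the detection point concrete, here is an added Python example (not from the slides) that runs two host-based detectors over constructed flow records: one that only counts scans to non-routable destinations, and one that also counts RST/timeout responses from routable destinations. The "routable" prefix list and all flow records are constructed for the example and are not real BGP or traffic data.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the BGP routable space (two prefixes, not a real table).
ROUTABLE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
FAILURES = {"RST", "TIMEOUT", "ICMP_UNREACH"}

def is_routable(dst):
    """True if dst falls inside one of the (constructed) routable prefixes."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in ROUTABLE)

def classify(record):
    """Classify one (src, dst, outcome) attempt as nonroutable, failed or ok."""
    _, dst, outcome = record
    if not is_routable(dst):
        return "nonroutable"          # an ordinary random scan lands here 2/3 of the time
    return "failed" if outcome in FAILURES else "ok"

def detect(records, threshold):
    """Return (dest_only_suspects, response_based_suspects) at a failure threshold.
    dest_only counts only non-routable targets; response_based also counts
    RST/timeout replies from routable targets, which is what a routing worm leaves."""
    dest_only, response_based = Counter(), Counter()
    for rec in records:
        kind, src = classify(rec), rec[0]
        if kind == "nonroutable":
            dest_only[src] += 1
            response_based[src] += 1
        elif kind == "failed":
            response_based[src] += 1
    flag = lambda c: {s for s, n in c.items() if n >= threshold}
    return flag(dest_only), flag(response_based)

# Constructed flow records: (source host, destination, observed outcome).
SCANS = [
    # 10.1.1.5: random-scanning worm, most targets outside routable space
    ("10.1.1.5", "203.0.113.9", "TIMEOUT"), ("10.1.1.5", "198.51.100.7", "TIMEOUT"),
    ("10.1.1.5", "10.9.9.9", "RST"), ("10.1.1.5", "192.0.2.44", "TIMEOUT"),
    ("10.1.1.5", "203.0.113.200", "TIMEOUT"), ("10.1.1.5", "192.168.3.4", "RST"),
    # 10.1.1.6: routing worm, every target routable, failures appear only as RST/timeout
    ("10.1.1.6", "10.2.0.1", "RST"), ("10.1.1.6", "10.5.6.7", "TIMEOUT"),
    ("10.1.1.6", "192.168.9.1", "RST"), ("10.1.1.6", "10.44.0.2", "TIMEOUT"),
    ("10.1.1.6", "192.168.77.8", "RST"), ("10.1.1.6", "10.3.3.3", "SYN_ACK"),
    # 10.1.1.7: ordinary host, mostly successful connections and one stray RST
    ("10.1.1.7", "10.0.0.53", "SYN_ACK"), ("10.1.1.7", "192.168.1.1", "SYN_ACK"),
    ("10.1.1.7", "10.8.8.8", "RST"),
]

if __name__ == "__main__":
    print(detect(SCANS, 4))   # dest-only misses 10.1.1.6; response-based catches both worms
```

The destination-only detector never fires on the routing worm host because none of its scans leave the routable space, so a site that relies on unreachable-destination counts alone needs the slower RST/timeout signal to see it.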
- Selective Attack
- Imposes damage based on victims' IP addresses
- IP address -> BGP routing prefix -> AS -> Company, ISP, Country
- Pinpoint attack on a specific target
- Potential terrorist attack, hater attack
Slide 14: Selective Attack: a Generic Attacking Technique
- Selective attack exploits any information about compromised hosts
- OS (illegal OS, language, time zone)
- Software ( installed a specific program )
- Hardware ( CPU, memory, network card )
- Increase worm propagation speed
- Maximize infectious power of compromised hosts
- Multi-thread worm (Code Red, Sasser)
Slide 15: Is the Routing Worm a Real Threat?
- BGP routing table is open to the public
- Increases infection speed 2-3 times
- Pinpoint target attack
- Easier than a hit-list worm to implement
- One routing dataset for all worms
- Different security holes need different hit lists for a hit-list worm
- No need for hit-list collection
Slide 16: Defense: Upgrading IPv4 to IPv6
- Increases scanning space: IPv4 -> IPv6
- Smallest BGP prefix in IPv6: /64
- Address usage inside a /64 is not in BGP
- 40 years to infect 50% of hosts in a /64 network (N = 1,000,000, h = 100,000/sec, I0 = 1000)
- Limitation
- Eliminate scanning mechanism only
- Controversial issue in upgrading
Slide 17: Summary
- Routing worm contains BGP routing information
- A faster spreading worm
- A selective attack worm
- Challenges
- Easy to implement by attackers
- More congestion to the Internet backbone
- Harder to quickly detect local infected hosts
- Defense: IPv4 -> IPv6
- Limitation: eliminates random scanning only