Routing Worm: A Fast, Selective Attack Worm based on IP Address Information - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
  • Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
  • University of Massachusetts, Amherst

2
Worm Propagation Illustration
  • Find new targets
    • IP random scanning
  • Compromise targets
    • Exploit vulnerability
  • Newly infected hosts join the infection army

[Figure: scanning of the IPv4 space]
3
Why Random Scanning?
  • Very simple to program
  • High coverage, hard to shut down
    • Any vulnerable host with a global IP can be directly infected by any infected one
  • Propagates very fast on the IPv4 Internet
    • Slammer infected 90% in 10 minutes
    • IPv4 space is small for blind shooting
  • Shooting in the dark (IPv4 space is big)
    • 1 out of 40,000 Slammer scans hits a target
    • Bandwidth simulation must account for unsuccessful scans

4
Motivation: How Fast Can a Worm Spread?
  • Scanning rate h
    • Coding skill, TCP/UDP protocol
    • Bandwidth-limited worm (Slammer, Witty)
  • Number of initially infected hosts I0
    • Hit-list worm (Warhol, flash) [Weaver01]
  • Scanning efficiency p
    • Local preference scanning
    • Removing empty IPs from the scanning space
    • Routing worm

5
What Is a Routing Worm?
  • Contains information about the BGP routable space
    • The other IP space is not Internet reachable
    • Scanning the other IP space produces no infection
  • Routable IPv4 space increases slowly
    • NAT
    • CIDR
    • DHCP

6
BGP Routing Worm
  • Contains BGP non-overlapping prefixes
    • Remove 128.119.85/24 if BGP contains 128.119/16
    • 140602 prefixes → 62053 (Sept. 22, 2003)
  • Increases worm speed > 3 times
    • Scanning space: 28.6% of IPv4 space
    • Scanning efficiency p = N/W: Code Red 1 hit in 12,000 scans → Routing worm 1 in 3,500
  • Payload requirement ≈ 175KB
    • Big payload for worm propagation

7
/8 Routing Worm
  • IANA provides /8 address allocations
    • x.0.0.0/8: 256 /8 prefixes in IPv4 space
  • 116 /8 prefixes contain all BGP routable space
    • Scanning space 45.3%, payload 116 bytes

Excerpt of the IANA /8 allocation table shown on the slide:
  002/8  IANA - Reserved
  003/8  General Electric Company
  018/8  MIT
  056/8  U.S. Postal Service
  214/8  US-DOD
  216/8  American Registry for Internet Numbers
  224/8  IANA - Multicast
8
Routing Worm based on Aggregated BGP Prefixes
  • Trade-off between scanning space and prefix payload
  • /8 routing worm applicable for a bandwidth-limited worm

[Figure: scanning space vs. prefix payload for /n aggregation (8 ≤ n ≤ 16), from the /16 routing worm to the /8 routing worm]
9
Routing Worm Propagation Study
  • Code Red style worm
    • h = 358/min, N = 360,000
    • Hit-list, I0 = 10,000
  • BGP routing worm: W = 0.29 × 2^32
  • /8 routing worm: W = 0.45 × 2^32
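The scanning-efficiency figures on slide 6 and the propagation study on this slide, worked through as an added example (this is not the authors' code or their simulator). It assumes the simple epidemic model dI/dt = (h/W)·I·(N − I) for a uniformly scanning worm, which is the standard model in this line of work; the parameters are the slides' own, and the prefix list used to illustrate the non-overlapping prefix set is constructed.

```python
"""Scanning efficiency and time-to-infection for the Code Red style worm on
slide 9, under random scanning and the two routing-worm variants.
Added example; not the authors' code. Model: dI/dt = (h/W) * I * (N - I)."""
import ipaddress
import math

# Constructed BGP-style prefix list (sample, not a real routing table).
SAMPLE_PREFIXES = ["128.119.0.0/16", "128.119.85.0/24", "10.0.0.0/8", "192.0.2.0/24"]


def non_overlapping(prefixes):
    """Drop every prefix already contained in a less specific one, as in the
    slide-6 example (128.119.85/24 is covered by 128.119/16)."""
    nets = sorted((ipaddress.ip_network(p) for p in prefixes),
                  key=lambda n: n.prefixlen)
    kept = []
    for net in nets:
        if not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    return kept


def routable_space(prefixes):
    """W: number of addresses covered by the non-overlapping prefix set."""
    return sum(net.num_addresses for net in non_overlapping(prefixes))


def scans_per_hit(N, W):
    """1/p with p = N/W: expected scans per successful hit."""
    return W / N


def time_to_fraction(h, N, I0, W, frac):
    """Closed-form logistic solution of the model: time (in the unit of h)
    until I(t) = frac * N."""
    r = h * N / W
    return math.log((N / I0 - 1) / (1 / frac - 1)) / r


def simulate(h, N, I0, W, frac, dt=0.01):
    """Forward-Euler integration of the same model, as a cross-check."""
    infected, t = float(I0), 0.0
    while infected < frac * N:
        infected += dt * h * infected * (N - infected) / W
        t += dt
    return t


# Slide 9 parameters: Code Red style worm with a 10,000-host hit list.
CODE_RED = {"h": 358, "N": 360_000, "I0": 10_000}
SCENARIOS = {
    "random scanning": 2 ** 32,
    "BGP routing worm": 0.29 * 2 ** 32,
    "/8 routing worm": 0.45 * 2 ** 32,
}


def compare(frac=0.5):
    """Minutes until `frac` of the vulnerable population is infected, per scenario."""
    return {name: time_to_fraction(W=W, frac=frac, **CODE_RED)
            for name, W in SCENARIOS.items()}


if __name__ == "__main__":
    print("scans per hit, Code Red:", round(scans_per_hit(360_000, 2 ** 32)))
    print("scans per hit, BGP routing worm:", round(scans_per_hit(360_000, 0.29 * 2 ** 32)))
    for name, minutes in compare().items():
        print(f"{name:18s} 50% infected after {minutes:6.1f} min")
```

Running it reproduces the order of magnitude on slide 6: about 12,000 scans per hit for Code Red against about 3,500 for the BGP routing worm, and the time to infect half the population drops by more than a factor of three when W shrinks from 2^32 to 0.29 × 2^32, because the growth rate r = hN/W scales inversely with the scanned space.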

10
Congestion Challenge
Traditional scanning worm
  • Network congestion happens in local networks
  • Simulation: 1/3 of scans contribute congestion to both the source and the destination local networks

11
Congestion Challenge
Routing worm
  • A routing worm generates three times more scanning traffic on the Internet backbone

12
Fast Detection Challenge
  • Detection of a local infected host
    • Excessive number of failed connection requests
    • 2/3 of an ordinary worm's scans are non-routable
  • Routing worm detection needs the connection response (RST, timeout)
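The detection point on this slide, as an added example (not the authors' code): a per-host failed-connection counter run over constructed connection attempts. A detector that only counts immediate failures (ICMP unreachable for non-routable destinations) catches the random scanner but never sees the routing worm, whose scans all go to routable space and fail only by RST or, for unused addresses, by timeout; counting those responses too catches it, but later. The traffic patterns, rates and the delay model are assumptions made for the illustration.

```python
"""Failed-connection detector for a local infected host, showing why the
routing worm on slide 12 is harder to catch quickly. Added example; not the
authors' code. Events, rates and the delay model are constructed."""
from dataclasses import dataclass

# Constructed assumption: how long after the SYN the monitor learns the outcome.
# Non-routable destinations fail almost at once (ICMP unreachable from the
# border router); a routable but unused address only fails by timeout.
OUTCOME_DELAY = {"ICMP_UNREACH": 0.05, "RST": 0.1, "TIMEOUT": 3.0, "ESTABLISHED": 0.1}
FAILURES = {"ICMP_UNREACH", "RST", "TIMEOUT"}


@dataclass(frozen=True)
class Attempt:
    src: str
    dst: str
    t_syn: float      # seconds since monitoring started
    outcome: str

    @property
    def t_known(self):
        """When the monitor can classify this attempt."""
        return self.t_syn + OUTCOME_DELAY[self.outcome]


def make_attempts(src, rate, count, pattern):
    """Constructed connection attempts from `src` at `rate` SYN/s; outcomes
    cycle through `pattern` (hypothetical traffic, not measured data)."""
    return [Attempt(src, f"198.51.100.{i % 254 + 1}", i / rate, pattern[i % len(pattern)])
            for i in range(count)]


def first_alert_time(attempts, counted, threshold):
    """Time at which the `threshold`-th failure of a kind in `counted` becomes
    known to the monitor, or None if the host never reaches it. (A production
    detector would use a sliding window; a cumulative count keeps this short.)"""
    known = sorted(a.t_known for a in attempts if a.outcome in counted)
    return known[threshold - 1] if len(known) >= threshold else None


# Ordinary random-scanning worm: 2/3 of its scans go to non-routable space.
RANDOM_SCANNER = make_attempts("10.0.0.5", 10, 60, ["ICMP_UNREACH", "ICMP_UNREACH", "RST"])
# Routing worm: every scan is routable, so failures are timeouts and RSTs only.
ROUTING_WORM = make_attempts("10.0.0.6", 10, 60, ["TIMEOUT", "TIMEOUT", "RST"])
# Benign host: an occasional RST, nothing like a scanner.
BENIGN_HOST = make_attempts("10.0.0.7", 2, 40, ["ESTABLISHED"] * 9 + ["RST"])

THRESHOLD = 20


def detection_report(threshold=THRESHOLD):
    """Alert time per host for an unreachable-only detector and for one that
    also counts RST and timeout responses."""
    hosts = {"random scanner": RANDOM_SCANNER, "routing worm": ROUTING_WORM,
             "benign": BENIGN_HOST}
    return {name: {"unreachable only": first_alert_time(a, {"ICMP_UNREACH"}, threshold),
                   "all failures": first_alert_time(a, FAILURES, threshold)}
            for name, a in hosts.items()}


if __name__ == "__main__":
    for host, result in detection_report().items():
        print(host, result)
```

With these assumptions the random scanner trips the unreachable-only detector after 2.85 s and the all-failures detector after 1.95 s, while the routing worm never trips the first and trips the second only after 3.9 s, once the first timeouts expire; the benign host is never flagged by either.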

13
Routing Worm: A Selective Attack Worm
  • Selective attack
    • Imposes damage based on victims' IP addresses
    • IP address → BGP routing prefix → AS → company, ISP, country
  • Pinpoint attack on a specific target
    • Potential terrorist attack, hater attack

14
Selective Attack: A Generic Attacking Technique
  • Selective attack can exploit any information available on compromised hosts
    • OS (illegal OS, language, time zone)
    • Software (a specific installed program)
    • Hardware (CPU, memory, network card)
  • Increase worm propagation speed
    • Maximize the infectious power of compromised hosts
    • Multi-thread worm (Code Red, Sasser)

15
Is Routing Worm a Real Threat?
  • BGP routing table is open to the public
  • Increases infection speed 2 to 3 times
  • Pinpoint target attack
  • Easier than a hit-list worm to implement
    • One routing dataset serves all worms
    • Different security holes need different hit lists for a hit-list worm
    • No need for hit-list collection

16
Defense: Upgrading IPv4 to IPv6
  • Increase scanning space IPv4 → IPv6
    • Smallest BGP prefix in IPv6: /64
    • Address usage inside a /64 is not in BGP
    • 40 years to infect 50% of hosts in a /64 network (N = 1,000,000, h = 100,000/sec, I0 = 1000)
  • Limitation
    • Eliminates the scanning mechanism only
    • Controversial issue in upgrading
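The 40-year figure on this slide, worked through with the same epidemic model as the propagation study (an added derivation, not from the slides; the model is the standard one for a uniformly scanning worm, and the transcript's "50 hosts" is read as 50% of the hosts, which is the reading the numbers support):

$$\frac{dI}{dt} = \frac{h}{W}\, I\,(N - I) \quad\Longrightarrow\quad I(t) = \frac{N}{1 + (N/I_0 - 1)\,e^{-rt}}, \qquad r = \frac{hN}{W}.$$

The time until half of the vulnerable hosts are infected is

$$t_{1/2} = \frac{\ln(N/I_0 - 1)}{r} = \frac{W\,\ln(N/I_0 - 1)}{hN}.$$

With $W = 2^{64}$, $N = 10^6$, $h = 10^5/\text{s}$ and $I_0 = 10^3$:

$$r = \frac{10^5 \cdot 10^6}{2^{64}} \approx 5.4 \times 10^{-9}\ \text{s}^{-1}, \qquad t_{1/2} \approx \frac{\ln 999}{5.4 \times 10^{-9}} \approx 1.27 \times 10^9\ \text{s} \approx 40\ \text{years}.$$

The same formula with $W = 2^{32}$ and the slide-9 parameters gives roughly two hours, which is the whole point of the defense: a /64 is $2^{32}$ times larger than the entire IPv4 space, and scanning throughput cannot make that up.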

17
Summary
  • Routing worm contains BGP routing information
    • A faster spreading worm
    • A selective attack worm
  • Challenges
    • Easy for attackers to implement
    • More congestion on the Internet backbone
    • Harder to quickly detect local infected hosts
  • Defense: IPv4 → IPv6
    • Limitation: eliminates random scanning only