
On the Performance of Internet Worm Scanning Strategies



  1. On the Performance of Internet Worm Scanning Strategies
  Cliff C. Zou, Don Towsley, Weibo Gong, Univ. Massachusetts, Amherst

  2. Motivation
  • Hackers have tried various scanning strategies in their scan-based worms
    • Uniform scan: Code Red, Slammer
    • Local preference scan: Code Red II
    • Sequential scan: Blaster
  • Possible scanning strategies:
    • Target preference scan (selective attack from a routing worm)
    • Divide-and-conquer scan
  • How do they affect a worm's propagation?
    • Mean value analysis (based on the law of large numbers)
    • Numerical solutions; simulation studies.

  3. Some Analysis Conclusions
  • Equivalent when hosts are uniformly distributed:
    • Uniform scan
    • Sequential scan
    • Divide-and-conquer scan
  • Local preference scan increases a worm's speed
    • When vulnerable hosts are not uniformly distributed
    • Optimal local scan prob. p* depends on the local network size
  • Sequential scan that selects its starting point locally slows down worm propagation
  • Selective attack: global scan or target-only scan, determined by the distribution of vulnerable hosts.

  4. Two Guidelines in Defense
  • Prevent attackers from
    • Identifying IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm)
    • Obtaining address information to reduce a worm's scanning space (routing worm)
  • Worm monitoring system
    • IP space coverage is not the only issue
    • Should monitor as many well-distributed IP blocks as possible (non-uniform scan worm)

  5. Epidemic Model Introduction
  • Model for homogeneous system
  • Model for interacting groups
  Notation on the slide: # of hosts; # of infectious; infection ability; scan rate; for worm modeling: scanning space.

  6. Infinitesimal Analysis of Epidemic Model
  Notation on the slide: scan rate; # of hosts; scanning space; small time interval; # of infectious.
  • From time t to t+d (d → 0):
    • Vulnerable hosts [N-I(t)]; infected hosts I(t).
    • An infected host infects vulnerable hosts.
    • Negligible prob. of "two scans hitting the same vulnerable host".
    • Newly infected hosts:
    • Negligible prob. of "two infected hosts infecting the same vulnerable host".
    • Thus I(t+d) is:
  • Prob. p of a worm copy hitting a specific IP address during d:

  7. Idealized Worm
  • Know IP addresses of all vulnerable hosts
  • Perfect worm
    • Cooperation among worm copies
  • Flash worm
    • No cooperation; random scan
  • Complete infection within seconds

  8. Uniform Scan Worm
  • Traditional worm: Code Red, Slammer
    • Uniformly scans the entire IPv4 space (W = 2^32)
  • Hit-list worm [Staniford et al. 2002]
    • Knows the IP addresses of a fraction of vulnerable hosts.
    • Has a large number of initially infected hosts I(0).
  • Routing worm [Zou et al. 2003]
    • Uses the BGP routing table to reduce the worm's scanning space.
    • Has a bigger infection ability b = h/W

  9. Uniform Scan Worms Comparison
  • Defense: crucial to prevent attackers from
    • Identifying IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm)
    • Obtaining address information to reduce a worm's scanning space (routing worm)
  • Hit-list worm has a hit-list of I(0)=10,000
  • Routing worm has W=0.286×2^32
  • Other parameters: N=360,000; h=358/min; I(0)=10
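To put numbers on the comparison above, the following added example (not code from the slides or their authors) integrates the homogeneous epidemic model the slides describe, dI/dt = b*I*(N-I) with b = h/W, using the slide-9 parameters, and checks the numerical result against the logistic closed form. The model form and the closed-form solution are assumptions taken from the standard simple epidemic model, not from this page.

```python
import math

N_HOSTS = 360_000   # N: vulnerable population (slide 9)
SCAN_RATE = 358.0   # h: scans per minute per infected host (slide 9)
IPV4 = 2 ** 32      # W for a traditional uniform-scan worm (slide 8)


def simulate(n, eta, omega, i0, dt=1 / 60, t_max=900.0):
    """Euler integration of the infinitesimal analysis sketched on slide 6.

    In a small interval dt each infected host hits a given address with
    probability eta*dt/omega, so the expected number of newly infected
    hosts is b*I*(N-I)*dt with b = eta/omega (the slides' b = h/W).
    Returns a list of (minute, infected) points.
    """
    b = eta / omega
    infected, t, trace = float(i0), 0.0, []
    while t < t_max and infected < n - 0.5:      # stop at full infection
        infected = min(n, infected + b * infected * (n - infected) * dt)
        t += dt
        trace.append((t, infected))
    return trace


def time_to_fraction(trace, n, frac):
    """First minute at which the infected count reaches frac*N (None if never)."""
    return next((t for t, i in trace if i >= frac * n), None)


def closed_form_time(n, eta, omega, i0, frac):
    """Same quantity from the logistic solution I(t) = N / (1 + (N/I0 - 1) e^(-bNt))."""
    b = eta / omega
    return math.log((n / i0 - 1) / (1 / frac - 1)) / (b * n)


def compare_worms(frac=0.5):
    """Minutes to infect a fraction frac of N for the three worms on slide 9."""
    worms = {
        "uniform": (N_HOSTS, SCAN_RATE, IPV4, 10),          # Code Red style
        "hit-list": (N_HOSTS, SCAN_RATE, IPV4, 10_000),     # large I(0)
        "routing": (N_HOSTS, SCAN_RATE, 0.286 * IPV4, 10),  # W = 0.286 * 2^32
    }
    return {k: time_to_fraction(simulate(*p), p[0], frac) for k, p in worms.items()}


if __name__ == "__main__":
    for name, minutes in compare_worms().items():
        print(f"{name:8s} reaches 50% of vulnerable hosts after {minutes:.1f} min")
```

Both the hit-list worm (larger I(0)) and the routing worm (smaller W) reach half the vulnerable population roughly three times faster than the plain uniform-scan worm, which is the quantitative reason behind the two defensive guidelines on slide 4.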

  10. Divide-and-Conquer Scan Worm
  • Divide-and-conquer scan:
    • An infected host gives half of its scanning space to its newest infected child host.
  • At time t, each worm copy has
    • Scanning space:
    • Vulnerable hosts:
  • Use the infinitesimal analysis technique.
  • Conclusion: when vulnerable hosts are uniformly distributed, divide-and-conquer scan is equivalent to uniform scan.

  11. Local Preference Scan Worm
  • Model: epidemic in interacting groups
  • Analysis: assume K "/n" networks
    • Prob. p: uniformly scan the local "/n" network
    • Prob. (1-p): uniformly scan the others
  • Conclusions:
    • Vulnerable hosts uniformly distributed: no difference as long as the worm spreads out to every network.
    • Vulnerable hosts not uniformly distributed (analysis: hosts uniformly distributed in m out of K networks): local preference scan increases a worm's speed.

  12. Local Preference Scan Worm
  • Local preference scan increases speed (when vulnerable hosts are not uniformly distributed)
    • Local scan on Class A ("/8") networks: p* ≈ 1
    • Local scan on Class B ("/16") networks: p* ≈ 0.85
  • Code Red II: p=0.5 (Class A), p=0.375 (Class B), smaller than p*
  Figures: Class A local scan (K=256, m=116); Class B local scan (K=2^16, m=116×2^8)

  13. Sequential Scan Worm
  • Sequential scan:
    • Sequentially scans IP addresses from a starting point.
    • Blaster worm selects its starting point locally with p=0.4
    • Such local preference slows down worm propagation.
    • Reason: child worm copies are more likely to be wasted on repeating their parents' scanning trails.
  • Sequential scan is equivalent to uniform scan when
    • Vulnerable hosts are uniformly distributed in IPv4 space.
    • The worm selects its starting point uniformly.

  14. Sequential Scan Worm Simulation Study
  • Simulations agree with our analyses.
  • Analysis limitation (mean value analysis): no consideration of variability.
  Figure: comparison of uniform scan and sequential scan with/without local preference (100 simulation runs; vulnerable hosts uniformly distributed in the entire IPv4 space)

  15. Sequential Scan Worm Simulation Study
  • Observations:
    • Local preference in selecting the starting point is a bad idea.
    • Mean value analysis cannot analyze variability.
  Figure: uniform scan and sequential scan with/without local preference (100 simulation runs); vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)

  16. Selective Attack Worm
  • Target domain:
  • Other domains:
  • Target-only scan:
  • Global scan:
  • Conclusion: target-only scan is faster when vulnerable hosts are more densely distributed in the target domain than in other domains (c1 < c2)

  17. Worm Monitoring System Design
  • "Network telescope" monitoring system [Moore 2002]:
    • Observing global Internet activities based on monitored traffic on a small fraction of IP space.
  • Should monitor as many well-distributed IP blocks as possible.
  Figures: directly monitored data; worm propagation I(t) and monitored data C(t) after a low-pass filter (Blaster worm simulation and monitoring)

  18. Summary
  • Modeling basis: law of large numbers; mean value analysis; infinitesimal analysis.
  • Epidemic model:
  • Conclusions: all about the worm scanning space W (or the density of the vulnerable population):
    • Flash worm, hit-list worm, routing worm
    • Local preference, divide-and-conquer, selective attack
  • Monitoring: sequential scan worm
