Post on 14-Dec-2015
On the Performance of Internet Worm Scanning Strategies
Authors: Cliff C. Zou, Don Towsley, Weibo Gong
Publication: Journal of Performance Evaluation, 63(7), 700-723, July 2006
Presenter: Cliff Zou for CDA6133, Spring’08
Motivation
Hackers have tried various scanning strategies in their scan-based worms:
- Uniform scan: Code Red, Slammer
- Local preference scan: Code Red II
- Sequential scan: Blaster
Possible scanning strategies:
- Target preference scan (selective attack from a routing worm)
- Divide-and-conquer scan
How do they affect a worm's propagation?
- Mean value analysis (based on the law of large numbers)
- Numerical solutions; simulation studies
Epidemic Model Introduction
Model for homogeneous system
Model for interacting groups
Notation:
: # of infectious
: infection ability
: # of hosts
: scan rate
For worm modeling:
: scanning space
Infinitesimal Analysis of Epidemic Model
From time t to t+ : vulnerable hosts [N-I(t)]; infected hosts I(t). An infected host infects vulnerable hosts.
Negligible probability of "two scans hitting the same vulnerable host". Newly infected hosts:
Negligible probability of "two infected hosts infect the same vulnerable host".
Thus I(t+ ) is
Notation:
: # of hosts
: scan rate
: scanning space
: # of infectious
: small time interval
Prob. p of a worm copy hitting a specific IP address during :
Uniform Scan Worm
- Traditional worm (Code Red, Slammer): uniformly scans the entire IPv4 space (scanning space = 2^32).
- Hit-list worm, increases I(0) [Staniford et al. 2002]: knows the IP addresses of a fraction of the vulnerable hosts, so it has a large number of initially infected hosts I(0).
- Routing worm, decreases the scanning space [Zou et al. 2003]: uses the BGP routing table to scan only BGP-routable space. Currently, only 32% of IPv4 space is routable. Has a bigger infection ability.
Hitlist, routing worm
Code Red style worm: scan rate = 358/min, N = 360,000; hit-list: I(0) = 10,000; routing: scanning space = 0.29 × 2^32
[Figure: number of infected hosts (0 to 400,000) vs. time (0 to 600 minutes); curves: Code Red worm, Hit-list worm, Routing worm, Hitlist routing worm]
Defense: crucial to prevent attackers from
- identifying IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm)
- obtaining address information to reduce a worm's scanning space (routing worm)
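The mean-value model of slide 4 stepped forward in time and cross-checked against its logistic closed form, as an added example (not code from the paper or the presenter). It uses the slide-6 parameters (scan rate 358/min, N = 360,000, scanning space 2^32 or 0.29 × 2^32, hit-list I(0) = 10,000); the base-case I(0) = 10 and the step δ = 0.05 min are assumptions. It quantifies how much hit-list and routing-table knowledge shorten the time to near-saturation, which is what the defense guideline above is protecting against.

```python
import math

# Parameters from slide 6 (added example, not the paper's code).
ETA = 358.0                    # scan rate: scans per minute per infected host
N = 360_000                    # vulnerable population
OMEGA_IPV4 = 2 ** 32           # uniform scan: whole IPv4 space
OMEGA_ROUTED = 0.29 * 2 ** 32  # routing worm: BGP-routable space only

def newly_infected(infected, n, eta, omega, delta):
    """Slide 4: a worm copy hits a given address during delta with
    p = eta*delta/omega; ignoring double hits, new infections are
    I(t) * [N - I(t)] * p."""
    return infected * (n - infected) * eta * delta / omega

def simulate(i0, omega, eta=ETA, n=N, delta=0.05, t_max=600.0):
    """Step I(t+delta) = I(t) + newly_infected; returns (times, I values)."""
    times, curve = [0.0], [float(i0)]
    while times[-1] < t_max:
        nxt = min(n, curve[-1] + newly_infected(curve[-1], n, eta, omega, delta))
        times.append(times[-1] + delta)
        curve.append(nxt)
    return times, curve

def time_to_fraction(times, curve, frac=0.9, n=N):
    """First sampled time with at least frac*n hosts infected."""
    return next((t for t, i in zip(times, curve) if i >= frac * n), math.inf)

def closed_form_time(i0, omega, frac=0.9, eta=ETA, n=N):
    """Logistic solution of dI/dt = (eta/omega) I (N - I), solved for
    the time at which I = frac*N; cross-checks the stepped simulation."""
    return math.log((n - i0) / i0 * frac / (1 - frac)) / (eta * n / omega)

SCENARIOS = {                                    # the four slide-6 curves
    "Code Red worm":        (10, OMEGA_IPV4),    # I(0)=10 is an assumption
    "Hit-list worm":        (10_000, OMEGA_IPV4),
    "Routing worm":         (10, OMEGA_ROUTED),  # I(0)=10 is an assumption
    "Hitlist routing worm": (10_000, OMEGA_ROUTED),
}

def minutes_to_90_percent():
    """Minutes for each scenario to infect 90% of N (stepped model)."""
    return {name: time_to_fraction(*simulate(i0, omega))
            for name, (i0, omega) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, t in minutes_to_90_percent().items():
        print(f"{name:22s} reaches 90% of N at {t:6.1f} min")
```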
Local Preference Scan Worm
Model: epidemic in interacting groups
Analysis: assume K “/n” networks
- Prob. p: uniformly scan the local “/n” network
- Prob. (1-p): uniformly scan others
Conclusions:
- Vulnerable hosts uniformly distributed: no difference as long as the worm spreads out to every network.
- Vulnerable hosts not uniformly distributed (analysis: hosts uniformly distributed in m out of K networks): local preference scan increases a worm's speed.
Local Preference Scan Worm
Local preference scan increases speed (when vulnerable hosts are not uniformly distributed)
- Local scan on Class A (“/8”) networks: p* 1
- Local scan on Class B (“/16”) networks: p* 0.85
- Code Red II: p=0.5 (Class A), p=0.375 (Class B), smaller than p*
[Figure, left panel, Class A local scan (K=256, m=116): # of infected hosts (×10^5) vs. time t (minute), 0 to 600; curves: Class A routing worm, preference p=0.99, preference p=0.5, preference p=0.1, uniform scan worm. Right panel, Class B local scan (K=2^16, m=116×2^8): same axes; curves: Class A routing worm, preference p=0.99, preference p=0.85, preference p=0.5, uniform scan worm]
Sequential Scan Worm
Sequential scan: sequentially scans IP addresses from a starting point.
- Blaster worm selects its starting point locally with p=0.4. Such local preference slows down worm propagation.
- Reason: child worm copies are more likely to be wasted on repeating their parents' scanning trails.
Sequential scan is equivalent to uniform scan when:
- vulnerable hosts are uniformly distributed in IPv4 space, and
- the worm selects its starting point uniformly.
Sequential Scan Worm Simulation Study
Simulations agree with our analyses. Analysis limitation (mean value analysis): no consideration of variability.
[Figure: two panels of # of infected hosts (×10^5) vs. time t (minute), 0 to 600. Left panel curves: 95% uniform, 5% uniform, 95% sequential, 5% sequential. Right panel curves: uniform scan, uniform sequential, preference sequential]
Comparison of uniform scan, sequential scan with/without local preference (100 simulation runs; vulnerable hosts uniformly distributed in entire IPv4 space)
Sequential Scan Worm Simulation Study
Observations: local preference in selecting the starting point is a bad idea. Mean value analysis cannot analyze variability.
[Figure: two panels of # of infected hosts (×10^5) vs. time t (minute). Left panel (0 to 700 min) curves: uniform scan, uniform sequential, preference sequential. Right panel (0 to 600 min) curves: 95% uniform, 5% uniform, 95% sequential, 5% sequential]
Uniform scan, sequential scan with/without local preference (100 simulation runs). Vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)
Witty worm modeling
Witty's destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point on the hard disk
Consider an infected computer:
- Constant bandwidth: constant time to send 20,000 scans
- Random-point writing: infected host crashes with prob.
Crashing time approximated by an exponential distribution ( )
Witty worm modeling
hours
Memoryless property
: # of crashed infected computers at time t
[Figure: I(t), # of vulnerable hosts at t (0 to 12,000) vs. time (UTC) on March 20-21, 2004, 4:30 to 04:00; curves: Witty trace, Model]
*Witty trace provided by U. Michigan “Internet Motion Sensor”
Two Guidelines in Defense
- Prevent attackers from identifying IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm) and from obtaining address information that reduces a worm's scanning space (routing worm).
- Worm monitoring system: IP space coverage is not the only issue. It should monitor as many well-distributed IP blocks as possible (non-uniform scan worm).
Summary
Modeling basis: law of large numbers; mean value analysis; infinitesimal analysis.
Epidemic model:
Conclusions: all about worm scanning space or density of vulnerable population
- Flash worm, hit-list worm, routing worm
- Local preference, divide-and-conquer, selective attack
Monitoring challenge: sequential scan worm
Contributions
- Provided comprehensive analysis of worm propagation with different scanning strategies: uniform scan, local preference scan, sequential scan, BGP routing scan, hit-list, etc.
- Revealed the underlying connections between different worm scanning strategies: host distribution, scanning space
- Provided several defense guidelines
Weaknesses
- Mean-value analysis, not suitable for small-scale worm propagation
- Mathematical analysis makes some assumptions: host uniform distribution, equal scan rate
- No consideration of topology: not suitable for email virus, P2P worm, etc.
- No model of defense systems; didn't provide practical defense systems, only basic guidelines that are intuitively clear
How to improve
- Stochastic modeling for small-scale propagation
- Topological modeling
- Present detailed defense methods