Lecture 19 - Network Securitytrj1/cse443-s12/slides/cse443-lecture-18-network... · Lecture 19 -...
Transcript of Lecture 19 - Network Securitytrj1/cse443-s12/slides/cse443-lecture-18-network... · Lecture 19 -...
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
Lecture 19 - Network Security
CMPSC 443 - Spring 2012Introduction Computer and Network Security
Professor Jaegerwww.cse.psu.edu/~tjaeger/cse443-s12/
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Exploiting the network ...
• The Internet is extremely vulnerable to attack– it is a huge open system ...– which adheres to the end-to-end principle
• smart end-points, dumb network
• Can you think of any large-scale attacks that would be enabled by this setup?
2
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Malware
• Malware - software that exhibits malicious behavior (typically manifest on user system)– virus - self-replicating code, typically transferring by shared
media, filesystems, email, etc.– worm - self propagating program that travels over the
network
• The behaviors are as wide ranging as imagination– backdoor - hidden entry point into system that allows quick
access to elevated privileges– rootkit - system replacement that hides adversary behavior– key logger - program that monitors, records, and potentially
transmits keyboard input to adversary– trojan - malicious software disguised as legitimate program
3
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Worms• A worm is a self-propagating program.• As relevant to this discussion
1. Exploits some vulnerability on a target host …2. (often) embeds itself into a host …3. Searches for other vulnerable hosts …4. Goto (1)
• Q: Why do we care?
4
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
The Danger
• What makes worms so dangerous is that infection grows at an exponential rate– A simple model:
• s (search) is the time it takes to find vulnerable host• i (infect) is the time is take to infect a host
– Assume that t=0 is the worm outbreak, the number of hosts at t=j is
2(j/(s+i))
– For example, if (s+i = 1), how many hosts are compromised at time t=32?
5
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
The result
0
500,000,000
1,000,000,000
1,500,000,000
2,000,000,000
2,500,000,000
3,000,000,000
3,500,000,000
4,000,000,000
4,500,000,000
5,000,000,000
6
“point of criticality”
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
The Morris Worm• Robert Morris, a 23 year old doctoral student from
Cornell– Wrote a small (99 line) program– November 3rd, 1988– Simply disabled the Internet
• How it did it– Reads /etc/password, they tries the obvious choices and
dictionary, /usr/dict words– Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts
that are related• Tries cracked passwords at related hosts (if necessary)• Uses whatever services are available to compromise other hosts
– Scanned local interfaces for network information– Covered its tracks (set is own process name to sh, prevented
accurate cores, re-forked itself)7
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Code Red• Anatomy of a worm: Maiffret (good reading)• Exploited a Microsoft IIS web-server vulnerability
– A vanilla buffer overflow (allows adversary to run code)– Scans for vulnerabilities over random IP addresses– Sometimes would deface the served website
• July 16th, 2001 - outbreak– CRv1- contained bad randomness (fixed IPs searched)– CRv2 - fixed the randomness,
• added DDOS of www.whitehouse.gov• Turned itself off and on (on 1st and 16th of month)
– August 4 - Code Red II• Different code base, same exploit• Added local scanning (biased randomness to local IPs)• Killed itself in October of 2001
8
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Worms and infection• The effectiveness of a worm is determined by how good it is at
identifying vulnerable machines– Morris used local information at the host– Code Red used what?
• Multi-vector worms use lots of ways to infect– E.g., network, DFS partitions, email, drive by downloads …– Another worm, Nimda did this
• Lots of scanning strategies– Signpost scanning (using local information, e.g., Morris)– Random IP - good, but waste a lot of time scanning dark or
unreachable addresses (e.g., Code Red)– Local scanning - biased randomness– Permutation scanning - instance is given part of IP space
9
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Other scanning strategies• Hit-list scanning
– Setup - use “low and slow” scanning to determine which hosts are vulnerable (i.e., create a hit list)
– Start the worm, passing the list of vulnerable hosts, reduce/device the list at each host
– Gets past the slow start part, gets right into the exponential
– Essentially removes the window to stop worm
0
500,000,000
1,000,000,000
1,500,000,000
2,000,000,000
2,500,000,000
3,000,000,000
3,500,000,000
4,000,000,000
4,500,000,000
5,000,000,000
10
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Other scanning strategies
• The doomsday worm: a flash worm– Create a hit list of all vulnerable hosts
• Staniford et al. argue this is feasible
• Would contain a 48MB list
– Do the infect and split approach– Use a zero-day vulnerability
11
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Worms: Defense Strategies• (Auto) patch your systems: most, if not all, large worm
outbreaks have exploited known vulnerabilities (with patches)• Heterogeneity: use more than one vendor for your networks• Shield (Ross): provides filtering for known vulnerabilities, such
that they are protected immediately (analog to virus scanning)
• Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor – This is the dominant method, getting sophisticated (Arbor Networks)
OperatingSystem
Network Interface
Shield NetworkTraffic
12
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• Quarantine - how do stop it once it is out?– Internet Quarantine: Requirements for Containing Self-
Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage
• Assume you have a LAN/WAN environment– We have already talked about how to prevent– Q1: How do you recognize a worm?– Q2: How do you stop a worm?
• Much work in this area ...– number of new addresses contacted– number of incomplete IP handshakes– number of connections to new local hosts (COI?)
Advanced Methods
13
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Botnet Story
14
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• A botnet is a network of software robots (bots) run on zombie machines which run are controlled by command and control networks– IRCbots - command and control over IRC
– Bot herder - owner/controller of network
– "scrumping" - stealing resources from a computer
• Surprising Factoid: the IRC server is exposed.
Botnets
15
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• The actual number of bots, the size of the botnets and the activity is highly controversial.– As of 2005/6: hundreds of thousands of bots
– 1/4 of hosts are now part of bot-nets
– Growing fast (many more bots)
• Assertion: botnets are getting smaller(?!?)
Statistics (controversial)
16
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
What are botnets being used for?
• 50 botnets– 100-20,000bots/net
• Clients/serversspread aroundthe world– Different
geographicconcentrations
Activities we have seen
Stealing CD Keys:
[email protected] PRIVMSG #atta :BGR|0981901486 $getcdkeysBGR|[email protected] PRIVMSG #atta :Microsoft WindowsProduct ID CD Key: (55274-648-5295662-23992).BGR|[email protected] PRIVMSG #atta :[CDKEYS]: Searchcompleted.
Reading a user's clipboard:
B][[email protected] PRIVMSG ##chem## :~getclipCh3m|[email protected] PRIVMSG ##chem## :-[Clipboard Data]- Ch3m|[email protected] PRIVMSG##chem## :If You think the refs screwed the seahawks over put your name down!!!
DDoS someone:
[email protected] PRIVMSG #t3rr0r0Fc1a :!pflood 82.147.217.39443 1500 s7n|[email protected] PRIVMSG #t3rr0r0Fc1a :\002Packets\002\002D\002one \002;\002>\n s7n|[email protected] PRIVMSG #t3rr0r0Fc1aflooding....\n
Set up a web-server (presumably for phishing):
[DeXTeR][email protected] PRIVMSG [Del]29466:.http 7564 c:\\ [Del][email protected] PRIVMSG _[DeXTeR]:[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.
piracy
mining
attacks
hosting
17
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• 1988 - one-to-many or many-to-many chat (for BBS)• Client/server -- TCP Port 6667• Used to report on 1991 Soviet coup attempt• Channels (sometimes password protected) are used to
communicate between parties.– Invisible mode (no list, not known)– Invite only (must be invited to participate)
IRC
Server
Server
Server
Server
Server
18
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
IRC botnets
• An army of compromised hosts (“bots”) coordinated via a command and control center (C&C). The perpetrator is usually called a “botmaster”.
“A botnet is comparable to compulsory military service for windows boxes” -- Bjorn Stromberg
IRC Server
Bots(Zombies)
Find and infectmore
machines!
19
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Typical (IRC) infection cycle
optional
Bots usually require some form of authentication from their botmaster20
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• Worms, Trojan horses, backdoors
• Note: the software on these systems is updated• Bot theft: bot controllers penetrate/"steal" bots.
Infection
21
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Not only for launching attacks ...
• Some botmasters pay very close attention to their bots– hence covert infiltration is important
• In many cases, Botmasters “inspect” their bots fairly regularly, and isolate certain bots (“cherry picking”)
#HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ]#HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara#HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s#HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s#HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" **#HINDI-FILMZ :** -= #Hindi-Filmz=- **#HINDI-FILMZ :** I M 100% Desi !! **#HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB
#HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ]#HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara#HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s#HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s#HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" **#HINDI-FILMZ :** -= #Hindi-Filmz=- **#HINDI-FILMZ :** I M 100% Desi !! **#HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB
That’s a lot of movies served! ( ~ 300)
22
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 23
Measuring botnet size
• Two main categories– Indirect methods: inferring
botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests)
– Direct methods: exploiting internal information from monitoring botnet activity
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
• Approach: infiltration templates based on collected honeynet data, e.g., observing compromised hosts that are identified within the channel
• How many? – 1.1 million distinct user IDs used– 425 thousand distinct IP addresses
• Issues:– NAT/DHCP?– “Cloaked” IP address (SOCKS proxies?)– Botnet membership overlap
How many bots?
24
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Botnet size, what does it mean?• Infection Footprint: the total number of infected bots
throughout a botnet’s lifetime– Relevance: how wide spread the botnet infection
• Effective Botnet Size: the number of bots simultaneously connected to the command and control channel– Relevance: the botnet capacity to execute botmaster
commands (e.g., flood attacks)
• An Example:– While a botnet appeared to have a footprint of 45,000 bots,
the number of online bots (i.e. its effective size) was < 3,000
25
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page
Take away• Internet malware is used to gain control of hosts
– Lots of them potentially• Worms: self-propagating malware
– Lifecycle• Find, Infect, Propagate
– Zero-day • Botnets
– Network of zombies under command and control – Used for a variety of malicious purposes– Key concern: botnet size
26