making software secure

Computer Worms and the Telecommunications Infrastructure

MITACS 4th Annual Conference, May 9, 2003 - Ottawa NAC

Prof. Paul Van Oorschot (Carleton - C.S.)
Dr. Jean-Marc Robert (Alcatel Canada)
Dr. Miguel Vargas Martin (Carleton - C.S.)

Computer Worms and the Telecommunications Infrastructure - 2

Why important? Morris Worm (Nov. 2, 1988)

• software on one Internet machine
  – collected host, network and user info
  – broke into other machines
• replicated itself; replica continued likewise
• infected 10% of Internet machines (Unix variants)

How was Morris Worm Possible?

• configuration error (Sendmail)
• weak passwords (dictionary size: 432)
  – (where are we today?)
• "trusted connections" (.rhosts file)
• buffer overflow (finger daemon)
  – feature of C; still #1 flaw per CERT
• diversity: one worm felled 10% of Internet
• was patch available? YES ... but

Sapphire/Slammer worm (Jan. 25, 2003)

• fastest in history - doubling time: 8.5 s
  – 90% of vulnerable hosts infected in 10 min
  – two orders of magnitude faster than Code Red
  – hosts: 75K vs. 359K
• after 3 min: scanning rate 55M scans/s
• no malicious payload (would have been easy)

Sapphire/Slammer worm (cont'd)

• buffer overflow: MSFT SQL server & desktop s/w
  – patch available: July 2002
  – "only affected those behind on patches"
• single-packet worm
  – 376 bytes (404-byte UDP packet)
  – bandwidth limited (100 Mbps servers)

"significant milestone in evolution of worms"
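The two Slammer slides give a doubling time, a vulnerable-population size, a peak aggregate scan rate and a packet size. The following added example (not code from the slides or their authors) plugs those figures into the standard random-scanning epidemic model, the one used in the "How to 0wn the Internet in your Spare Time" paper cited on the Trends slide: an infected host scanning the IPv4 space uniformly at random hits a vulnerable host with probability N / 2^32 per scan, so the infected fraction a obeys da/dt = K a (1 - a) with K = r N / 2^32. Everything beyond the slide's numbers (the choice of model, one initially infected host, the 2^32 address space) is an assumption of the example.

```python
"""Logistic (simple-epidemic) model of a random-scanning worm.

Added illustration, not code from the slides. The constants below are the
figures the slides give for Slammer; the model is the standard random-scanning
epidemic model, da/dt = K * a * (1 - a) with K = r * N / 2^32, where r is
scans/s per infected host, N the vulnerable population and a the infected
fraction (an assumption of this example, not something the slides state).
"""
import math

IPV4_SPACE = 2 ** 32

# Values taken from the slides (Sapphire/Slammer, Jan. 25, 2003).
SLAMMER_VULNERABLE_HOSTS = 75_000
SLAMMER_DOUBLING_TIME_S = 8.5
SLAMMER_PACKET_BYTES = 404
SLAMMER_LINK_BPS = 100e6
SLAMMER_PEAK_SCANS_PER_S = 55e6


def growth_rate_from_doubling(doubling_time_s):
    """Early on a(t) ~ a0 * exp(K t), so doubling every T seconds means K = ln 2 / T."""
    return math.log(2) / doubling_time_s


def growth_rate_from_scan_rate(scans_per_host_per_s, vulnerable_hosts):
    """K = r * N / 2^32: each scan hits a vulnerable host with probability N / 2^32."""
    return scans_per_host_per_s * vulnerable_hosts / IPV4_SPACE


def implied_scans_per_host(doubling_time_s, vulnerable_hosts):
    """Per-host scan rate that an observed doubling time implies (inverse of the line above)."""
    return growth_rate_from_doubling(doubling_time_s) * IPV4_SPACE / vulnerable_hosts


def infected_fraction(t, k, a0):
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0."""
    e = math.exp(k * t)
    return a0 * e / (1 - a0 + a0 * e)


def time_to_fraction(target, k, a0):
    """Invert the logistic curve: seconds until the infected fraction reaches `target`."""
    return math.log(target * (1 - a0) / ((1 - target) * a0)) / k


def line_rate_scans_per_s(link_bps, packet_bytes):
    """Scans/s a single host could emit if the worm saturated its access link."""
    return link_bps / (packet_bytes * 8)


def slammer_summary():
    """Plug the slide's numbers into the model and return the derived quantities."""
    k = growth_rate_from_doubling(SLAMMER_DOUBLING_TIME_S)
    a0 = 1 / SLAMMER_VULNERABLE_HOSTS  # assumption: one initially infected host
    return {
        "k_per_s": k,
        "implied_scans_per_host": implied_scans_per_host(
            SLAMMER_DOUBLING_TIME_S, SLAMMER_VULNERABLE_HOSTS),
        "t50_s": time_to_fraction(0.5, k, a0),
        "t90_s": time_to_fraction(0.9, k, a0),
        "line_rate_scans_per_host": line_rate_scans_per_s(
            SLAMMER_LINK_BPS, SLAMMER_PACKET_BYTES),
        "observed_scans_per_host": SLAMMER_PEAK_SCANS_PER_S / SLAMMER_VULNERABLE_HOSTS,
    }


if __name__ == "__main__":
    s = slammer_summary()
    print(f"K = {s['k_per_s']:.4f} /s (implies ~{s['implied_scans_per_host']:.0f} scans/s per host early on)")
    print(f"constant-K model: 50% infected after {s['t50_s']:.0f} s, 90% after {s['t90_s']:.0f} s")
    print(f"one host at 100 Mbps could emit ~{s['line_rate_scans_per_host']:.0f} scans/s;")
    print(f"observed aggregate was only ~{s['observed_scans_per_host']:.0f} scans/s per infected host")
```

Two things fall out of the numbers. First, the constant-K model reaches 90% in under three minutes, not the ten minutes the slide reports: once many hosts are infected they share the same access links and r drops, which is exactly the "bandwidth limited" qualifier on the slide and the reason the classification later in the deck separates bandwidth-limited from latency-limited attack-rate dynamics. Second, the peak of roughly 730 scans/s per infected host is far below what a single 100 Mbps link could carry, so the ceiling was the aggregate, not any one machine. For a defender the relevant quantity is the doubling time itself: with K in this range, any response that needs a human in the loop arrives after the epidemic is over.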

Trends - Patches

• more frequent than ever
• installed only by minority
• Red Queen syndrome:
  "[Here] it takes all the running you can do just to keep in the same place"

Trends (cont'd)

• Warhol worms (15 minutes)
  – conference paper, Aug. 2002: "How to 0wn the Internet in your Spare Time"
  – Slammer worm (Jan. 2003)
• flash worms (10's of seconds)
  – consider responses requiring human interaction

Computer Worms and the Telecommunications Infrastructure (Part II)

Jean-Marc Robert, Ph.D.
Alcatel R&I Security Group

Computer Worms and the Telecommunications Infrastructure - 10  All rights reserved © 2003, Alcatel

Typical View of the Internet - User point of view

Our View of the Internet - Telcos point of view

(diagram: Autonomous Systems exchanging Routing Information)

Challenge

Survivability "... is the ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents"

Who is at Risk?

From the viewpoint of the telecommunication systems, there are two targets:
– The network equipment
  • According to a report of the CERT Coordination Center of the CMU Software Engineering Institute, a recent attack trend is to target or to use infrastructure elements, such as routers.
– The systems connected to network equipment.

Denial-of-Service Attack Taxonomy

From the viewpoint of the telecommunication systems, the attacks can be divided into two groups:
– The DoS-Victim attacks correspond to attacks against the network equipment themselves
  • E.g. SYN Flood or Ping-of-Death against a router
– The DoS-Carrier attacks correspond to attacks against systems connected to network equipment
  • E.g. SYN Flood or Slammer against an end-user - using resources at the network level and at the end-user level

Worms and Routing Infrastructure

Worms target:
– Slammer → MS SQL Server
– Nimda → IIS
– Code Red → IIS

Why are they impacting the routing infrastructure?

Worms Potential Impact

Classical Software Engineering Problems

Due to some extreme conditions - heavy traffic load - routers are more sensitive to:
– Software vulnerabilities
– Resource exhaustion
  • CPU overload
  • Buffer overflows
  • Memory exhaustion

... But the Major Impact May Be Elsewhere ...

Traffic diversity, i.e. many new flows
– Caching problem in routers → CPU overload
– Non-existing routers → "ICMP storms"

Instability in the routing information (???)
– The Border Gateway Protocol (BGP) is a routing protocol used to exchange information between Autonomous Systems
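The "caching problem" bullet is easy to quantify with a toy model. The following added example (not code from the slides or from any router vendor) models a router with a fixed-size per-destination forwarding cache, where a cache miss stands for the slow path (a full lookup on the CPU). It feeds the cache a constructed mix of ordinary traffic, whose destinations follow a skewed popularity distribution, and random-scan traffic, whose destinations are fresh 32-bit addresses, and compares miss rates. The cache size, traffic sizes and popularity model are all assumptions chosen for the illustration.

```python
"""Why a burst of never-seen-before destinations hurts a router that caches
per-destination forwarding state.

Added illustration, not code from the slides. The LRU cache, the traffic
mixes and all sizes are constructed for the example; a miss stands for the
slow-path route lookup that the slide calls the caching problem.
"""
import random
from collections import OrderedDict

SCAN_OFFSET = 1 << 32  # keeps constructed scan keys disjoint from the hot-set keys


class LruRouteCache:
    """Fixed-size destination cache with least-recently-used eviction."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, dst):
        """Return True on a hit; on a miss install the entry, evicting the LRU one if full."""
        if dst in self.entries:
            self.entries.move_to_end(dst)
            self.hits += 1
            return True
        self.misses += 1
        self.entries[dst] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False

    def miss_rate(self):
        total = self.hits + self.misses
        return self.misses / total if total else 0.0


def normal_destinations(rng, n_packets, hot_set_size=2000):
    """Constructed ordinary traffic: destination i is chosen with weight 1/(i+1) (Zipf-like)."""
    weights = [1.0 / (i + 1) for i in range(hot_set_size)]
    return rng.choices(range(hot_set_size), weights=weights, k=n_packets)


def scan_destinations(rng, n_packets):
    """Constructed random-scan traffic: a fresh uniformly random 32-bit address per packet."""
    return [SCAN_OFFSET + rng.getrandbits(32) for _ in range(n_packets)]


def miss_rate(dests, capacity):
    """Miss rate of one destination stream run through an empty cache."""
    cache = LruRouteCache(capacity)
    for d in dests:
        cache.lookup(d)
    return cache.miss_rate()


def legit_miss_rate_under_scan(rng, capacity, n_normal, n_scan):
    """Interleave ordinary and scan packets; report the miss rate seen by ordinary packets only.

    Scan packets keep installing useless entries and evict the hot ones, so legitimate
    flows also fall to the slow path even though their own pattern has not changed.
    """
    stream = [(d, True) for d in normal_destinations(rng, n_normal)]
    stream += [(d, False) for d in scan_destinations(rng, n_scan)]
    rng.shuffle(stream)
    cache = LruRouteCache(capacity)
    legit_misses = 0
    for dst, legit in stream:
        hit = cache.lookup(dst)
        if legit and not hit:
            legit_misses += 1
    return legit_misses / n_normal


def compare(seed=1, capacity=1000, n_packets=20000):
    """Miss rates for ordinary traffic alone, scan traffic alone, and ordinary traffic during a scan."""
    rng = random.Random(seed)
    return {
        "normal": miss_rate(normal_destinations(rng, n_packets), capacity),
        "scan": miss_rate(scan_destinations(rng, n_packets), capacity),
        "legit_during_scan": legit_miss_rate_under_scan(rng, capacity, n_packets, n_packets),
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:>18}: miss rate {rate:.3f}")
```

The scan stream misses on essentially every packet, so each scan packet costs a slow-path lookup regardless of whether the destination exists; and once scan traffic is interleaved with ordinary traffic, the ordinary flows' miss rate rises well above its baseline because the hot entries keep being evicted. Both effects are the CPU overload the slide attributes to "many new flows", and the second explains why a worm that targets end hosts still degrades forwarding for everyone behind the same router.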

Routing Architecture

(diagram: an Autonomous System (AS) with an Autonomous System Border Router; iBGP sessions inside the AS and a BGP-peers connection toward another AS; potential threat: TCP connections interrupted)

BGP (Potential) Instabilities

Instability observed under stress conditions
– Intra-AS flapping and routing failures
– High BGP message load
– Route computation → CPU overload

Reason (?)
– Potential failures in the TCP connections between BGP peers
  • Forcing exchange of BGP tables (~100,000 entries)
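The session-reset mechanism above is something an operator can watch for directly. The following added example (not code from the slides or from any vendor) scans router syslog for BGP neighbor state changes, flags a peer whose session has reset several times inside a sliding window, and estimates the table re-exchange load using the ~100,000-entry figure from the slide. The log lines are constructed; their shape, `%BGP-5-ADJCHANGE: neighbor <ip> Up|Down ...`, is an assumption about the input format, and the window and threshold are assumptions to tune against real traffic.

```python
"""Spot flapping BGP sessions in router syslog and estimate the table-exchange
load that each reset causes.

Added illustration, not code from the slides. The sample log is constructed;
the message shape it follows is an assumption about the input, not a claim
about any particular device. BGP_TABLE_ENTRIES is the slide's figure.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BGP_TABLE_ENTRIES = 100_000  # from the slide: a full BGP table is ~100,000 entries

ADJCHANGE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*%BGP-5-ADJCHANGE: "
    r"neighbor (?P<peer>\S+) (?P<state>Up|Down)"
)

# Constructed sample: peer 192.0.2.1 resets three times in a few minutes,
# peer 198.51.100.7 resets once, and one unrelated line is mixed in.
SAMPLE_LOG = """\
Jan 25 05:31:02 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Jan 25 05:31:40 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
Jan 25 05:33:15 asbr1 %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Down Peer closed the session
Jan 25 05:33:55 asbr1 %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Up
Jan 25 05:34:08 asbr1 %SYS-5-CONFIG_I: Configured from console by admin
Jan 25 05:35:21 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Jan 25 05:36:02 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
Jan 25 05:38:47 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Peer closed the session
Jan 25 05:39:30 asbr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
"""


def parse_adjchange(line):
    """Return (timestamp, peer, state) for a session-state line, or None for any other line."""
    m = ADJCHANGE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group("peer"), m.group("state")


def flap_report(log_text, window=timedelta(minutes=10), threshold=3):
    """Per peer: count Down/Up events, flag flapping, estimate entries re-exchanged.

    A peer with at least `threshold` Down events inside any `window` is flagged.
    Every time the session comes back Up the full table is exchanged again, so the
    estimate is ups * BGP_TABLE_ENTRIES.
    """
    events = [e for e in map(parse_adjchange, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent_downs = defaultdict(deque)
    report = {}
    for ts, peer, state in events:
        entry = report.setdefault(peer, {"downs": 0, "ups": 0, "flapping": False})
        if state == "Up":
            entry["ups"] += 1
            continue
        entry["downs"] += 1
        q = recent_downs[peer]
        q.append(ts)
        while q and ts - q[0] > window:  # drop Down events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry["flapping"] = True
    for entry in report.values():
        entry["entries_reexchanged"] = entry["ups"] * BGP_TABLE_ENTRIES
    return report


if __name__ == "__main__":
    for peer, info in flap_report(SAMPLE_LOG).items():
        flag = "FLAPPING" if info["flapping"] else "ok"
        print(f"{peer:>14}: {info['downs']} down, {info['ups']} up, "
              f"~{info['entries_reexchanged']:,} entries re-exchanged [{flag}]")
```

Three resets of one peer in under ten minutes mean three full-table exchanges, on the order of 300,000 entries to receive, run through policy and feed to route computation, which is the "high BGP message load" and "route computation → CPU overload" chain on the slide. Correlating the flagged peer with the interface and traffic counters for that period is the natural next step when deciding whether worm traffic, rather than a link fault, caused the TCP session to fail.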

BGP (Potential) Instabilities

Unfortunately, only a few results have been published in this research area - and they are contradictory

Problems
– Hard to simulate a complex system such as the Internet
– Hard to monitor automatically a complex system without any bias

Conclusion

The impact of worms on routing infrastructure shall be studied more thoroughly - by the industry and by the academic community. For example, what is the real impact
– On the routing protocols
– On the congestion algorithms
– On the quality-of-service approaches

An important step toward those objectives is a better understanding of the worm behavior

making software secure

Classification of Worms

Miguel Vargas Martin
Digital Security Group
School of Computer Science, Carleton University

MITACS 4th Annual Conference, May 9, 2003 - Ottawa NAC

Characteristics of Worms

(diagram: a worm on the Internet, characterised by its propagation strategy, IP address scanning, attack rate dynamics, exploited vulnerability, and impact on host)

Worms Studied

1 Morris
2 Sadmind
3 Code Red v2
4 Sircam
5 Code Red II
6 Nimda
7 Slammer
8 Code Red III

IP Address Scanning

(taxonomy: random | host related)
(local subnet | probabilistic | non-probabilistic | hitlist | permutation)

IP Address Scanning

columns: local subnet | random | host related | probabilistic | non-probabilistic
Morris        v v v
Sadmind       v v
Code Red v2   v
Sircam        v
Code Red II   v v
Nimda         v v v
Slammer       v
Code Red III  v v
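The scanning categories above are also what a network defender can observe: a random scanner spreads its probes across the whole address space, a local-subnet scanner concentrates them near its own address, and an ordinary host talks to a handful of destinations repeatedly. The following added example (not code from the slides or their authors) classifies each source in a set of flow records along exactly that axis. The flow records are constructed tuples, and the fan-out, locality and spread thresholds are assumptions chosen for the sample. Hitlist and permutation scanning, the other host-related strategies in the taxonomy, are not separated here because from a single vantage point they look like random scanning.

```python
"""Classify a source's scanning pattern from flow records, using the
IP address scanning categories of the taxonomy (random vs. local subnet).

Added illustration, not code from the slides. Flow records and thresholds
are constructed for the example and would be tuned against real traffic.
"""
import ipaddress
import random
from collections import defaultdict

FANOUT_THRESHOLD = 20     # assumption: fewer distinct destinations than this is not scanning
LOCAL_FRACTION = 0.5      # assumption: at least half the targets inside the source's /16
MIN_DISTINCT_SLASH8 = 10  # assumption: targets spread over this many /8s => random scanning


def classify_source(src, dsts):
    """Return 'none', 'local-subnet' or 'random' for one source and its destinations."""
    src_ip = ipaddress.ip_address(src)
    targets = {ipaddress.ip_address(d) for d in dsts}
    if len(targets) < FANOUT_THRESHOLD:
        return "none"
    local_net = ipaddress.ip_network(f"{src_ip}/16", strict=False)
    local = sum(1 for t in targets if t in local_net)
    slash8s = {int(t) >> 24 for t in targets}
    if local / len(targets) >= LOCAL_FRACTION:
        return "local-subnet"
    if len(slash8s) >= MIN_DISTINCT_SLASH8:
        return "random"
    return "none"


def classify_flows(flows):
    """Group (src, dst) records by source and classify every source."""
    by_src = defaultdict(set)
    for src, dst in flows:
        by_src[src].add(dst)
    return {src: classify_source(src, dsts) for src, dsts in by_src.items()}


def constructed_flows(seed=3):
    """Constructed sample: a local-subnet scanner, a random scanner and an ordinary host."""
    rng = random.Random(seed)
    flows = []
    # 10.1.2.3 probes 40 addresses inside its own 10.1.0.0/16 plus a few elsewhere
    for _ in range(40):
        flows.append(("10.1.2.3", f"10.1.{rng.randrange(256)}.{rng.randrange(1, 255)}"))
    for _ in range(5):
        flows.append(("10.1.2.3", str(ipaddress.ip_address(rng.getrandbits(32)))))
    # 10.5.5.5 probes 40 uniformly random addresses
    for _ in range(40):
        flows.append(("10.5.5.5", str(ipaddress.ip_address(rng.getrandbits(32)))))
    # 10.9.9.9 talks to the same three servers over and over
    for _ in range(30):
        flows.append(("10.9.9.9", rng.choice(["192.0.2.10", "192.0.2.11", "198.51.100.5"])))
    return flows


if __name__ == "__main__":
    for src, verdict in sorted(classify_flows(constructed_flows()).items()):
        print(f"{src:>10}: {verdict}")
```

The distinction matters for containment: a local-subnet scanner is best stopped at the access layer of its own site, while a random scanner is the kind that generates the new-flow diversity and ICMP unreachable storms discussed in Part II and is visible (and rate-limitable) at the border. In practice the fan-out count should be taken over a time window and combined with the share of probes that got no reply, which this sample omits.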

Propagation Nature

uniform payload: central | back-chaining | autonomous
poly-morphic: central | back-chaining | autonomous

Propagation Nature

columns (uniform payload): central | back-chaining | autonomous
Morris        v v
Sadmind       v
Code Red v2   v
Sircam        v
Code Red II   v
Nimda         v v v
Slammer       v
Code Red III  v

Exploited Vulnerability

(taxonomy: protocol | implementation | design characteristics | misconfiguration / bad default setting)

Exploited Vulnerability

worm: implementation; configuration / bad default settings
– Morris: sendmail, finger; .rhosts / weak password policy
– Sadmind: sadmind, IIS
– Code Red v2: IIS
– Sircam: network shares
– Code Red II: IIS
– Nimda: IIS, Code Red II and Sadmind backdoors; java script
– Slammer: SQL
– Code Red III: IIS

Attack Rate Dynamics

continuous: latency-limited | bandwidth-limited
variable: fluctuating | increasing

Attack Rate Dynamics

columns: continuous (latency-limited | bandwidth-limited) | variable (fluctuating)
Morris        v
Sadmind       v
Code Red v2   v v
Sircam        v
Code Red II   v
Nimda         v v
Slammer       v
Code Red III  v

Impact on Infected Host

disruptive: delete/modify files | subvert as DDoS zombie | install backdoors
degrading (bandwidth, processing power)

Impact on Infected Host

columns: disruptive (file modifications/deletions | DDoS zombie | backdoor) | degrading (bandwidth / processing power)
Morris        v
Sadmind       v v v
Code Red v2   v v v v
Sircam        v
Code Red II   v v v v
Nimda         v v v
Slammer       v
Code Red III  v v v v

Final Remarks

Worms are currently among the biggest threats to the Internet, and therefore understanding them better is one of the most important things we can do.