Slide 1: Routing Worm: A Fast, Selective Attack Worm based on IP Address Information
Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
Univ. Massachusetts, Amherst
Slide 2: Routing Worm Summary

- Routing worm: contains information of BGP routing prefixes in the worm code.
- A faster spreading worm
  - Internet routable IP space < 30% of entire IPv4 space.
  - Scanning routable space instead of entire IPv4 space.
  - Increasing propagation speed by 2 ~ 3.5 times.
- A selective attack worm
  - IP address → routing prefix → AS → ISP, country
  - Pinpoint attacking vulnerable hosts in a specific target
  - Selective attack based on any information derived from compromised hosts.
Slide 3: BGP Routing Table Introduction

- BGP (Border Gateway Protocol)
  - Inter-autonomous system routing protocol.
  - Backbone BGP routers contain all routable prefixes (without default route)
- Routable IPv4 space increases slowly
  - NAT
  - CIDR
  - DHCP

[Figure: percentage of routable IPv4 space over time, 11/97 to 09/03; y-axis "Percentage" from 22% to 30%, x-axis "Time (1997 ~ 2003)".]
Slide 4: BGP Routing Worm

- Contains BGP non-overlapping prefixes:
  - Non-overlapping prefixes: remove "128.119.85/24" if BGP contains "128.119/16".
  - 140602 prefixes → 62053 prefixes (Sept. 22, 2003)
  - Payload requirement: 175KB
- Big payload for Internet-scale worm propagation.
- Increasing worm's speed by 3.5 times.
  - Scanning space is 28.6% of entire IPv4 space.
Slide 5: Class A Routing Worm

- IANA provides Class A address allocations
  - Class A (x.0.0.0/8); 256 Class A in IPv4 space.
    002/8 : IANA - Reserved
    003/8 : General Electric Company
    056/8 : U.S. Postal Service
    214/8 : US-DOD
    216/8 : ARIN
    217/8 : RIPE NCC
    224/8 : IANA - Multicast
- 116 Class A contain all BGP routable space.
- Scanning space: 45.3%; payload: 116 Bytes.
Slide 6: Routing Worm based on Aggregated BGP Prefixes

- Two extreme cases of routing worms:
  - BGP routing worm: all prefixes in BGP
  - Class A routing worm: only "/8" prefixes
- Routing worm based on aggregated prefixes
  - "/n" aggregation: combine several longer prefixes into a shorter "/n" prefix.
    "128.119.5/24" + "128.119.2/24" → "128.119/16" or "128.119.0/19"
  - Class A prefixes are results of "/8" aggregation.
Slide 7: Routing Worm based on Aggregated BGP Prefixes

[Figure: "/n" aggregation (n = 8 ~ 16). Worm prefix payload (0 to 25KB) and percentage of scanning space (25% to 50%) plotted against n.]

- Payload vs. Scanning space trade-off
- Flexible trade-off between: Scanning space ↔ Prefix payload
Slide 8: Routing Worm Propagation Study

where
: # of vulnerable
: Scanning space
: Scan rate

Comparison of the Code Red worm, a routing worm, a hit-list worm, a hit-list routing worm

[Figure: three panels plotting "Number of infected hosts" (x 10^5, 0 to 4) against "Time t (minute)". Panel 1: BGP routing worm, Class A routing worm, traditional worm. Panel 2: BGP routing worm, Class A routing worm, hit-list worm. Panel 3: hit-list routing worm, hit-list worm, traditional worm.]

N=360,000; h=358 scans/min; I(0)=10 (10,000 for a hit-list worm)
Slide 9: Routing Worm: A Selective Attack Worm

- Selective Attack: worm has different behaviors on different compromised hosts.
- Routing worm: imposes damage based on geographical information of IP addresses of compromised hosts
- Geographical information of IP addresses
  - IP address → Routing prefix → AS (BGP routing table)
  - AS → Company, ISP, Country (researches)
- Pinpoint attacking vulnerable hosts in a specific target
  - Potential terrorist's attack
Slide 10: Selective Attack: a Generic Attacking Technique

- Selective attack: imposes damage based on any information a worm can get from compromised hosts
  - OS (e.g.: illegal OS, language, time zone)
  - Software (e.g.: installed a specific program)
  - Hardware (e.g.: CPU, memory, network card)
- Selective attack: improving propagation speed
  - Maximize infectious power of each compromised host.
  - Multi-thread worm: generates different numbers of threads on different computers based on CPU, memory, and connection speed.
Slide 11: Defense: Upgrading IPv4 to IPv6

- Routing worm: reducing worm scanning space
  - Effective, easier than hit-list worm to implement
  - Difficult to prevent: public BGP tables and IP geographical information
- Defense: increasing worm scanning space
  - Upgrading IPv4 to IPv6
  - The smallest network in IPv6 has 2^64 IP address space.
  - A worm needs 40 years to infect 50% of vulnerable hosts in a network when N=1,000,000, h=100,000/sec, I(0)=1000
  - Limitation: for scan-based worms only
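Added example, not from the slides: the propagation equation on slide 8 is not legible in this transcript, so the code below assumes the simple epidemic model dI/dt = (h/Ω) * I * (N - I), with N vulnerable hosts, scan rate h and scanning space Ω, and checks the figures quoted on slides 8 and 11: a BGP routing worm scanning 28.6% of IPv4 reaches 50% infection about 3.5 times sooner than a worm scanning all of IPv4, and inside a single IPv6 /64 the same curve takes roughly 40 years.

```python
import math

IPV4_SPACE = 2 ** 32             # scanning space of a traditional IPv4 worm
IPV6_SUBNET = 2 ** 64            # smallest IPv6 network (slide 11)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def infected(t, n, h, i0, omega):
    """Infected hosts at time t under the simple epidemic model (an assumption,
    the deck's own equation is not legible here):
    dI/dt = (h / omega) * I * (N - I), whose closed form is
    I(t) = N / (1 + (N/I0 - 1) * exp(-h * N * t / omega)).
    t is in the same time unit as the scan rate h."""
    return n / (1 + (n / i0 - 1) * math.exp(-h * n * t / omega))


def time_to_fraction(frac, n, h, i0, omega):
    """Time until a fraction frac (0 < frac < 1) of the N vulnerable hosts
    is infected, obtained by inverting I(t) = frac * N."""
    return omega / (h * n) * math.log((n / i0 - 1) * frac / (1 - frac))


def slide_scenarios():
    """Time to 50% infection for the parameter sets quoted on slides 8 and 11."""
    n, h, i0 = 360_000, 358, 10                                    # slide 8, h in scans/min
    t_trad = time_to_fraction(0.5, n, h, i0, IPV4_SPACE)
    t_bgp = time_to_fraction(0.5, n, h, i0, 0.286 * IPV4_SPACE)    # slide 4: 28.6% of IPv4
    t_classa = time_to_fraction(0.5, n, h, i0, 0.453 * IPV4_SPACE) # slide 5: 45.3% of IPv4
    # slide 11: N=1,000,000, h=100,000 scans/sec, I(0)=1000 inside one /64
    t_ipv6 = time_to_fraction(0.5, 1_000_000, 100_000, 1000, IPV6_SUBNET)
    return {
        "traditional_min": t_trad,
        "bgp_min": t_bgp,
        "class_a_min": t_classa,
        "bgp_speedup": t_trad / t_bgp,          # expected about 3.5x
        "class_a_speedup": t_trad / t_classa,   # expected about 2.2x
        "ipv6_years": t_ipv6 / SECONDS_PER_YEAR,  # expected about 40 years
    }


if __name__ == "__main__":
    for name, value in slide_scenarios().items():
        print(f"{name:>16}: {value:,.1f}")
```

The speed-up is exactly the ratio of scanning spaces because Ω enters the model only as a time scale; the 2 ~ 3.5x range on slide 2 is the Class A and BGP cases respectively.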
Slide 12: Summary

- Routing worm: contains information of BGP routing prefixes in the worm code.
- Routing worm: a faster spreading worm
  - Scans routable space (< 30%) instead of entire IPv4 space.
  - Increasing propagation speed by 2 ~ 3.5 times.
- Routing worm: a selective attack worm
  - IP address → routing prefix → AS → ISP, Country
  - Pinpoint attacking vulnerable hosts in a specific target
  - Selective attack based on any information a worm can get from compromised hosts.
- Defense: Increase a worm's scanning space
  - IPv4 upgrade to IPv6