code red a case study on the spread and victims of an
play

Code-Red: a case study on the spread and victims of an Internet - PowerPoint PPT Presentation

Feb 12, 2023 •144 likes •495 views

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

  1. Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 – IMW {dmoore, cshannon} @ caida.org www.caida.org

  2. Outline • What is the Code-Red worm? • Detection • Host Infection Rate • Host Characterization • Patching response after July 19th • Daily cycle in actively spreading hosts

  3. What is the Code-Red worm? • Malicious program that connects to other machines and replicates itself • Timeline: – June 18: eEye discovers vulnerability – June 26: Microsoft releases security patch – July 12: Code-Red version 1 spreads – 10am July 19: Code-Red version 2 begins to spread rapidly – August 1: Code-Red version 2 begins to spread a second time

  4. What does the Code-Red worm do? • Exploits a vulnerability in Microsoft IIS • Days 1-19 of each month – displays ‘hacked by Chinese’ message on English language servers – tries to open connections to infect randomly chosen machines using 100 threads • Day 20-27 – stops trying to spread – launches a denial-of-service attack on the IP address of www1.whitehouse.gov

  5. Code-Red Detection • Data collected from a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratories (LBL) • 1/256th of total address space monitored • Machines sending TCP SYN packets to port 80 of nonexistent hosts considered infected • Data spans 24-hour period from midnight UTC July 19th - midnight UTC July 20th

  6. Host Infection Rate • 359,000 hosts infected in 24 hour period • Between 11:00 and 16:00 UTC, the growth is exponential • 2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC)

  7. Host Infection Rate

  8. Epidemiological Infection Rate

  9. Infection Rate over Time

  10. Host Characterization: Country • The following graph shows the top ten countries of origin for all infected hosts • Surprisingly, Korea is the second most prevalent country, ahead of countries with more advanced network infrastructure

  11. Host Characterization: Country of Origin 160000 US 140000 Korea 120000 China 100000 Taiwan Canada 80000 UK 60000 Germany 40000 Australia 20000 Japan 0 Netherlands Infected Hosts 525 hosts in NZ

  12. Host Characterization: Top-Level Domain (TLD) • 47% of all infected hosts had no reverse DNS records, so we could not determine their TLDs • .COM, .NET, and .EDU are all represented in proportions equivalent to their overall share of existing hosts • 136 .MIL hosts and 213 .GOV hosts also infected • 390 hosts on private networks (addresses in 10.0.0.0/8) infected, suggesting that private networks were vulnerable and many more private network hosts may be infected • 374 .NZ hosts

  13. Host Characterization: Domain • ISPs providing connectivity to home and small- business users had the most infected hosts • Machines maintained by home/small-business users (i.e. less likely to be maintained by a professional sysadmin) are an important aspect of global Internet health

  14. Host Characterization: Domain 12000 home.com 10000 rr.com 8000 t-dialin.net pacbell.net 6000 uu.net aol.com 4000 hinet.com 2000 net.tw edu.tw 0 Infected Hosts

  15. Host Infection Animation

  16. Response to July 19th CodeRed • By July 30th and 31st, more news coverage than you can shake a stick at: – FBI/NIPC press release – Local ABC, CBS, NBC, FOX, WB, UPN coverage in many areas – National coverage on ABC, CBS, NBC, CNN – Printed/online news have been covering since the 19th • “Everyone” knew it was coming back on the 1st • However, many say that normal users need not worry, as this only affects commercial web servers

  17. Patching Survey • Idea: randomly test subset of previously infected IP addresses to see if they have been patched or are still vulnerable • 360,000 IP addresses in pool from initial July 19th infection • 10,000 chosen randomly each day and surveyed between 9am and 5pm PDT

  18. Patching Rate

  19. Vulnerability Charts • July 29th data, but adjacent days look similar • Percentages are computed for all survey responses, including: – connection timeout, connection refused, unknown IIS version, unknown response, etc • These are more conservative estimates of the vulnerability than the previous slide

  20. Vulnerability: Country 60 US 50 Korea China 40 Taiwan Canada 30 UK 20 Germany Australia 10 Japan Netherlands 0 % Unpatched Hosts

  21. Vulnerability: Domain 60 Unknown 50 home.com rr.com 40 t-dialin.net pacbell.net 30 uu.net 20 aol.com hinet.com 10 net.tw edu.tw 0 % Hosts Unpatched

  22. The Return of Code-Red • Code-Red reawakened on August 1 • How did the infection change over time? What does this tell us about the infected machines? Are they big companies? Home users? Web servers? People who know they aren’t running IIS? • Can you see and identify daily cycles in graphs of infected hosts?

  23. Host Infections

  24. Hosts by Timezone (UTC)

  25. Hosts by Timezone (Local)

  26. Dynamic IP Addresses • Idea: How can we tell how many infected computers as opposed to IP addresses ? • Motivation: Max of ~180,000 unique IPs seen in any 2 hour period, but more than 2 million across ~a week. • This DHCP effect can produce skewed statistics for certain measures, especially over long time periods

  27. Dynamic IP Addresses • For each /24, count: – total number of unique IP addresses seen ever – maximum number seen in 2 hour periods • On plot: – x-axis is total number of unique addresses seen ever – y-axis is maximum number for a 2 hour period – the x = y (total = max) line shows /24s that had all their vulnerable hosts actively spreading in same 2 hour period, and those hosts didn’t change IP addresses – the space far below and to the right of the x = y line (total >> max) shows /24s that appear to have a lot of dynamic addresses – color of points represents density (3d histogram)

  28. DHCP Effect seen in /24s

  29. Conclusions • 1/3 - 1/2 of hosts are coming and going on a daily cycle • DHCP effect can skew statistics, since the same host can have multiple IP addresses • Even with the “best” possible warning, the majority of IIS patching occurred after the start of the next round of CodeRed

  30. Thanks • UCSD and SDSC Network Operations • CAIDA folks • Vern Paxson, Bill Fenner • Stefan Savage, Geoff Voelker • Mike Gannis • DARPA, NSF, Caida Members/Sponsors • Cisco Systems

  31. Cooperative Association for Internet Data Analysis (CAIDA) San Diego Supercomputer Center Computer Science & Engineering University of California, San Diego http://www.caida.org/ analysis/security/

  32. Host Characterization: Top-Level Domain (TLD) 180000 unknown 160000 net 140000 com 120000 edu 100000 tw 80000 jp 60000 ca 40000 it 20000 fr 0 nl Infected Hosts

  33. Host Characterization: Top-Level Domain (TLD) 70000 net 60000 com 50000 edu 40000 tw jp 30000 ca 20000 it fr 10000 nl 0 Infected Hosts

  34. Host Characterization: Domain 180000 Unknown 160000 home.com 140000 rr.com 120000 t-dialin.net 100000 pacbell.net 80000 uu.net 60000 aol.com 40000 hinet.com 20000 net.tw 0 edu.tw Infected Hosts

  35. Who gets Internet worms? • Big question: who gets code red? Big companies? Home users? Web servers? People who know they aren’t running IIS? • Host infection plots show some slight diurnal behavior ==> people turning off their “web servers” • Looking deeper shows extreme diurnal behavior, masked in simple plots (1/3 to 1/2 machines turned on/off daily)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Information Warfare in Cyberspace: The Spread of Hoaxes in Social Media ( Case Study: Jakarta

Information Warfare in Cyberspace: The Spread of Hoaxes in Social Media ( Case Study: Jakarta

Information Warfare in Cyberspace: The Spread of Hoaxes in Social Media ( Case Study: Jakarta Gubernatorial Election 2017 ) Fahmy Yusuf 1 , Agus HS. Reksoprodjo 2 Submitted for Revuln 19 at the Best Western Plus Hotel, Hong Kong, 2019 December

246 views • 12 slides
Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before

Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before

Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before Code Philosophy + AcademyHealth + Outcomes + Our Approach + GatherContent Michelle Jackson Web Strategist Bec White Development Operations

613 views • 40 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
GUIDING PRINCIPALS Percolation Percolation Percolation Slow it /Spread it /Sink it

GUIDING PRINCIPALS Percolation Percolation Percolation Slow it /Spread it /Sink it

ECOLOGICAL GRADING TECHNIQUES FOR STORMWATER MANAGEMENT IN THE LANDSCAPE Guiding Principals Rural Case Study Suburban Case Study Presen ented ed by by: Rick Taylor, Elder Creek Landscapes GUIDING PRINCIPALS Percolation

421 views • 11 slides
Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d

Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d

Case Study: Modal2d Surveying the Code Making it Offloadable Xeon Phi Performance Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d Surveying the Code Making it Offloadable Xeon Phi Performance Case

366 views • 12 slides
The Business Case for Contributing Code Alex Urevick-Ackelsberg About Us Zivtech = 4+ years

The Business Case for Contributing Code Alex Urevick-Ackelsberg About Us Zivtech = 4+ years

The Business Case for Contributing Code Alex Urevick-Ackelsberg About Us Zivtech = 4+ years old, 20+ employees Alex UA Co-founder, CEO Professional Troublemaker Hat enthusiast The Problem Wide spread confusion as to the

608 views • 25 slides
NY NY CRIM CRIME VICTIM VICTIMS LE LEGAL NETW NETWORK OV OVS Case Case Ma Manag nager Traini

NY NY CRIM CRIME VICTIM VICTIMS LE LEGAL NETW NETWORK OV OVS Case Case Ma Manag nager Traini

2/26/2019 NY NY CRIM CRIME VICTIM VICTIMS LE LEGAL NETW NETWORK OV OVS Case Case Ma Manag nager Traini ning ng 2 26 26 19 19 Training Objectives Participants will: Understand the variety of civil legal needs that arise from crime

215 views • 5 slides
Code Enforcement First line of defense for a community to stop the spread of blight

Code Enforcement First line of defense for a community to stop the spread of blight

Code Enforcement First line of defense for a community to stop the spread of blight Effective code enforcement is important not only for maintaining healthy and safe communities for our residents, but it is also a proven tool to reverse the

386 views • 14 slides
on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma.

on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma.

Speech and Language Therapy on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma. Jump from 5th Floor. GCS 4 on scene Injuries: HEAD: multifocal ICH, SAH, DAI 1, R sided stroke FACE:

226 views • 10 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight

Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight

Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight website. (Not o ff icially published by 'FiveThirtyEight'). # install.packages("fivethirtyeight") fivethirtyeight library(fivethiryeight)

714 views • 26 slides
Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science

Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science

Hot-Patching a Web Server: a Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley Security Dilemma Integrity and availability threatened by vulnerabilities Two

330 views • 29 slides
Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study:

Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study:

Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study: Matrix Multiplication Many slides in this lecture are borrowed from the first lecture in 6.172 Performance Engineering of Software Systems at MIT. The

833 views • 55 slides
2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Page 1 of 7 2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular, symbolic problem. The solution that we develop incorporates a task scheduling algorithm. 2.7.1

259 views • 7 slides
THE HIGH RISK CASE COORDINATION PROGRAM National Victims Awareness Week Symposium Verona

THE HIGH RISK CASE COORDINATION PROGRAM National Victims Awareness Week Symposium Verona

THE HIGH RISK CASE COORDINATION PROGRAM National Victims Awareness Week Symposium Verona Singer , Ph.D , Coordinator Halifax Regional Police Victim Services April 7, 2014, Ottawa High risk case coordination program What is it? Who

539 views • 20 slides
CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong

CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong

CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong Ragkhitwetsagul, Jens Krinke, Albert Cabr Juan Cloned Code vs Plagiarised Code A result from source code Created in a similar way as code

479 views • 31 slides
Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When you run it, the Greeks creep out and slaughter your system Lecture 12 Page 1 CS 236 Online Basic Trojan Horses A program you pick up somewhere

581 views • 23 slides
ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more

ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more

ECS 289M Lecture 24 May 26, 2006 Computer Virus Program that inserts itself into one or more files and performs some action Insertion phase is inserting itself into file Execution phase is performing some (possibly null) action

586 views • 22 slides
Module 20: Security The Security Problem Authentication Program Threats System

Module 20: Security The Security Problem Authentication Program Threats System

Module 20: Security The Security Problem Authentication Program Threats System Threats Threat Monitoring Encryption Silberschatz and Galvin 1999 Operating System Concepts 20.1 The Security Problem Security must

155 views • 11 slides
So you think you want to simulate a network? Mark Handley Professor of Network Systems UCL Why

So you think you want to simulate a network? Mark Handley Professor of Network Systems UCL Why

So you think you want to simulate a network? Mark Handley Professor of Network Systems UCL Why do you want to do network simulation? Understand a problem. Demonstrate your ideas work. Demonstrate your ideas are better than the

838 views • 48 slides
CSSE132 Introduc0on to Computer Systems 18 : Alignment,

CSSE132 Introduc0on to Computer Systems 18 : Alignment,

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 18 : Alignment, Pointers, Bounds April 9, 2013 1 Today Structures Alignment

605 views • 43 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in hosts and networks technology suggests that there will be new

1.05k views • 46 slides
Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &

738 views • 53 slides

More recommend