Outline Introduction to worms Potential damage that *could* be caused (theoretical) Early DoS and Worms Examples of recent worms and DoS attacks � Slammer Worm � Shaft DoS attack Ben Wilde � Mstream DoS attack 7 February, 2005 � Trin00 DoS attack Comp 290 – Network Intrusion Detection Worm Propagation: past and future So, what are these “worms”? What is a worm? What’s a worm? A computer worm is a program that self- propagates across a network exploiting How does it pick who is infected? security or policy flaws in widely-used What are their payloads? services But why would somebody do this? � First gained notice with the Morris worm of ’88 Different from viruses and other DoS attacks in that they self-propagate automatically, without need for user input I’m sorry… this is terrible. Who gets infected? For a worm to infect a machine, it must first discover that the machine exists There are a number of techniques by which a worm can discover new machines to exploit � Scanning � Target lists or Hit lists � Passive monitoring
Worm target selection Potential Payloads The payload (code carried by the worm apart Scanning from the propagation routines) is limited only by � A worm scans IP addresses, which are selected the imagination of the attacker. either sequentially or randomly Some examples fall into the following categories: Target Lists � None/Non-functional � Worm infects computers based on a list of IP � Internet Remote Control (control a user’s computer) addresses, either generated by the attacker or � Spam Relays (let spammers avoid known IP’s) extracted from information stored on the computer � HTML Proxies (hard to shut down illegal websites) More on this later… � DoS Passive Monitoring � Data Collection (snoop around on a users hard drive) � Worm waits for potential victims to contact it, then � Access for Sale (sell remote control of a zombie spreads to that new computer army) Why would somebody do this? Why ELSE? Experimental Curiosity Pride and Power � The old “show off” factor Commercial Advantage � Such as DDoS against competitors Extortion and Criminal Gain � “You wouldn’t want your network to crash, would ya? Pay me and it won’t…” Protest Economic Terrorism Cyber Warfare � Attack a government’s computers Potential Damage Potential Damage Now that we have some of the background Cost of a worm can be modeled as: down, let’s look about some calculations about what damage could result… Keep in mind… it’s just a little piece of � The four parameters are: software. How much damage could it Recovery Costs really cause? Productivity loss due to down time Value of data loss times the probability of unrecoverable data loss Over 100 BILLION DOLLARS worth. Replacement value of the computer times the That’s how much. probability of hardware damage
Potential Damage Catch your breath… Based on estimates of costs, the Let’s back up… that number was based on researchers produced the following table: numerous assumptions, all of which are for the worst case. � Assumes attacker has “infinite” resources Like a nation state � Assumes all code in the worm is perfect and bug-free (yeah… right.) � Assumes that all difficult-to-predict possibilities go in favor of the attacker See Paxson’s “A Worst Case Worm” for more information Bring on some real worms Now, we’ll begin looking at some REAL WORMS AND DOS ATTACKS that have appeared in the past five years. Again, I apologize. I really am sorry. Installation of a Worm Common Bonds between worms Before we get into the specifics of any one Let’s start by looking at how worms get attack, I’d like to cover the bonds that are onto your computer… shared between the attacks. � Specifically how someone else takes control of your machine � Command hierarchy � Password Protection Warning: Lots of text and very few � Attack Protocols diagrams… I’ll try to move fast.
Installation of Worms Installation of Worms A stolen account is set up as a repository for A scan is performed of large ranges of pre-compiled versions of scanning tools, attack network blocks to identify potential targets. tools, root kits and sniffers, daemon and master � Targets would include systems running programs, lists of vulnerable hosts and various services known to have remotely previously compromised hosts, etc. exploitable buffer overflow security bugs This would normally be a large system with many users, one with little administrative oversight, and on a high-bandwidth connection for rapid file transfer. Installation of Worms Installation of Worms A list of vulnerable systems is then used to From this list of compromised systems, create a script that performs the exploit subsets with the desired architecture are and sets up a command shell running chosen under the root � Slammer stops at this phase and begins to propagate � Trinoo and others set up a TCP port and responds to the master confirming the success of the exploit Sometimes, email messages are sent to confirm which systems have been compromised Installation of Worms Installation of Worms Optionally, a "root kit" is installed on the system A script is then run which takes this list of to hide the presence of programs, files, and "owned" systems and produces yet network connections. another script to automate the installation � A root kit is “a set of tools used after cracking a process. computer system that hides logins, processes, and � Each installation is run the background for logs as well as usually sniff terminals, connections, maximum multitasking. and the keyboard.” (Wikipedia) � A sniffer monitors packets on the network that a particular terminal is connected to, potentially giving a remote user to confidential information i.e. logins and passwords
Worm Hierarchy Worm Control Hierarchy Now that we’ve seen how a worm can get Interactive, controlled attack loaded onto your computer, we can see � Shaft, Trinoo, Mstream how it is generally controlled. There are two general attack schemes Attacker � Interactive attack � Oblivious attack Master Master Daemon Daemon Daemon Daemon Worm Control Hierarchy Worm Control Hierarchy Commands are issued by an attacker “Oblivious” UDP attack � Specifying which hosts to attack, for example � Slammer Responses can be returned by the One way daemons � Does not need to hear back from ‘daemons’ � Statistics about attack Bandwidth Limited Because the attack is interactive and TCP- � Can go as fast as the network bandwidth will based, we say that it is “latency-limited” allow � You must wait to hear back from the daemon Not latency-limited like others before you issue another command Result of using UDP over TCP Password Protection Attack Protocols With trinoo, mstream and shaft, The main types of attack protocols are commands are issued by one or a few UDP, TCP SYN, or ICMP attackers, and can go to (potentially) � They are increasingly being used in thousands of zombies combination From the attacker’s point of view, they don’t want somebody else being able to ‘hijack’ their zombie army. Simple password schemes are used
Attack Protocols Examples of Worms TCP SYN Attack We’ll now discuss four different worms/DoS attacks � The attacker sends TCP connection requests faster than the victim can process them � Slammer, MStream, Shaft and Trinoo Victim will respond to a spoofed IP address, then wait for a For each, we’ll see the following: response (which will never come). � Damage that was caused UDP Flood � Exploits that were used to gain control � The attacker sends a bunch of UDP packets to a � Communication between attacker and daemons victim, resulting in a backlog of responses on the victim-side. Examples of commands that were passed back and forth � Password Protection ICMP Flood � Defenses against the worm � Many flavors… one is to spoof source IP of the victim, � Weaknesses of the worm then send out PING (or other) requests, flooding the victim with the responses. � Potential modifications to the worm http://www.riverhead.com/re/generic_ddos.html has an extensive list of attacks Slammer Slammer Also known as Sapphire This is after 30 minutes Unleashed 25 January, 2003 Within 10 minutes, 75,000 hosts were infected � Fastest worm seen to date Resulted in bandwidth saturation and network failure Slammer Exploits Slammer Propagation Exploited buffer-overflow vulnerability in Slammer used a random number computers on the Internet running Microsoft’s generator to randomly select IP addresses SQL Server or Microsoft SQL Server Desktop Engine (MSDE) 2000. to attempt to infect A single 404 byte UDP packet is sent out to port � A potential bug in the randomizer limited the 1434, which then replicates itself if it succeeds scope of the hosts that were infected with the exploit � The process is then repeated Slammer experienced exponential growth Because all of the code could be sent in a single until networks became saturated and/or packet and there was no limit imposed by shut down. latency, Slammer was the fastest worm seen to date � 3 times faster than worms like Code Red
Recommend
More recommend
