Lecture 19 - Network Security - CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - PowerPoint PPT Presentation



SLIDE 1

Lecture 19 - Network Security

CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

www.cse.psu.edu/~tjaeger/cse443-s12/

SLIDE 2

Exploiting the network ...

  • The Internet is extremely vulnerable to attack
    – it is a huge open system ...
    – which adheres to the end-to-end principle
      • smart end-points, dumb network
  • Can you think of any large-scale attacks that would be enabled by this setup?

SLIDE 3

Malware

  • Malware - software that exhibits malicious behavior (typically manifest on the user's system)
    – virus - self-replicating code, typically transferred by shared media, filesystems, email, etc.
    – worm - self-propagating program that travels over the network
  • The behaviors are as wide ranging as imagination
    – backdoor - hidden entry point into a system that allows quick access to elevated privileges
    – rootkit - system replacement that hides adversary behavior
    – key logger - program that monitors, records, and potentially transmits keyboard input to the adversary
    – trojan - malicious software disguised as a legitimate program

SLIDE 4

Worms

  • A worm is a self-propagating program.
  • As relevant to this discussion, it:
    1. Exploits some vulnerability on a target host …
    2. (often) embeds itself into the host …
    3. Searches for other vulnerable hosts …
    4. Goto (1)
  • Q: Why do we care?

SLIDE 5

The Danger

  • What makes worms so dangerous is that infection grows at an exponential rate
    – A simple model:
      • s (search) is the time it takes to find a vulnerable host
      • i (infect) is the time it takes to infect a host
    – Assume that t=0 is the worm outbreak; the number of hosts at t=j is 2^(j/(s+i))
    – For example, if (s+i = 1), how many hosts are compromised at time t=32?
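Working the slide's question through (an added illustration, not part of the lecture slides): with $N(j) = 2^{j/(s+i)}$ and $s+i = 1$ time unit,

$$N(32) = 2^{32/1} = 2^{32} = 4{,}294{,}967{,}296,$$

which is the size of the entire IPv4 address space, so under this model every possible target has been reached by $t = 32$. Inverting the model gives the time at which a population of $N$ hosts is compromised:

$$j = (s+i)\,\log_2 N,$$

so one million hosts fall at $j = (s+i)\log_2 10^6 \approx 20\,(s+i)$ and one billion at $\approx 30\,(s+i)$. Every unit added to $s$ or $i$ stretches the whole timeline proportionally, which is why anything that makes searching slower or less efficient (wasted scans of dark address space, for instance) widens the window in which the outbreak can still be contained.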

SLIDE 6

The result

[Chart: compromised hosts vs. time under the model above; y-axis from 0 to 5,000,000,000, with the knee of the curve annotated “point of criticality”]

SLIDE 7

The Morris Worm

  • Robert Morris, a 23 year old doctoral student from Cornell
    – Wrote a small (99 line) program
    – November 3rd, 1988
    – Simply disabled the Internet
  • How it did it
    – Read /etc/passwd, then tried the obvious choices and a dictionary (/usr/dict/words)
    – Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
      • Tries cracked passwords at related hosts (if necessary)
      • Uses whatever services are available to compromise other hosts
    – Scanned local interfaces for network information
    – Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

SLIDE 8

Code Red

  • Anatomy of a worm: Maiffret (good reading)
  • Exploited a Microsoft IIS web-server vulnerability
    – A vanilla buffer overflow (allows the adversary to run code)
    – Scans for vulnerabilities over random IP addresses
    – Sometimes would deface the served website
  • July 16th, 2001 - outbreak
    – CRv1 - contained bad randomness (a fixed set of IPs was searched)
    – CRv2 - fixed the randomness,
      • added DDoS of www.whitehouse.gov
      • Turned itself off and on (on the 1st and 16th of the month)
    – August 4 - Code Red II
      • Different code base, same exploit
      • Added local scanning (biased randomness to local IPs)
      • Killed itself in October of 2001

SLIDE 9

Worms and infection

  • The effectiveness of a worm is determined by how good it is at identifying vulnerable machines
    – Morris used local information at the host
    – Code Red used what?
  • Multi-vector worms use lots of ways to infect
    – E.g., network, DFS partitions, email, drive-by downloads …
    – Another worm, Nimda, did this
  • Lots of scanning strategies
    – Signpost scanning (using local information, e.g., Morris)
    – Random IP - good, but wastes a lot of time scanning dark or unreachable addresses (e.g., Code Red)
    – Local scanning - biased randomness
    – Permutation scanning - each instance is given part of the IP space

SLIDE 10

Other scanning strategies

  • Hit-list scanning
    – Setup - use “low and slow” scanning to determine which hosts are vulnerable (i.e., create a hit list)
    – Start the worm, passing the list of vulnerable hosts; reduce/divide the list at each host
    – Gets past the slow start part, gets right into the exponential
    – Essentially removes the window to stop the worm

[Chart: compromised hosts vs. time, y-axis from 0 to 5,000,000,000, as on slide 6]

SLIDE 11

Other scanning strategies

  • The doomsday worm: a flash worm
    – Create a hit list of all vulnerable hosts
      • Staniford et al. argue this is feasible
      • Would contain a 48MB list
    – Do the infect-and-split approach
    – Use a zero-day vulnerability

SLIDE 12

Worms: Defense Strategies

  • (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
  • Heterogeneity: use more than one vendor for your networks
  • Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning)
  • Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
    – This is the dominant method, getting sophisticated (Arbor Networks)

[Diagram: the Shield sits between the Network Interface and the Operating System, filtering Network Traffic]

SLIDE 13

Advanced Methods

  • Quarantine - how do you stop it once it is out?
    – Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage
  • Assume you have a LAN/WAN environment
    – We have already talked about how to prevent
    – Q1: How do you recognize a worm?
    – Q2: How do you stop a worm?
  • Much work in this area ...
    – number of new addresses contacted
    – number of incomplete IP handshakes
    – number of connections to new local hosts (COI?)
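The three recognition heuristics listed on this slide, computed per source host over a constructed flow log (an added example, not code from the lecture or from the Moore et al. paper; the 10.0.0.0/8 site prefix, the TEST-NET addresses and the thresholds are assumptions):

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")   # assumed site prefix (constructed, not from the slides)

# Constructed flow log: (time_s, src, dst, handshake_completed), TEST-NET addresses.
# 10.0.0.5 behaves like a normal client; 10.0.0.9 behaves like a scanning worm that
# first probes random external addresses and then sweeps the local network.
FLOWS = (
    [(1, "10.0.0.5", "10.0.0.2", True), (2, "10.0.0.5", "203.0.113.10", True),
     (3, "10.0.0.5", "10.0.0.2", True), (4, "10.0.0.5", "203.0.113.10", True)]
    + [(t, "10.0.0.9", f"198.51.100.{t}", False) for t in range(1, 13)]
    + [(t, "10.0.0.9", f"10.0.{t}.7", t % 4 == 0) for t in range(13, 21)]
)

def per_source_features(flows, window=30, known=None):
    """Return {src: {"new_dsts", "incomplete", "new_local"}} over the first `window`
    seconds of the log. `known` holds (src, dst) pairs already seen before the window."""
    known = set(known or ())
    feats = defaultdict(lambda: {"new_dsts": 0, "incomplete": 0, "new_local": 0})
    start = min(t for t, *_ in flows)
    for t, src, dst, completed in sorted(flows):
        if t - start >= window:
            break
        f = feats[src]
        if (src, dst) not in known:                 # first contact with this address
            f["new_dsts"] += 1
            if ip_address(dst) in LOCAL_NET:
                f["new_local"] += 1                 # new *local* host: lateral spread
            known.add((src, dst))
        if not completed:
            f["incomplete"] += 1                    # SYN to a dark, unreachable or closed host
    return dict(feats)

def suspicious_sources(flows, max_new=10, max_incomplete=5, max_new_local=3):
    """Sources exceeding any threshold. Thresholds are illustrative; tune them per site
    against the normal contact rate, since a worm is recognised by the rate of *new*
    contacts and failed handshakes rather than by traffic volume."""
    feats = per_source_features(flows)
    return sorted(src for src, f in feats.items()
                  if f["new_dsts"] > max_new
                  or f["incomplete"] > max_incomplete
                  or f["new_local"] > max_new_local)
```

A real deployment would feed `per_source_features` from NetFlow or firewall logs and carry the `known` set across windows, so that only genuinely new destinations count.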

SLIDE 14

Botnet Story

SLIDE 15

Botnets

  • A botnet is a network of software robots (bots) run on zombie machines, which are controlled by command and control networks
    – IRCbots - command and control over IRC
    – Bot herder - owner/controller of the network
    – "scrumping" - stealing resources from a computer
  • Surprising Factoid: the IRC server is exposed.

SLIDE 16

Statistics (controversial)

  • The actual number of bots, the size of the botnets and the activity is highly controversial.
    – As of 2005/6: hundreds of thousands of bots
    – 1/4 of hosts are now part of bot-nets
    – Growing fast (many more bots)
  • Assertion: botnets are getting smaller(?!?)

SLIDE 17

What are botnets being used for?

  • 50 botnets
    – 100-20,000 bots/net
  • Clients/servers spread around the world
    – Different geographic concentrations

Activities we have seen (captured IRC traffic; the slide labels the four examples piracy, mining, attacks, hosting):

Stealing CD Keys (piracy):
ying!ying@ying.2.tha.yang PRIVMSG #atta :BGR|0981901486 $getcdkeys
BGR|0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :Microsoft Windows Product ID CD Key: (55274-648-5295662-23992).
BGR|0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :[CDKEYS]: Search completed.

Reading a user's clipboard (mining):
B][!Guardian@globalop.xxx.xxx PRIVMSG ##chem## :~getclip
Ch3m|784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :- [Clipboard Data]-
Ch3m|784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!!

DDoS someone (attacks):
devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0Fc1a :!pflood 82.147.217.39 443 1500
s7n|2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0Fc1a :\002Packets\002 \002D\002one \002;\002>\n
s7n|2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0Fc1a flooding....\n

Set up a web-server, presumably for phishing (hosting):
[DeXTeR]!alexo@l85-130-136-193.broadband.actcom.net.il PRIVMSG [Del]29466 :.http 7564 c:\\
[Del]38628!zaazbob@born113.athome233.wau.nl PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.

SLIDE 18

IRC

  • 1988 - one-to-many or many-to-many chat (for BBS)
  • Client/server -- TCP Port 6667
  • Used to report on the 1991 Soviet coup attempt
  • Channels (sometimes password protected) are used to communicate between parties.
    – Invisible mode (no list, not known)
    – Invite only (must be invited to participate)

[Diagram: a mesh of interconnected IRC servers]

SLIDE 19

IRC botnets

  • An army of compromised hosts (“bots”) coordinated via a command and control center (C&C). The perpetrator is usually called a “botmaster”.

“A botnet is comparable to compulsory military service for windows boxes” - Bjorn Stromberg

[Diagram: an IRC Server commanding Bots (Zombies), whose task is to “Find and infect more machines!”]

SLIDE 20

Typical (IRC) infection cycle

[Diagram of the infection cycle; one step is marked “Optional”]

Bots usually require some form of authentication from their botmaster

SLIDE 21

Infection

  • Worms, Trojan horses, backdoors
  • Note: the software on these systems is updated
  • Bot theft: bot controllers penetrate/"steal" bots.

SLIDE 22

Not only for launching attacks ...

  • Some botmasters pay very close attention to their bots
    – hence covert infiltration is important
  • In many cases, botmasters “inspect” their bots fairly regularly, and isolate certain bots (“cherry picking”)

#HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ]
#HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara
#HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s
#HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s
#HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" **
#HINDI-FILMZ :** -= #Hindi-Filmz=- **
#HINDI-FILMZ :** I M 100% Desi !! **
#HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB

That’s a lot of movies served! (~300)

SLIDE 23

Measuring botnet size

  • Two main categories
    – Indirect methods: inferring botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests)
    – Direct methods: exploiting internal information from monitoring botnet activity
SLIDE 24

How many bots?

  • Approach: infiltration templates based on collected honeynet data, e.g., observing compromised hosts that are identified within the channel
  • How many?
    – 1.1 million distinct user IDs used
    – 425 thousand distinct IP addresses
  • Issues:
    – NAT/DHCP?
    – “Cloaked” IP address (SOCKS proxies?)
    – Botnet membership overlap

SLIDE 25

Botnet size, what does it mean?

  • Infection Footprint: the total number of infected bots throughout a botnet’s lifetime
    – Relevance: how widespread the botnet infection is
  • Effective Botnet Size: the number of bots simultaneously connected to the command and control channel
    – Relevance: the botnet's capacity to execute botmaster commands (e.g., flood attacks)
  • An Example:
    – While a botnet appeared to have a footprint of 45,000 bots, the number of online bots (i.e. its effective size) was < 3,000
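The direct-measurement counts from slide 24 (distinct user IDs vs. distinct IP addresses) and the footprint vs. effective-size distinction from this slide, computed from a constructed log of a monitored C&C channel (an added example, not code from the lecture or from the study it draws on; the log format, the one-nick-equals-one-bot assumption and the addresses are assumptions):

```python
import re

# Constructed IRC-style channel log (not from the lecture or the study it cites):
#   "<t> :<nick>!<user>@<host> JOIN #chan"  or  "<t> :<nick>!<user>@<host> QUIT :<reason>"
# bot_a, bot_b and bot_e share one address (NAT); bot_c returns from a new one (DHCP).
LOG = """\
1 :bot_a!x@192.0.2.10 JOIN #cc
2 :bot_b!x@192.0.2.10 JOIN #cc
3 :bot_c!x@198.51.100.7 JOIN #cc
4 :bot_a!x@192.0.2.10 QUIT :ping timeout
5 :bot_d!x@203.0.113.4 JOIN #cc
6 :bot_c!x@198.51.100.7 QUIT :reboot
7 :bot_c!x@198.51.100.9 JOIN #cc
8 :bot_e!x@192.0.2.10 JOIN #cc
9 :bot_b!x@192.0.2.10 QUIT :ping timeout
garbage line the monitor could not parse
"""
PREFIX = re.compile(r"^(\d+) :([^!\s]+)![^@\s]+@(\S+) (JOIN|QUIT)\b")

def parse(log):
    """Yield (time, nick, host, event) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        m = PREFIX.match(line)
        if m:
            t, nick, host, event = m.groups()
            yield int(t), nick, host, event

def botnet_size(log):
    """footprint    = distinct nicks over the whole log (slide 25's infection footprint,
                      assuming one nick per bot; NAT hides bots, nick churn inflates it)
       distinct_ips = distinct hosts (slide 24's second count; NAT lowers, DHCP raises it)
       effective    = peak number of nicks joined at once (slide 25's effective size)."""
    nicks, hosts, online, peak = set(), set(), set(), 0
    for _t, nick, host, event in parse(log):
        nicks.add(nick)
        hosts.add(host)
        if event == "JOIN":
            online.add(nick)
            peak = max(peak, len(online))
        else:                                   # QUIT
            online.discard(nick)
    return {"footprint": len(nicks), "distinct_ips": len(hosts), "effective": peak}
```

On this log the footprint (5) exceeds the effective size (4) and the distinct-IP count (4) for exactly the reasons slide 24 lists: shared NAT addresses and a bot that rejoined from a new DHCP lease.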

SLIDE 26

Take away

  • Internet malware is used to gain control of hosts
    – Lots of them potentially
  • Worms: self-propagating malware
    – Lifecycle
      • Find, Infect, Propagate
    – Zero-day
  • Botnets
    – Network of zombies under command and control
    – Used for a variety of malicious purposes
    – Key concern: botnet size