
Early Detection of BGP Instabilities Resulting from Internet Worm Attacks

This is an interesting proposal, but I'm not sure that routing disruptions are the right place to detect the spread of a worm. After all, the preceding days' worth of posts showed how large the routing disruptions can be, but there's always some BGP disruption that is going on. What's more, only a small number of worms have truly impacted BGP routing tables.

The increasing incidences of worm attacks in the Internet and the resulting instabilities in the global routing properties of the Border Gateway Protocol (BGP) routers pose a serious threat to the connectivity and the ability of the Internet to deliver data correctly. In this paper we propose a mechanism to detect/predict the onset of such instabilities which can then enable the timely execution of preventive strategies in order to minimize the damage caused by the worm. Our technique is based on online statistical methods relying on sequential change-point and persistence filter based detection algorithms. Our technique is validated using a year's worth of real traces collected from BGP routers in the Internet that we use to detect/predict the global routing instabilities corresponding to the Code Red II, Nimda and SQL Slammer worms.

Source: Early Detection of BGP Instabilities Resulting from Internet Worm Attacks, S. Deshpande,  M. Thottan, B. Sikdar.
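The abstract names two ingredients, a sequential change-point statistic and a persistence filter, without giving either. The block below is an added example for this page, not code from the paper and not the authors' algorithm: a generic one-sided CUSUM detector and a run-length persistence filter applied to a constructed per-minute series of BGP UPDATE counts. The series, the parameters k and h, the winsorising clip and the confirmation window are assumptions chosen for the illustration.

```python
"""One-sided CUSUM change-point detector plus a persistence filter, run over a
constructed per-minute BGP UPDATE count series (illustration only; not the
paper's algorithm or data)."""
from statistics import mean, pstdev
from typing import List, Optional, Sequence


def cusum_alarms(series: Sequence[float], baseline_len: int,
                 k: float = 0.5, h: float = 4.5, clip: float = 3.0) -> List[bool]:
    """Page's CUSUM for an upward shift in the mean.

    The first `baseline_len` samples are assumed attack-free and supply the
    reference mean and standard deviation. Each sample is standardised to z
    and winsorised at `clip` standard deviations, so a single extreme sample
    cannot by itself carry the statistic far past the threshold and keep it
    there for many steps. S_t = max(0, S_{t-1} + z_t - k); an alarm is S_t > h.
    """
    base = series[:baseline_len]
    mu, sigma = mean(base), pstdev(base) or 1.0
    s = 0.0
    alarms = []
    for x in series:
        z = min((x - mu) / sigma, clip)
        s = max(0.0, s + z - k)
        alarms.append(s > h)
    return alarms


def persistence_filter(alarms: Sequence[bool], window: int) -> Optional[int]:
    """Confirm a change only after `window` consecutive CUSUM alarms.

    Returns the index at which the run completes, or None if it never does.
    """
    run = 0
    for t, a in enumerate(alarms):
        run = run + 1 if a else 0
        if run >= window:
            return t
    return None


def detect(series, baseline_len=40, window=3, **cusum_kw) -> Optional[int]:
    """Raw CUSUM alarms passed through the persistence filter."""
    return persistence_filter(cusum_alarms(series, baseline_len, **cusum_kw), window)


def first_raw_alarm(series, baseline_len=40, **cusum_kw) -> Optional[int]:
    """Index of the first unfiltered CUSUM alarm, for comparison."""
    alarms = cusum_alarms(series, baseline_len, **cusum_kw)
    return alarms.index(True) if True in alarms else None


# Constructed series (not measured data): 40 minutes of steady churn around
# 200 UPDATEs/min, a two-minute spike at t=40..41, a return to normal, then a
# sustained rise from t=50 of the kind a fast-spreading worm would cause.
SERIES = (
    [190, 200, 210, 200] * 10
    + [900, 900]
    + [200, 200, 190, 200, 210, 200, 190, 190]
    + [320, 350, 400, 500, 600, 700, 800, 800, 800, 800]
)

if __name__ == "__main__":
    print("first raw CUSUM alarm at minute", first_raw_alarm(SERIES))  # 41 (the spike)
    print("confirmed change-point at minute", detect(SERIES))          # 53 (the rise)
```

Run as written, the raw CUSUM first alarms at minute 41 on the two-minute spike and again at 42, but the run dies before three consecutive alarms, so the persistence filter rejects it; the sustained rise from minute 50 is confirmed at minute 53. Without the clip, one 900-UPDATE sample would push the statistic to roughly 99 standard deviations and keep it above h for a couple of hundred minutes, which is why the winsorising step is there.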

September 30, 2005 in Code Red, detection, Nimda, papers, routing, SQLSlammer

Observation and Analysis of BGP Behavior Under Stress

Continuing with the theme of a worm outbreak's effect on routing, here is a NANOG presentation on the effect of Code Red and Nimda on routing in September 2001.

Despite BGP's critical importance as the de-facto Internet inter-domain routing protocol, there is little understanding of how BGP actually performs under stressful conditions when dependable routing is most needed. In this paper, we examine BGP's behavior during one stressful period, the Code Red/Nimda attack on September 18, 2001.

The attack was correlated with a 30-fold increase in BGP update messages at a monitoring point that peers with a number of Internet service providers. Our examination of BGP's behavior during the event concludes that BGP exhibited no significant abnormality, and that over 40% of the observed updates can be attributed to the monitoring artifact in current BGP measurement settings.

Our analysis, however, does reveal several weak points in both the protocol and its implementation, such as BGP's sensitivity to transport session reliability, its inability to avoid the global propagation of small local changes, and certain implementation features whose otherwise benign effects are only amplified under stressful conditions. We also identify areas for improvement in the current network measurement and monitoring effort.

Source: abstract of Observation and Analysis of BGP Behavior Under Stress, Lan Wang, Xiaoliang Zhao, Dan Pei, Randy Bush, Daniel Massey, Allison Mankin, Felix Wu, Lixia Zhang.

September 29, 2005 in Code Red, Nimda, routing, slides

A first look at Saturday’s MS-SQL worm as seen by BGP activity recorded by the RIS project

Here's a very short (10 slides) slide deck presented at the RIPE 44 meeting a couple of years ago: A first look at Saturday's MS-SQL worm as seen by BGP activity recorded by the RIS project, James Aldridge, Arife Vural, RIPE NCC New Projects group. It adds more routing data on the effect of SQLSlammer, showing that while the disruptions were very real and widespread, their impact was minimal once the larger Internet topology is taken into account.

September 28, 2005 in routing, slides, SQLSlammer

Importance-Scanning Worm Using Vulnerable-Host Distribution

This is a short paper (only 6 pages), but it brings up an interesting approach backed by game theory.

Most Internet worms use random scanning. The distribution of vulnerable hosts on the Internet, however, is highly non-uniform over the IP-address space. This implies that random scanning wastes many scans on invulnerable addresses, and more virulent scanning schemes may take advantage of the non-uniformity of a vulnerable-host distribution. Questions then arise how attackers may make use of such information, and how virulent the resulting worm may be. These issues provide "worst-case scenarios" for defenders and "best-case scenarios" for attackers if the vulnerable-host distribution is available. This work develops such a scenario as the so-called importance scanning. Importance scanning results from Importance Sampling in statistics that scans IP-address space according to an empirical distribution of vulnerable hosts. An analytical model is developed to relate the infection rate of worms with the importance scanning strategies. Experimental results based on parameters chosen from Code Red and Slammer worms show that an importance-scanning worm can spread much faster than both a random-scanning worm and a routing worm. Furthermore, a game-theory approach suggests that the best strategy for defenders is to scatter applications uniformly in the entire IP address space.

Source: Importance-Scanning Worm Using Vulnerable-Host Distribution, Zesheng Chen and Chuanyi Ji.
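To make the comparison in the abstract concrete, here is an added example, not the paper's model or data: a small deterministic epidemic model in which the IPv4 space is split into 256 groups of 2^24 addresses and a scanning strategy is a probability vector over those groups. Random scanning weights each group by its size; importance scanning weights it by the number of vulnerable hosts it holds. The two vulnerable-host distributions, the 409,600-host population, the scan rate and the step length are constructed assumptions. The example also carries the defender's side of the game-theoretic point: with hosts spread uniformly, importance scanning degenerates into random scanning.

```python
"""Deterministic model of worm spread under random vs. importance scanning
(illustration added for this page; not the paper's model or data)."""
from typing import List, Optional, Sequence

GROUPS = 256                  # address space modelled as 256 /8 groups
GROUP_SIZE = 2 ** 24          # addresses per group
OMEGA = GROUPS * GROUP_SIZE   # 2**32, the whole IPv4 space


def random_scanning() -> List[float]:
    """Uniform random scanning: a group is chosen in proportion to its size."""
    return [GROUP_SIZE / OMEGA] * GROUPS


def importance_scanning(vulnerable: Sequence[int]) -> List[float]:
    """Static importance scanning: a group is chosen in proportion to the
    number of vulnerable hosts it holds (the empirical distribution)."""
    total = sum(vulnerable)
    return [v / total for v in vulnerable]


def initial_speedup(vulnerable: Sequence[int]) -> float:
    """Ratio of initial infection rates, importance over random scanning:
    OMEGA * sum(V_i^2) / (V^2 * N_i). Equals 1.0 when hosts are spread
    uniformly and grows as the distribution concentrates."""
    total = sum(vulnerable)
    return OMEGA * sum(v * v for v in vulnerable) / (total ** 2 * GROUP_SIZE)


def simulate(p: Sequence[float], vulnerable: Sequence[int], scan_rate: float,
             steps: int, seed_group: int = 0) -> List[float]:
    """Discrete-time deterministic epidemic model.

    Each step every infected host sends `scan_rate` scans; a scan aimed at
    group i hits a not-yet-infected vulnerable host with probability
    (V_i - I_i) / N_i. Returns the total infected count after each step.
    """
    infected = [0.0] * GROUPS
    infected[seed_group] = 1.0  # one initially infected host (assumed)
    history = []
    for _ in range(steps):
        scans = scan_rate * sum(infected)
        for i in range(GROUPS):
            new = scans * p[i] * (vulnerable[i] - infected[i]) / GROUP_SIZE
            infected[i] = min(float(vulnerable[i]), infected[i] + new)
        history.append(sum(infected))
    return history


def steps_to_fraction(history: Sequence[float], total_vulnerable: int,
                      fraction: float) -> Optional[int]:
    """First step at which at least `fraction` of vulnerable hosts are infected."""
    target = fraction * total_vulnerable
    for t, n in enumerate(history):
        if n >= target:
            return t
    return None


def compare(vulnerable: Sequence[int], scan_rate: float = 1000,
            steps: int = 400, fraction: float = 0.5) -> dict:
    """Steps needed to infect `fraction` of the population under each
    strategy, plus the analytic initial speedup."""
    total = sum(vulnerable)
    rand = simulate(random_scanning(), vulnerable, scan_rate, steps)
    imp = simulate(importance_scanning(vulnerable), vulnerable, scan_rate, steps)
    return {
        "random": steps_to_fraction(rand, total, fraction),
        "importance": steps_to_fraction(imp, total, fraction),
        "initial_speedup": initial_speedup(vulnerable),
    }


# Constructed distributions (not measured): 409,600 vulnerable hosts in total.
# SKEWED packs them into 16 of the 256 groups; UNIFORM spreads them evenly,
# which is the defender strategy the abstract recommends.
SKEWED = [25600 if i < 16 else 0 for i in range(GROUPS)]
UNIFORM = [1600] * GROUPS

if __name__ == "__main__":
    print("skewed :", compare(SKEWED))   # importance far sooner; speedup 16.0
    print("uniform:", compare(UNIFORM))  # identical runs; speedup 1.0
```

With the skewed distribution the analytic initial speedup is 16 (the inverse of the fraction of groups that hold hosts), and the simulation reaches half the population roughly an order of magnitude sooner under importance scanning than under random scanning. With the uniform distribution the two probability vectors coincide exactly, so the runs are identical: that is the abstract's game-theoretic result in miniature.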

September 27, 2005 in defense, papers

Worm Mitigation Technical Details

If you've been wondering how some very large networks have been able to use their network layer to defeat worm outbreaks, you should look over this Cisco technical document. It shows you how to track and defeat worms using NetFlow analysis tools.

Internet worms have had a severe impact on many enterprise customers. Recently developed tools and architectural techniques can be employed to assist with the mitigation of worm activity in an enterprise environment.

This paper provides:

  • A conceptual overview of worm mitigation techniques
  • Details for deployment of these techniques into an overall solution for enterprise customers
This document has been written from a solution standpoint. It is primarily designed to provide a tool kit for dealing with the issue of Internet worms within an enterprise environment. Although this is the primary motivation of this document, the overall solution has application well beyond this primary purpose and additionally provides capability for detecting and responding to other security incidents.

Source: Worm Mitigation Technical Details, Cisco Systems website.

September 26, 2005 in defense, tools

Sapphire/Slammer Worm Impact on Internet Performance

SQLSlammer caused one of the largest routing impacts ever attributed to malicious code. This report looks at the effects and presents several measurements taken during the worm's outbreak in January 2003.

Looking at all data we can conclude that the Internet did not come to a global "meltdown" even though some individual sites were highly affected by this worm. Sixty percent of the measured relations do not show any sign of deterioration. This indicates most backbone links were fine and the problems were localized in edge sites or their immediate upstream provider. Also, eleven of the thirteen root servers remained accessible.

This data clearly shows that many of the routine measurements taken by the RIPE NCC can be used to detect widespread problems in the Internet infrastructure and to differentiate them from local problems. This can be crucial information to NOCs at the time of a problem. We are investigating how we can combine this data and make it available in real time.

Source: Sapphire/Slammer Worm Impact on Internet Performance, James Aldridge, Daniel Karrenberg, Henk Uijterwaal and René Wilhelm, New Projects Group / RIPE NCC, February 10, 2003.

September 24, 2005 in slides, SQLSlammer

Call for Participation: Workshop on Rapid Malcode (WORM 2005)

Thank you to Angelos D. Keromytis for passing this on.

In the last several years, Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. The vehicles for these outbreaks, malicious codes called "worms", take advantage of the combination of software monocultures and the uncontrolled Internet communication model to quickly compromise large numbers of hosts. Such worms are increasingly being used as delivery mechanisms for various types of malicious payloads, including remote-controlled "zombies", spyware and botnets. Recent incidents have also revealed the use of new propagation techniques as well as the use of worms to target small user communities or specific applications. Current operational practices have not been able to manage these threats effectively.

WORM 2005 is the 3rd in a series of one-day annual workshops focusing on the problem of self-propagating malicious programs. The workshop brings together researchers and security practitioners from academia, industry and the government. WORM will be held in conjunction with the ACM CCS conference, on November 11, 2005 at George Mason University (GMU), Fairfax campus.

The workshop program, which consists of a mix of invited talks and presentations of refereed papers, can also be found at:
      http://www1.cs.columbia.edu/~angelos/worm05/worm-prog.html

The WORM 2005 web page:
      http://www1.cs.columbia.edu/~angelos/worm05

WORM is sponsored by ACM SIGSAC with contributions from DARPA.

September 23, 2005 in events

The Evolution of Malicious Agents

I enjoy studying history, mainly because it helps you understand where you may find things heading in the near term. This paper is no different.

In the context of this paper, a malicious agent is a computer program that operates on behalf of a potential intruder to aid in attacking a system or network. Historically, an arsenal of such agents consisted of viruses, worms, and trojanized programs. By combining key features of these agents, attackers are now able to create software that poses a serious threat even to organizations that fortify their network perimeter with firewalls.

This paper examines the evolution of malicious agents by first looking at replication and propagation mechanisms of programs such as the Morris Worm and the Melissa Virus. These programs are effective for illustrating the rate at which malicious agents can spread, as well as for demonstrating the ease with which they are able to penetrate the organization's network defenses.

Next, the paper discusses spying viruses such as Caligula, Marker and Groov, which, after infecting a computer system, report their findings to the home base. These viruses are limited in that their behavior has to be programmed in advance. However, they are especially dangerous because they utilize outbound connections to communicate with their authors, and can be used as powerful reconnaissance scanners. Because many firewall policies do not restrict outbound traffic such as HTTP and FTP, these viruses are able to stay in contact with their authors even when operating in an organization that considers itself secured from the outside.

The paper proceeds by analyzing features and limitations of remotely controlled agents such as Back Orifice and NetBus, as well as of distributed denial-of-service software such as Trinoo and TFN. These programs can provide attackers with the ability to remotely issue commands on the infected machine. In addition, distributed denial-of-service programs have the ability to coordinate actions of multiple agents, providing their operators with multiple attack launching points. However, current versions of these programs do not have the propagation capabilities of viruses and worms, and are effectively prevented from accepting commands from the operator by most firewalls because the controlling traffic is primarily inbound.

Finally, the paper details the possibility of a new breed of malicious agents that combine propagation capabilities of old-fashioned viruses and worms with the interactivity of remotely controlled agents by using outbound traffic to obtain instructions. In particular, the paper focuses on the RingZero trojan, as an example of an existing malicious agent that already exhibits many of these characteristics.

As the result of such evolution, organizations may be faced with a remotely controlled worm that has the ability to infiltrate networks via open channels such as e-mail or Web browsing, can be controlled via outbound connections such as HTTP and FTP, which can pass through many firewalls, and has propagation capabilities that maximize its ability to perform an effective distributed attack.

Source: The Evolution of Malicious Agents by Lenny Zeltser.

September 22, 2005 in malware, papers

Non Conventional Virus Attack

Another paper on the "worst case scenario", but this one takes a slightly different tack with respect to the targets.

A cyber-attack by means of "non-conventional" viruses or worms adapted to the telecom world (SDH equipment, management networks, management systems, satellite receivers, etc.) could render all the main telecommunication networks of a country unusable, paralyzing activity in critical sectors such as the electrical, audio-visual and banking sectors at the same time (as long as the attack was planned and executed simultaneously on all the networks). We present here a new vision of the existing threats regarding critical telecommunication infrastructures and Homeland Security.

Source: Non Conventional Virus Attack by Raul Alvarez.

September 21, 2005 in new trends, papers

Malicious Code in Depth

Worms are just one of the types of malware found on the Internet. This short write-up introduces the common types of malware, the traits they share and where they differ.

Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated threats to computer systems are presented by malicious code that exploits vulnerabilities in those systems. Any code that modifies or destroys data, steals data, allows unauthorized access, exploits or damages a system, or does something the user did not intend is called malicious code. This paper will briefly introduce you to the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs and worms.

Source: Malicious Code in Depth by Mohammad Heidari, December 1, 2004.

September 20, 2005 in malware, papers