The Coral Project: Defending against Large-scale Attacks on the Internet. Chenxi Wang

Transcription

1 1 The Coral Project: Defending against Large-scale Attacks on the Internet Chenxi Wang

2 The Motivation 2 Computer viruses and worms are a prevalent threat Slammer worm infected 90% of the vulnerable hosts within 10 minutes Existing defenses are local (e.g., scanning) like curing a contagious disease in one patient Global and coordinated defenses like prevention of a contagious spread in a population

3 The Coral Project 3 Objective: Developing global defense mechanisms against propagation of viruses and worms Approach Understanding the global behaviors New defenses

4 Understanding Propagation Behaviors 4 Infection topology Random scanning vs. application-level Saturation time How fast does it spread? Epidemic conditions Why some infections take off while others don t? Effect of containment/patching strategies Containment deployment Prioritized patching/immunization?

5 Background Epidemiological Models 5 Susceptible Population Topology: G=(V,E) Birth rate β (on every edge e) Curing rate δ (on every node v) Average connections α Deterministic time evolution of infection density η t dη t dt = βαη (1 η ) t t δη t Birth term Death term

6 Background Epidemiological Models 6 infection evolution infection dens worm virus Time β = 0.5, α = 2, worm (δ = 0), virus (δ = 0.3)

7 Propagation Topology 7 Random Scanning Worms Close to homogeneous viruses/worms Power law social network, p(k) = k -γ Skewed distribution [Faloutsos 01]: Internet observes a power-law topology

8 Homogeneous vs. Power-law 8 Number of Infected Nodes Time α = 2 Simulation δ/β = 0.8 Model δ/β = 0.8 Simulation δ/β = 1.6 Model δ/β = 1.6 Simulation δ/β = 2.4 Model δ/β = 2.4 Simulation on the Oregon data shows discrepancy with the homogeneous model

9 9 Our Work: Topology-neutral Epidemic Model = + + = = :neighbor 1,,, 1, 2 1, 1,, 1,,, ) (1 ) (1 ) (1 1 j t j t k t k t i t k t i t k t i t i i t i t p p p p p p β ζ ζ δ ζ δ ζ η ζ k,t : probability a k-linked node will NOT receive infections p i,t : probability node i is infected at time t Epidemic Spreading: An Eigenvalue Viewpoint, Wang, Chakrabarti, Wang, Faloutsos, 2003 Symposium of Reliable and Distributed Systems. SRDS 03

10 Evaluation (homogeneous) Number of Infected N α = Time β = 0.2; δ = 0.24 β = 0.2; δ = 0.48 β = 0.2; δ = 0.72 Simulation Simulation Simulation Our Model Our Model Our Model hm Model hm Model hm Model 1000-node homogeneous network hm model Our model Simulation

11 Evaluation (power-law) 11 Number of Infected Nodes Time δ = 0.08 Simulation Our Model SV Model Real-world node Oregon network SV model Our model Simulation Equal or outperform predictions by models for specific topologies

12 Understanding Propagation Behaviors 12 Infection topology Random scanning vs. application-level Saturation time How fast does it spread? Epidemic conditions Why some infections take off while others don t? Effect of containment/patching strategies Containment deployment Prioritized patching/immunization?

13 Epidemic Threshold 13 Epidemic threshold τ predicts the condition for epidemic spreading If β/δ > τ, epidemic ensues If β/δ < τ, infection dies out Well known thresholds τ = 1/ α, for homogeneous network [kephart and white 91] τ 0, for infinite power-law graph [Pastor-Satorras 02] τ = α / α 2 for finite power-law graph [Pastor-Satorras 02] What is the threshold for an arbitrary topology?

14 Epidemic threshold 14 Epidemic threshold condition: τ = 1/ λ 1,A where λ 1,A is the largest eigenvalue of the adjacency matrix A of the topology Epidemic Spreading: An Eigenvalue Viewpoint 2003 Symposium of Reliable and Distributed Systems. SRDS 03

15 Epidemic Threshold Condition 15 [sufficiency]: If β/δ > τ = 1/ λ 1,A, the infection will die out over time, irrespective of initial infection size. [necessity]: If infection probability of each node 0 as t, β/δ < τ = 1/ λ 1,A must be true λ 1,A = α for homogeneous networks, τ = 1/ α λ 1,A = for infinite powerlaw graphs, τ = 0 λ 1,A α/ α 2 for finite powerlaw graphs, τ α 2 /α

16 Oregon 10900: τ = 0.017; δ c = Threshold Prediction in Action (Oregon) 16 Number of Infected Nodes Time δ: Oregon β = β/δ = 0.02 (above) β/δ = (at the threshold) β/δ = (below

17 Threshold Prediction in Action 17 Number of Infected Nodes β/δ = 0.08(below) Time δ: Star 100: τ = ; δ c = Star β= β/δ = 0.4 (above) β/δ = 0.2 (above) β/δ = (close)

18 Our Prediction vs. Previous Predictions 18 SV Our SV Our β/δ Oregon β/δ Star

19 Eigenvalue Threshold: Intuition 19 Eigenvalues for matrix A A X = λ X A t λ 1 t C Graph theory intuitions Eigenvalues correspond to size of clusters and the connectivity Stronger connections, larger clusters larger eigenvalues Larger eigenvalues: smaller threshold easier to spread

20 More about the Threshold Number of Infected Nodes Time δ: Below the threshold, the epidemic dies out exponentially Star 100 node: τ = ; δ = Phase transition behavior at the threshold Model β= 0.01

21 Understanding Propagation Behaviors 21 Infection topology Random scanning vs. application-level Saturation time How fast does it spread? Epidemic conditions Why some infections take off while others don t? Effect of containment/patching strategies Containment deployment Prioritized patching/immunization?

22 Patching and Immunization 22 Patch/immunization: fix host vulnerabilities

23 Prioritized Patching Strategy? 23 Eigen Nodes Increase the threshold Graph cutting minimum nodes so that the largest connected component is at most size k

24 Containment Deployment 24 Containment Slows down the malicious spread, buys time for heavy weight schemes [Williamson02] limits outgoing IP [Williamson03] limits addresses [Zhen04] limits outgoing IP for nodes with large failed connections Containment Deployment Strategies How many? Where? Dynamic Quarantine of Internet Worms 2004 Dependable Systems and Networks (DSN 04).

25 Deployment Strategy Study 25 Where would you deploy Rate Limiting (RL)? Hub node Leaf nodes

26 Star Topology Example 26 50% RL significantly more effective at the hub node

27 Deployment Strategy on the Internet 27 End hosts Edge routers Backbone routers

28 Worm Spread Model 28 dη t dt = βαη (1 η ) t t Birth term D η t = where λ=βα

29 End Host Rate Limiting 29 Gives the model for end host q: percentage rate limited β 1 : Normal contact rate β 2 Limited contact rate η t = RL on end host yields a linear slow down

30 End Host Rate Limiting 30 50%

31 Edge Router Rate Limiting 31 Random Propagation worms (RP) The worm connects to randomly generated IP addresses Every node in the network has an equal chance of being infected Local-Preferential worms (LPP) Worm generates local addresses with higher probability Propagates much faster locally before it infects remote machines

32 RP and LPP worms across subnets 32 50% Rate limiting for LPP is less effective across subnets

33 Backbone Rate Limiting 33 50% η t =

34 Simulation Evaluation 34 Network Simulator 2 (NS-2) based simulations Experiments conducted on a 1000 node power law graph Similar to AS topology Generated by BRITE Simulations begin with a random set of infected hosts

35 Simulations of Rate Limiting (RP) 35 50% RL at backbone routers renders a significant slowdown

36 Simulations of RL (LLP worms) 36 50% Local preferential worms spread quicker than RP worms

37 Simulations of Edge Router RL 37 50% RL for random propagation worms performs slightly better

38 Recap 38 Rate limiting on individual hosts Achieves linear slowdown Edge router rate limiting Achieves linear slowdown Backbone router rate limiting Near exponential slow down

39 Ongoing Work Worm Defenses Infected Host Behavior (sobig) All outgoing TCP flows All successful SMTP flows All failed SMTP conn. attempts Outgoing TCP flows Days A Study of Mass-mailing Worms 2004 Workshop of Rapid Malcode (WORM 04)

40 Worm Defenses Average Distinct IPs for Infected Clients (SoBig) All distinct IPs SMTP succ. conn. distinct IPs SMTP failed. conn. distinctips Number of distinct IPs Days

41 Worm Defenses 41 Williamson s throttling Pro: Effective against random scanning worms Con: Less so against application-level worms (e.g., worms) Con: Need majority participation Williamson s rate limiting Implemented on mail servers Con: worms with SMTP engines not affected Zhen rate limiting based on failed connection [Zhen2004] Pro: Effective against random scanning worms Con: Do not work against application-level worms

42 Worm Defenses 42 Hypothesis: containment based on DNS traffic? Random scanning worms have no DNS translations worms do, majority MX lookups New containment vantage point DNS server + Edge router?

43 SoBig DNS Behavior SMTP new DNS entries All TCP new DNS entries SMTP DNS refreshes All TCP DNS refreshes TCP flows Days

44 SoBig: Mail Server DNS Behavior SMTP new entries All TCP new entries SMTP refreshes All TCP refreshes 3500 TCP flows Days

45 SoBig: Normal Client DNS Behavior Average DNS Translations for Normal Clients (SoBig) SMTP new DNS entries All TCP new DNS entries SMTP DNS refreshes All TCP DNS refreshes TCP flows Days

46 Overall Flows Overall successful TCP flows (sobig) All successful SMTP flows All successful HTTP flows All successful flows TCP flows Days

47 Recap 47 worms induce large number of DNS MX lookups Hypothesis two stage rate limiting: Rate limit MX lookups (DNS server) Rate limit outgoing connections w/o DNS translations (edge router)

48 Open Research Questions 48 Rate limit within the network core How? Performance concerns? Optimal patching strategy Universal algorithm for arbitrary graphs? Alternative rate limit strategies? MX lookups? Connections w/o DNS translations? Connection patterns source to destination?

49 The Coral Project 49 CMU (ECE, CS, CERT, EPP), Symantec, Akamai John McHugh

50 Contact info 50 Chenxi Wang