Internet Outbreaks Epidemiology and Defenses

Transcription

1 Internet Outbreaks Epidemiology and Defenses Geoffrey M. Voelker Collaborative Center for Internet Epidemiology and Defenses (CCIED) Computer Science and Engineering g UC San Diego February 28, 2007 With David Anderson, Jay Chen, Cristian Estan, Chris Fleizach, Ranjit Jhala, Flavio Junqueira, Erin Kenneally, Justin Ma, John McCullough, David Moore, Vern Paxson (ICSI), Stefan Savage, Colleen Shannon, Sumeet Singh, Alex Snoeren, Stuart Staniford (Nevis), Amin Vahdat, Erik Vandekeift, George Varghese, Michael Vrable, Nick Weaver (ICSI), Qing Zhang 1 Paradise Lost Our Goal Develop the understanding and technology to address large-scale subversion of Internet hosts Yahoo! and UPF 2 1

2 Threat Transformation Traditional threats Modern threats Attacker manually targets high-value system/resource Defender increases cost to compromise high-value systems Biggest threat: insider attacker Attacker uses automation to target all systems at once (can filter later) Defender must defend all systems at once Biggest threats: software vulnerabilities & naïve users Yahoo! 3 Large-Scale Enablers Unrestricted high-performance connectivity Large-scale adoption of IP model for networks & apps Internet is high-bandwidth, low-latency The Internet succeeded! Software homogeneity & user naiveté Single bug mass vulnerability in millions of hosts Trusting users ( ok ) mass vulnerability in millions of hosts Lack of meaningful deterrence Little forensic attribution/audit capability Effective anonymity No deterrence, minimal risk Yahoo! 4 2

3 Driving Economic Forces Emergence of profit-making payloads Spam forwarding (MyDoom.A backdoor, SoBig), Credit Card theft (Korgo), DDoS extortion, (many) etc Virtuous economic cycle transforms nature of threat Commoditization of compromised hosts Fluid third-party exchange market (millions)» Going rate for Spam proxying 3-10 cents/host/week Seems small, but 25k botnet gets you $40k-130k/yr» Raw bots,.01$+/host, Special orders ($50+) Hosts effectively becoming a criminal platform Innovation in both host substrate and its uses Sophisticated infection and command/control networks DDoS, SPAM, piracy, phishing, identity theft are all applications Yahoo! 5 Botnet Spammer Rental Rates >20-30k always online SOCKs4, url is de-duped and updated every >10 minutes. 900/weekly, Samples will be sent on request. >Monthly payments arranged at discount prices. 3.6 cents per bot week >$350.00/weekly - $1,000/monthly (USD) >Always Online: 5,000-6,000 >Updated every: 10 minutes 6 cents per bot week >$220.00/weekly - $800.00/monthly (USD) >Always Online: 9,000-10,000 >Updated every: 5 minutes 2.5 cents per bot week September 2004 postings to SpecialHam.com, Spamforum.biz Yahoo! and UPF 6 3

4 Why Worms? All of these applications depend on automated mechanisms for subverting large numbers of hosts Self-propagating programs continue to be the most effective mechanism for host subversion Prevent automated subversion severely undermine phishing, DDoS, extortion, etc. Our Goal: Develop the understanding and technology to address large-scale subversion of Internet hosts Yahoo! 7 Today Worm outbreaks What are we up against? Framing the worm problem and solutions What are our options? Two worm detection and monitoring techniques Fundamental basis for understanding and defending against large-scale Internet attacks EarlyBird: High-speed network-based content sifting Potemkin: Large-scale high-fidelity honeyfarm Current projects Yahoo! 8 4

5 Network Telescopes Idea: Unsolicited packets evidence of global phenomena Backscatter: response packets sent by victims provide insight into global prevalence of DoS attacks (and who is getting attacked) Scans: request packets can indicate an infection attempt from a worm (and who is current infected, growth rate, etc.) Very scalable: CCIED Telescope monitors 17M+ IP addrs (> 1% of all routable addresses of the Internet) Yahoo! : A DoS Odyssey Inferring global Internet DoS attacks using backscatter 4,000 DoS attacks/week, everyone a victim, intense, periodic Yahoo! and UPF 10 Moore et al., Inferring Internet Denial of Service Activity, USENIX Security,

6 2001: A Worm Odyssey CodeRed worm released in July 2001 Exploited buffer overflow in Microsoft IIS Infects 360,000 hosts in 14 hours (CRv2)» Propagation is limited by latency of TCP handshake Moore et al, CodeRed: a Case study Yahoo! on and the UPF Spread of an Internet Worm, IMW 2002 and 11 Staniford et al, How to 0wn the Internet in your Spare Time, USENIX Security 2002 Fast Worms Slammer/Sapphire released in January 2003 First ~1 min behaves like classic scanning worm» Doubling time of ~8.5 seconds >1 min worm saturates access bandwidth» Some hosts issue > 20,000 scans/sec» Self-interfering Peaks at ~3 min» >55 million IP scans/sec 90% of Internet t scanned in <10 mins Moore et al, The Spread of the Sapphire/Slammer Worm, IEEE Security Yahoo! and UPF 12 & Privacy, 1(4),

7 Was Slammer really fast? Yes, it was orders of magnitude faster than CodeRed No, it was poorly written and unsophisticated Who cares? It is literally an academic point The current debate is whether one can get < 500ms Bottom line: way faster than people! Staniford et al, The Top Speed of Flash Worms, ACM WORM, 2004 Yahoo! 13 Understanding Worms Worms are well modeled as infectious epidemics Homogeneous random contacts Classic SI model N: population size S(t): susceptible hosts at time t I(t): infected hosts at time t β: contact rate i(t): I(t)/N, s(t): S(t)/N i e 1+ e β ( t T ) ( t) = β ( t T ) Staniford, Paxson, Weaver, How to 0wn the Internet Yahoo! and UPF 14 in Your Spare Time, USENIX Security

8 What Can We Do? 1) Reduce number of susceptible hosts S(t) Prevention 2) Reduce number of infected hosts I(t) Treatment 3) Prepare for the inevitable N Survival 4) Reduce the contact rate β Containment t Yahoo! 15 Prevention Reduce # of susceptible hosts S(t) Software quality: eliminate vulnerability Static/dynamic testing [e.g., Cowan, Wagner, Engler] Active research community, taken seriously in industry» Security code review alone for Windows Server 2003 ~ $200M Traditional problems: soundness, completeness, usability Software updating: reduce window of vulnerability Most worms exploit known vulnerability (10 days 6 months)» Sapphire: Vulnerability & patch July 2002, worm January 2003 Some activity (Shield [Wang04]), yet critical problem Is finding security holes a good idea? [Rescorla04] Software heterogeneity: reduce impact of vulnerability Artificial heterogeneity [Forrest02] Exploit existing heterogeneity [Junqueira05] Yahoo! 16 8

9 Treatment Reduce # of infected hosts I(t) Disinfection: Remove worm from infected hosts Develop specialized vaccine in real-time Distribute at competitive rate» Counter-worm, anti-worm Code Green, CRclean, Worm vs. Worm [Castaneda04]» Exploit vulnerability, patch host, propagate Seems tough [Weaver06]» Legal issues of using exploits, even if well-intentioned» Propagation race problem Automatically patch vulnerability [Keromytis03], [Sidiroglou05] Auto-generate and test patches in sandbox Apply within administration domain Requires source, targets known exploits (e.g., overflows) Yahoo! 17 Survival Prepare for inevitable Game of escalation Approach: Informed replication Worms represent large-scale dependent failures Model software configurations model dependent failures Replicate data on hosts with disjoint configurations Exploit existing software heterogeneity Even with software skew, only need 3 replicas Phoenix Cooperative backup system using informed replication [Junqueira et al., Surviving Internet Catastrophes, USENIX 2005] Yahoo! 18 9

10 Reactive Containment Reduce contact rate β Slow worm down Throttle connection rate to slow spread [Twycross03] Important capability, but worm still spreads Quarantine Detect and block worm How feasible is it? Yahoo! 19 Defense Requirements Any reactive defense is defined by: Reaction time how long to detect worm, propagate information, and activate response Containment strategy how malicious behavior is identified Deployment scenario who participates in the system Given these, what are the engineering requirements for any effective defense? [Moore et al., Internet Quarantine: Requirements for Containing Self-Propagating Code, Infocom 2003] Yahoo! 20 10

11 Containment Requirements Universal deployment for Code Red Address filtering g( (blacklists), must respond < 25 mins Content filtering (signatures), must respond < 3 hours For faster worms (slammer): seconds Worse for non-universal deployment Bottom line: very challenging (at global scale) Reaction time e Yahoo! and UPF 21 Propagation rate (probes/sec) Scalable Detection and Monitoring Detection and monitoring are fundamental for understanding and defending against worms Lessons from containment Need to detect worms in less than a second How can we do this? Know thy enemy What does the worm/virus/bot do? Who is controlling it? Yahoo! 22 11

12 Signature Inference Challenge: In less than a second Detect worm probes Characterize worm packets with a byte signature Approach Monitor network Identify packets with common strings spreading like a worm Use signature for content filtering Yahoo! 23 Content Sifting Assume unique, invariant string W for all worm probes Works today, but not forever Consequences Content prevalence: W more common in worm traffic Address dispersion: traffic with W has many distinct src/dests Content Sifting Identify W with high prevalence and high dispersion Use W as filter signature in network [Singh et al., Automated Worm Fingerprinting, OSDI 2004] Yahoo! 24 12

13 Content Sifting in Early Bird Challenges: Time and space Must touch every byte in all packets (1 Gbps 12 us/packet) Simple algorithm consumes 100 MB/s of memory Approach: Careful algorithms and data structures Incremental hash functions Value-based sampling Multi-state filters and multi-resolution and counting bitmaps Combined: 60 us/packet in software Works well in practice Deployed at UCSD CSE for 8 months Detected every worm outbreak reported on security lists Identified unknown worms (Kibvu, Sasser) Yahoo! 25 Tech Transfer Content sifting technologies patented by UC and licensed to startup, Netsift Inc. Netsift significantly improved performance, features Hardware implementation, new capabilities In June 2005, Netsift was acquired by Cisco Yahoo! 26 13

14 Going Further Network telescopes, content sifting have limitations Passive observation, no interaction with malware Lexical domain is limited» Evasion through polymorphism, protocol framing, encryption Want to answer deeper questions What does a worm/virus/bot do? What vulnerabilities are exploited, and how? Who is controlling it, how is it controlled? Alternative: Endpoint monitoring Yahoo! 27 Scalability/Fidelity Tradeoff Telescopes + Responders (isink, honeyd, Internet Motion Sensor) Network Telescopes (passive) VM-based Honeynet (e.g., Collapsar) Live Honeypot Most Scalable Highest Fidelity Yahoo! 28 14

15 Can We Achieve Both? Naïve approach: one machine per IP address 1M addresses = 1M hosts = $2B+ investment Overkill most resources will be wasted In truth, only necessary to maintain the illusion of continuously live honeypot systems Maintain illusion on the cheap using Network multiplexing Host multiplexing Yahoo! 29 Network-Level Multiplexing Most addresses are idle at any given time Late bind honeypots to IP addresses Most traffic does not cause an infection Recycle honeypots if can t detect anything interesting Only maintain honeypots of interest for extended periods One honeypot for every IP addresses Yahoo! 30 15

16 Host-level multiplexing CPU utilization in each honeypot is quite low (<<1%) Use VMM to multiplex honeypots on single machine Done in practice, but limited by memory bottleneck Memory coherence property Few memory pages are actually modified in input Share unmodified pages between VMs copy-on-write One physical machine for honeypots Yahoo! 31 Potemkin: A High-Fidelity, Large-Scale Honeyfarm Gateway: Multiplexes traffic onto VM honeypots Potemkin VMM: Multiplexes VMs on servers Yahoo! and UPF 32 Vrable et al., Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm, SOSP

17 Potemkin VMM Modified Xen using shadow translate mode Integrated into VT for Windows support Clone manager instantiates frozen VM image and keeps it resident in physical memory Flash cloning: memory instantiated via eager copy of PTE pages and lazy faulting of data pages (no software startup) Delta virtualization: copy implemented as copy-on-write (no memory overhead for shared code/data) Supports hundreds of simultaneous VMs per host Overhead: currently takes ms to create new VM Imperceptible to human user and under TCP handshake timeout Wildly unoptimized (e.g., includes multiple Python invocations)» Pre-allocated VM s can be invoked in ~5ms Yahoo! 33 Summary Internet hosts are highly vulnerable to worm outbreaks Millions of hosts can be taken before anyone realizes Supports vibrant ecosystem of criminal activity Containment (Quarantine) requires automated response Prevention is a critical element, but outbreaks inevitable Need scalable detection, can also plan to survive (Phoenix) Different detection strategies, monitoring approaches High-speed network-based content t sifting (EarlyBird) Large-scale high-fidelity honeyfarm (Potemkin) Smart bad guys still have a huge advantage Escalation: Rapid innovation in both problems and solutions Yahoo! 34 17

18 Underground Economy Acquisition, trade, liquidation of illicit digital goods ccard, phishing, bots, malware, scams, Online markets, market enablers, cash out, Hypothesis: Understanding the underground economy will help us develop/target technology Where are economic bottlenecks? Where is value-chain brittle? Where are participants exposed? Transaction volume/price dynamism? Data sources Spam, IRC feeds/web forums, phishing drop sites Have one spam feed (200K/day), developing relationships for others but always looking for more data Yahoo! 35 Spamscatter Monitor scam sites advertised in spam Extract URLs to scams from spam Probe, download pages for a week Identify multiple sites for the same scam Image shingling: tolerates ad rotation, etc. Workload Spam from 4-letter TLD (200,000 spams/day) What do we find? 2,300 scams/week 60% scam sites in U.S.» (vs. 13% spam relays) Only 10% scams malicious» (vs. pharm, s/w, merchandise, etc.) 38% sites hosted multiple scams Yahoo! 36 18

19 Other Projects Self-moderating outbreaks (get 80% and stop) [Ma05] Prevalence of polymorphism p in exploits [Ma06] Forensics with honeyfarm Network dynamics, network and host support Data-centric attribution and policy enforcement These files should not leave the corporate network These files always need to be encrypted on disk/network And any objects derived from them ( s w/ attachments, cutand-paste, etc.) Use generalized taint mechanisms and virtual machines Privacy-preserving packet attribution Attribution: routers, hosts can verify packet sources Privacy: but not reveal contents Attribution one step towards deterrence Yahoo! 37 For More Info Yahoo! and UPF 38 19