Lecture 19 - Network Security

Lecture 19 - Network Security

CMPSC 443 - Spring 2012

Introduction Computer and Network Security

Professor Jaeger

Exploiting the network ...

• The Internet is extremely vulnerable to attack

– which adheres to the end-to-end principle

• smart end-points, dumb network

• Can you think of any

large-scale attacks

that would

be enabled by this setup?

Malware

•

Malware

- software that exhibits malicious behavior

(typically manifest on user system)

– virus - self-replicating code, typically transferring by shared media, filesystems, email, etc.

– worm - self propagating program that travels over the network

• The behaviors are as wide ranging as imagination

– backdoor - hidden entry point into system that allows quick access to elevated privileges

– rootkit - system replacement that hides adversary behavior – key logger - program that monitors, records, and potentially

transmits keyboard input to adversary

Worms

•

A worm is a self-propagating program.

•

As relevant to this discussion

1. Exploits some vulnerability on a target host … 2. (often) embeds itself into a host …

3. Searches for other vulnerable hosts … 4. Goto (1)

The Danger

• What makes worms so dangerous is that infection

grows at an exponential rate

– A simple model:

• s (search) is the time it takes to find vulnerable host

• i (infect) is the time is take to infect a host

– Assume that t=0 is the worm outbreak, the number of hosts at t=j is

2

(j/(s+i))

– For example, if (s+i = 1), how many hosts are compromised at time t=32?

The result

The Morris Worm

• Robert Morris, a 23 year old doctoral student from

Cornell

– Wrote a small (99 line) program – November 3rd, 1988

– Simply disabled the Internet

• How it did it

– Reads /etc/password, they tries the obvious choices and dictionary, /usr/dict words

– Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related

• Tries cracked passwords at related hosts (if necessary)

• Uses whatever services are available to compromise other hosts

– Scanned local interfaces for network information

– Covered its tracks (set is own process name to sh, prevented

Code Red

• Anatomy of a worm: Maiffret (good reading)

• Exploited a Microsoft IIS web-server vulnerability

– A vanilla buffer overflow (allows adversary to run code) – Scans for vulnerabilities over random IP addresses

– Sometimes would deface the served website

• July 16th, 2001 - outbreak

– CRv1- contained bad randomness (fixed IPs searched) – CRv2 - fixed the randomness,

• added DDOS of www.whitehouse.gov

• Turned itself off and on (on 1st and 16th of month)

– August 4 - Code Red II

• Different code base, same exploit

• Added local scanning (biased randomness to local IPs) • Killed itself in October of 2001

Worms and infection

• The effectiveness of a worm is determined by how good it is at identifying vulnerable machines

– Morris used local information at the host – Code Red used what?

• Multi-vector worms use lots of ways to infect

– E.g., network, DFS partitions, email, drive by downloads … – Another worm, Nimda did this

• Lots of scanning strategies

– Signpost scanning (using local information, e.g., Morris)

– Random IP - good, but waste a lot of time scanning dark or unreachable addresses (e.g., Code Red)

– Local scanning - biased randomness

Other scanning strategies

• Hit-list scanning

– Setup - use “low and slow” scanning to determine which hosts are vulnerable (i.e., create a hit list)

– Start the worm, passing the list of vulnerable hosts, reduce/ device the list at each host

– Gets past the slow start part, gets right into the exponential – Essentially removes the window to stop worm

0 500,000,000 1,000,000,000 1,500,000,000 2,000,000,000 2,500,000,000 3,000,000,000 3,500,000,000 4,000,000,000 4,500,000,000 5,000,000,000

Other scanning strategies

• The doomsday worm: a flash worm

• Staniford et al. argue this is feasible • Would contain a 48MB list

– Do the infect and split approach – Use a zero-day vulnerability

Worms: Defense Strategies

• (Auto) patch your systems: most, if not all, large worm

outbreaks have exploited known vulnerabilities (with patches) • Heterogeneity: use more than one vendor for your networks • Shield (Ross): provides filtering for known vulnerabilities, such

that they are protected immediately (analog to virus scanning)

• Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor

– This is the dominant method, getting sophisticated (Arbor Networks)

Operating System

Network Interface

• Quarantine - how do stop it once it is out?

– Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage

• Assume you have a LAN/WAN environment

– We have already talked about how to prevent – Q1: How do you recognize a worm?

– Q2: How do you stop a worm?

• Much work in this area ...

– number of new addresses contacted – number of incomplete IP handshakes

– number of connections to new local hosts (COI?)

• A

botnet

is a network of software robots

(bots) run on

zombie machines

which run are

controlled by

command and control

networks

–

IRCbots

- command and control over IRC

–

Bot herder

- owner/controller of network

– "

scrumping

" - stealing resources from a computer

• Surprising Factoid: the IRC server is

exposed.

• The actual number of bots, the size of the

botnets and the activity is highly controversial.

– As of 2005/6: hundreds of thousands of bots

– 1/4 of hosts are now part of bot-nets

– Growing fast (many more bots)

•

Assertion

: botnets are getting smaller(?!?)

What are botnets being used for?

Activities we have seen Stealing CD Keys:

[email protected] PRIVMSG #atta :BGR|0981901486 $getcdkeys

BGR|[email protected] PRIVMSG #atta :Microsoft Windows Product ID CD Key: (55274-648-5295662-23992).

BGR|[email protected] PRIVMSG #atta :[CDKEYS]: Search completed.

Reading a user's clipboard:

B][[email protected] PRIVMSG ##chem## :~getclip

Ch3m|[email protected] PRIVMSG ##chem##

:-[Clipboard Data]- Ch3m|[email protected] PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!!

DDoS someone:

[email protected] PRIVMSG #t3rr0r0Fc1a :!pflood 82.147.217.39 443 1500 s7n|[email protected] PRIVMSG #t3rr0r0Fc1a :\002Packets\002 \002D\002one \002;\002>\n s7n|[email protected] PRIVMSG #t3rr0r0Fc1a flooding....\n

Set up a web-server (presumably for phishing):

[DeXTeR][email protected] PRIVMSG [Del]29466

:.http 7564 c:\\ [Del][email protected] PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.

piracy

mining

attacks

• 1988 - one-to-many or many-to-many chat (for BBS) • Client/server -- TCP Port 6667

• Used to report on 1991 Soviet coup attempt

• Channels (sometimes password protected) are used to communicate between parties.

– Invisible mode (no list, not known)

– Invite only (must be invited to participate)

IRC

IRC botnets

• An army of compromised hosts (“bots”) coordinated via a

command and control center (C&C). The perpetrator is usually called a “botmaster”.

“A botnet is comparable to compulsory military service for windows boxes”

-- Bjorn Stromberg

IRC Server

Bots (Zombies)

Find and infect more

Typical (IRC) infection cycle

optional

• Worms, Trojan horses, backdoors

•

Note

: the software on these systems is updated

•

Bot theft

: bot controllers penetrate/"steal" bots.

Not only for launching attacks ...

• Some botmasters pay very close attention to

their bots

– hence

covert

infiltration is important

• In many cases, Botmasters “inspect” their bots

fairly regularly, and isolate certain bots (

“cherry

picking”

)

#HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ] #HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara

#HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s

#HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s

#HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" ** #HINDI-FILMZ :** -= #Hindi-Filmz=- **

#HINDI-FILMZ :** I M 100% Desi !! **

#HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB

#HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ] #HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara

#HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s

#HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s

#HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" ** #HINDI-FILMZ :** -= #Hindi-Filmz=- **

#HINDI-FILMZ :** I M 100% Desi !! **

#HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB

Measuring botnet size

• Two main categories

– Indirect methods: inferring botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests)

– Direct methods: exploiting internal information from monitoring botnet activity

• Approach: infiltration templates based on collected

honeynet

data, e.g., observing compromised hosts

that are identified within the channel

• How many?

– 1.1 million distinct user IDs used – 425 thousand distinct IP addresses

• Issues:

– NAT/DHCP?

– “Cloaked” IP address (SOCKS proxies?) – Botnet membership overlap

Botnet size, what does it mean?

• Infection Footprint: the total number of infected bots throughout a botnet’s lifetime

– Relevance: how wide spread the botnet infection

• Effective Botnet Size: the number of bots simultaneously connected to the command and control channel

– Relevance: the botnet capacity to execute botmaster commands (e.g., flood attacks)

• An Example:

– While a botnet appeared to have a footprint of 45,000 bots, the number of online bots (i.e. its effective size) was <

Take away

• Internet malware is used to gain control of hosts – Lots of them potentially

• Worms: self-propagating malware – Lifecycle

• Find, Infect, Propagate

– Zero-day • Botnets

– Network of zombies under command and control – Used for a variety of malicious purposes