Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
how to own the internet

how to own the internet

Ratings: (0)|Views: 20|Likes:
Published by mcgraf

More info:

Published by: mcgraf on Aug 24, 2007
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





How to 0wn the Internet in Your Spare Time
Stuart Staniford
Vern Paxson
Nicholas Weaver
Silicon Defense ICSI Center for Internet Research UC Berkeley
stuart@silicondefense.com vern@icir.org nweaver@cs.berkeley.edu
The ability of attackers to rapidly gain control of vastnumbers of Internet hosts poses an immense risk to theoverall security of the Internet. Once subverted, thesehosts can not only be used to launch massive denial of servicefloods, butalsotostealorcorruptgreatquantitiesof sensitive information, and confuse and disrupt use of the network in more subtle ways.We present an analysis of the magnitude of the threat.We begin with a mathematical model derived from em-piricaldataofthespreadofCodeRedIinJuly, 2001. Wediscuss techniques subsequently employed for achiev-ing greater virulence by Code Red II and Nimda. In thiscontext, wedevelopandevaluateseveralnew, highlyvir-ulent possible techniques: hit-list scanning (which cre-ates a
worm), permutation scanning (which en-ables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a
worm).We then turn to the to the threat of 
wormsthat spread more slowly but in a much harder to detect“contagion” fashion. We demonstrate that such a wormtoday could arguably subvert upwards of 10,000,000 In-ternet hosts. We also consider robust mechanisms bywhich attackers can control and update deployed worms.In conclusion, we argue for the pressing need to de-velop a “Center for Disease Control” analog for virus-and worm-based threats to national cybersecurity, andsketch some of the components that would go into sucha Center.
Research supported by DARPA via contract N66001-00-C-8045
Also with the Lawrence Berkeley National Laboratory, Universityof California, Berkeley.
Additional support from Xilinx, ST Microsystems, and the Cali-fornia MICRO program
1 Introduction
If you can control a million hosts on the Internet, youcan do enormous damage. First, you can launch dis-tributed denial of service (DDOS) attacks so immenselydiffuse that mitigating them is well beyond the state-of-the-art for DDOS traceback and protection technologies.Suchattackscouldreadilybringdowne-commercesites,news outlets, command and coordination infrastructure,specific routers, or the root name servers.Second, you can access any sensitive informationpresent on any of those million machines—passwords,credit card numbers, address books, archived email,patterns of user activity, illicit content—even blindlysearching for a “needle in a haystack,” i.e., informationthat might be on a computer somewhere in the Internet,for which you trawl using a set of content keywords.Third, not only can you access this information, but youcan sow confusion and disruption by corrupting the in-formation, or sending out false or confidential informa-tion directly from a user’s desktop.In short, if you could control a million Internet hosts,the potential damage is truly immense: on a scale wheresuch an attack could play a significant role in warfarebetween nations or in the service of terrorism.Unfortunatelyitisreasonableforanattackertogaincon-trol of a million Internet hosts, or perhaps even ten mil-lion. The highway to such control lies in the exploita-tion of 
: programs that self-propagate across theInternet by exploiting security flaws in widely-used ser-vices.
Internet-scale worms are not a new phenomenon[Sp89, ER89], but the severity of their threat has rapidlygrown with
the increasing degree to which the In-
We distinguish between the worms discussed in this paper—
active worms
email worms
) in that the latter requiresome sort of user action to abet their propagation. As such, they tend topropagate more slowly. From an attacker’s perspective, they also suf-fer from the presence of a large anti-virus industry that actively seeksto identify and control their spread.
    0    5    0    0    0    1    0    0    0    0    2    0    0    0    0
Days Since July 18, 2001
    D    i   s   t    i   n   c   t    R   e   m   o   t   e    H   o   s   t   s    A   t   t   a   c    k    i   n   g    L    B    N    L    J   u    l    1    9    A   u   g    1    S   e   p    1    S   e   p    1    9    O   c   t    1
Code Red I v2Code Red IINimda
Figure 1:
Onset of Code Red I v2, Code Red II, and Nimda:Number of remote hosts launching confirmed attacks corre-sponding to different worms, as seen at the Lawrence BerkeleyNational Laboratory. Hosts are detected by the distinct URLsthey attempt to retrieve, corresponding to the IIS exploits andattack strings. Since Nimda spreads by multiple vectors, thecounts shown for it may be an underestimate.
ternet has become part of a nation’s critical infrastruc-ture, and
the recent, widely publicized introductionof very large, very rapidly spreading Internet worms,such that this technique is likely to be particularly cur-rent in the minds of attackers.We present an analysis of the magnitude of the threat.We begin with a mathematical model derived from em-pirical data of the spread of Code Red I v2 in July andAugust, 2001 (Section 2). We then discuss techniquesemployed for achieving greater effectiveness and viru-lence by the subsequent Code Red II and Nimda worms(Section 3). Figures 1 and 2 show the onset and progressof the Code Red and Nimda worms as seen “in the wild.”In this context, we develop the threat of three newtechniques for highly virulent worms: hit-list scanning,permutation scanning, and Internet scale hit-lists (Sec-tion 4). Hit-list scanning is a technique for accelerat-ing the initial spread of a worm. Permutation scanningis a mechanism for distributed coordination of a worm.Combining these two techniques creates the possibilityof a
seemingly capable of infecting mostor all vulnerable targets in a few minutes to perhaps anhour. An extension of the hit-list technique creates a
worm, which appears capable of infecting the vul-nerable population in 10s of seconds:
so fast that nohuman-mediated counter-response is possible
.We then turn in Section 5 to the threat of a new class of 
So named for the quotation “In the future, everyone will have 15minutes of fame.”
    0    5    0    0    1    0    0    0    1    5    0    0    2    0    0    0
Days Since Sept. 20, 2001
    D    i   s   t    i   n   c   t    R   e   m   o   t   e    H   o   s   t   s    A   t   t   a   c    k    i   n   g    L    B    N    L    O   c   t    1    O   c   t    1    5    N   o   v    1    N   o   v    1    5    D   e   c    1    D   e   c    1    5    J   a   n    1    J   a   n    1    5
NimdaCode Red I v2Code Red II
Figure 2:
The endemic nature of Internet worms: Numberof remote hosts launching confirmed attacks corresponding todifferent worms, as seen at the Lawrence Berkeley NationalLaboratory, over several months since their onset. Since July,139,000 different remote Code Red I hosts have been con-firmed attacking LBNL; 125,000 different Code Red II hosts;and 63,000 Nimda hosts. Of these, 20,000 were observed tobe infected with two different worms, and 1,000 with all threeworms. (Again, Nimda is potentially an underestimate becausewe are only counting those launching Web attacks.)
worms. These spread more slowly, but in amuch harder to detect “contagion” fashion, masquerad-ing as normal traffic. We demonstrate that such a wormtoday could arguably subvert upwards of 10,000,000 In-ternet hosts.Then in Section 6, we discuss some possibilitiesby which an attacker could control the worm usingcryptographically-secured updates, enabling it to remaina threat for a considerable period of time. Even whenmost traces of the worm have been removed from thenetwork, such an “updatable” worm still remains a sig-nificant threat.Having demonstrated the very serious nature of thethreat, we then in Section 7 discuss an ambitious butwe believe highly necessary strategy for addressing it:the establishment at a national or international levelof a “Center for Disease Control” analog for virus-and worm-based threats to cybersecurity. We discussthe roles we envision such a Center serving, and offerthoughts on the sort of resources and structure the Cen-ter would require in order to do so. Our aim is not tocomprehensively examine each role, but to spur furtherdiscussion of the issues within the community.
2 An Analysis of Code Red I
The first version of the Code Red worm was initiallyseen in the wild on July 13th, 2001, according to RyanPermeh and Marc Maiffret of Eeye Digital Security[EDS01a, EDS01b], who disassembled the worm codeand analyzed its behavior. The worm spread by compro-mising Microsoft IIS web servers using the .ida vulner-ability discovered also by Eeye and published June 18th[EDS01c] and was assigned CVE number CVE-2001-0500 [CV01].Once it infected a host, Code-Red spread by launching99 threads which generated random IP addresses, andthen tried to compromise those IP addresses using thesame vulnerability. A hundredth thread defaced the webserver in some cases.However, the first version of the worm analyzed byEeye, whichcametobeknownasCRv1, hadanapparentbug. The random number generator was initialized witha fixed seed, so that all copies of the worm in a particularthread, on all hosts, generated and attempted to compro-mise exactly the same sequence of IP addresses. (Thethread identifier is part of the seeding, so the worm had ahundred different sequences that it explores through thespace of IP addresses, but it only explored those hun-dred.) Thus CRv1 had a linear spread and never com-promised many machines.On July 19th, 2001, a second version of the worm beganto spread. This was suspected informally via mailing listdiscussion, then confirmed by the mathematical analysiswe present below, and finally definitively confirmed bydisassembly of the new worm. This version came to beknown as CRv2, or Code Red I.Code Red I v2 was the same codebase as CRv1 in al-most all respects—the only differences were fixing thebug with the random number generation, an end to website defacements, and a DDOS payload targeting the IPaddress of 
.We developed a tentative quantitative theory of whathappened with the spread of Code Red I worm. The newversion spread very rapidly until almost all vulnerableIISserversontheInternetwerecompromised. Itstoppedtrying to spread at midnight UTC due to an internal con-straint in the worm that caused it to turn itself off. It thenreactivated on August 1st, though for a while its spreadwas suppressed by competition with Code Red II (seebelow). However, Code Red II died by design [SA01]on October 1, while Code Red I has continued to makea monthly resurgence, as seen in Figure 2. Why it con-tinues to gain strength with each monthly appearance re-mains unknown.
We call this model the Random Constant Spread (RCS)model. The model assumes that the worm had a goodrandom number generator that is properly seeded. Wedefine
as the total number of vulnerable servers whichcan be potentially compromised from the Internet. (Wemake the approximation that
is fixed—ignoring bothpatching of systems during the worm spread and normaldeploying and removing of systems or turning on andoff of systems at night. We also ignore any spread of theworm behind firewalls on private Intranets).
is the initial compromise rate. That is, the numberof vulnerable hosts which an infected host can find andcompromise per hour at the start of the incident, whenfew other hosts are compromised. We assume that
isa global constant, and does not depend on the processorspeed, network connection, or location of the infectedmachine. (Clearly, constant
is only an approxima-tion.) We assume that a compromised machine picksother machines to attack completely at random, and thatonce a machine is compromised, it cannot be compro-mised again, or that if it is, that does not increase therate at which it can find and attack new systems. Weassume that once it is compromised, it stays that way.
is a time which fixes when the incident happens.We then have the following variables:
is the proportion of vulnerable machines whichhave been compromised.
is the time (in hours).Now, we analyze the problem by assuming that atsome particular time
, a proportion of the machines
have been compromised, and then asking how manymore machines,
, will get compromised in the nextamount of time
. The answer is:
= (
(1)The reason is that the number of machines compromisedin the next increment of time is proportional to the num-ber of machines already compromised (
) times thenumber of machines each compromised machine can
One possibility is that, since the default install of Windows 2000server includes IIS, new vulnerable machines have been added to theInternet.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->