Lesson 11.1 - 11.3 - Internet Worms, Spam, Denial of Service Attacks Flashcards

1
Q

Virus

A

an infection of an existing program that results in the modification of the original program’s behavior
* Typically requires user action to spread (opening an attachment, running an executable file, etc.)

2
Q

Worm

A

code that propagates/replicates across the network

  • Usually spread by exploiting flaws in existing programs or open services
  • Propagate automatically
3
Q

Types of viruses

A
  • Parasitic: attaches itself to an existing executable file and runs whenever that file runs
  • Memory-resident: stays resident in memory after its host program runs and infects other programs as they are executed
  • Boot-sector: lives in the boot sector of a disk and runs whenever the system is booted from it
  • Polymorphic: encrypts most of its body under a randomly generated key on each infection, so every copy looks different to a signature scanner; only the small decryption stub stays constant
4
Q

Key difference between viruses and worms

A
  • Viruses typically spread with manual user intervention. Worms typically spread automatically by scanning for vulnerabilities and infecting vulnerable hosts when vulnerabilities are discovered.
  • A worm might use any of the above techniques to infect a particular host before spreading further
5
Q

First internet worm

A

Morris worm

6
Q

You can model a worm and how it spreads using analogies from ______

A

Epidemiology

7
Q

What is/are the difference(s) between worms and viruses?

  • Worms do not have destructive payloads
  • Viruses only infect Windows machines
  • Viruses can spread more rapidly
  • Worms can spread automatically
A
  • Worms can spread automatically

8
Q

Lifecycle of an internet worm

A
  1. Scan: the infected machine probes other machines on the internet to discover vulnerable hosts
  2. Infect: compromise the vulnerable machines it discovers via a remote exploit
  3. (Remain undetected, so the infected host stays available as a launch point for further scanning)
9
Q

Morris Worm

A
  • Written by Robert T. Morris, Jr. and released on November 2, 1988
    • It carried no malicious payload, but it bogged down the machines it infected: its check for an already-running copy was deliberately skipped some of the time, so hosts were reinfected over and over and the spawned processes exhausted memory and CPU
    • Infected roughly 6,000 hosts, about 10% of the internet at the time
    • Spread through 3 different propagation vectors:
      • Remote shell (rsh/rexec): it cracked passwords from the world-readable password file using a small dictionary, and it also logged in to hosts listed in the already-infected machine’s trusted-hosts files, where no password was needed at all
      • A buffer overflow in the finger daemon (fingerd read its request with gets() into a fixed-size stack buffer). This is the classic remote-exploit pattern: overflow the buffer, overwrite the return address, and run arbitrary code with the daemon’s privilege, which on those systems was root.
      • The DEBUG mode of sendmail, the mail-transfer daemon. Early sendmail builds shipped with DEBUG enabled, which let a remote party execute a command on the server just by sending an SMTP message. The worm used this to copy itself over automatically.
    • A key theme in later worms is this use of multiple vectors: a worm that can exploit several weaknesses has more ways into a host, and the redundancy usually speeds up propagation.
    • Worm design general approach (we see this a lot):
      • Scan, then spread, then remain undiscovered so that it can continue to operate and spread without being removed from systems
10
Q

What are the 3 steps in a worm’s lifecycle?

  • Infect vulnerable host
  • Patching the host’s vulnerability
  • Scanning for vulnerable hosts
  • Remaining undetectable
A
  • Infect vulnerable host
  • Scanning for vulnerable hosts
  • Remaining undetectable

***Note: A worm does not necessarily need to patch the host’s vulnerability. Although, some internet worms have been known to do so to prevent other worms from subsequently infecting and interfering with the original worm infection.

11
Q

What was the first modern worm?

A

Code Red 1

12
Q

What were the 3 major outbreaks in the summer of 2001?

A

Code Red 1 v2, Code Red 2, and Nimda

13
Q

Code Red 1

A
  • Exploited a buffer overflow in Microsoft’s IIS web server (in the .ida indexing-service extension). It spread from the 1st through the 19th of each month, finding new targets by scanning IP address space at random.
  • It spawned 99 worker threads, each generating random IP addresses and probing them for a vulnerable IIS instance.
  • Version 1 was crippled by a scanning bug: it seeded its random number generator with a constant, so every infected host scanned the same sequence of addresses.
  • Version 2 of Code Red 1 was released 6 days later (July 19, 2001)
    • Fixed the random-seed bug, so that each instance of the worm scanned a different part of the IP address space
    • With the scanning bug fixed, the worm compromised more than 350K hosts in under 14 hours
      • By most estimates, that was close to the complete set of hosts running the vulnerable version of IIS on the entire Internet
    • Payload: on the 20th of each month every copy stopped scanning and instead flooded whitehouse.gov with traffic (a DoS attack)
    • Fortunately, the flood was aimed at a hard-coded IP address rather than at the domain name, so the operators only had to move the web server to a different IP address to sidestep the attack. A slightly better worm design would have been far more damaging.
14
Q

Code Red 2

A

Code Red 2 exploited the same IIS vulnerability but had a different payload and a different scanning strategy.

  • Released on Aug 4 2001
  • Called Code Red 2 mainly because of the string “CodeRedII” in its body; it shares no code with Code Red 1
  • Only spread on Windows 2000 (it crashed Windows NT hosts instead of infecting them)
  • The scan preferred nearby addresses (localized scanning). It chose targets from the same /8 with probability 1/2, from the same /16 with probability 3/8, and uniformly from the entire Internet with the remaining 1/8 probability.
  • Why? Because if there was one vulnerable host on a network, there were likely to be more: the same administrator who failed to patch the compromised machine probably had other unpatched machines on the same network. Preferential scanning can speed up infection by raising the probability that each probe finds another vulnerable host. (The cost is that hosts in an already-saturated network waste most of their probes, so the 1/8 random component is what carries the worm to new networks.)
  • Payload: a root-level backdoor on the IIS host (a copy of cmd.exe placed where the web server would execute it on request), so compromised machines stayed exploitable after the worm itself stopped.
  • The worm was coded to stop entirely by Oct 1 2001
15
Q

Nimda

A

Nimda: released on Sept 18 2001 and was interesting mostly because it spread using multiple propagation vectors

  • It was effectively multi-modal
  • It attacked IIS web servers (through a directory-traversal bug rather than the Code Red overflow; a patch had been available for months), and it also spread by:
    * Bulk email (as an attachment that some mail clients executed merely on preview)
    * Copying itself across open network shares
    * Adding exploit code to the web pages served by infected IIS servers, so that browsers visiting those pages became infected in turn
    * Scanning for the backdoors left behind by Code Red 2 and walking in through them
  • Its multi-modal nature meant signature-based defenses didn’t necessarily help, and it could leap firewalls that blocked inbound web traffic by arriving as email or through a Code Red 2 backdoor instead.
  • The course describes Nimda as the first worm to mount what it calls a zero-day attack: the worm appears in the wild, and its signature is not extracted until minutes or hours later, by which time it has already spread to every host that signature-based anti-virus could have protected. Note that in ordinary usage “zero-day” means exploiting a vulnerability for which no patch exists; by that definition Nimda was not zero-day, since every hole it used already had a vendor patch. The practical point stands either way: a fast worm outruns any defense that must see the worm before it can block it.
16
Q

How to design a very fast spreading worm?

A

Increase the compromise rate K: the number of vulnerable hosts a single infected machine can compromise per unit time at the start of the outbreak, when almost everything is still uninfected. K goes up when fewer probes are wasted (hit lists, permutation scanning) and when each probe is cheaper (small, connectionless payloads).

17
Q

How to calculate # of new infections in a given time period (dt)

A

N da = (N a) · K (1 − a) dt

i.e. the N·a hosts that are already infected each compromise K(1 − a) new hosts in time dt, because only the fraction (1 − a) of their probes can still land on an uninfected vulnerable host. Dividing through by N dt gives the logistic equation

da/dt = K a (1 − a)

whose solution is an S-curve: slow exponential growth while a is small, then saturation as (1 − a) shrinks toward zero.

where:
K = initial compromise rate (hosts each infected machine compromises per unit time at the start of the outbreak)
N = # of vulnerable hosts
a = fraction of vulnerable hosts already compromised
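The model above carried through in code, as an added example rather than material from the flashcards: infected_fraction is the closed-form solution of da/dt = K a (1 − a), time_to_fraction inverts it, and simulate steps the discrete form N da = (N a) K (1 − a) dt directly. The values N = 360,000 vulnerable hosts and K = 1.8 per hour are assumed for illustration (close to the figures fitted to Code Red I v2 in the worm-modeling literature); the 10,000-host hit list is the number the cards use.

```python
"""Random Constant Spread (RCS) worm model: N da = (N a) K (1 - a) dt.

N  = number of vulnerable hosts
a  = fraction of vulnerable hosts already compromised
K  = initial compromise rate: hosts one infected machine compromises per
     unit time while almost everything is still uninfected
All numeric inputs below are assumed for illustration, not measurements.
"""
import math


def infected_fraction(t, K, a0):
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0."""
    e = math.exp(K * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(target, K, a0):
    """Time until a(t) reaches `target`, from solving the closed form for t."""
    assert 0.0 < a0 < target < 1.0
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / K


def simulate(N, K, initial_infected, dt=0.01, t_max=100.0):
    """Step the discrete model forward: each of the N*a infected hosts finds
    K*(1 - a) new victims per unit time.  Returns a list of (t, a) samples."""
    a = initial_infected / N
    t = 0.0
    samples = [(t, a)]
    while a < 0.999 and t < t_max:
        new_infections = (N * a) * K * (1.0 - a) * dt   # the card's formula
        a = min(1.0, a + new_infections / N)
        t += dt
        samples.append((t, a))
    return samples


def hit_list_speedup(N=360_000, K=1.8, hit_list=10_000, target=0.5):
    """Hours to infect `target` of the population starting from one seed
    versus starting from a pre-built hit list (assumed illustrative N, K)."""
    return {
        "single_seed": time_to_fraction(target, K, 1 / N),
        "hit_list": time_to_fraction(target, K, hit_list / N),
    }


if __name__ == "__main__":
    for name, hours in hit_list_speedup().items():
        print(f"{name:12s}: {hours:5.2f} h to infect half the vulnerable hosts")
```

With these inputs the single-seed outbreak needs about 7.1 hours to reach half the population while the hit-list outbreak needs about 2 hours; the difference is exactly the flat initial stretch of the S-curve that the hit list skips.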

18
Q

How to increase the compromised rate

A
  • Increase compromise rate (K) to design a very fast spreading worm:
    * Create a hit list (a list of vulnerable hosts) ahead of time. The infection curve showed that the time to infect the first 10,000 hosts dominates total infection time, so if we do stealthy scans or other reconnaissance before we start spreading, we skip the initial flat part of the curve where the worm is effectively dormant.
    * Use permutation scanning: every compromised host holds the same permutation of the IP address space. Each host starts scanning just after its own address in the permutation and works forward, so different infected hosts start from different parts of the list and don’t duplicate each other’s work; a host that reaches an address that is already infected knows the stretch ahead has been covered and jumps to a new random point.
19
Q

Permutation scanning

A

(used to increase the compromise rate K)

Every compromised host holds the same permutation of the IP address space (in practice, the output of a block cipher under a key built into the worm). Each host starts scanning just after its own address in the permutation and works forward, so different infected hosts start from different parts of the list and don’t duplicate each other’s work. A host that reaches an address that is already infected concludes that the stretch ahead has been covered and jumps to a new random point in the permutation.
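A toy simulation of the three target-selection strategies the cards describe (uniform random scanning, Code Red 2’s localized scanning, and permutation scanning), added here as an example and not taken from the course material. The address space is shrunk to 16 bits so it runs in seconds: the high byte stands in for a /8 and the high 12 bits for a /16. The shared permutation is an affine bijection mod 2^16 with the assumed constants PERM_A and PERM_B, standing in for the keyed block cipher a real worm would use, and the vulnerable population is constructed, not measured.

```python
"""Toy comparison of worm scanning strategies on a 16-bit address space.

Every infected host sends one probe per time step.  The vulnerable hosts
are constructed to cluster in a few "/8s", the situation localized
scanning is designed to exploit.  Nothing here contacts a network."""
import random

SPACE_BITS = 16
SPACE = 1 << SPACE_BITS
SHIFT8 = SPACE_BITS - 8      # shifting by this leaves the toy /8 prefix
SHIFT16 = SPACE_BITS - 12    # shifting by this leaves the toy /16 prefix


def uniform_target(src, rng):
    """Code Red 1 v2 style: any address, uniformly at random."""
    return rng.randrange(SPACE)


def localized_target(src, rng):
    """Code Red 2 style: 1/2 same /8, 3/8 same /16, 1/8 anywhere."""
    r = rng.random()
    if r < 0.5:
        return ((src >> SHIFT8) << SHIFT8) | rng.randrange(1 << SHIFT8)
    if r < 0.875:
        return ((src >> SHIFT16) << SHIFT16) | rng.randrange(1 << SHIFT16)
    return rng.randrange(SPACE)


# Shared permutation: an affine bijection stands in for a keyed block cipher.
PERM_A, PERM_B = 0x9E37, 0x1234      # assumed constants; PERM_A odd => invertible
PERM_A_INV = pow(PERM_A, -1, SPACE)


def perm(i):
    return (PERM_A * i + PERM_B) % SPACE


def perm_inv(x):
    return (PERM_A_INV * (x - PERM_B)) % SPACE


def clustered_population(rng, nets=16, per_net=128):
    """Constructed sample: half the hosts in each of 16 toy /8s are vulnerable."""
    vulnerable = set()
    for net in rng.sample(range(1 << 8), nets):
        base = net << SHIFT8
        vulnerable.update(base | h for h in rng.sample(range(1 << SHIFT8), per_net))
    return vulnerable


def run(strategy, vulnerable, seed=1, goal=0.9, max_steps=100_000):
    """Time steps until `goal` of the vulnerable hosts are infected."""
    rng = random.Random(seed)
    patient_zero = rng.choice(sorted(vulnerable))
    infected = {patient_zero}
    cursor = {patient_zero: perm_inv(patient_zero) + 1}   # permutation scanning only
    needed = int(goal * len(vulnerable))
    for step in range(1, max_steps + 1):
        for host in list(infected):           # hosts infected this step start next step
            if strategy == "permutation":
                t = perm(cursor[host] % SPACE)
                cursor[host] += 1
                if t in infected:             # stretch already covered: restart elsewhere
                    cursor[host] = rng.randrange(SPACE)
                    continue
            elif strategy == "localized":
                t = localized_target(host, rng)
            else:
                t = uniform_target(host, rng)
            if t in vulnerable and t not in infected:
                infected.add(t)
                cursor[t] = perm_inv(t) + 1   # new host starts just after its own point
        if len(infected) >= needed:
            return step
    return max_steps


def same_slash8_fraction(src=0x1234, probes=20_000, seed=7):
    """Sanity check on localized_target: share of probes in src's own /8 (about 7/8)."""
    rng = random.Random(seed)
    hits = sum((localized_target(src, rng) >> SHIFT8) == (src >> SHIFT8) for _ in range(probes))
    return hits / probes


def compare(seed=1):
    """Steps to 90% infection for each strategy on the same clustered population."""
    vulnerable = clustered_population(random.Random(seed))
    return {s: run(s, vulnerable, seed) for s in ("uniform", "localized", "permutation")}


if __name__ == "__main__":
    for strategy, steps in compare().items():
        print(f"{strategy:12s} reached 90% after {steps} steps")
```

On a clustered population localized scanning finishes many times faster than uniform scanning, because half of each host’s probes land in a /8 where every second address is vulnerable; permutation scanning’s advantage is different in kind (no address is probed twice by the same host, and hosts notice when their region is already covered), so it pays off mostly near saturation.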

20
Q

Slammer worm

A

spread on January 25, 2003, faster than any worm before it. It did not use a hit list or permutation scanning: it relied on plain random scanning, but made each probe so cheap that it saturated the vulnerable population anyway.

    * Exploited a buffer overflow in Microsoft’s SQL Server (the SQL Server Resolution Service, which listens on UDP port 1434)
    * The entire Slammer code fit in a single small UDP packet (376 bytes). The packet was the overflow input itself: it contained the worm code preceded by the padding and the return-address overwrite that redirected execution into it. A classic buffer overflow combined with random scanning.
    * Once control passed to the worm code, it generated IP addresses at random and sent a copy of itself to UDP port 1434 on each one.
        * Brilliant aspect of it: because it spread in a single UDP packet, it was connectionless. No handshake and no waiting for replies, so its spread was no longer limited by network round-trip latency, only by the bandwidth available to the infected hosts.
    * Estimated at roughly $1.2 billion in damage, and it temporarily knocked out critical infrastructure, including Bank of America’s ATM network, a cell phone network in South Korea, five of the root DNS servers, and Continental Airlines’ ticket processing software.
    * It did NOT have a malicious payload; the damage came from the scanning traffic itself, which saturated links and exhausted resources on the affected networks and machines.
    * The damage shown in the map was done in just 30 minutes (it reached over 90% of vulnerable hosts within about 10 minutes) because of the very lightweight way Slammer spread.
21
Q

Which worm did NOT have a malicious payload?

A

Slammer worm

…but the bandwidth exhaustion on the network caused resource exhaustion on affected machines.

World-wide damages occurred in 30 mins

22
Q

What allowed Slammer to spread quickly?

  • TCP/reliable transport
  • UDP/connectionless transport
  • Infected many OS types
  • Could fit in a single packet
A
  • UDP/connectionless transport
  • Could fit in a single packet

23
Q

What is spam?

A

Unsolicited bulk email, typically commercial: messages sent to large numbers of recipients who never asked for them

24
Q

Most spam goes to a spam folder, so what’s the problem?

A
  • It remains a scourge for network operators:
    * Someone has to design and maintain the filters that separate good traffic from bad traffic
    * Even if a message is labeled as spam, once the receiving server has accepted it for delivery (replied 250 after DATA), SMTP makes that server responsible for it: it must store or bounce the message, because it told the sender it accepted it. Spam that is accepted and then filed in a spam folder therefore consumes real storage on mail servers.
    * It creates security problems for the users who receive it, if it carries a harmful payload such as malware or a phishing lure.
  • Even though you may not see spam because of filters, ~95% of all email traffic is spam. Some reports from the Anti-Phishing Working Group suggest that 1 in every 87 emails is a phishing attack, and there are ~50,000 unique phishing attacks in a month.
25
Q

Spam filter

A
  • Prevent the message from reaching the user’s inbox in the first place.
  • How to differentiate spam (bad messages) from “ham” (legitimate messages)?
  • Three ways to construct filters:
26
Q

Three ways to construct spam filters

A
  • Content-Based: actually look at what’s in the mail for particular words like Viagra or Rolex
    - Problem: easy to evade: spellings can be changed, message can be in the form of images, MP3s, etc.
    - Those maintaining the filters suffer a relatively high cost because the filters must be continually updated as content changes, and the means of carrying the content becomes more sophisticated
  • IP address of sender: often called blacklisting
  • Behavioral features (sender’s sending behavior): How the mail is sent (at a particular time of day? sent in a batch of emails that are all roughly the same size?)
27
Q

What is/are problem(s) with content-based filters?

  • Too slow
  • Easy for attackers to evade
  • Words are difficult to parse
A
  • Easy for attackers to evade

28
Q

How does an IP blacklist work?

A
  • Sender connects to the receiver’s mail server to deliver a message
  • The receiver looks up the sender’s IP address in a blacklist, usually a DNS-based blacklist (DNSBL) such as Spamhaus: it reverses the octets of the address, appends the list’s zone, and issues an ordinary DNS A query. An answer inside 127.0.0.0/8 means “listed”; NXDOMAIN means “not listed”.
  • Depending on whether the IP address appears in the list, the receiver can decide whether to accept the message or to reject it at connection time and never accept the mail in the first place. Rejecting before DATA saves the operator from even having to store the message.
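The lookup described above, written out as an added example (not code from the course): it builds the reversed-octet query name, interprets the returned A records using the sub-list codes Spamhaus documents for its ZEN zone, and shows the reject-at-connect decision a receiving MTA makes. The resolver is replaced by a constructed answer table so the example runs offline; the hostname mail.example.net and the three sample sender addresses are made up.

```python
"""Build and interpret a DNS-based blocklist (DNSBL) query for an SMTP sender.

The resolver is stubbed with a constructed answer table so this runs
offline; replace `lookup` with a real A-record query (for example
dnspython's dns.resolver.resolve(name, "A")) to use it for real."""
import ipaddress

ZONE = "zen.spamhaus.org"

# Return codes Spamhaus documents for its ZEN combined list: the answer is
# an A record in 127.0.0.0/8 and the last octet says which sub-list matched.
ZEN_CODES = {
    2: "SBL - verified spam source",
    3: "SBL CSS - snowshoe / low-reputation source",
    4: "XBL - compromised host (exploit, open proxy, botnet)",
    5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL - dynamic/end-user space that should not send mail directly",
    11: "PBL",
}


def query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(answers):
    """Turn the A records for a DNSBL name into a verdict.

    No answer (NXDOMAIN) means not listed.  Any answer outside 127.0.0.0/24
    is the list signalling an error (e.g. query from a blocked public
    resolver or over the query limit) and must NOT be treated as a listing."""
    reasons = []
    for a in answers:
        octets = [int(x) for x in a.split(".")]
        if octets[:3] != [127, 0, 0] or octets[3] not in ZEN_CODES:
            return "error", [f"unexpected answer {a}"]
        reasons.append(ZEN_CODES[octets[3]])
    return ("listed", reasons) if reasons else ("not_listed", [])


# Constructed stand-in for DNS: query name -> A records it would return.
FAKE_DNS = {
    query_name("192.0.2.10"): ["127.0.0.4"],                 # botnet member
    query_name("192.0.2.11"): ["127.0.0.2", "127.0.0.10"],   # spam source in dynamic space
    query_name("192.0.2.12"): ["127.255.255.254"],           # list refusing to answer us
}


def lookup(name):
    """Return the A records for `name` (empty list = NXDOMAIN)."""
    return FAKE_DNS.get(name, [])


def smtp_connect_decision(sender_ip: str) -> str:
    """The receiving MTA's reply at connection time, before any DATA is accepted.
    A lookup error fails open: we do not reject mail because our DNS is broken."""
    verdict, reasons = classify(lookup(query_name(sender_ip)))
    if verdict == "listed":
        return f"554 5.7.1 {sender_ip} listed in {ZONE}: {'; '.join(reasons)}"
    return "220 mail.example.net ESMTP"
```

Rejecting with 554 at the greeting is what makes the blacklist cheap for the receiver: the message body never crosses the wire, so nothing has to be stored. Failing open on lookup errors is a deliberate choice; the alternative (reject everything when the list is unreachable) turns a DNS outage into a mail outage.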
29
Q

Spam filter based on behavioral features

A

Based on how the message is sent, including:

    * Geographic location of sender and receiver
    * Set of target recipients
    * Upstream ISP
    * Our inference as to whether the sender is a member of a Botnet (a network of compromised hosts that are doing the bidding of some control server)
30
Q

Challenges with using behavioral features for spam filter

A
  • Understanding network behavior well enough to pick features that spammers cannot cheaply change
  • Building classifiers over those network-level features to execute the filtering

31
Q

How can a spammer evade spam blocking efforts?

A
  1. Hijack an IP prefix for a short period of time (announce someone else’s prefix, or unused address space, in BGP)
  2. Send spam from addresses in that prefix, which no blacklist has seen before
  3. At the end of the run, withdraw the BGP announcement so the addresses disappear before they can be listed
32
Q

Ephemeral IP addresses

A

Spammers use these, essentially rendering IP blacklists ineffective. On any given day, 10% of spam senders are from previously unseen IP addresses

33
Q

Single-packet features to determine spam

A

Work well, determine spam based on first packet that a sender sends. Includes:

    * Distance b/w sender and receiver
    * Density in IP space in terms of how many other mail senders are nearby
    * Local time of day at the sender
    * AS of the sender’s IP
34
Q

Single-message techniques

A

These can be effective if willing to look beyond first packet:

    * # of recipients
    * length of message
35
Q

If willing to look at a group of email messages…

A

can see how message length varies over time or across a group of different messages

36
Q

SNARE

A

Combining single-packet, single-message, and beyond, give us a tool called SNARE (Spatiotemporal network-level automated reputation engine)

    * SNARE achieved a 70% detection rate with a false positive rate of 0.1%
    * This is good enough to be used in practice, providing comparable performance to state of the art IP-based blacklists such as Spamhaus, but only uses network-level features, thus making it less susceptible to the ephemeral nature of IP-based blacklisting
37
Q

What is a DoS attack?

A

Denial of Service Attack

  • An attack that attempts to exhaust various resources, such as:
    * Network bandwidth
    * TCP connections (e.g. a host might have only a limited # of TCP connections it can open)
    * Server resources (e.g. victim might be a web server running complicated scripts to render web pages, and if it gets a bunch of bogus requests, the server could spend a lot of resources rendering pages for requests that are not legitimate)
38
Q

When did DoS attacks become DDoS attacks?

A
  • Before 2000: DoS attacks were typically single-source
  • After 2000: with the rise of internet worms, they became distributed, effectively being launched from many attackers

39
Q

3 defenses against DoS attacks

A
  • Ingress filtering (BCP 38):
    * The edge router of a stub AS knows exactly which prefixes its customer owns, so it drops any outgoing packet whose source address is not in them. Foolproof in the stub-AS situation; it only fails where the router doesn’t know the full set of legitimate source prefixes.
  • uRPF (unicast reverse path forwarding) checks:
    • A solution for the core, where the router has no customer prefix list
    • Uses the routing table to determine whether a packet with this source address could plausibly have arrived on the interface it came in on: strict mode drops the packet unless the best route back to the source points out that same interface
    • Benefit: it’s automatic; the routing table the router already maintains does the work
    • Limitation: strict mode requires symmetric routing, and routing in the internet is often asymmetric. Anywhere routing is asymmetric, strict uRPF would drop legitimate traffic and cannot be used. (The weaker loose mode only checks that some route to the source exists, which catches unroutable spoofed sources but not spoofing of routable ones.)
  • TCP SYN cookies
    • Used to defend against TCP SYN-flood DoS attacks on servers
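Ingress filtering and the two uRPF modes as a router would evaluate them, added here as an example (not from the course): a longest-prefix match over a constructed FIB decides whether a packet’s source address is feasible on its arrival interface. The FIB, interface names and packet addresses are made up; the behaviour on asymmetric paths and on the default route is the point.

```python
"""Source-address validation as a router does it: ingress filtering at a
stub AS's edge, and unicast RPF (strict and loose) against a routing table.
The FIB, interfaces and addresses below are constructed for the example."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str            # interface the router would use to reach this prefix


def route(prefix: str, iface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), iface)


# Constructed FIB of a provider edge router.
FIB = [
    route("0.0.0.0/0", "eth0"),           # default toward the Internet core
    route("203.0.113.0/24", "eth1"),      # customer A (a stub AS)
    route("198.51.100.0/24", "eth2"),     # customer B
    route("198.51.100.128/25", "eth3"),   # more-specific: half of B via another link
]


def longest_match(fib, src) -> Optional[Route]:
    """Best (most specific) route for an address, or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def ingress_filter_ok(customer_prefixes, src) -> bool:
    """Stub-AS ingress filtering (BCP 38): accept only sources the customer owns."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


def urpf_strict_ok(fib, src, arrival_iface) -> bool:
    """Strict uRPF: the best route back to the source must leave via the
    interface the packet arrived on.  Drops legitimate traffic on asymmetric paths."""
    r = longest_match(fib, src)
    return r is not None and r.iface == arrival_iface


def urpf_loose_ok(fib, src, allow_default=False) -> bool:
    """Loose uRPF: some route to the source must exist.  Safe under asymmetric
    routing but only catches unroutable (bogon) sources; if the default route
    is allowed to count, it accepts essentially anything."""
    r = longest_match(fib, src)
    if r is None:
        return False
    return allow_default or r.prefix.prefixlen > 0
```

The 198.51.100.200 case shows why strict mode is an edge-only tool: the more-specific /25 says that source should arrive on eth3, so a legitimate packet that took the other link through eth2 is dropped. Loose mode accepts it, and accepts everything else with a route, which is exactly the trade-off the card describes.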
40
Q

TCP Handshake process

A
  1. Client sends a SYN packet to the server
  2. Server responds with a SYN-ACK
  3. Client returns an ACK, at which point the connection is established
41
Q

Problem with TCP handshake

A

The client can send a SYN and cause the server to allocate state for that half-open TCP connection (an entry in its SYN backlog, plus buffers), but the client never has to come back. By sending a lot of SYNs and never completing the handshake, the client can fill the server’s backlog and exhaust its memory, at which point legitimate SYNs are dropped. The SYNs can even carry spoofed source addresses, so the SYN-ACKs go nowhere and the attacker cannot be traced. The client has no accountability and no obligation to send the final ACK, yet it can force the server to commit resources.

42
Q

Solution to TCP handshake vulnerability to DoS attack

A

TCP SYN cookies

When the server receives a SYN from the client, instead of allocating state for the connection’s 4-tuple, it keeps nothing and picks an initial sequence number for the SYN-ACK that is a function of the client’s IP address and port, the server’s IP address and port, a coarse timestamp, and a secret known only to the server (the secret and timestamp stop an attacker from forging or replaying cookies). An honest client that returns replies with an ACK whose acknowledgment number is that sequence number plus one. The server checks it simply by recomputing the hash from information it already has (the packet headers and its secret), thereby confirming that this ACK corresponds to a SYN-ACK it really sent, without ever having stored state. If the number matches, the server establishes the connection. The cost is that the server remembers nothing from the SYN, so TCP options negotiated there (window scaling, SACK) are lost unless squeezed into the cookie or the timestamp option; most stacks therefore switch to cookies only once the SYN backlog is full.
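A minimal SYN-cookie scheme in the style just described, added as an example rather than taken from the course or from any real TCP stack: the 32-bit initial sequence number packs a 5-bit time counter, a 3-bit index into a small MSS table (the one piece of SYN state worth preserving) and 24 bits of keyed hash over the connection 4-tuple. The layout, the 64-second tick, the MSS table and the key SECRET are assumptions for this example, not the exact Linux encoding; the addresses in the test are made up.

```python
"""A minimal SYN-cookie scheme: no per-connection state between SYN and ACK.

Cookie layout (32 bits):  [5-bit time counter][3-bit MSS index][24-bit keyed hash]
The counter lets stale cookies expire, the MSS index preserves the one SYN
option a server really needs, and the hash binds the cookie to the 4-tuple.
Layout, tick size, MSS table and key are assumptions for this example."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"per-boot random server key (assumed for the example)"
MSS_TABLE = (536, 1220, 1440, 1460)     # index fits in 3 bits
TICK_SECONDS = 64
MASK32 = 0xFFFFFFFF


def _keyed_hash(saddr, daddr, sport, dport, counter):
    """24-bit HMAC over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed,
                      sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Server side on SYN: compute the SYN-ACK's ISN and allocate nothing."""
    counter = (int(now) // TICK_SECONDS) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    h = _keyed_hash(saddr, daddr, sport, dport, counter)
    return ((counter << 27) | (mss_idx << 24) | h) & MASK32


def check_syn_cookie(saddr, daddr, sport, dport, ack_number, now, max_age_ticks=1):
    """Server side on the final ACK: ack_number must equal cookie + 1.

    Returns (accepted, mss).  Nothing is looked up in any half-open table;
    the headers of the ACK plus SECRET are all the server needs."""
    cookie = (ack_number - 1) & MASK32
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return False, None
    current = (int(now) // TICK_SECONDS) & 0x1F
    if (current - counter) & 0x1F > max_age_ticks:
        return False, None              # expired (or counter from the future): replay
    if _keyed_hash(saddr, daddr, sport, dport, counter) != (cookie & 0xFFFFFF):
        return False, None              # wrong 4-tuple, wrong secret, or forged
    return True, MSS_TABLE[mss_idx]
```

Because the ACK is validated from its own headers, a flood of SYNs from spoofed addresses costs the server one hash per packet and no memory; an ACK from a different source address fails the hash, and one arriving more than two ticks later fails the age check even though the hash is correct.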

43
Q

What is/are advantage(s) of SYN cookies?

  • Can be applied in the network “core”
  • Prevent server from exhausting state after TCP SYN
  • Defends against UDP flooding attacks
A
  • Prevent server from exhausting state after TCP SYN

44
Q

What is Backscatter used for?

A

To infer DoS attacks

45
Q

Suppose our telescope is monitoring 2^16 IP addresses, and in that telescope we see 100,000 packets/second. What is the total attack rate?

A

Since we’re monitoring 2^16 of the 2^32 IPv4 addresses, i.e. 1/2^16 of the address space, and the attacker sprays spoofed source addresses uniformly across that space, we simply scale the observed rate up by 2^16.

m = 100,000 × 2^32 / 2^16 = 100,000 × 65,536 ≈ 6.55 billion packets per second

46
Q

Equation to compute total attack rate

A

m = x × (2^32 / n), where x is the packet rate observed at the telescope and n is the # of IP addresses it monitors

For a telescope covering a /p prefix, n = 2^(32 − p). A /8 telescope has n = 2^24, so m = 256 x; a /16 has n = 2^16, so m = 65,536 x. The estimate assumes the attacker picks spoofed source addresses uniformly at random, which is what makes the victim’s replies (the backscatter) land in the telescope in proportion to its size.