Researchers Tout New Network Worm Weapon
coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. 'The difficulty was figuring out how many scans were too many,' researchers said."
One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can reasonably make must be BitTorrent; a computer actively seeding files through BitTorrent might connect to hundreds of computers for each file.
I suppose the admin of a corporate network will probably frown on active BitTorrent use in general though.
Can useless messages be moderated within minutes of their posting?
Doesn't D-Link already supply this with UTM/NetDefence?
Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?
Network admins quite often scan large amounts of network space, especially for vulnerabilities. I know, I do it every day. Device discovery on networks for monitoring, IP address management, the list goes on.
There is the alternative though...
http://xkcd.com/416/
The network operations center at the RWTH-Aachen university in Germany automatically warns users when an infection of their computer is detected and after a short while, if the user does not remove the infection, takes the computer offline. They call the system "Blast-o-Mat", which hints at the cause of its inception. You can see the statistics here: http://www1.rz.rwth-aachen.de/kommunikation/betrieb/auto/status/blast-o-mat.php
Sorry, you must be new here. Car analogies are the only acceptable analogy on /.
Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.
Like putting too much air in a balloon!
...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!
(Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)
Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf. Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.
Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
Seriously, let's see how this will work.
sysadmin: $max_scans_allowed = 10;
worm: sh1t! $max_scans_allowed = 10;
sysadmin: sh1t! $max_scans_allowed = 9;
worm: sh1t! $max_scans_allowed = 9;
sysadmin: sh1t! $max_scans_allowed = 8;
worm: sh1t! $max_scans_allowed = 8;
sysadmin: sh1t! $max_scans_allowed = 7;
worm: sh1t! $max_scans_allowed = 7;
sysadmin: sh1t! $max_scans_allowed = 6;
worm: sh1t! $max_scans_allowed = 6;
sysadmin: sh1t! $max_scans_allowed = 5;
worm: sh1t! $max_scans_allowed = 5;
sysadmin: sh1t! $max_scans_allowed = 4;
worm: sh1t! $max_scans_allowed = 4;
sysadmin: sh1t! $max_scans_allowed = 3;
worm: sh1t! $max_scans_allowed = 3;
sysadmin: sh1t! $max_scans_allowed = 2;
worm: sh1t! $max_scans_allowed = 2;
sysadmin: sh1t! $max_scans_allowed = 1;
worm: sh1t! $max_scans_allowed = 1;
sysadmin: sh1t! $max_scans_allowed = 0;
Unplug the internet, no communications allowed.
The easy way around this is to just slow down the rate of the scans and the type/quantity of scanning done at any one time. Whether it takes hours or weeks, time is not critical when you have millions of PCs at your disposal.
Anything that requires changes in most or all sub-networks is guaranteed to fail. Just look at egress filtering. Many network admins are still unable or unwilling to do it. And these people expect them to implement a worm detector in every subnet? Forget it.
BTW, the idea is not new: "A Fast Worm Scan Detection Tool for VPN Congestion Avoidance" in Proceedings of DIMVA 2005 uses the same idea, but in a context where it is actually implementable and useful. Online under http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/dimva06scan.pdf.
What a way to take down BitTorrent users!
I believe the poster meant The Ohio State University.
I've been running the following iptables rules on our routers for at least the last year or two:
iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN
iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"
iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack
In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.
We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.
We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.
The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.
So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.
Sean
I used to work as the admin for a small wireless ISP company seven years ago. The equipment they used was easily broken by an infected machine (I think Sasser was the big one back then), as the radios' packet-per-second limit was very low compared to other last-mile solutions.
To thwart attacks and keep the network working, I would have ntop running at the gateway looking for lots of SYN with no ACK, a usual sign of an infected machine. I would have to kick them off at the node and then politely call them and ask them to have the infection fixed... Once or twice I had to do it myself.
This was a very small company. The original planners set up a whole network on extremely flat land, with an 80 foot tree line and plenty of trees. It was tough enough getting enough customers on each node to justify the costs.
Good times.
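The two admin posts above describe the same detection in different tools: a per-source-IP rate limit on outbound SSH SYNs (the iptables hashlimit rule) and watching ntop for lots of SYNs with no ACK. Here is an added example, not code from either poster, that implements that check over a constructed gateway log: it counts only unanswered outbound SYNs per source in a sliding window and flags any source that exceeds a threshold, so a busy host whose connections are answered (the BitTorrent case raised earlier) is not flagged. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample gateway records, not real traffic:
# "epoch_seconds src_ip dst_ip dst_port answered" where answered is 1 when
# a SYN/ACK came back and 0 when the outbound SYN went unanswered.
SAMPLE_LOG = "\n".join(
    # 10.0.0.5: 12 unanswered SYNs to 12 different hosts in 12 seconds (scan-like)
    [f"{1000 + i} 10.0.0.5 192.0.2.{i} 22 0" for i in range(12)]
    # 10.0.0.7: many connections, but all answered (peer-to-peer-like traffic)
    + [f"{1000 + i} 10.0.0.7 198.51.100.{i} 6881 1" for i in range(30)]
    # 10.0.0.9: a few unanswered SYNs spread over several minutes (benign)
    + [f"{1000 + 90 * i} 10.0.0.9 203.0.113.{i} 22 0" for i in range(4)]
)


def parse_syn_log(text):
    """Parse the five-column records above into tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, answered = line.split()
        records.append((int(ts), src, dst, int(port), answered == "1"))
    records.sort(key=lambda r: r[0])
    return records


def flag_scanners(records, max_unanswered=10, window_seconds=60):
    """Return {src: timestamp} for each source whose unanswered outbound SYNs
    within any sliding window exceed max_unanswered. The timestamp is the
    moment the limit was first crossed, i.e. when an admin would be paged.
    Counting only unanswered SYNs is what separates a scan from a busy host."""
    windows = defaultdict(deque)  # src -> timestamps of recent unanswered SYNs
    flagged = {}
    for ts, src, _dst, _port, answered in records:
        if answered:
            continue
        q = windows[src]
        q.append(ts)
        while q[0] <= ts - window_seconds:  # drop SYNs that fell out of the window
            q.popleft()
        if len(q) > max_unanswered and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    print(flag_scanners(parse_syn_log(SAMPLE_LOG)))  # {'10.0.0.5': 1010}
```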
Like Windows made MS-DOS viruses something to be mentioned in the past, I don't get why people don't just stop making slapdash hacks, and move to a platform that is 100% immune to this type of malicious software. MacOS has had -zero- remote rootings in the wild in its whole history. Even the vaunted OpenBSD has had three remote holes on its record.
I say leave the worm finding to the Windows and Linux people who are vulnerable to this stuff, and we Mac people can just point and snicker, because a worm or a botnet "client" is just plain impossible to implement on MacOS.
Of course, this works only if the host doing the scanning doesn't become infected. I don't see how to guarantee this, although of course one can reduce the probability that the scanning host will become infected by locking it down to a much higher degree than ordinary hosts that need to be flexible to meet the needs of their users.
At the end of the day, this is nothing more than network intrusion detection, employing an incredibly simple anomaly detection algorithm. Surely this isn't news?
Maybe it's because I haven't had my coffee, but after reading the headline as 'Researchers Tout New Worm Weapon' the only thing I could think of was, 'Holy crap, System Shock is for real...'
they want their network problems back
I've been a network specialist/admin for a few companies including banks and a university, and my personal idea/solution is a quasi-VLAN system where each workstation is unable to talk directly to other workstations within the same LAN/campus. Think about it: allow workstations to talk to servers and necessary resources but not directly to each other.
There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpack's PC.
You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak which can be easier traced and combated when you aren't also fighting a spreading fire.
vPro (aka AMT) can do this with built-in heuristics and, with Cisco equipment in the mix, even put the port into a remediation VLAN segmented from your prod network. Or shut it down, boot to a network ISO AV disk and perform a pre-OS scan of the hard drive. This will even work with the newest SafeBoot hard drive encryption.
...are not worms.
...blocking Bittorrent isn't a bug, it is a feature.
Help poke pirates in the eyepatch, arr.
So these researchers design a way to help stop fast spreading network killing worms by giving anyone who knows how to spoof an IP address the option to shut off hosts at will?
I'm betting that you have never been in a hurry but had to buy a new copy of Windows to replace the OEM version that was just FUBARed by a virus or malicious piece of software, or perhaps even by a malignant end user who knows far too much about the delete command and far too little about the Windows and system directories.
Unbootable does NOT even begin to describe what you have on your hands. Brick, on the other hand, gets kind of close and conveys the proper frame of mind when you have experienced that kind of frustration. I believe that those who advocate the changing and fluid nature of a language would approve of that use of the word as confined to the electronics realm.
It becomes an even more appropriate usage when you consider that most consumer electronics products are or are very close to throw-away status. That is to say that once they malfunction permanently, it is cheaper to replace them with new units than to have them repaired. This leaves you with something that is about the same use to the average person in their home or office as a brick, Acme or otherwise.
You personally are welcome to not use the word in that context. The rest of us, meh... fsck it, it works for me.
Worms are ugly, but they are not that smart so it won't take long to stop them most likely.
> Stopping DDoS attacks is even MORE important.
What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?
The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoing packets (from their home users), but given the general lack of cooperation of the ISPs against network hacking (or has this changed? Have any ISPs finally implemented egress filters for packets with faked headers nowadays?) I wouldn't hold my breath...
What's wrong with looking at the router lights blinking when the system shouldn't be doing anything and saying "Heeey, that's not right !" ?
I scour the local dumpsters for computers (college dorm room dumpsters on move-out day are a freakin' gold mine), reinstall the OS, and do some good with them. Or just fix them and sell them back to the idiots who threw them away in the first place. LMAO.
A system called Quarantainenet attempting to do the same detection and isolation has been up and running for 5+ years at the University of Twente in the Netherlands. It's even evolved into a separate company, which appears to cover several more universities and ISP's in the Netherlands with the system.
I don't think it means what you think it means.
Why spend money treating effects when you could prevent the cause in the first place using SELinux or AppArmor (those kinds of techniques exist for Windows too)?
Sorrowfully, worms have long gone out of fashion. Today it is trojans, backdoors and rootkits, which do not spread on their own but are being spread by spammers, adware and massive automated drive-by download attacks. The researchers' method is often useless against these current threats.
If a machine gets infected by a worm, the anti-virus software must have failed to detect that worm. So, you get a report warning you about a particular machine, run a virus scan and find nothing. Now what?
What you need to do is have the software running on the PC itself, so that it can monitor what task is actually running the scans so a human can check it.
We purchased a Forescout appliance 2 years ago which does the exact same thing. I wonder if the OSU research was reading http://www.forescout.com/counteract/index.html. As an OSU alum, I am embarrassed by this tripe.
Oh yeah, we all know how well restricting the number of half-open connections in SP2 worked. /sarcasm
We have been doing this kind of analysis and mitigation since the days of blaster. Nothing new, but yes, it does work quite effectively for rapidly spread worms.
OSU scientists decided to focus on the issue of network worms when they were frustrated by efforts to diffuse offensive attacks by SEC virus. The Florida and LSU variants proved to be too much to handle, and the scientists choked under the pressure.
I've personally witnessed some pretty flaky setups in other places, including banks. Chase used to do file transfers to Bank One via freaking HyperTerminal on one IT guy's laptop. They later "improved" it by moving the same process to a PC in the data center, but still dialing externally on the same 56k modem using the same insecure HyperTerminal. All this workaround was done because Bank One no longer accepted the IP address of Chase's new mainframe.
Safe to say, not all banks have competent admins. I won't even start on a certain financial company whose credit union PC was compromised from a night worker internally who used it to surf the web, to get outside the company's overly restrictive firewall.
Don't know if you were joking or not (you were modded funny), but I wish I could easily block BitTorrent traffic with my Netgear router, or at least throttle it. I share my connection with tenants in our house, and it would be great to be able to limit their bandwidth rather than telling them not to use BitTorrent.
Los Alamos National Laboratory has been doing this with NARQ and EMAAD since about then, except their system autoreacts and stops the worms.
http://public.lanl.gov/netsys/analytics/mining.shtml
http://www.osti.gov/doepatents/details.jsp?query_id=0&page=0&ostiID=927841
http://www.lanl.gov/news/newsletter/071706.pdf (page 8)
Etc.
This is already being done by ProCurve Networking (by HP):
http://www.hpl.hp.com/news/2003/jan_mar/throttling.html