1
On the Performance of InternetWorm Scanning Strategies
Cliff C. Zou, Don Towsley, Weibo Gong
Univ. Massachusetts, Amherst
2
Motivation
Hackers have tried various scanning strategies intheir scan-based worms
Uniform scan Code Red, Slammer
Local preference scan Code Red II
Sequential scan Blaster
Possible scanning strategies:
Target preference scan (selective attack from a routing worm)
Divide-and-conquer scan
How do they affect a worm’s propagation?
Mean value analysis (based on law of large number)
Numerical solutions; Simulation studies.
3
Some Analysis Conclusions
Equivalent when hosts are uniformly distributed
Uniform scan
Sequential scan
Divide-and-conquer scan
Local preference scan increases a worm’s speed
When vulnerable hosts are not uniformly distributed
Optimal local scan prob. p when local network size
Sequential scan selecting starting point locally slowsdown worm propagation speed
Selective attack global scan or target-only scandetermined by distribution of vulnerable hosts.
4
Two Guidelines in Defense
Prevent attackers from
Identifying IP addresses of a large number ofvulnerable hosts Flash worm, Hit-list worm
Obtaining address information to reduce aworm’s scanning space Routing worm
Worm monitoring system
IP space coverage is not the only issue
Should monitor as many as possible welldistributed IP blocks non-uniform scan worm
5
Epidemic Model Introduction
Model for homogeneous system
Model for interacting groups
: # of infectious
: infection ability
: # of hosts
: scan rate
For worm modeling:
: scanning space
6
Infinitesimal Analysis of Epidemic Model
From time t to t+: ( ! 0)
Vulnerable hosts [N-I(t)]; infected hosts I(t).
An infected host infects vulnerable hosts.
Negligible of Prob. “two scans hitting the same vulnerable host”.
Newly infected hosts:
Negligible of Prob. “two infected hosts infect the same vulnerable host”.
Thus I(t+) is
: # of hosts
: scan rate
: scanning space
: # of infectious
: small time interval
Prob. p of a worm copy hitting a specific IP address during :
7
Idealized Worm
Know IP addresses of all vulnerable hosts
Perfect worm
Cooperation among worm copies
Flash worm
No cooperation; random scan
Complete infection within seconds
8
Uniform Scan Worm
Traditional worm: Code Red, Slammer
Uniformly scans the entire IPv4 space ( = 232 )
Hit-list worm: [Staniford et al. 2002]
Knowing IP addresses of a fraction of vulnerable hosts.
Has a large number of initially infected hosts I(0).
Routing worm: [Zou et al. 2003]
Using BGP routing table to reduce worm scanning space.
Has a bigger infection ability
9
Uniform ScanWorms Comparison
Defense: Crucial to prevent attackers from
Identifying IP addresses of a large number of vulnerable hosts Flash worm, Hit-list worm
Obtaining address information to reduce a worm’s scanning space Routing worm
• Hit-list worm has
a hit-list of I(0)=10,000
• Routing worm has=0.286£ 232
• Other parameters:
N=360,000
=358/min
I(0)=10
10
Divide-and-Conquer Scan Worm
Divide-and-conquer scan:
An infected host gives half of its scanning space to itsnewest infected child host.
At time t, each worm copy has
Scanning space:
Vulnerable hosts:
Use infinitesimal analysis technique.
Conclusion: when vulnerable hosts are uniformlydistributed, divide-and-conquer scan is equivalentto uniform scan.
11
Local Preference Scan Worm
Model: epidemic in interacting groups
Analysis: assume K “/n” networks
Prob. p: uniformly scan local “/n” network
Prob. (1-p): uniformly scan others
Conclusions:
Vulnerable hosts uniformly distributed:
No difference as long as the worm spreads out to every network.
Vulnerable hosts not uniformly distributed:
Analysis: hosts uniformly distributed in m out of K networks
Local preference scan increases a worm’s speed.
12
Local preference scan increases speed (when vulnerable hosts arenot uniformly distributed)
Local scan on Class A (“/8”) networks: p* 1
Local scan on Class B (“/16”) networks: p* 0.85
Code Red II: p=0.5 (Class A), p=0.375 (Class B) Smaller than p*
Local Preference Scan Worm
Class A local scan (K=256, m=116)
Class B local scan (K=216, m=116£28)
13
Sequential Scan Worm
Sequential scan:
Sequentially scans IP addresses from a starting point.
Blaster worm selects its starting point locally with p=0.4
Such local preference slows down worm propagation.
Reason: child worm copies are more likely to be wasted onrepeating their parents’ scanning trails.
Sequential scan is equivalent to uniform scan when
Vulnerable hosts uniformly distributed in IPv4 space.
The worm selects starting point uniformly.
14
Simulations agree with our analyses.
Analysis limitation (mean value analysis):
No consideration of variability.
Sequential Scan Worm Simulation Study
Comparison of uniform scan, sequential scan with/without local preference
(100 simulation runs; vulnerable hosts uniformly distributed in entire IPv4 space)
15
Sequential Scan Worm Simulation Study
Observations:
Local preference in selecting starting point is a bad idea.
Mean value analysis cannot analyze variability.
Uniform scan, sequential scan with/without local preference (100 simulation runs)
Vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)
16
Selective Attack Worm
Target domain:
Other domains:
Target-only scan:
Global scan:
Conclusion:
Target-only scan is faster when vulnerable hosts aremore densely distributed in the target domain than inother domains ( c1<c2 )
17
Worm Monitoring System Design
“Network telescope” monitoring system: [Moore 2002]
Observing global Internet activities based on monitored traffic on asmall fraction of IP space.
Should monitor as many as possible well distributed IP blocks.
Blaster worm simulation and monitoring
After low-pass filter
Directly monitored data
Worm propagation I(t) and
monitored data C(t)
18
Summary
Modeling basis:
Law of large number; mean value analysis;infinitesimal analysis.
Epidemic model:
Conclusions:
All about worm scanning space or density ofvulnerable population)
Flash worm, Hit-list worm, Routing worm
Local preference, divide-and-conquer, selective attack
Monitoring: sequential scan worm
