ABSTRACT
Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. This paper examines a new proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. NASR limits or slows down hitlist worms and forces them to exhibit features that make them easier to contain at the perimeter. We explore the design space for NASR and present a prototype implementation as well as preliminary experiments examining the effectiveness and limitations of the approach.
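The abstract names two effects NASR is meant to have: hitlist entries go stale as hosts change addresses, and a worm working from a stale list starts to behave like a scanner at the perimeter. The Python model below, added here as an illustration and not code from the paper or its authors, makes both effects measurable: it rotates hosts through a small address pool on a DHCP-style lease and tracks how much of a hitlist captured at tick 0 still points at a vulnerable host, then applies a per-source miss threshold to a constructed border log. The pool size, the lease policy, the threshold and the names `simulate_nasr` and `flag_stale_hitlist_sources` are assumptions of this example, not parameters from the paper.

```python
"""Toy model of Network Address Space Randomization (NASR).

Added illustration for this page, not code from the paper: the address
pool, the DHCP-style lease rotation policy and the miss threshold are
assumptions made for the example.
"""
import random


def fraction_still_valid(hitlist, hosts, vulnerable):
    """Share of hitlist addresses that a vulnerable host holds right now."""
    if not hitlist:
        return 1.0
    live_vulnerable = {hosts[name] for name in vulnerable}
    return sum(1 for addr in hitlist if addr in live_vulnerable) / len(hitlist)


def simulate_nasr(pool_size, n_hosts, n_vulnerable, lease_ticks, ticks, seed=1):
    """Subnet of `n_hosts` drawn from `pool_size` addresses; every `lease_ticks`
    ticks each host is moved to a random free address (0 disables NASR).
    Returns, per tick, how much of a hitlist captured at tick 0 is still valid."""
    rng = random.Random(seed)
    pool = list(range(pool_size))
    names = [f"h{i}" for i in range(n_hosts)]
    hosts = dict(zip(names, rng.sample(pool, n_hosts)))
    vulnerable = set(names[:n_vulnerable])
    hitlist = sorted(hosts[name] for name in vulnerable)  # attacker's snapshot
    history = []
    for t in range(1, ticks + 1):
        if lease_ticks and t % lease_ticks == 0:
            for name in names:
                # A host may only move to an address no other host holds.
                taken = {addr for other, addr in hosts.items() if other != name}
                hosts[name] = rng.choice([a for a in pool if a not in taken])
        history.append(fraction_still_valid(hitlist, hosts, vulnerable))
    return history


def flag_stale_hitlist_sources(attempts, hosts, max_misses=3):
    """Perimeter-side check: count, per external source, connection attempts
    to addresses that no host currently holds.  Under NASR a worm driven by a
    stale hitlist accumulates such misses much like a scanning worm, so a
    plain per-source threshold flags it.  `attempts` is a list of
    (source, destination_address) pairs as seen at the border."""
    live = set(hosts.values())
    misses = {}
    for src, dst in attempts:
        if dst not in live:
            misses[src] = misses.get(src, 0) + 1
    return {src for src, n in misses.items() if n >= max_misses}


if __name__ == "__main__":
    no_nasr = simulate_nasr(256, 16, 8, lease_ticks=0, ticks=30)
    nasr = simulate_nasr(256, 16, 8, lease_ticks=5, ticks=30)
    print("without NASR, valid hitlist share at tick 30:", no_nasr[-1])
    print("with NASR (lease of 5 ticks), valid share per tick:", nasr)
    # Constructed border log: assumed source 'w' works from a stale hitlist,
    # 'u' is an ordinary client that mistyped one address.
    hosts_now = {"h0": 10, "h1": 20, "h2": 30}
    log = [("w", 10), ("w", 11), ("w", 12), ("w", 13), ("u", 20), ("u", 21)]
    print("flagged sources:", flag_stale_hitlist_sources(log, hosts_now))
```

The validity curve stays at 1.0 until the first lease expiry and then drops, and it stays at 1.0 whenever the pool is full (there is nowhere to move to), which is the capacity caveat behind "limits or slows down": randomization needs spare address space in proportion to the staleness it is expected to cause. The border check deliberately uses only what a perimeter device can see (connections to unassigned addresses), not knowledge of which hosts are vulnerable.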
Defending against hitlist worms using network address space randomization