TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation

Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. Recent work has examined a proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. However, the originally proposed DHCP-based implementation may induce passive failures on hosts that change their addresses when connections are still in progress. The risk of such collateral damage also makes it harder to perform address changes at the timescales necessary for containing fast hitlist generators. In this paper we examine an alternative approach to NASR that allows both more aggressive address changes and also eliminates the problem of connection failures, at the expense of increased implementation and deployment cost. Rather than controlling address changes through a DHCP server, we explore the design and performance of transparent address obfuscation (TAO). In TAO, network elements transparently change the external address of internal hosts, while ensuring that existing connections on previously used addresses are preserved without any adverse consequences. In this paper we present the TAO approach in more detail and examine its performance.
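To make the mechanism concrete, here is a toy model of a TAO-style network element, written as an added example for this page; it is not the paper's code, and the class and method names (`TAOGateway`, `FlowKey`, `rotate`, `inbound`) and the constructed host and address values are assumptions. Each internal host is reachable at one current external address; on rotation it receives a fresh address from the pool, but any flow opened on an earlier address keeps its translation entry until it closes, so in-progress connections survive the change while a hitlist snapshot of the old addresses goes stale.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """External-side identity of a connection as the gateway sees it (constructed model)."""
    ext_addr: str
    ext_port: int
    remote: str


class TAOGateway:
    """Toy transparent address obfuscation element (example, not the paper's implementation).

    current : internal host -> external address used for *new* connections
    owner   : external address -> internal host, kept while the address is current
              or still carries at least one open flow
    flows   : FlowKey -> internal host, the per-connection translation state
    """

    def __init__(self, internal_hosts, external_pool, seed=0):
        self.rng = random.Random(seed)
        self.free = list(external_pool)
        self.rng.shuffle(self.free)
        self.current = {}
        self.owner = {}
        self.flows = {}
        self.next_port = 40000
        for host in internal_hosts:
            self._assign(host)

    def _assign(self, host):
        if not self.free:
            raise RuntimeError("external address pool exhausted")
        ext = self.free.pop()
        self.current[host] = ext
        self.owner[ext] = host

    def _release(self, ext):
        del self.owner[ext]
        self.free.insert(0, ext)  # recycle at the back of the queue, not immediately

    def _in_use(self, ext):
        return any(k.ext_addr == ext for k in self.flows)

    def rotate(self):
        """Give every host a new external address; retired addresses stay bound only while flows use them."""
        for host, old in list(self.current.items()):
            self._assign(host)
            if not self._in_use(old):
                self._release(old)

    def open_flow(self, host, remote):
        """Outbound connection: translation entry on the host's current external address."""
        key = FlowKey(self.current[host], self.next_port, remote)
        self.next_port += 1
        self.flows[key] = host
        return key

    def close_flow(self, key):
        host = self.flows.pop(key)
        ext = key.ext_addr
        if self.current[host] != ext and not self._in_use(ext):
            self._release(ext)  # last connection on a retired address is gone

    def inbound(self, key):
        """Packet from outside: deliver if it belongs to a known flow or targets a current address.
        Anything aimed at a retired or unknown address is dropped (the hitlist entry is stale)."""
        if key in self.flows:
            return self.flows[key]
        host = self.owner.get(key.ext_addr)
        if host is not None and self.current[host] == key.ext_addr:
            return host
        return None


def hitlist_survival(gw, hitlist, service_port=80, scanner="198.51.100.7"):
    """Fraction of hitlist entries that still deliver a fresh connection attempt to some host."""
    hits = sum(1 for ext in hitlist if gw.inbound(FlowKey(ext, service_port, scanner)) is not None)
    return hits / len(hitlist)


def demo():
    """Hitlist taken before one rotation, with one long-lived connection in progress (constructed)."""
    hosts = [f"10.0.0.{i}" for i in range(1, 5)]
    pool = [f"203.0.113.{i}" for i in range(1, 41)]
    gw = TAOGateway(hosts, pool, seed=1)
    hitlist = list(gw.current.values())          # snapshot of external addresses at time 0
    flow = gw.open_flow(hosts[0], "192.0.2.10")  # connection opened before the rotation
    before = hitlist_survival(gw, hitlist)
    gw.rotate()
    after = hitlist_survival(gw, hitlist)
    still_open = gw.inbound(flow) == hosts[0]    # existing connection still translated
    gw.close_flow(flow)
    return before, after, still_open


if __name__ == "__main__":
    print(demo())
```

The two properties the abstract claims are visible in `demo()`: every hitlist entry reaches a host before the rotation and none does afterwards, while the connection opened on the retired address keeps being translated until it closes. In this toy model the rotation is instantaneous and the pool is large; the paper's performance questions (how much translation state the retired addresses cost and how often rotation can run) are what a real deployment must measure.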
