CSE 535 : Lockwood 1
CSE 535 : Lecture 9
Containment of Internet Worms and Computer Viruses
with Content Filters
Washington University, Fall 2003
http://www.arl.wustl.edu/arl/projects/fpx/cse535/
Copyright 2003, John W. Lockwood, [email protected]
Virus/Worm/Data Spread in Unprotected Networks
[Figure, repeated on slides 2 through 6: University X with Depts A, B and C at Locations A, B and C, linked through carrier NAPs in Los Angeles, St. Louis and Small Town U.S.A.]
Mitigation of Worm Threat
• Prevention
– Need better software engineering practices
– Socio-economic conditions currently ensure a homogeneous set of software
• Treatment
– Disinfection tools (Norton, McAfee)
– System Update in Windows
– A security update can take DAYS to code
• Containment
– The approach taken by this system
From: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
Possible Technologies for Containment
• Possible technologies
– Firewalls
– Content filters
– Blacklists
• Ad-hoc containment methods used manually to contain Code Red
– Block inbound access to port 80
– Blacklisting of infected computers
– Content filtering of data with Code Red signatures
From: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
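The three ad-hoc Code Red responses listed above differ in what they block and what they break. The following Python is an added example, not the lecture's or the paper's code: it runs each policy over a few constructed packets (the addresses, payloads, protected prefix, blacklist contents and the simplified stand-in for a Code Red signature are all assumptions of this example) and reports what each policy drops.

```python
"""Three ad-hoc containment policies compared on the same traffic (added
example, not from the lecture). Addresses, payloads and the signature are
constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed: the network the filter protects.
PROTECTED = ipaddress.ip_network("128.252.0.0/16")

# Constructed: infected hosts an operator has identified so far.
BLACKLIST = {"10.1.1.1"}

# Simplified stand-in for a Code Red signature (an assumption of this example):
# the worm's HTTP request targeted /default.ida followed by a long run of
# filler characters. Real signatures were tighter than this.
SIGNATURES = [re.compile(rb"GET /default\.ida\?[NX]{16,}")]

# Constructed traffic: 0 is a legitimate inbound request, 1 and 2 are worm
# probes (from a blacklisted host, and from a host infected after the list
# was built), 3 is an outbound request from an inside client.
PACKETS = [
    Packet("10.9.8.7", "128.252.1.10", 80,
           b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet("10.1.1.1", "128.252.1.10", 80,
           b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),
    Packet("10.2.2.2", "128.252.1.11", 80,
           b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n\r\n"),
    Packet("128.252.1.50", "10.9.8.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
]


def block_inbound_port80(pkt):
    """Firewall rule: drop every packet to TCP port 80 inside the protected net."""
    return pkt.dport == 80 and ipaddress.ip_address(pkt.dst) in PROTECTED


def blacklist_source(pkt):
    """Address blacklist: drop packets from hosts already known to be infected."""
    return pkt.src in BLACKLIST


def content_filter(pkt):
    """Content filter: drop packets whose payload matches a worm signature."""
    return any(sig.search(pkt.payload) for sig in SIGNATURES)


def dropped_by(policy, packets=PACKETS):
    """Indices of the packets a policy drops."""
    return [i for i, pkt in enumerate(packets) if policy(pkt)]


def compare(packets=PACKETS):
    """Map each policy name to the packets it drops, to weigh coverage of the
    worm against collateral damage to legitimate traffic."""
    return {p.__name__: dropped_by(p, packets)
            for p in (block_inbound_port80, blacklist_source, content_filter)}


if __name__ == "__main__":
    for name, dropped in compare().items():
        print(f"{name}: drops packets {dropped}")
```

Run as a script to see that the port block also drops the legitimate request in packet 0, the blacklist misses the freshly infected host in packet 2, and the content filter drops exactly the two worm probes. The content filter is the only one that is both complete and precise here, but only for traffic that matches a signature it already has.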
Containment can Work
• Detection is easier than prevention
– The containment system does not need to understand how the worm itself works
• Containment can be deployed incrementally
– Does not require universal deployment
• Effectiveness depends on
– Time to detect and react
– Strategy used to identify and contain the pathogen
– Breadth and placement of system deployment
From: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
Idealized Deployment
From: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
Required Reaction Time for Address Blacklisting and Content Filtering
From: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
Containment System
[Figure: a Network Intrusion Prevention system placed in the path of Internet traffic.]
Virus/Worm/Data Containment in Protected Networks
[Figure, repeated on slides 13 through 15: the same network as before (University X, Depts A, B and C at Locations A, B and C, carrier NAPs in Los Angeles, St. Louis and Small Town U.S.A.), now with a Content Scanning and Protection Device in place.]
Network Configuration
[Figure: PCs behind an Ethernet switch with an ATM uplink; two Data Enabling Devices (DED) with FPX Processing Modules sit at the connections to the Internet.]
Content Scanning Technology
• Fiber optic line cards
– Gigabit Ethernet
– ATM (IP over AAL5)
• Reconfigurable hardware
– Uses the Field Programmable Port Extender (FPX) platform
– Protocols processed in hardware
– Custom finite state machines (FSMs) scan packets
– Reconfigurable over the network
• Chassis / motherboard
– Allows modules to stack
Complete Protection System
[Figure: components labelled Router/Switch at a Network Aggregation Point, Switch/Concentrator, Transaction Processor, Content Scanner (with Data paths in and out) and Content Matching Server.]
Hardware Generation Interface
[Screenshot of the web interface; the annotations read:]
– Add expression to database
– Expressions that are programmed into the hardware
– Applications for the circuit
– Specify where to send log/alert messages
– Specify which device to reprogram
– One-step process to run CAD tools that build the circuit and program the FPGA
Edit Search strings
Programming the DED
Configuration of Content Scanning Module
[Figure: nested protocol wrappers (Frame, Cell, IP and UDP/TCP) around four rows of six regular-expression engines, RE1 to RE6.]
Implementation of Content Scanner on Field Programmable Port Extender (FPX)
[Figure: two FPGAs. The Network Interface Device (NID) FPGA carries the 2.4 Gigabit/sec network interfaces to Subnet A and Subnet B, a SelectMAP reconfiguration interface with PROM and SRAM, and the Program NID / Program RAD paths. The Reconfigurable Application Device (RAD) FPGA holds the processing functions, with off-chip memories (PC100 SDRAM on a 64-bit data bus, ZBT SRAM on a 36-bit data bus, plus address lines) on each side.]
Remotely reprogram hardware over network
[Figure: the Internet, a switch whose ports are labelled IPP and OPP, and the FPX hardware.]
– Content Matching Server generates a new module in programmable logic
– New module developed
– Module bitfile transmitted over network
– New module deployed into FPX hardware
Active Virus Protection
[Figure: an Internet user behind a Content Scanning Module.]
(1) Data is requested from the public Internet
(2) Content returns from an infected host
(3) Content is processed in the FPX
(4) An alert packet is sent to the user to let them know of the virus
(5) Content containing the virus is dropped at the FPX
Active Virus Example
Modular Design Flow
– Front End: Specify regular expression (Web, PHP)
– Back End (1): Extract search terms from SQL database
– Back End (2): Generate finite state machines in VHDL
– Set boundary I/O & routing constraints (DHP)
– Synthesize logic to gates & flops (Synplicity Pro)
– Place and route with constraints (Xilinx)
– Generate bitstream (Xilinx)
– Install and deploy modules over Internet to remote scanners (NCHARGE)
– In-system data scanning on FPX platform
New, 2 million-gate packet scanner: 9 minutes
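The regular-expression engines of the Configuration of Content Scanning Module slide and the "Generate finite state machines in VHDL" step above both come down to a deterministic automaton that consumes one byte per step. This Python is an added example, not the lecture's VHDL generator: it builds such an automaton from a list of search strings (constructed here) with a full 256-entry transition row per state, the structure a hardware engine can walk at one byte per clock, and shows why a packet scanner must carry its state between packets of a flow: a search string split across two packets matches only with the carried state.

```python
"""Software model of the hardware pattern scanner (added example, not the
lecture's VHDL): compiles search strings into a deterministic automaton with a
full 256-way transition row per state and scans a flow across packet
boundaries by carrying the state between segments. Search strings are
constructed for illustration."""
from collections import deque


def build_automaton(patterns):
    """Aho-Corasick construction. Returns (table, outputs): table[state][byte]
    is the next state, outputs[state] is the set of pattern indices that end
    when the scanner enters that state."""
    goto = [{}]          # trie edges, one dict per state
    outputs = [set()]
    for idx, pattern in enumerate(patterns):
        state = 0
        for b in pattern:
            if b not in goto[state]:
                goto.append({})
                outputs.append(set())
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        outputs[state].add(idx)

    # Failure links in breadth-first order; a state inherits the outputs of the
    # state its failure link points at (a pattern that is a suffix of another).
    fail = [0] * len(goto)
    order = []
    queue = deque(goto[0].values())
    while queue:
        r = queue.popleft()
        order.append(r)
        for b, s in goto[r].items():
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            outputs[s] |= outputs[fail[s]]
            queue.append(s)

    # Flatten into a full table: a missing trie edge takes the transition of the
    # failure state, so every byte costs exactly one lookup and no backtracking.
    table = [None] * len(goto)
    table[0] = [goto[0].get(b, 0) for b in range(256)]
    for s in order:                      # BFS order: fail[s] is already filled
        table[s] = [goto[s][b] if b in goto[s] else table[fail[s]][b]
                    for b in range(256)]
    return table, outputs


def scan(automaton, data, state=0):
    """Feed bytes through the table. Returns the final state (to carry into the
    next segment of the same flow) and a list of (pattern index, end offset)."""
    table, outputs = automaton
    matches = []
    for offset, b in enumerate(data):
        state = table[state][b]
        for idx in sorted(outputs[state]):
            matches.append((idx, offset))
    return state, matches


def scan_flow(automaton, segments):
    """Scan a flow segment by segment with flow-relative offsets. Carrying the
    state is what lets a string split across two packets still match."""
    state, base, found = 0, 0, []
    for seg in segments:
        state, matches = scan(automaton, seg, state)
        found.extend((idx, base + off) for idx, off in matches)
        base += len(seg)
    return found


# Constructed search strings, one per pattern index.
SEARCH_STRINGS = [b"default.ida?", b"root.exe"]

if __name__ == "__main__":
    auto = build_automaton(SEARCH_STRINGS)
    print(len(auto[0]), "states")
    print("split across packets:", scan_flow(auto, [b"GET /defau", b"lt.ida?NNNN"]))
    print("each packet alone:", scan(auto, b"GET /defau")[1], scan(auto, b"lt.ida?NNNN")[1])
```

Each row of the table is what a hardware engine stores per state; the number of states is one more than the total length of the trie, so long search strings cost logic in proportion to their length, which is why the slides generate a fresh circuit when the expression set changes.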
Content Filter Containment = F(Reaction Time, Probe Rate)
Graph from: Internet Quarantine: Requirements for Containing Self-Propagating Code. By: David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, IEEE INFOCOM 2003
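The dependence sketched on this slide, and the comparison on the Required Reaction Time for Address Blacklisting and Content Filtering slide, can be made concrete with a small model. The Python below is an added example, not the Moore et al. analysis or its numbers: it uses a standard SI model of a uniformly random-scanning worm over the IPv4 space, solves for the latest reaction time at which a universally deployed content filter still keeps infection below a chosen fraction, and simulates content filtering against a simplified address-blacklisting rule (each infected host is blocked a fixed reaction time after it was infected). The population size, probe rates and reaction times are constructed for illustration.

```python
"""Idealized worm-containment model (added example, not from the lecture or
the Moore et al. paper): a random-scanning worm in the IPv4 space and two of
the containment strategies the slides compare, content filtering and address
blacklisting. All parameter values are constructed for illustration."""
import math
from collections import deque

ADDRESS_SPACE = 2 ** 32   # addresses a uniformly random scanner can probe


def growth_rate(probe_rate, vulnerable):
    """Per-second logistic growth rate: the fraction of an infected host's
    probes per second that land on a vulnerable host."""
    return probe_rate * vulnerable / ADDRESS_SPACE


def infected_at(t, probe_rate, vulnerable, initial_infected=1):
    """Hosts infected after t seconds with no containment (logistic SI model)."""
    beta = growth_rate(probe_rate, vulnerable)
    return vulnerable / (1 + (vulnerable / initial_infected - 1) * math.exp(-beta * t))


def required_reaction_time(probe_rate, vulnerable, max_fraction, initial_infected=1):
    """Latest moment a universally deployed content filter can start dropping
    worm traffic so that at most max_fraction of vulnerable hosts is ever
    infected (inverse of the logistic curve)."""
    beta = growth_rate(probe_rate, vulnerable)
    ratio = (vulnerable / initial_infected - 1) / (1 / max_fraction - 1)
    return math.log(ratio) / beta


def simulate(probe_rate, vulnerable, reaction_time, strategy, horizon,
             dt=1.0, initial_infected=1):
    """Fraction of vulnerable hosts infected after `horizon` seconds, by Euler
    steps of dt seconds. strategy is one of:
      'none'      no containment
      'content'   from reaction_time on, filters drop all worm traffic, so no
                  infected host can reach another (universal deployment)
      'blacklist' each infected host is blocked reaction_time seconds after
                  it was infected, and keeps scanning until then
    The blacklist rule is a simplification assumed for this example."""
    infected = float(initial_infected)
    active = float(initial_infected)        # hosts still able to scan
    window = deque([(0.0, active)])         # (time infected, count), blacklist only
    for step in range(int(horizon / dt)):
        t = step * dt
        if strategy == 'content' and t >= reaction_time:
            active = 0.0
        elif strategy == 'blacklist':
            while window and window[0][0] + reaction_time <= t:
                active -= window.popleft()[1]
            active = max(active, 0.0)
        new = active * probe_rate * (vulnerable - infected) / ADDRESS_SPACE * dt
        new = min(new, vulnerable - infected)
        infected += new
        if strategy != 'content' or t < reaction_time:
            active += new
        if strategy == 'blacklist':
            window.append((t + dt, new))
    return infected / vulnerable


if __name__ == "__main__":
    N = 360_000   # constructed vulnerable population
    for rate in (10, 100):
        minutes = required_reaction_time(rate, N, 0.01) / 60
        print(f"{rate} probes/s: content filter must react within {minutes:.1f} min "
              f"to hold infection to 1%")
    for strategy in ("none", "content", "blacklist"):
        print(f"{strategy:9s} reaction 3600 s, after 24 h: "
              f"{simulate(10, N, 3600, strategy, 86400):.5f} of hosts infected")
```

For the constructed numbers, the blacklist at a one-hour reaction time fails where the content filter holds, because each infected host keeps scanning for an hour before it is listed and finds more than one new victim in that time. The blacklist only contains the worm when the reaction time is short enough that each host infects fewer than one other before it is blocked, that is, when reaction_time * probe_rate * vulnerable / 2^32 is below 1; the content filter has no such threshold, only the curve of infection reached by the time it is switched on.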