Abstract
Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. Recent work has examined a proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. However, the originally proposed DHCP-based implementation may induce passive failures on hosts that change their addresses when connections are still in progress. The risk of such collateral damage also makes it harder to perform address changes at the timescales necessary for containing fast hitlist generators.
In this paper we examine an alternative approach to NASR that both allows more aggressive address changes and eliminates the problem of connection failures, at the expense of increased implementation and deployment cost. Rather than controlling address changes through a DHCP server, we explore the design and performance of transparent address obfuscation (TAO). In TAO, network elements transparently change the external address of internal hosts, while ensuring that existing connections on previously used addresses are preserved without any adverse consequences. In this paper we present the TAO approach in more detail and examine its performance.
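The mechanism the abstract describes, external addresses that rotate while connections opened on an earlier address keep working, as an added Python model; this is not code from the paper, and the gateway class, address pool, peer addresses and hitlist snapshot are constructed for illustration. `stale_fraction` measures how much of a precomputed address list one rotation invalidates, which is the defensive effect TAO aims for.

```python
# Added example (not from the paper): toy model of a TAO-style gateway that
# rotates the external addresses of internal hosts while pinning in-progress
# connections to the address they were opened on. Names and values are made up.
import random

class TaoGateway:
    def __init__(self, hosts, address_pool, seed=0):
        self.rng = random.Random(seed)
        self.hosts = list(hosts)
        self.pool = list(address_pool)
        self.current = {}  # host -> external address used for NEW connections
        self.flows = {}    # (ext_addr, ext_port, peer) -> host, for pinned flows
        self.rotate()

    def rotate(self):
        """Give every host a fresh external address; pinned flows are untouched."""
        self.current = dict(zip(self.hosts, self.rng.sample(self.pool, len(self.hosts))))

    def open_connection(self, host, ext_port, peer):
        """Host starts a flow; the gateway pins it to the host's current address."""
        key = (self.current[host], ext_port, peer)
        self.flows[key] = host
        return key

    def close_connection(self, key):
        self.flows.pop(key, None)

    def route_inbound(self, ext_addr, ext_port, peer):
        """Deliver an inbound packet: pinned flows win, else the current mapping."""
        key = (ext_addr, ext_port, peer)
        if key in self.flows:
            return self.flows[key]
        for host, addr in self.current.items():
            if addr == ext_addr:
                return host
        return None  # address currently unassigned: the packet goes nowhere

def stale_fraction(gateway, hitlist, probe_port=80, probe_peer="prober"):
    """Share of a precomputed hitlist (ext_addr -> expected host) whose entries
    no longer reach the expected host once the gateway has rotated addresses."""
    misses = sum(1 for addr, host in hitlist.items()
                 if gateway.route_inbound(addr, probe_port, probe_peer) != host)
    return misses / len(hitlist)

def demo(seed=0):
    gw = TaoGateway(["h1", "h2", "h3"], ["198.51.100.%d" % i for i in range(1, 11)], seed)
    hitlist = {addr: host for host, addr in gw.current.items()}  # pre-rotation snapshot
    flow = gw.open_connection("h1", 40000, "203.0.113.9")
    gw.rotate()
    return gw.route_inbound(*flow) == "h1", stale_fraction(gw, hitlist)
```

`demo()` returns whether the flow opened before the rotation still reaches `h1`, and the fraction of the snapshot that the rotation made stale.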
© 2006 IFIP International Federation for Information Processing
Cite this paper
Antonatos, S., Anagnostakis, K.G. (2006). TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation. In: Leitold, H., Markatos, E.P. (eds) Communications and Multimedia Security. CMS 2006. Lecture Notes in Computer Science, vol 4237. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11909033_2
DOI: https://doi.org/10.1007/11909033_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47820-1
Online ISBN: 978-3-540-47823-2