How to 0wn the Internet in Your Spare Time

Stuart Staniford∗ (Silicon Defense, stuart@silicondefense.com)
Vern Paxson† (ICSI Center for Internet Research, vern@icir.org)
Nicholas Weaver‡ (UC Berkeley, nweaver@cs.berkeley.edu)

Abstract

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.

We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).

We then turn to the threat of surreptitious worms that spread more slowly but in a much harder to detect “contagion” fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.

In conclusion, we argue for the pressing need to develop a “Center for Disease Control” analog for virus- and worm-based threats to national cybersecurity, and sketch some of the components that would go into such a Center.
1 Introduction

If you can control a million hosts on the Internet, you can do enormous damage. First, you can launch distributed denial of service (DDOS) attacks so immensely diffuse that mitigating them is well beyond the state-of-the-art for DDOS traceback and protection technologies. Such attacks could readily bring down e-commerce sites, news outlets, command and coordination infrastructure, specific routers, or the root name servers.

Second, you can access any sensitive information present on any of those million machines—passwords, credit card numbers, address books, archived email, patterns of user activity, illicit content—even blindly searching for a “needle in a haystack,” i.e., information that might be on a computer somewhere in the Internet, for which you trawl using a set of content keywords.

Third, not only can you access this information, but you can sow confusion and disruption by corrupting the information, or sending out false or confidential information directly from a user’s desktop.

In short, if you could control a million Internet hosts, the potential damage is truly immense: on a scale where such an attack could play a significant role in warfare between nations or in the service of terrorism.

Unfortunately it is reasonable for an attacker to gain control of a million Internet hosts, or perhaps even ten million. The highway to such control lies in the exploitation of worms: programs that self-propagate across the Internet by exploiting security flaws in widely-used services.¹ Internet-scale worms are not a new phenomenon [Sp89, ER89], but the severity of their threat has rapidly grown with (i) the increasing degree to which the In-

∗ Research supported by DARPA via contract N66001-00-C-8045.
† Also with the Lawrence Berkeley National Laboratory, University of California, Berkeley.
‡ Additional support from Xilinx, ST Microsystems, and the California MICRO program.
¹ We distinguish between the worms discussed in this paper—active worms—and viruses (or email worms) in that the latter require some sort of user action to abet their propagation. As such, they tend to propagate more slowly. From an attacker’s perspective, they also suffer from the presence of a large anti-virus industry that actively seeks to identify and control their spread.