Abstract
Passive network monitors, known as telescopes or darknets, have been invaluable in detecting and characterizing malware outbreaks. However, as the use of such monitors becomes commonplace, it is likely that malware will evolve to actively detect and evade them. This paper highlights the threat of simple, yet effective, evasive attacks that undermine the usefulness of passive monitors. Our results raise an alarm to the research and operational communities to take proactive countermeasures before we are forced to defend against similar attacks appearing in the wild. Specifically, we show how lightweight, coordinated sampling of the IP address space can be used to successfully detect and evade passive network monitors. Equally troubling is the fact that in doing so attackers can locate the "live" IP space clusters and divert malware scanning solely toward active networks. We show that evasive attacks exploiting this knowledge are also extremely fast, infecting the entire vulnerable population within seconds.
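The sample-then-scan strategy the abstract describes, as an added illustration that is not the paper's code: a constructed toy address space in which live blocks answer probes, unallocated blocks are silent, and darknet monitor blocks are silent but record every probe they receive. The block size, the live/monitor/host densities, the random seed and the per-block probe budget are assumptions chosen for the simulation; the paper's own sampling scheme, its coordination among infected hosts and its measurements are not reproduced here.

```python
"""Toy simulation of sample-then-scan propagation against a passive monitor.

Added illustration, not the paper's code. The address-space layout, the
densities and the probe budget below are constructed assumptions.
"""
import random
from dataclasses import dataclass, field

BLOCK_SIZE = 256  # one block stands in for a /24; addresses are plain integers


@dataclass
class AddressSpace:
    """Constructed address space. Live blocks contain hosts that answer probes,
    unallocated blocks are silent, monitor blocks are silent but log probes."""
    n_blocks: int
    live_blocks: set
    monitor_blocks: set
    responsive: set            # addresses that answer a probe
    vulnerable: set            # responsive addresses the worm can infect
    monitor_log: list = field(default_factory=list)

    def probe(self, addr):
        """True if addr answers. A passive monitor never answers, so from the
        scanner's side it is indistinguishable from unallocated space."""
        if addr // BLOCK_SIZE in self.monitor_blocks:
            self.monitor_log.append(addr)
            return False
        return addr in self.responsive


def make_space(rng, n_blocks=256, live_frac=0.4, monitor_frac=0.1,
               host_density=0.3, vuln_frac=0.05):
    """Build a space with live_frac live blocks and monitor_frac darknet blocks;
    the rest is unallocated. Within live blocks, host_density of the addresses
    answer and vuln_frac of those are exploitable. All values are assumptions."""
    blocks = list(range(n_blocks))
    rng.shuffle(blocks)
    n_live, n_mon = int(n_blocks * live_frac), int(n_blocks * monitor_frac)
    live, monitor = set(blocks[:n_live]), set(blocks[n_live:n_live + n_mon])
    responsive, vulnerable = set(), set()
    for blk in live:
        for host in range(BLOCK_SIZE):
            if rng.random() < host_density:
                addr = blk * BLOCK_SIZE + host
                responsive.add(addr)
                if rng.random() < vuln_frac:
                    vulnerable.add(addr)
    return AddressSpace(n_blocks, live, monitor, responsive, vulnerable)


def sample_live_blocks(space, rng, probes_per_block=8):
    """Phase 1: spend at most probes_per_block probes on each block and keep the
    blocks where anything answered. Silent blocks are dropped, whether they are
    unallocated or a monitor. Each block is tested independently, so the work
    could be divided among many infected hosts (a single loop here)."""
    live = set()
    for blk in range(space.n_blocks):
        base = blk * BLOCK_SIZE
        for _ in range(probes_per_block):
            if space.probe(base + rng.randrange(BLOCK_SIZE)):
                live.add(blk)
                break
    return live


def scan(space, target_blocks, rng):
    """Phase 2: probe every address in target_blocks in random order until no
    reachable vulnerable host remains. Probes spent stand in for elapsed time."""
    addrs = [b * BLOCK_SIZE + h for b in sorted(target_blocks) for h in range(BLOCK_SIZE)]
    rng.shuffle(addrs)
    reachable = space.vulnerable & set(addrs)
    hits_before = len(space.monitor_log)
    infected, probes = set(), 0
    for addr in addrs:
        probes += 1
        if space.probe(addr) and addr in space.vulnerable:
            infected.add(addr)
            if len(infected) == len(reachable):
                break
    return {"probes": probes, "infected": len(infected),
            "monitor_hits": len(space.monitor_log) - hits_before}


def compare(seed=7, probes_per_block=8):
    """Run uniform random scanning and sample-guided scanning on the same space."""
    rng = random.Random(seed)
    space = make_space(rng)
    uniform = scan(space, set(range(space.n_blocks)), rng)   # classic uniform scan
    before = len(space.monitor_log)
    live = sample_live_blocks(space, rng, probes_per_block)  # cheap reconnaissance
    sampling_hits = len(space.monitor_log) - before
    guided = scan(space, live, rng)                          # scan only blocks that answered
    return {"vulnerable": len(space.vulnerable), "live_blocks": len(space.live_blocks),
            "found_live": len(live), "monitor_blocks": len(space.monitor_blocks),
            "uniform": uniform, "sampling_monitor_hits": sampling_hits, "guided": guided}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the monitor and dark space look alike to the scanner, so discarding silent blocks evades the monitor as a side effect of looking for live space: the monitor sees at most probes_per_block packets per block during sampling and none during the guided scan, against thousands under uniform scanning, while the guided scan spends far fewer probes. The cost is coverage: a live block whose sampled addresses all happened to be silent is never scanned again, and the probe budget against host density is the knob that trades stealth for completeness.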
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rajab, M.A., Monrose, F., Terzis, A. (2006). Fast and Evasive Attacks: Highlighting the Challenges Ahead. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_11
DOI: https://doi.org/10.1007/11856214_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-39723-6
Online ISBN: 978-3-540-39725-0
eBook Packages: Computer Science (R0)