A Fast, Selective Attack Worm Based on IP Address Information

Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

Cliff C. Zou†, Don Towsley‡, Weibo Gong†, Songlin Cai†
†Department of Electrical & Computer Engineering, ‡Department of Computer Science
University of Massachusetts, Amherst MA 01003
{czou,gong,scai}@ecs.umass.edu, [email protected]

Abstract

Most well-known worms, such as Code Red, Slammer, Blaster, and Sasser, infected vulnerable computers by scanning the entire IPv4 address space. In this paper, we present an advanced worm called "routing worm", which implements two advanced attacking techniques. First, a routing worm uses BGP routing tables to scan only the Internet routable address space, which allows it to propagate three times faster than a traditional worm. Second, and more importantly, the geographic information of BGP routing prefixes enables a routing worm to conduct pinpoint "selective attacks" by imposing heavy damage on vulnerable computers in a specific country, company, Internet Service Provider, or Autonomous System, without collateral damage done to others.

Because BGP routing tables are inherently public, attackers can easily deploy routing worms, which distinguishes the routing worm from other "worst-case" worms. Compared to a traditional worm, a routing worm could possibly cause more severe congestion to the Internet backbone since all scans sent out by a routing worm are Internet routable (and can only be dropped at the destinations). In addition, it is harder to quickly detect a routing-worm infected computer since we cannot distinguish illegal scans from regular connections without waiting for traffic responses. In order to defend against routing worms and all scanning worms, an effective way is to upgrade the current Internet from IPv4 to IPv6, although such an upgrade will require a tremendous effort and is still a controversial issue.

1. Introduction

Computer worms are malicious programs that self-propagate across a network exploiting security or policy flaws in widely-used services [26]. Most of the previous wide-spreading worms, such as Code Red, Slammer, Blaster, and Sasser [7], are scanning worms that find and infect vulnerable machines by probing IP addresses in the entire IPv4 Internet address space. How fast a worm can propagate is determined by many factors. Among them, three major factors could be improved by attackers:

(1) The number of initially infected hosts;
(2) A worm's scan rate η, defined as the number of scans an infected computer sends out per unit time;
(3) A worm's hitting probability p, defined as the probability that a worm's scan hits any computer that is either vulnerable or already infected.

The "hit-list worm" presented by [23] exploits the first factor above to improve a worm's propagation speed by containing a large number of IP addresses of vulnerable hosts in the worm code. The second factor, worm scan rate, is determined by the efficiency of a worm's code and also the network bandwidth. If attackers want to improve a worm's propagation speed, another effort is to increase the worm's hitting probability p, i.e., to waste fewer scans on obviously empty IP space.

In order to defend against Internet worm attacks, we need to anticipate and study how attackers will improve their attacking techniques. In this paper, we present an advanced scanning worm called "routing worm", which increases its propagation speed by removing many empty IP addresses from its scanning space based on information of BGP routable addresses. We define two types of routing worms — one based on "/8" prefix (x.0.0.0/8) address allocation, another based on BGP routing prefixes. We call them "/8 routing worm" and "BGP routing worm", respectively. Without missing any potential target in the Internet, a /8 routing worm and a BGP routing worm can reduce their scanning space to 45.3% and 28.6% of the entire IPv4 address space, respectively. In this way, attackers can increase the spreading speed of their worms by a factor of two to more than three without adding much complexity to the worm code.

The IP address information of BGP routing prefixes provides geographic information about which IP addresses belong to which country, company, Internet Service Provider (ISP), or Autonomous System (AS). With such information, attackers could deploy a routing worm to selectively impose heavy damage on compromised hosts if they belong to a specific entity (country, company, ISP, or AS) and leave the compromised hosts belonging to others intact. Such a "selective attack" property makes a routing worm tremendously dangerous considering the potential attacks initiated by terrorists, revengers, or business rivals.

Because BGP routing tables are inherently public, attackers can easily deploy a routing worm without much extra effort — this distinguishes the routing worm from other theoretical "worst-case" worms. In addition, compared to a traditional worm that scans the entire IPv4 space, a routing worm could possibly cause more congestion trouble to the Internet backbone, and also makes it harder to quickly detect infected computers. We will explain these challenges in detail later in this paper. To defend against the threat of routing worms and all scanning worms, we show that upgrading the current IPv4 Internet to IPv6 is an effective way, although such an upgrade will require a tremendous effort and is still a controversial issue.

The rest of this paper is organized as follows. Section 2 surveys related work. In Section 3, we discuss how routing worms can use various types of IPv4 address information to improve their spreading speed. In Section 4, we point out that attackers can use routing worms to conduct selective attacks based on geographic information of IP addresses or BGP prefixes. Then in Section 5, we point out two additional challenges brought up by routing worms. In Section 6, we present modeling and analysis of routing worms based on the uniform-scan worm model [31]. Then we propose to upgrade IPv4 to IPv6 to defend against scanning worms in Section 7. In the end, Section 8 concludes this paper.

2. Related work

At the same time as we proposed the "routing worm" in this paper, Wu et al. [28] independently presented a "routable scan" strategy that is similar to the routing worm's idea of reducing the scanning space. However, the routing worm presented in this paper is not only a simple "routable scan" worm, but also a worm that could be used by attackers to conduct selective attacks against a specific country or company (ISP, AS, etc.), which is more dangerous and important to attackers than simply improving a worm's propagation speed. Staniford et al. [23] presented several possible fast spreading worms such as the "Warhol" worm and the "hit-list" worm right after the 2001 Code Red incident. [23][30][29][8][22][18][14] provided the major research work on how to model and analyze a worm's propagation under various situations.

Many people have studied how to derive the geographic information of ASes, ISPs, IP addresses, or domain names from publicly available information. The Skitter project provides detailed information of the AS number, name, longitude and latitude for every AS in the Internet [6]. In [5], CAIDA provides the mapping between an AS number and the country it belongs to. Furthermore, there are commercial location mapping services, such as EdgeScape from Akamai [9] and the free IP-to-location service from Geobytes [17].

The Route Views project [20] and the Routing Information Service from RIPE NCC [19] provide detailed BGP routing information of the Internet. In 1997, Braun [3] first used BGP routing tables to determine the fraction of IP space that has been allocated. CAIDA also studied this issue in 1998 [4].

Some people have proposed upgrading IPv4 to IPv6 as a defense against scanning worms [25][24][29], but have not explained this issue in detail. Thus most people have not paid attention to the inherent capability of IPv6 in preventing attacks from scanning worms.

3. Routing Worm: A Fast Spreading Worm

The central idea of the spreading speed improvement of a routing worm is to make the worm's target-finding more efficient without ignoring any potential vulnerable computer in the Internet.

3.1. BGP routing worm

One simple way to reduce the scanning space is to use the information provided by Border Gateway Protocol (BGP) routing tables. Both the Route Views project [20] and RIPE NCC [19] provide complete snapshots of BGP routing tables several times per day. BGP routing tables contain all Internet routable IP addresses. A "BGP routing worm" is an advanced worm that contains BGP routing prefix information so as to scan only BGP routable IP addresses. In this way, the worm effectively reduces its scanning space without missing any target.

A BGP routing prefix is a chunk of IP addresses that have the same n most-significant bits in their addresses, where n is called the prefix length for this prefix. Because of multi-homing, many prefixes in a BGP routing table overlap with each other — one prefix of shorter length contains all of the IP addresses in another prefix of longer length. To determine the percentage of IPv4 space that is BGP routable, we download BGP routing tables from Route Views [20], extract routing prefixes, and remove all overlapping prefixes

point of view, a worm does not need to waste its scans on IP addresses belonging to the other 140 "/8" prefixes.
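The measurement step of Section 3.1 (extract prefixes from a routing-table snapshot, drop the prefixes covered by a shorter one, and compute what fraction of IPv4 remains routable) is shown below as an added example written for this page; it is not the authors' code. The prefix list is a constructed sample, not a Route Views snapshot, and the same /8 count applied to the 116 allocated /8 blocks (256 minus the 140 unused ones mentioned above) reproduces the paper's 45.3% figure. Knowing these fractions tells a defender how much of a scanning worm's traffic is actually routable and so reaches the backbone and their sensors.

```python
import ipaddress

IPV4_SPACE = 2 ** 32

# Constructed sample of routing prefixes (not a real BGP snapshot); it
# deliberately contains the overlapping prefixes that multi-homing produces.
SAMPLE_PREFIXES = """
10.0.0.0/8
10.1.0.0/16
10.1.2.0/24
192.0.2.0/24
192.0.2.128/25
198.51.100.0/24
203.0.113.0/24
"""

def parse_prefixes(text):
    """Parse one CIDR prefix per line (IPv4 only), skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line)
            if net.version == 4:
                nets.append(net)
    return nets

def remove_covered_prefixes(nets):
    """Drop every prefix that lies inside a shorter (covering) prefix.
    Sorting by network address, then prefix length, places each covering
    prefix before everything it contains, so comparing against the last
    kept prefix in a single pass is sufficient."""
    kept = []
    for net in sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen)):
        if kept and net.subnet_of(kept[-1]):
            continue
        kept.append(net)
    return kept

def routable_fraction(nets):
    """Fraction of the IPv4 space covered by the non-overlapping prefixes."""
    total = sum(n.num_addresses for n in remove_covered_prefixes(nets))
    return total / IPV4_SPACE

def slash8_count(nets):
    """Distinct /8 blocks (first octets) that contain any prefix; dividing by
    256 gives the scanning space of the paper's /8 routing worm."""
    return len({int(n.network_address) >> 24 for n in nets})

if __name__ == "__main__":
    nets = parse_prefixes(SAMPLE_PREFIXES)
    print(f"BGP-routable: {routable_fraction(nets):.4%}, /8 blocks: {slash8_count(nets)}/256")
```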
