%include "header.mgp"
%%%%%%%%%
%% $Arbor: blaster.mgp,v 1.13 2003/10/08 20:46:12 jose Exp $
%page
%size 9
The Blaster Worm
%size 7
The view from 10,000 feet
%size 6, font "standard", fore "#666600", prefix " "
Jose Nazario
%size 5, prefix " "

%%%%%%%%
%page
Timeline Up to Blaster

	Wed Jul 16 2003 - LSD releases advisory
		"Critical security vulnerability in Microsoft Operating Systems"
		No exploit code
	Mon Aug 11 2003 - Blaster worm appears
		Exploit from dcom.c, HD Moore
	Wed Aug 13 2003 - Worm variants
		SDBot most sinister

%%%%%%%%
%page
How Blaster Scans

	Semi-random target selection
		Scans a /24 sequentially from .0 to .254, not random hosts
		"Island hopping"
			40% of the time: a /24 within the local /16
			60% of the time: a random /24
	Scans for 135/TCP, listens on 69/UDP (TFTP)
	Attempts exploit when a connection is made
		80% of the time uses the XP offset, 20% the Win2k offset
	Then connects to 4444/TCP, sends commands
		Download msblast.exe via TFTP, start msblast.exe

%%%%%%%%
%page
Detecting Blaster

	Detect 135/TCP scans
		Scans are against a /24 (255 hosts)
	No response sent to 135/TCP SYN traffic
		No active sampling
		Cannot differentiate variants
		No 4444/TCP traffic seen: we never respond on 135/TCP
	Primitive but it works
	Measure traffic and unique IPs seen

%%%%%%%%
%page
Blackhole Architecture

%image "blackhole.eps"

%%%%%%%%
%page
Blaster's Traffic Patterns

%image "blaster-unique-ips-hour.jpg"

	3-part graph: growth, decay, persistence

%%%%%%%%
%page
Blaster's Demographics

%image "blaster_tld.png"

	Over 280,000 unique IPs (10% dynamic)
	DNS: .net top in TLD queries

%%%%%%%%
%page
Blaster's Arrival

%image "blaster-onset.jpg"

	Strong upsurge in 135/TCP scans and unique sources
	Earlier spikes from auto-rooters (k-otik)

%%%%%%%%
%page
Blaster's Growth Curve

%image "blaster-growth.jpg"

	Fit to a constrained growth model (Boltzmann sigmoidal curve)
	Minimum doubling time of 2.3 hours (may be overestimated)

%%%%%%%%
%page
Blaster's Effects on Routing

%image "blaster-sapphire-bgp.jpg"

	Only a few thousand routes dropped out
	Similar effect to Sapphire or the blackout

%%%%%%%%
%page
Containing Blaster

%image "blaster-decay.jpg"

	Exponential decay of Blaster observations, half-life 10.4 hours
	Decay started after about 4 hours; pretty much all cleaned up in 5 days

%%%%%%%%
%page
Blaster's Tenuous Grip

%image "blaster-lingering.jpg"

	Circadian pattern, peak near 00:00 EDT, suggests hosts being powered on and off
	Global TLD distribution

%%%%%%%%
%page
Conclusions

	Advance warning didn't help
		We had HD's exploit for a few weeks
		Firewall rules, IDS signatures
		Patch was available for approximately 1 month
	High threat level
		Large-scale worm + DDoS payload
	Blaster spread quickly, contained by week's end
		6 hour spread time, 5 day containment time
	DDoS thwarted
		Potential for 1.3 million SYN pps
	Blaster could have been worse

%%%%%%%%
%page
Acknowledgments

%center
Dug Song, Robert Stone, Rob Malan
Michael Bailey, Dave Langhorst
Danny McPherson, Craig Labovitz
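
%%%%%%%%
%page
Worked example: blackhole-side sweep detection

Added example for the "How Blaster Scans" and "Detecting Blaster" pages. This is not code from the slides or from Arbor; the flow records it runs on are constructed, and the source/destination addresses, the record layout and the 20-host minimum are illustration choices. It keeps to what a blackhole actually sees: the inbound SYN to 135/TCP and nothing else, because the blackhole never answers, so the 4444/TCP shell and the TFTP pull of msblast.exe are never observed and variants cannot be told apart. What can be checked is the sweep shape the slide describes (a contiguous run of hosts inside one /24, .0 through .254) and the per-hour unique source count that the growth and decay graphs are built from.

```python
"""Blaster-style 135/TCP sweep detection over constructed blackhole records.

Added example, not code from the slides or from Arbor. The records are
constructed, not captured traffic.
"""
from collections import defaultdict
import ipaddress

# (hour since onset, source IP, destination IP, destination port, TCP flags)
Record = tuple[int, str, str, int, str]


def make_sample_records() -> list[Record]:
    """Constructed traffic as a blackhole /24 (192.0.2.0/24) would see it."""
    recs: list[Record] = []
    # A Blaster-like source walking the whole /24 from .0 to .254 in hour 0.
    for i in range(255):
        recs.append((0, "198.51.100.7", f"192.0.2.{i}", 135, "S"))
    # A second infected host an hour later, interrupted partway through.
    for i in range(120):
        recs.append((1, "203.0.113.9", f"192.0.2.{i}", 135, "S"))
    # A random 135/TCP scanner: scattered hosts, no contiguous run.
    for i in (3, 17, 42, 99, 130, 200, 250):
        recs.append((0, "203.0.113.44", f"192.0.2.{i}", 135, "S"))
    # Unrelated background: a web sweep and one stray 4444/TCP SYN.
    for i in range(255):
        recs.append((1, "203.0.113.200", f"192.0.2.{i}", 80, "S"))
    recs.append((1, "203.0.113.200", "192.0.2.5", 4444, "S"))
    return recs


def sweeps_by_source(records: list[Record], min_hosts: int = 20) -> dict[str, list[str]]:
    """Map each source to the /24s it swept sequentially on 135/TCP.

    A sweep is a contiguous run of last octets inside one /24 that never
    touches .255 (the slide says .0 to .254) and covers at least
    `min_hosts` addresses. Shorter runs are left out as ambiguous; 20 is
    a constructed threshold, not a measured one.
    """
    octets: dict[tuple[str, str], set[int]] = defaultdict(set)
    for _hour, src, dst, dport, flags in records:
        if dport != 135 or flags != "S":
            continue  # only the unanswered SYN to 135/TCP is evidence
        addr = ipaddress.ip_address(dst)
        net = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        octets[(src, net)].add(int(addr) & 0xFF)

    hits: dict[str, list[str]] = defaultdict(list)
    for (src, net), seen in octets.items():
        run = sorted(seen)
        if len(run) < min_hosts or run[-1] > 254:
            continue
        # Contiguous: the highest minus the lowest octet spans exactly len(run) hosts.
        if run[-1] - run[0] + 1 == len(run):
            hits[src].append(net)
    return dict(hits)


def unique_sources_per_hour(records: list[Record]) -> dict[int, int]:
    """Unique 135/TCP SYN sources per hour: the series the growth and
    decay graphs are plotted from."""
    per_hour: dict[int, set[str]] = defaultdict(set)
    for hour, src, _dst, dport, flags in records:
        if dport == 135 and flags == "S":
            per_hour[hour].add(src)
    return {h: len(s) for h, s in sorted(per_hour.items())}


if __name__ == "__main__":
    recs = make_sample_records()
    print(sweeps_by_source(recs))
    print(unique_sources_per_hour(recs))
```

The scattered scanner and the web sweep are counted as 135/TCP sources only where they actually send 135/TCP SYNs, which is the "primitive but it works" trade-off on the slide: the count tracks 135/TCP scanning in general, and the contiguous-run test is what separates the worm's sweep shape from other scanners.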
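
%%%%%%%%
%page
Worked example: doubling time and half-life from the hourly series

Added example for the "Blaster's Growth Curve" and "Containing Blaster" pages. It is not code from the slides or from Arbor, and the two series it fits are constructed from the slide's own figures (2.3 hour doubling time, 10.4 hour half-life) so that the fits can be checked against a known answer; the 200,000 peak hourly sources and the fitting windows are illustration choices. The growth side uses the Boltzmann sigmoid N(t) = top / (1 + exp((t0 - t)/dt)); well before the midpoint t0 this behaves like top * exp((t - t0)/dt), so the early-phase doubling time is dt * ln 2. The decay side fits ln N(t) as a straight line whose slope is -ln 2 / T, which gives the half-life T.

```python
"""Doubling time and half-life from an hourly unique-source series.

Added example, not code from the slides or from Arbor. The series are
constructed from the slide's own numbers; the peak is an assumption.
"""
import math
from typing import Sequence


def boltzmann(t: float, top: float, t0: float, dt: float) -> float:
    """Constrained growth model from the growth-curve slide (bottom fixed at 0)."""
    return top / (1.0 + math.exp((t0 - t) / dt))


def fit_log_linear(hours: Sequence[float], counts: Sequence[float]) -> float:
    """Least-squares slope b of ln(count) = a + b * hour.

    b > 0 is exponential growth, b < 0 exponential decay. Zero counts are
    skipped because ln 0 is undefined.
    """
    pts = [(h, math.log(c)) for h, c in zip(hours, counts) if c > 0]
    n = len(pts)
    sx = sum(h for h, _ in pts)
    sy = sum(y for _, y in pts)
    sxx = sum(h * h for h, _ in pts)
    sxy = sum(h * y for h, y in pts)
    return (n * sxy - sx * sy) / (n * sxx - sx * sx)


def doubling_time(hours: Sequence[float], counts: Sequence[float]) -> float:
    """Hours for the count to double, fitted over the early growth phase."""
    return math.log(2) / fit_log_linear(hours, counts)


def half_life(hours: Sequence[float], counts: Sequence[float]) -> float:
    """Hours for the count to halve, fitted over the decay phase."""
    return -math.log(2) / fit_log_linear(hours, counts)


def fraction_remaining(hours: float, t_half: float) -> float:
    """Share of the peak population still scanning after `hours`."""
    return 2.0 ** (-hours / t_half)


# Constructed series (not measurements). A peak of 200,000 sources per
# hour is an assumption for illustration only.
PEAK = 200_000
# Growth: sigmoid with midpoint 24 h after onset and a true early-phase
# doubling time of exactly 2.3 h, sampled over the first 11 hours.
GROWTH_HOURS = list(range(0, 11))
GROWTH_COUNTS = [round(boltzmann(h, top=PEAK, t0=24.0, dt=2.3 / math.log(2)))
                 for h in GROWTH_HOURS]
# Decay: 10.4 h half-life from the peak, sampled every 6 h for five days.
DECAY_HOURS = list(range(0, 121, 6))
DECAY_COUNTS = [round(PEAK * 2.0 ** (-h / 10.4)) for h in DECAY_HOURS]


if __name__ == "__main__":
    # The fitted doubling time lands a little above the model's true 2.3 h
    # because the curve is already bending toward its ceiling inside the
    # window: the same direction of error the slide flags.
    print(f"doubling time  {doubling_time(GROWTH_HOURS, GROWTH_COUNTS):.2f} h")
    print(f"half-life      {half_life(DECAY_HOURS, DECAY_COUNTS):.2f} h")
    print(f"left at 5 days {fraction_remaining(120, 10.4):.2e}")
```

With a 10.4 hour half-life, 120 hours is about 11.5 halvings, so roughly 0.03% of the peak population is still scanning after five days, which is what "pretty much all cleaned up in 5 days" amounts to numerically; the circadian tail on the next slide is what that last fraction looks like.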