
  Nevis Networks The Top Speed of Flash Worms

by Stuart Staniford, David Moore, Vern Paxson, Nicholas Weaver
http://www.icir.org/vern/worm04/topspeed-worm04.pdf

Abstract:

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm’s exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds [18]. We grossly over-estimated. In this paper, we revisit the problem in the context of single-packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP-based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.

Citations

350 How to 0wn the Internet in your spare time – Staniford, Paxson, et al. - 2002
197 Internet Quarantine: Requirements for Containing Self-Propagating Code – Moore, Shannon, et al. - 2003
178 Autograph: Toward automated, distributed worm signature detection – Kim, Karp - 2004
167 On the constancy of Internet path properties – Zhang, Duffield, et al. - 2001
164 Code-red: a case study on the spread and victims of an internet worm – Moore, Shannon, et al. - 2002
143 Throttling viruses: Restricting propagation to defeat malicious mobile code – Williamson - 2002
117 Fast portscan detection using sequential hypothesis testing – Jung, Paxson, et al. - 2004
102 Modeling the Spread of Active Worms – Chen, Gao, et al. - 2003
93 Very fast containment of scanning worms – Weaver, Staniford, et al. - 2004
91 A taxonomy of computer worms – Weaver, Paxson, et al. - 2003
62 The Spread of the Witty Worm – Shannon, Moore - 2004
61 Implementing and testing a virus throttle – Twycross, Williamson - 2003
52 Containment of scanning worms in enterprise networks – Staniford - 2004
43 The earlybird system for real-time detection of unknown worms – Singh, Estan, et al. - 2003
36 Cooperative response strategies for large scale attack mitigation – Nojiri, Rowe, et al. - 2003
16 New Streaming Algorithms for Fast Detection of Superspreaders – Venkataraman, Song, et al. - 2005
15 Experiences with Worm Propagation Simulations – Wagner, Dubendorfer, et al. - 2003
7 Malicious Threats and Vulnerabilities in Instant Messaging – Hindocha, Chien - 2003
1 Fast Detection of Scanning Worms Using Reverse Sequential Hypothesis Testing and Credit-Based Connection Rate Limiting. Submitted to Usenix Security – Jung, Schechter - 2004