
Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Abstract

We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster's multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F's far too greedy spreading algorithm.
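The abstract distinguishes partially from completely successful Blaster infections using flow-level filters. The following Python sketch is an added illustration, not the paper's own filters or code: it groups constructed NetFlow-style records per attacker/victim pair and classifies the infection chain. The stage ports (TCP 135 RPC exploit, TCP 4444 shell, UDP 69 TFTP fetch of the worm binary) are assumed from public Blaster advisories, and all flow records and addresses are constructed.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, proto, dst_port, packets)
FLOWS = [
    ("10.0.0.1", "10.0.1.5", "tcp", 135, 6),   # RPC exploit attempt
    ("10.0.0.1", "10.0.1.5", "tcp", 4444, 4),  # command shell on victim
    ("10.0.1.5", "10.0.0.1", "udp", 69, 14),   # victim pulls worm binary via TFTP
    ("10.0.0.2", "10.0.1.7", "tcp", 135, 1),   # lone SYN, target never answered
    ("10.0.0.3", "10.0.1.9", "tcp", 135, 6),
    ("10.0.0.3", "10.0.1.9", "tcp", 4444, 4),  # shell reached, but no TFTP follows
    ("10.0.0.4", "10.0.1.2", "tcp", 80, 9),    # unrelated traffic, ignored
]

# Stage ports are an assumption taken from public advisories, not from the paper.
STAGES = {("tcp", 135): "rpc", ("tcp", 4444): "shell", ("udp", 69): "tftp"}
ORDER = ("rpc", "shell", "tftp")

def stage_table(flows):
    """Map (attacker, victim) -> {stage: packets}.
    The TFTP flow runs from the victim back to the attacker, so its
    endpoints are swapped to attribute it to the same pair."""
    seen = defaultdict(dict)
    for src, dst, proto, port, pkts in flows:
        stage = STAGES.get((proto, port))
        if stage is None:
            continue
        pair = (dst, src) if stage == "tftp" else (src, dst)
        seen[pair][stage] = seen[pair].get(stage, 0) + pkts
    return seen

def verdict(stages):
    """complete: all three stages seen; partial: the chain started but
    broke before the binary transfer; probe: a few packets on 135 only,
    typical of scans hitting unused or unreachable addresses."""
    if all(s in stages for s in ORDER):
        return "complete"
    if "shell" in stages or stages.get("rpc", 0) >= 3:
        return "partial"
    return "probe"

def summarize(flows):
    """Count verdicts over all attacker/victim pairs in the flow set."""
    counts = defaultdict(int)
    for stages in stage_table(flows).values():
        counts[verdict(stages)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(FLOWS))
```

Run over real exports, the per-pair grouping is what makes the "low frequency of successful transmissions" measurable: most pairs end at the probe or partial stage.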



© 2005 Springer-Verlag Berlin Heidelberg


Cite this paper

Dübendorfer, T., Wagner, A., Hossmann, T., Plattner, B. (2005). Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_7


  • DOI: https://doi.org/10.1007/11506881_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9
