Abstract
We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster's multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F's far too greedy spreading algorithm.
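The abstract distinguishes partially from completely successful Blaster infections, which is only possible because the worm's infection is multi-stage and each stage is visible as a separate flow. The following is an added illustration of that flow-level staging, not code from the paper or from the DDoSVax project. It assumes the publicly documented Blaster sequence (RPC exploit attempt to TCP/135, command shell on TCP/4444, victim-initiated TFTP fetch of the worm binary to UDP/69 on the attacker), which the abstract itself does not spell out; the flow records, the `Flow` type and the packet-count threshold are constructed for the example.

```python
"""Stage Blaster infection attempts from NetFlow-style unidirectional records.

Added illustration, not the paper's code. Ports and stage order are taken
from public Blaster advisories (assumption); records and thresholds are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # flow start, seconds (constructed clock)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    packets: int
    bytes: int


# Assumed stage ports (public Blaster write-ups, not from the abstract).
RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69
# Assumed threshold: a unidirectional TCP/135 flow with fewer packets never
# completed the handshake, i.e. it is a probe of an absent or unresponsive host.
MIN_EXPLOIT_PACKETS = 4


def stage_pairs(flows):
    """Map each (attacker, victim) pair to the furthest stage observed:
    'scan_only', 'exploit_attempt', 'shell_opened' or 'complete'."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in (RPC_PORT, SHELL_PORT):
            by_pair[(f.src, f.dst)].append(f)
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            # The victim pulls the binary from the attacker, so the TFTP flow
            # runs in the reverse direction of the exploit and shell flows.
            by_pair[(f.dst, f.src)].append(f)

    result = {}
    for pair, fs in by_pair.items():
        rpc = [f for f in fs if f.proto == "tcp" and f.dport == RPC_PORT]
        if not rpc:
            continue  # no stage-1 traffic on this pair: not a Blaster attempt
        exploit = [f for f in rpc if f.packets >= MIN_EXPLOIT_PACKETS]
        if not exploit:
            result[pair] = "scan_only"
            continue
        t_exploit = min(f.start for f in exploit)
        shell = [f for f in fs if f.proto == "tcp" and f.dport == SHELL_PORT
                 and f.start >= t_exploit]
        if not shell:
            result[pair] = "exploit_attempt"
            continue
        t_shell = min(f.start for f in shell)
        tftp = [f for f in fs if f.proto == "udp" and f.start >= t_shell]
        result[pair] = "complete" if tftp else "shell_opened"
    return result


def summarize(stages):
    """Count pairs per stage; the 'complete' share is the fraction of
    attempts that actually transmitted worm code."""
    counts = defaultdict(int)
    for s in stages.values():
        counts[s] += 1
    return dict(counts)


# Constructed sample records (RFC 5737 documentation addresses).
A = "192.0.2.10"
SAMPLE_FLOWS = [
    # full chain against 198.51.100.1
    Flow(100, A, "198.51.100.1", "tcp", RPC_PORT, 5, 1_800),
    Flow(103, A, "198.51.100.1", "tcp", SHELL_PORT, 12, 900),
    Flow(108, "198.51.100.1", A, "udp", TFTP_PORT, 3, 160),
    # lone SYN to a host that never answered
    Flow(101, A, "198.51.100.2", "tcp", RPC_PORT, 1, 48),
    # handshake and payload, but no shell followed (target not vulnerable)
    Flow(102, A, "198.51.100.3", "tcp", RPC_PORT, 6, 1_900),
    # shell opened, but the TFTP fetch never appeared
    Flow(104, A, "198.51.100.4", "tcp", RPC_PORT, 5, 1_800),
    Flow(107, A, "198.51.100.4", "tcp", SHELL_PORT, 9, 700),
    # unrelated TFTP traffic with no preceding exploit: ignored
    Flow(110, "198.51.100.9", "203.0.113.7", "udp", TFTP_PORT, 4, 200),
]

if __name__ == "__main__":
    for pair, stage in sorted(stage_pairs(SAMPLE_FLOWS).items()):
        print(pair, stage)
    print(summarize(stage_pairs(SAMPLE_FLOWS)))
```

Only flows that reach the TFTP stage correspond to a transmitted worm binary, which is why counting per-pair stages rather than TCP/135 hits alone separates scanning noise from real infections. On real backbone flow data the threshold and the time windows would need tuning against the testbed measurements the abstract mentions.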
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Dübendorfer, T., Wagner, A., Hossmann, T., Plattner, B. (2005). Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_7
DOI: https://doi.org/10.1007/11506881_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9