Abstract
Finding the cause of congestion on virtual private network (VPN) links that connect an office network over the Internet to remote company sites can be tedious. One important possible cause is the scan traffic generated by worm-infected hosts. We developed a scan detection tool that continuously monitors network traffic on the VPN gateway(s) and reliably detects and reports worm-infected hosts by tracking anomalous TCP, UDP and ICMP traffic. The tool is largely insensitive to P2P software, i.e. most P2P clients do not trigger it, and it was successfully tested on real production traffic as well as on traces of captured real and simulated worm traffic. These tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool.
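The scan detection idea described above, as an added example that is not code from the paper or from the Bro extension it describes: a per-source-host detector over flow records that counts distinct destinations which never answered (TCP RST or no SYN-ACK, ICMP unreachables or silence for UDP) and flags a host only when such failures both exceed a count threshold and dominate its fan-out. The flow record format, the outcome labels, the thresholds (20 unanswered destinations, 80% failure ratio) and the three sample hosts are all constructed assumptions; the paper's own criteria are not given on this page. The point the example makes is why a P2P client that contacts many peers stays below the threshold (most peers answer) while a worm scanning 445/tcp or 1434/udp does not.

```python
"""Per-host worm scan detection over flow records.

Added illustration only: not the DIMVA 2006 tool's code (that tool is a
Bro extension whose exact criteria are not given on this page). Assumes a
simplified, constructed flow record (proto, src, dst, dport, outcome), where
"outcome" is a label an upstream collector attached to the flow, and fixed
thresholds chosen here as assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Outcome labels assumed for the constructed records:
#   tcp : "syn_ack" (handshake completed), "rst" (port closed), "timeout"
#   udp : "reply", "icmp_unreach" (ICMP port/host unreachable came back), "timeout"
#   icmp: "echo_reply", "timeout"
FAILED_OUTCOMES = {"rst", "timeout", "icmp_unreach"}


@dataclass
class HostState:
    """Per source host: destinations that never answered, destinations that
    did, and the (proto, port) pairs it touched."""
    failed_dsts: set = field(default_factory=set)
    ok_dsts: set = field(default_factory=set)
    ports: set = field(default_factory=set)


class ScanDetector:
    """Flags a source host once it has many distinct destinations that never
    answered AND failures dominate its fan-out. A P2P client also contacts
    many peers, but most of them answer, so it stays below the ratio."""

    def __init__(self, min_failed_dsts=20, min_fail_ratio=0.8):
        self.min_failed_dsts = min_failed_dsts      # assumption: threshold
        self.min_fail_ratio = min_fail_ratio        # assumption: threshold
        self.hosts = defaultdict(HostState)

    def observe(self, proto, src, dst, dport, outcome):
        """Update state for one flow; return True if src now looks like a scanner."""
        st = self.hosts[src]
        st.ports.add((proto, dport))
        if outcome in FAILED_OUTCOMES:
            # A destination that answered earlier is not counted as failed.
            if dst not in st.ok_dsts:
                st.failed_dsts.add(dst)
        else:
            st.ok_dsts.add(dst)
            st.failed_dsts.discard(dst)
        return self.is_scanner(src)

    def is_scanner(self, src):
        st = self.hosts[src]
        n_failed, n_ok = len(st.failed_dsts), len(st.ok_dsts)
        total = n_failed + n_ok
        if total == 0 or n_failed < self.min_failed_dsts:
            return False
        return n_failed / total >= self.min_fail_ratio

    def summary(self, src):
        st = self.hosts[src]
        return (len(st.failed_dsts), len(st.ok_dsts))


def detect(flows, **thresholds):
    """Run all flows through a detector; return {src: (failed, ok)} for every
    host flagged as a scanner."""
    det = ScanDetector(**thresholds)
    for flow in flows:
        det.observe(*flow)
    return {src: det.summary(src) for src in det.hosts if det.is_scanner(src)}


def constructed_flows():
    """Constructed sample traffic (not captured data)."""
    flows = []
    # Worm-like TCP scanner: 40 distinct hosts on 445/tcp, only two answer.
    for i in range(40):
        outcome = "syn_ack" if i in (3, 17) else ("rst" if i % 2 else "timeout")
        flows.append(("tcp", "10.0.0.5", f"10.1.0.{i + 1}", 445, outcome))
    # Slammer-style UDP scanner: 30 hosts on 1434/udp, unreachables come back.
    for i in range(30):
        flows.append(("udp", "10.0.0.7", f"10.2.0.{i + 1}", 1434, "icmp_unreach"))
    # P2P client: 60 peers on assorted high ports, three quarters of them answer.
    for i in range(60):
        outcome = "timeout" if i % 4 == 0 else "syn_ack"
        flows.append(("tcp", "10.0.0.9", f"192.0.2.{i + 1}", 6881 + i % 7, outcome))
    return flows


if __name__ == "__main__":
    for src, (failed, ok) in sorted(detect(constructed_flows()).items()):
        print(f"scanner {src}: {failed} unanswered destinations, {ok} answered")
```

Tracking distinct destinations rather than raw packet counts is what keeps a chatty but legitimate client off the report; the ratio test is what separates it from a worm whose probes mostly go to closed ports or absent hosts. On a real gateway the thresholds would be tuned against production traffic, as the paper did for its own criteria.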
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Wagner, A., Dübendorfer, T., Hiestand, R., Göldi, C., Plattner, B. (2006). A Fast Worm Scan Detection Tool for VPN Congestion Avoidance. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_11
DOI: https://doi.org/10.1007/11790754_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36014-8
Online ISBN: 978-3-540-36017-9