Skip to main content

A Fast Worm Scan Detection Tool for VPN Congestion Avoidance

  • Conference paper
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2006)

Abstract

Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote company sites can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and that reliably detects and reports worm infected hosts by tracking anomalous TCP, UDP and ICMP traffic. Our tool is not sensitive to most P2P software and was successfully tested on real production traffic as well as with traces of captured real and simulated worm traffic. Our various tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Danyliw, R., Householder, A.: CERT Advisory CA-2001-19 Code Red Worm Exploiting Buffer verflow (2001), http://www.cert.org/advisories/CA-2001-19.html

  2. US-CERT: Vulnerability Note: Witty (VU#947254) (2004), http://www.kb.cert.org/vuls/id/947254

  3. Heberlein, L.T., Dias, G.V., Levitt, K.N., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: Proceedings of the IEEE Computer Society Symposium, Research in Security and Privacy, pp. 296–303 (1990)

    Google Scholar 

  4. Paxson, V.: Bro: A system for detecting network intruders in real-time (1998), http://www.ece.cmu.edu/~adrian/731-sp04/readings/paxson99-bro.pdf

  5. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)

    Google Scholar 

  6. Wagner, A., Plattner, B.: Entropy Based Worm and Anomaly Detection in Fast IP Networks. In: Proceedings of 14th IEEE WET ICE / STCA security workshop. IEEE, Los Alamitos (2005)

    Google Scholar 

  7. Bro intrusion detection system (2005), http://www.bro-ids.org/

  8. Schoenwaelder, J.: syslog - write messages to the system logger (2001), http://www.infodrom.org/projects/sysklogd/

  9. Sommers, J., Vinod Yegneswaran, P.B.: A framework for malicious workload generation (2004), http://www.cs.wisc.edu/~jsommers/pubs/p82-sommers.pdf

  10. The freenet project - index - beginner (2005), http://www.freenetproject.org

  11. K++ / kazaa lite 2.6.1 deutsch - mp3 download software - [mpex.net] (2005), http://www.mpex.net/software/details/kazaalite.html

  12. Dc++ your files, your ways, no limits (2005), http://dcplusplus.sourceforge.net

  13. Limewire.org - open source p2p file sharing (2005), http://www.limewire.org

  14. emule-project.net - official emule site. downloads, help, docu, news (2005), http://www.emule-project.net

  15. CERT: Security Advisory: MS.Blaster (CA-2003-20) (2004), http://www.cert.org/advisories/CA-2003-20.html

  16. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer Worm. IEEE Security and Privacy 4(1), 33–39 (2003)

    Google Scholar 

  17. Wagner, A., Dübendorfer, T., Plattner, B.: The DDoSVax project at ETH Zürich (2005), http://www.tik.ee.ethz.ch/~ddosvax/

  18. Hiestand, R., Göldi, C.: Scan detection based identification of worm-infected hosts. Master’s thesis, ETH Zurich (2005)

    Google Scholar 

  19. ETHZ: Fritz-Kutter Preis (2005), http://www.kutter-fonds.ethz.ch/preistr.html

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wagner, A., Dübendorfer, T., Hiestand, R., Göldi, C., Plattner, B. (2006). A Fast Worm Scan Detection Tool for VPN Congestion Avoidance. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_11

Download citation

  • DOI: https://doi.org/10.1007/11790754_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36014-8

  • Online ISBN: 978-3-540-36017-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics