ABSTRACT
Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds [18]. We grossly over-estimated.
In this paper, we revisit the problem in the context of single-packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP-based service could reach 95% saturation in 1.3 seconds.
The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.
REFERENCES
- [1] CAIDA. Skitter Datasets. http://www.caida.org/tools/measurement/skitter/.
- [2] Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In IEEE INFOCOM, 2003.
- [3] C. Dovrolis, R. Prasad, N. Brownlee, and k. claffy. Bandwidth Estimation: Metrics, Measurement Techniques, and Tools. IEEE Network, 2004.
- [4] Forescout. Wormscout. http://www.forescout.com/wormscout.html.
- [5] N. Hindocha and E. Chien. Malicious Threats and Vulnerabilities in Instant Messaging. Technical report, Symantec, 2003.
- [6] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In 2004 IEEE Symposium on Security and Privacy, to appear, 2004.
- [7] J. Jung and S. Schechter. Fast Detection of Scanning Worms Using Reverse Sequential Hypothesis Testing and Credit-Based Connection Rate Limiting. Submitted to Usenix Security 2004, 2004.
- [8] H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 14th USENIX Security Symposium. USENIX, August 2004.
- [9] Mirage Networks. http://www.miragenetworks.com/.
- [10] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Magazine of Security and Privacy, pages 33--39, July/August 2003.
- [11] D. Moore, C. Shannon, and J. Brown. Code-Red: a Case Study on the Spread and Victims of an Internet Worm. In Proceedings of the Second Internet Measurement Workshop, pages 273--284, November 2002.
- [12] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code, 2003.
- [13] D. Nojiri, J. Rowe, and K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. In Proc. DARPA DISCEX III Conference, 2003.
- [14] C. Shannon and D. Moore. The Spread of the Witty Worm. To appear in IEEE Security and Privacy, 2004.
- [15] S. Singh, C. Estan, G. Varghese, and S. Savage. The EarlyBird System for Realtime Detection of Unknown Worms. UCSD Tech Report CS2003-0761.
- [16] S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.
- [17] S. Staniford and C. Kahn. Worm Containment in the Internal Network. Technical report, Silicon Defense, 2003.
- [18] S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium. USENIX, August 2002.
- [19] The Honeynet Project. http://www.honeynet.org/.
- [20] J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
- [21] S. Venkataraman, D. Song, P. Gibbons, and A. Blum. New Streaming Algorithms for Fast Detection of Superspreaders.
- [22] A. Wagner, T. Dubendorfer, B. Plattner, and R. Hiestand. Experiences with Worm Propagation Simulations. In Proceedings of the 2003 ACM Workshop on Rapid Malcode, pages 34--41, October 2003.
- [23] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A Taxonomy of Computer Worms. In The First ACM Workshop on Rapid Malcode (WORM), 2003.
- [24] N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. Submitted to Usenix Security 2004, 2004.
- [25] M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In ACSAC, 2002.
- [26] Y. Zhang, N. Duffield, V. Paxson, and S. Shenker. On the Constancy of Internet Path Properties. In Proc. ACM SIGCOMM Internet Measurement Workshop, November 2001.
Index Terms
- The top speed of flash worms