Article

The top speed of flash worms

Authors:
Stuart Staniford

Nevis Networks

Nevis Networks
View Profile

,
David Moore

CAIDA

CAIDA
View Profile

,
Vern Paxson

ICSI

ICSI
View Profile

,
Nicholas Weaver

ICSI

ICSI
View Profile

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcodeOctober 2004Pages 33–42https://doi.org/10.1145/1029618.1029624

Published:29 October 2004Publication History

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

Pages 33–42

ABSTRACT

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds[18]. We grossly over-estimated.

In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds.

The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.

References

CAIDA. Skitter Datasets. http://www.caida.org/tools/measurement/skitter/.Google Scholar
Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In IEEE INFOCOM, 2003.Google ScholarCross Ref
C. Dovrolis, R. Prasad, N. Brownlee, and k. claffy. Bandwidth Estimation: Metrics, Measurement Techniques, and Tools. IEEE Network, 2004. Google ScholarDigital Library
Forescout. Wormscout, http://www.forescout.com/wormscout.html.Google Scholar
N. Hindocha and E. Chien. Malicious Threats and Vulnerabilities in Instant Messaging. Technical report, Symantec, 2003.Google Scholar
J. Jung, V. Paxson, A. W. Berger, and H. B. Nan. Fast Portscan Detection Using Sequential Hypothesis Testing. In 2004 IEEE Symposium on Security and Privacy, to appear, 2004.Google Scholar
J. Jung and S. Schechter. Fast Detection of Scanning Worms Using Reverse Sequential Hypothesis Testing and Credit-Based Connection Rate Limiting. Submitted to Usenix Security 2004, 2004.Google Scholar
H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 14th USENIX Security Symposium. USENIX, August 2004. Google ScholarDigital Library
Mirage Networks. http://www.miragenetworks.com/.Google Scholar
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Magazine of Security and Privacy, pages 33--39, July/August 2003 2003. Google ScholarDigital Library
D. Moore, C. Shannon, and J. Brown. Code-Red: a Case Study on the Spread and Victims of an Internet Worm. In Proceedings of the Second Internet Measurement Workshop, pages 273--284, November 2002. Google ScholarDigital Library
D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code, 2003.Google Scholar
D. Nojiri, J. Rowe, and K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. In Proc. DARPA DISCEX III Conference, 2003.Google ScholarCross Ref
C. Shannon and D. Moore. The Spread of the Witty Worm. To appear in IEEE Security and Privacy, 2004. Google ScholarDigital Library
S. Sing, C. Estan, G. Varghese, and S. Savage. The EarlyBird System for Realtime Detection of Unknown Worms: UCSD Tech Report CS2003-0761.Google Scholar
S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.Google Scholar
S. Staniford and C. Kahn. Worm Containment in the Internal Network. Technical report, Silicon Defense, 2003.Google Scholar
S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium. USENIX, August 2002. Google ScholarDigital Library
The Honeynet Project. http://lwww.honeynet.org/l.Google Scholar
J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003. Google ScholarDigital Library
S. Venkataraman, D. Song, P. Gibbons, and A. Blum. New Streaming Algorithms for Fast Detection of Superspreaders.Google Scholar
A. Wagner, T. Dubendorfer, B. Plattner, and R. Hiestand. Experiences with Worm Propagation Simulations. In Proceedings of the 2003 ACM workshop on Rapid Malcode, pages 34--41, October 2003. Google ScholarDigital Library
N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A Taxonomy of Computer Worms. In The First ACM Workshop on Rapid Malcode (WORM), 2003. Google ScholarDigital Library
N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. Submitted to Usenix Security 2004, 2004. Google ScholarDigital Library
M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In ACSAC, 2002. Google ScholarDigital Library
Y. Zhang, N. Duffield, V. Paxson, and S. Shenker. On the Constancy of Internet Path Properties. In Proc. ACM SIGCOMM Internet Measurement Workshop, November 2001. Google ScholarDigital Library

Index Terms

The top speed of flash worms
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Self-stopping worms
WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode

Modern network worms spread with tremendous speed-potentially covering the planet in mere seconds. However, for most worms, this prodigious pace continues unabated long after the outbreak's incidence has peaked. Indeed, it is this ongoing infection ...
Read More
Modeling and Automated Containment of Worms

Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms ...
Read More
Profiling self-propagating worms via behavioral footprinting
WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode

This paper proposes behavioral footprinting, a new dimension of worm profiling based on worm infection sessions. A worm's infection session contains a number of steps (e.g., for probing, exploitation, and replication) that are exhibited in certain order ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode
October 2004
100 pages
ISBN:1581139705
DOI:10.1145/1029618
Program Chair:
Vern Paxson
International Computer Science Institute & Lawrence Berkeley National Laboratory
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 29 October 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
flash worm
modeling
simulation
worms
Qualifiers
- Article
Conference
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 141
  Total Citations
  View Citations
- 980
  Total Downloads
- Downloads (Last 12 months)14
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

The top speed of flash worms

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

ABSTRACT

References

Cited By

Index Terms

Recommendations

Self-stopping worms

Modeling and Automated Containment of Worms

Profiling self-propagating worms via behavioral footprinting

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

The top speed of flash worms

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

ABSTRACT

References

Cited By

Index Terms

Recommendations

Self-stopping worms

Modeling and Automated Containment of Worms

Profiling self-propagating worms via behavioral footprinting

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media