
Detecting Worms using DIB:S and ICMP Unreachable Messages

Berk, Gray, and Bakos present a system called DIB:S which can monitor for worms over large networks. Their system is described as follows:

Identification of an Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In this paper, we present an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of a worm, rather than simply cleaning up afterward. Our implemented system collects ICMP Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we examine the problem of active worms, describe our ICMP-based detection system, and present simulation results that illustrate the speed with which it can detect a worm.

Source: Using Sensor Networks and Data Fusion for Early Detection, Vincent H. Berk, Robert S. Gray, and George Bakos.

While this is an interesting, low-hanging-fruit approach, their system looks only for ICMP Unreachable messages (forwarded to a centralized collection system). If these are filtered, or are simply never generated (e.g. because the worm scans from a hitlist), it will fail to detect the worm. Such worms may seem uncommon, but consider this: any application-layer worm is effectively handed a hitlist by every infected node, whether an IM buddy list or the list of email addresses the client has contacted. Windows file-sharing networks, too, keep centralized information about which hosts are online, letting a worm make connection attempts on the local network without ever hitting hosts that don't exist. Finally, under load many IP stacks rate-limit ICMP message generation, which may dampen the effectiveness of the system. On the other hand, relying on this information allows the detectors to be relatively stateless, so they can monitor large numbers of subnets or networks. If the worm generates enough ICMP messages in a short enough time frame, the rate at which they arrive at the TRAFEN analysis subsystem may itself trigger an alert.
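To make the two-stage idea in the abstract concrete (unreachable messages -> scanning hosts -> propagating worm), and the rate-based trigger mentioned above, here is a small added correlator written for this page. It is not the DIB:S or TRAFEN code; the record layout, the thresholds, the window sizes and the sample feed are all constructed assumptions for illustration, and the router and host addresses are made up.

```python
"""Added illustration of DIB:S-style correlation over ICMP Destination Unreachable
messages. Not the authors' implementation: record format, thresholds and the
sample feed below are constructed for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class UnreachableMsg:
    ts: float      # seconds; when the router emitted the ICMP Unreachable
    router: str    # the instrumented router (sensor) that generated it
    src: str       # source of the embedded original datagram, i.e. the probing host
    dst: str       # the destination that turned out to be unreachable


# Assumed tuning knobs (not values from the paper).
SCAN_WINDOW = 10.0      # seconds of history kept per probing host
SCAN_DISTINCT = 5       # distinct unreachable targets in the window => "scanner"
WORM_WINDOW = 30.0      # seconds within which several new scanners must appear
WORM_NEW_SCANNERS = 3   # distinct scanners within WORM_WINDOW => "worm" alert


def detect_scanners(msgs):
    """Stage 1: return {src: ts_flagged} for hosts whose unreachable targets
    within a sliding SCAN_WINDOW reach SCAN_DISTINCT distinct addresses."""
    history = defaultdict(deque)   # src -> deque of (ts, dst)
    flagged = {}
    for m in sorted(msgs, key=lambda m: m.ts):
        w = history[m.src]
        w.append((m.ts, m.dst))
        while w and m.ts - w[0][0] > SCAN_WINDOW:
            w.popleft()            # drop entries older than the window
        if m.src not in flagged and len({d for _, d in w}) >= SCAN_DISTINCT:
            flagged[m.src] = m.ts
    return flagged


def detect_worm(scanner_first_seen):
    """Stage 2: given when each scanner was first flagged, return the time at
    which WORM_NEW_SCANNERS distinct scanners have appeared inside WORM_WINDOW,
    or None if that never happens (a single port-scanning host is not a worm)."""
    times = sorted(scanner_first_seen.values())
    for i, t0 in enumerate(times):
        j = i
        while j < len(times) and times[j] - t0 <= WORM_WINDOW:
            j += 1
        if j - i >= WORM_NEW_SCANNERS:
            return times[j - 1]    # alert when the Nth scanner is flagged
    return None


def peak_unreachable_rate(msgs, window=5.0):
    """The crude aggregate trigger: the largest number of unreachable messages
    the collector sees in any sliding window of `window` seconds."""
    times = sorted(m.ts for m in msgs)
    best, j = 0, 0
    for i, t0 in enumerate(times):
        j = max(j, i)
        while j < len(times) and times[j] - t0 <= window:
            j += 1
        best = max(best, j - i)
    return best


def build_sample_feed():
    """Constructed feed: a random-scanning worm infects a host, which in turn
    infects two more; each generation probes six addresses with no host behind
    them, so the routers emit unreachables. A benign admin typo adds noise.
    A hitlist worm that only contacts live hosts would contribute NO records
    here at all, which is exactly the blind spot discussed in the post."""
    feed = []
    for k in range(6):   # generation 1, seen by router r1
        feed.append(UnreachableMsg(0.5 * k, "r1", "10.0.1.5", f"10.0.2.{100 + k}"))
    for k in range(6):   # generation 2, two newly infected hosts
        feed.append(UnreachableMsg(12.0 + 0.5 * k, "r2", "10.0.3.7", f"10.0.4.{50 + k}"))
    for k in range(6):
        feed.append(UnreachableMsg(20.0 + 0.5 * k, "r1", "10.0.5.9", f"10.0.6.{10 + k}"))
    feed.append(UnreachableMsg(3.0, "r1", "10.0.0.2", "10.0.7.1"))   # benign typo
    feed.append(UnreachableMsg(40.0, "r1", "10.0.0.2", "10.0.7.1"))  # same typo again
    return feed


if __name__ == "__main__":
    feed = build_sample_feed()
    scanners = detect_scanners(feed)
    print("scanners:", scanners)
    print("worm alert at:", detect_worm(scanners))
    print("peak unreachables per 5 s:", peak_unreachable_rate(feed))
```

Two design points worth noting: the probing host is recovered from the *embedded* datagram header that an ICMP Unreachable carries, not from the ICMP packet's own source (that is the router), so a collector must parse the quoted header; and the per-source state is just a short deque, which is what keeps a sensor cheap enough to watch many subnets. Running the sample feed flags all three scanning hosts but not the admin's two mistyped packets, and raises the worm alert when the third scanner appears; feeding it a hitlist worm's traffic would produce nothing, since no unreachables are ever generated.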

November 26, 2004 in detection, papers | Permalink


Comments

I got a worm named icmp_src_session in my computer lab.

Posted by: Duc Tran | Sep 14, 2005 10:15:10 AM

