
Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior

I like this paper a lot, not simply because I know the authors, but because it's an interesting finding that goes a long way towards showing us some of the inherent limitations in our measurement methodologies. It also challenges some of the assumptions we've worked with for a few years and shows the aggregate power of lots of packets flying around.

Long after the Blaster, Slammer/Sapphire, and CodeRedII worms caused significant worldwide disruptions, a huge number of hosts infected by these worms continue to probe the Internet today. This paper investigates hotspots (non-uniformities) in the targeting behavior of these important Internet worms. Recent data collected over the period of a month and a half using a distributed blackhole data collection infrastructure covering 18 networks, including ISPs, enterprises, and academic networks, show 75K Blaster-infected hosts, 180K Slammer-infected hosts, and 55K CodeRedII-infected hosts. We discover through detailed analysis how critical flaws and side effects in the targeting behavior lead to a significant bias for certain destination address blocks. In particular, we demonstrate three previously unexplored biases: a severely restricted initial random seed forcing infection attempts to certain blocks; flaws in the parameters of a random number generator making certain hosts cycle through limited target addresses; and the widespread use of private address space dramatically changing the targeting distribution of certain worms. A direct consequence of these biases is that certain blocks are subjected to far more infection attempts than others. We discuss the implications of these hotspots for worm simulation and modeling, placement of blackhole sensors, and worm detection and quarantine.

Source: Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior, Evan Cooke, Z. Morley Mao, Farnam Jahanian.
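To make the third bias concrete, here is a small added simulation (not code from the paper or the post): a population of infected hosts using a locality-preferring scan, some of them sitting in 10/8 behind NAT, and the per-/8 load that results versus what a blackhole sensor on public address space can see. The 1/8 random, 1/2 same-/8, 3/8 same-/16 split is CodeRedII's published scan preference; the population size, NAT fraction and seed are constructed assumptions.

```python
import random
from collections import Counter

def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16 (private address space)."""
    return addr >> 24 == 10 or addr >> 20 == 0xAC1 or addr >> 16 == 0xC0A8

def next_target(src, rng):
    """Locality-preferring target choice. The 1/8 random, 1/2 same-/8,
    3/8 same-/16 split is CodeRedII's published one (assumed here)."""
    r = rng.random()
    if r < 1 / 8:
        return rng.getrandbits(32)                        # anywhere
    if r < 5 / 8:
        return (src & 0xFF000000) | rng.getrandbits(24)   # same /8 as source
    return (src & 0xFFFF0000) | rng.getrandbits(16)       # same /16 as source

def simulate(n_hosts, probes_per_host, nat_fraction, seed=1):
    """Constructed population: nat_fraction of the infected hosts sit in 10/8
    (behind NAT), the rest on public addresses. Returns every target probed."""
    rng = random.Random(seed)
    targets = []
    for i in range(n_hosts):
        if i < n_hosts * nat_fraction:
            src = (10 << 24) | rng.getrandbits(24)
        else:
            src = rng.getrandbits(32)
            while is_rfc1918(src):
                src = rng.getrandbits(32)
        targets.extend(next_target(src, rng) for _ in range(probes_per_host))
    return targets

def block_load(targets):
    """Attempts per destination /8, keyed by first octet."""
    return Counter(t >> 24 for t in targets)

def hotspot_ratio(load):
    """Share of the busiest /8 relative to a uniform 1/256 expectation."""
    return max(load.values()) / sum(load.values()) * 256

def internet_view(targets):
    """What a blackhole sensor on public address space can observe: probes
    aimed at RFC 1918 space never cross the Internet and are dropped here."""
    return [t for t in targets if not is_rfc1918(t)]

if __name__ == "__main__":
    all_t = simulate(200, 100, 0.3)
    full, seen = block_load(all_t), block_load(internet_view(all_t))
    print("busiest /8 overall:", full.most_common(1), "ratio", round(hotspot_ratio(full), 1))
    print("busiest /8 on public sensors:", seen.most_common(1), "ratio", round(hotspot_ratio(seen), 1))
```

With 30% of hosts in 10/8, roughly a quarter of all probes land in 10/8 (a hotspot tens of times above uniform) that public sensors never see, while the remaining locality-driven skew is much milder; a sensor inside an enterprise using 10/8 sees the opposite picture.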

April 21, 2005 in papers