DDoSVax Worm Traffic Analysis
The Swiss research group working under the banner DDoSVax has been known for many years for doing good work. They have also used some of their measurement infrastructure to analyze worm traffic. Several worms are studied and presented on their website:
13.8.2003: Traffic Analysis for the W32.Blaster Worm
19.8.2003: Traffic Analysis for the Sobig.F Worm
26.1.2004: Traffic Analysis for the Novarg/MyDoom Worm
9.5.2004: Traffic Analysis for the Sasser Worm
August 3, 2005 in Blaster, mass mailers, sasser, tools | Permalink
Comments
Well, OK. What do those traffic analyses mean?
Great, you can see that Marching Windows Morons who click on "email worm" executables take a lunch break. I suppose this implies that most Marching Windows Morons who click on "email worm" executables do so from their work computers. Or am I missing a few points? Please enlighten me.
The rest of the DDoSVax web site seems a lot more interesting, particularly the paper about using zlib compression to figure out the "entropy" of incoming TCP traffic, and seeing a decrease in entropy just as worm-population-generated traffic goes supercritical.
But that merely highlights the problem: on the whole, you can't detect a population of worms until and unless the traffic they generate gets past the initial linear-appearing growth trend and starts to increase exponentially. If the traffic doesn't increase exponentially, you basically don't care. The cause and the effect amount to exactly the same thing.
Posted by: Bruce Ediger | Aug 4, 2005 10:22:38 AM
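The compression-based entropy idea raised in the comment, as an added example that is not DDoSVax's own code: traffic windows are constructed inline (a pseudo-random payload standing in for mixed user traffic, plus an identical constructed worm payload whose share doubles each step), zlib's compression ratio serves as the entropy proxy, and a window is flagged when its entropy falls below a fraction of a baseline learned from the first windows. The payload, window sizes and threshold are assumptions for illustration.

```python
import random
import zlib


def compression_entropy(window: bytes) -> float:
    """Bits of information per byte, estimated by compressing the window with zlib.
    Repetitive worm traffic (one payload sent over and over) compresses far better
    than mixed user traffic, so a falling value signals a loss of entropy."""
    if not window:
        return 0.0
    return 8.0 * len(zlib.compress(window, 9)) / len(window)


def constructed_windows(seed: int = 1, flows_per_window: int = 200) -> list:
    """Constructed sample: successive traffic windows in which an identical worm
    payload doubles its share each step (exponential growth); the remaining flows
    carry pseudo-random 64-byte payloads standing in for ordinary traffic."""
    rng = random.Random(seed)
    worm_payload = b"CONSTRUCTED-WORM-PAYLOAD".ljust(64, b"X")  # constructed, not real
    windows = []
    for step in range(8):
        worm_share = min(1.0, 0.02 * 2 ** step)
        n_worm = int(flows_per_window * worm_share)
        flows = [worm_payload] * n_worm
        flows += [bytes(rng.getrandbits(8) for _ in range(64))
                  for _ in range(flows_per_window - n_worm)]
        rng.shuffle(flows)  # interleave worm and normal flows as a capture would
        windows.append(b"".join(flows))
    return windows


def entropy_series(windows) -> list:
    """Per-window compression entropy, in bits per byte."""
    return [compression_entropy(w) for w in windows]


def detect_entropy_drop(windows, baseline_count: int = 3, ratio: float = 0.5) -> int:
    """Learn a baseline from the first windows (assumed mostly worm-free) and return
    the index of the first later window whose entropy drops below ratio * baseline,
    or -1 if none does. As the comment notes, this only fires once the repetitive
    traffic has become a large share of the window."""
    series = entropy_series(windows)
    baseline = sum(series[:baseline_count]) / baseline_count
    for i in range(baseline_count, len(series)):
        if series[i] < ratio * baseline:
            return i
    return -1


if __name__ == "__main__":
    ws = constructed_windows()
    for i, e in enumerate(entropy_series(ws)):
        print(f"window {i}: {e:.2f} bits/byte")
    print("first flagged window:", detect_entropy_drop(ws))
```

The early windows stay near 8 bits/byte even though the worm is already present and growing; the drop only becomes visible once the worm share dominates, which is the detection gap the comment describes.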