
Network World

Michael Cooney

Researchers tout new-fangled network worm weapon

By Layer 8 on Wed, 06/04/08 - 5:38pm.

Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University say they can and they have the method to prove it.

The key, the researchers found, is software that monitors the number of scans each machine on a network sends out. When a machine starts sending out too many scans -- a sign that it has been infected -- administrators should take it off line and check it for malware. In this context a scan is a probe (a connection attempt or a single packet) sent to an IP address to find out whether a host is there and running a vulnerable service; it has nothing to do with querying a search engine. A worm sends such probes to many different destinations in a very short period of time as it hunts for machines to infect, and that burst of outbound probing is what distinguishes it from ordinary traffic.

Seems pretty straightforward. In a nutshell, the researchers, funded by the National Science Foundation, developed a model that calculates the probability that a worm will spread as a function of the maximum number of scans a machine is allowed to send before it is taken off line.

"The difficulty was figuring out how many scans were too many," said Ness Shroff, Ohio Eminent Scholar in Networking and Communications at Ohio State. "How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic. It turns out that you can allow quite a large number of scans, and you'll still catch the worm."

In simulations, Shroff and his colleagues pitted their model against the Code Red worm of 2001 and the SQL Slammer worm of 2003. Both scanned random addresses: Code Red over TCP, Slammer in a single UDP packet per target at a rate so high that the scanning itself caused denial of service. They simulated how far the worm would spread depending on how many networks on the Internet used the same containment strategy: quarantine any machine that sends out more than 10,000 scans. They chose 10,000 because it is well above the number of scans a typical computer network sends out in a month.

"An infected machine would reach this value very quickly, while a regular machine would not," Shroff explained. "A worm has to hit so many IP addresses so quickly in order to survive."
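The containment rule described above, as an added worked example (not the Ohio State researchers' code or model): count the distinct destinations each source host probes, and quarantine the host once that count exceeds the article's 10,000 figure. The flow-record format, the choice to count distinct destinations rather than raw packets, the two traces (a Code Red-style host probing 12,000 random targets at 100 probes per second, and a workstation's month of traffic to a few dozen servers) and all addresses are constructed for the example.

```python
"""Scan-count quarantine: the per-host threshold rule from the article.

Added example, not the researchers' implementation. Assumptions not in
the article: a "scan" is counted as an outbound probe to a destination
IP not previously contacted by that source, and events arrive as
NetFlow-style records (timestamp, src, dst, dport).
"""
from collections import defaultdict
from dataclasses import dataclass
import random

SCAN_THRESHOLD = 10_000  # the article's figure: well above a normal network's monthly count


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int


class ScanMonitor:
    """Tracks distinct destinations per source and quarantines above the threshold."""

    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.targets = defaultdict(set)   # src -> set of destination IPs probed
        self.first_seen = {}              # src -> ts of first outbound flow
        self.quarantined = {}             # src -> ts at which it was taken off line

    def observe(self, flow):
        """Count one outbound flow; return the source if it just crossed the threshold."""
        if flow.src in self.quarantined:
            return None                   # already off line, nothing more to count
        self.first_seen.setdefault(flow.src, flow.ts)
        self.targets[flow.src].add(flow.dst)
        if len(self.targets[flow.src]) > self.threshold:
            self.quarantined[flow.src] = flow.ts
            return flow.src
        return None

    def run(self, flows):
        """Feed flows in time order; return sources quarantined, in order."""
        hits = []
        for f in flows:
            src = self.observe(f)
            if src is not None:
                hits.append(src)
        return hits

    def time_to_quarantine(self, src):
        return self.quarantined[src] - self.first_seen[src]


def worm_flows(src="10.0.0.5", probes=12_000, rate=100.0, seed=1):
    """Constructed Code Red-style trace: `probes` distinct targets on TCP/80, random order."""
    rng = random.Random(seed)
    targets = [f"203.0.{i >> 8}.{i & 255}" for i in range(probes)]  # unique constructed IPs
    rng.shuffle(targets)
    return [Flow(i / rate, src, dst, 80) for i, dst in enumerate(targets)]


def benign_flows(src="10.0.0.7", connections=300, distinct=40, days=30):
    """Constructed workstation trace: a month of HTTPS traffic to a few dozen servers."""
    span = days * 86400.0
    return [Flow(i * span / connections, src, f"198.51.100.{i % distinct}", 443)
            for i in range(connections)]


def run_demo():
    """Run both traces through one monitor and report what it decided."""
    flows = sorted(worm_flows() + benign_flows(), key=lambda f: f.ts)
    mon = ScanMonitor()
    hits = mon.run(flows)
    return {
        "quarantined": hits,
        "time_to_quarantine": {s: mon.time_to_quarantine(s) for s in hits},
        "distinct_targets": {s: len(t) for s, t in mon.targets.items()},
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With these constructed traces the infected host crosses 10,000 distinct targets 100 seconds after its first probe and is the only host quarantined; the workstation never gets past 40. The monitor keeps one set per source, so memory is bounded by the threshold times the number of hosts, and a host that scans slowly enough to stay under the threshold within whatever reset window you choose is not caught, which is the limitation the threshold approach has by design.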

In the simulations against Code Red, the researchers said they were able to limit the infection to fewer than 150 hosts on the whole Internet 95% of the time. A variant, Code Red II, scans the local network preferentially and so finds vulnerable targets much faster; the researchers said their method was effective in containing such worms as well.

In the simulations they trapped the worm in its original network -- the one where the outbreak would have started -- 77% of the time, researchers said. Anywhere from 10 to 20% of the time it spread to one other network but no further. The remaining 3 to 13% of the time it escaped to more networks, but the infection was slowed, researchers said.

To use this strategy, network administrators would have to install software to monitor the number of scans on their networks, and would have to allow for some downtime among computers when they initiate quarantine, researchers said. Shroff added that their method wouldn't be a problem for most large organizations but that small businesses with only a few servers would have more difficulty taking their machines off line.

"Unfortunately there is no complete foolproof solution," Shroff said. "You just keep trying to come up with techniques that limit a virus's ability to do harm."

Other worm weapons are in development.

Penn State University researchers have their Proactive Worm Containment (PWC) system, which uses no signatures to identify an attack. Instead it relies on the frequency of connections at the packet level, analysing how many connections a host's traffic is opening to other networks.


Old News


This has been standard practice since Nimda hit a couple of years back

It's not the corporate


It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.

____________________
Submitted by: Bebe

This isn't new


While automation and finding an optimal threshold is great, this has been done for years. Although done by hand, this is how we contained the Blaster worm and its derivatives. The network team looks out for excessive ARPs and blocks the ports. The helpdesk gets a call when someone's Internet stops working, and they go fix the worm and tell the network team to unblock them. Additionally, defining a threshold is a bad idea because if the idea catches on, worms will simply make sure to stay below that threshold.

A transparent automated solution is already available


A low-cost, fast traffic anomaly detection system which addresses this issue, and others, without the need to examine packet headers or contents was developed by us in 2003--and we detect these anomalies within seconds of onset. OrcaFlow traffic anomaly detectors also scale to individually monitor 1,000s of gigabit Ethernet connections in real time ( www.orcaflow.ca ).

Already included in ProCurve network hardware


This seems less effective than the connection rate limiting technology that is already included in ProCurve switches and routers. They call it a "Virus Throttle" and it limits scans of a worm like Code Red to around 100 instead of 10,000.

Flow Setup Throttling


The Enterasys approach to NBA:
Enterasys has developed a technology called Flow Setup Throttling (FST), whereby the switch tracks flow setup and provides mechanisms to respond to excessive flow buildup, typically a suspicious behavior. FST can notify administrators, define a maximum flow count and control flow buildup rates. Often it can stop the problem without completely shutting off the user's port.

FST can detect worm attacks, slow them down or stop them regardless of whether or not the defined signature is well-known or a brand new zero-day threat. The Enterasys N1 series switch also supports NetFlow v9.

Watered down version of Arxceo Ally ip100?


Arxceo won an SMB Best Buy recommendation for a tiny IPS appliance that took this basic concept much further. That product was shipping several years ago. As far as I'm aware, it's still the toughest 'anti-reconnaissance' network defense out there.

About Layer 8
Layer 8 is Network World's daily home for the not-just-networking news.