Researchers tout new-fangled network worm weapon

Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University say they can and they have the method to prove it.

The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans -- a sign that it has been infected -- administrators should take it offline and check it for viruses. A scan is just a search for Internet addresses -- what we do every time we use search engines such as Google. The difference is, a virus sends out many scans to many different destinations in a very short period of time, as it searches for machines to infect.

Seems pretty straightforward. In a nutshell, the researchers developed a National Science Foundation-funded model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken offline.

"The difficulty was figuring out how many scans were too many," said Ness Shroff, Ohio Eminent Scholar in Networking and Communications at Ohio State. "How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic. It turns out that you can allow quite a large number of scans, and you'll still catch the worm."

In simulations, Shroff and his cohorts pitted their model against the Code Red worm, as well as the SQL Slammer worm of 2003. Code Red was a random scanning worm, while SQL Slammer caused denial-of-service attacks. They simulated how far the virus would spread, depending on how many networks on the Internet were using the same containment strategy: quarantine any machine that sends out more than 10,000 scans. They chose 10,000 because it is well above the number of scans that a typical computer network would send out in a month.

"An infected machine would reach this value very quickly, while a regular machine would not," Shroff explained. "A worm has to hit so many IP addresses so quickly in order to survive."
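The containment rule described above, written out as an added example (not the Ohio State researchers' code): count the distinct destinations each host has tried to reach and quarantine a host once it crosses the threshold. The flow records are constructed here, and the host addresses and scan rate are assumptions; only the 10,000-scan threshold comes from the article.

```python
"""Scan-rate monitor: quarantine a host once it has contacted too many
distinct destinations.  Added example, not the researchers' own code.
Flow records are constructed in make_sample_flows(); the 10,000-scan
threshold follows the article, everything else is an assumption."""
from collections import defaultdict
import random

SCAN_THRESHOLD = 10_000          # max distinct destinations before quarantine


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Return {src: timestamp} for hosts that exceed the threshold.

    `flows` is an iterable of (timestamp, src, dst) tuples in time order.
    A scan is counted the first time src contacts a new dst; repeat
    connections to a destination already seen are not counted again."""
    seen = defaultdict(set)          # src -> distinct destinations contacted
    quarantined = {}                 # src -> timestamp it crossed the line
    for ts, src, dst in flows:
        if src in quarantined:       # already cut off; ignore later flows
            continue
        seen[src].add(dst)
        if len(seen[src]) > threshold:
            quarantined[src] = ts
    return quarantined


def make_sample_flows(seed=1):
    """Constructed traffic: one ordinary host and one worm-like host."""
    rng = random.Random(seed)
    flows = []
    # Ordinary host (assumed 10.0.0.5): 300 connections spread over a day
    # to about 40 internal services.
    services = [f"10.0.1.{i}" for i in range(1, 41)]
    for k in range(300):
        flows.append((k * 288.0, "10.0.0.5", rng.choice(services)))
    # Infected host (assumed 10.0.0.77): 12,000 attempts to random
    # addresses starting at t=3600 s, at an assumed 2,000 scans per second.
    for k in range(12_000):
        dst = ".".join(str(rng.randrange(256)) for _ in range(4))
        flows.append((3600.0 + k / 2000.0, "10.0.0.77", dst))
    flows.sort(key=lambda f: f[0])
    return flows


if __name__ == "__main__":
    for host, ts in find_scanners(make_sample_flows()).items():
        print(f"{host} quarantined at t={ts:.3f}s")
```

The ordinary host never comes close to the threshold, while the scanning host crosses it about five seconds after it starts, which is the point the article makes about a large threshold still catching a worm quickly.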

In the simulations pitted against the Code Red worm, the researchers said they were able to limit the spread of the infection to fewer than 150 hosts on the whole Internet, 95% of the time. A variant of the Code Red worm (Code Red II) scans the local network more efficiently, and finds vulnerable targets much faster. Their method was effective in containing such worms as well.

In the simulations, they were able to trap the worm in its original network -- the one that would have started the outbreak -- 77% of the time, researchers said. Anywhere from 10 to 20% of the time, it spread to one other network, but no further. The remaining 3 to 13% of the time, it escaped to more networks, but the infection was slowed, researchers said.

To use this strategy, network administrators would have to install software to monitor the number of scans on their networks, and would have to allow for some downtime among computers when they initiate quarantine, researchers said. Shroff added that their method wouldn't be a problem for most large organizations, but that small businesses with only a few servers would have more difficulty taking their machines offline.

"Unfortunately there is no complete foolproof solution," Shroff said. "You just keep trying to come up with techniques that limit a virus's ability to do harm."

Other worm weapons are in the development process.

Penn State University researchers have their Proactive Worm Containment (PWC) system, which uses no signatures to identify an attack. Instead it relies on the frequency of connections at the packet level, and analyzes the number of connections this traffic is making to other networks.


Copyright © 2008 IDG Communications, Inc.
