Cooperative Containment of Fast Scanning Worms

Jayanth Kumar Kannan, Lakshminarayanan Subramanian, Ion Stoica, Scott Shenker and Randy Katz

EECS Department
University of California, Berkeley
Technical Report No. UCB/CSD-04-1359
2004

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/CSD-04-1359.pdf

Scanning worms, that spread by probing the IP address space to find vulnerable hosts, are among the most serious threats to Internet security today, as evident by the time-scales of some recent large-scale worm attacks. Only an automatic defense can hope to contain a carefully designed worm that uses an unknown or a recently-divulged vulnerability. In this paper, we propose a cooperation-based worm containment approach that enables potentially distrusting firewalls in different access networks to exchange information in order to contain the spread of a fast scanning worm. Based on modeling the propagation of scanning worms, we identify and analytically quantify the effectiveness of two forms of cooperation between firewalls, namely, implicit signaling and explicit signaling. Specifically, we highlight the regimes under which implicit and explicit signaling provide effective containment. In this paper, we also address some of the deployment challenges associated with cooperation-based worm containment. Specifically, in a partial deployment scenario where only a small fraction of access networks (1%) are protected behind firewalls, we demonstrate a rerouting mechanism that can provide effective containment (97%) for these protected networks. One limitation of our work is that our analysis does not apply to worms based on pre-generated target lists, stealthy worms that slowly infect their vulnerable population, and rapidly mutating polymorphic worms.


BibTeX citation:

@techreport{Kannan:CSD-04-1359,
    Author = {Kannan, Jayanth Kumar and Subramanian, Lakshminarayanan and Stoica, Ion and Shenker, Scott and Katz, Randy},
    Title = {Cooperative Containment of Fast Scanning Worms},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2004},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/5726.html},
    Number = {UCB/CSD-04-1359},
    Abstract = {Scanning worms, that spread by probing the IP address space to find vulnerable hosts, are among the most serious threats to Internet security today, as evident by the time-scales of some recent large-scale worm attacks. Only an automatic defense can hope to contain a carefully designed worm that uses an unknown or a recently-divulged vulnerability. In this paper, we propose a cooperation-based worm containment approach that enables potentially distrusting firewalls in different access networks to exchange information in order to contain the spread of a fast scanning worm. Based on modeling the propagation of scanning worms, we identify and analytically quantify the effectiveness of two forms of cooperation between firewalls, namely, implicit signaling and explicit signaling. Specifically, we highlight the regimes under which implicit and explicit signaling provide effective containment. In this paper, we also address some of the deployment challenges associated with cooperation-based worm containment. Specifically, in a partial deployment scenario where only a small fraction of access networks (1%) are protected behind firewalls, we demonstrate a rerouting mechanism that can provide effective containment (97%) for these protected networks. One limitation of our work is that our analysis does not apply to worms based on pre-generated target lists, stealthy worms that slowly infect their vulnerable population, and rapidly mutating polymorphic worms.}
}

EndNote citation:

%0 Report
%A Kannan, Jayanth Kumar
%A Subramanian, Lakshminarayanan
%A Stoica, Ion
%A Shenker, Scott
%A Katz, Randy
%T Cooperative Containment of Fast Scanning Worms
%I EECS Department, University of California, Berkeley
%D 2004
%@ UCB/CSD-04-1359
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/5726.html
%F Kannan:CSD-04-1359