Internet Worm Defenses

From Computing and Software Wiki

Jump to: navigation, search

Worms are considered a serious threat against information integrity and service availability. Internet worms have repeatedly exposed and exploited the vulnerabilities of network hosts and the underlying internet architecture. Understanding the principles and patterns of worm prorogation is crucial to developing counter measures. Models have been develped to analyze network traffic and the effectiveness of various worm defense mechanisms. This information can be used to select an appropriate defense strategy for worms of different nature.


Passive Defense

Passive defense strategies, also known as containment technologies aim at slowing down and eventually stopping the spread of a worm. The basic idea is to block all infectious communication between infected hosts and other susceptible hosts. Packets containing a signature that is known to belong to a particular warm can be dropped. For such strategies to be effective, early detection of a worm epidemic is crucial.

Firewalls, content filters and address blacklisting are all examples of such containment technologies. There is a large number of software products that offer such services. Content filtering requires analysis of every single packets, which is a real overhead. Moreover, aggressive worms that generate random permutations of content may be able to surpass packet filters. As for address blacklisting, it can be implemented in routers. Still, there are issues with identifying infected hosts and distributing blacklists. Simulations experiments have shown that content filtering works better than address blacklisting. In fact, it can contain worms an order of magnitude more aggressive.

Those measures alone are not sufficient to counter the worm threat, since infected hosts are not recovered. However, they can be used until a security patch is available. In reality it is extremely challenging to build containment systems of large scope. Designing systems that are able to automatically detect worm epidemics and to activate filtering mechanisms within a reasonable time frame is not an easy task.

Active Defense

Active defenses aim at patching uninfected hosts and/or suppressing infected hosts. Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are more mostly beneficial to network administrators that have the rights to choose their security posture.

Defense mechanisms mentioned in the following sections work under the assumption that a patch was prepared before the worm was launched. This is a reasonable assumptions since most worms exploit known vulnerabilities. Normally, when a security vulnerability is announced, a patch is also made available.

One case where a counter-worm was used is Welchia against Blaster. Blaster created a distributed denial of service attack against Welchia was a worm that installed security patches from Microsoft.

Simple Patch

In a simple patch defense, a set of hosts start scanning the network looking for susceptible but not yet infected hosts. As soon, as one is found it is instantly patched. Scanning strategies may be similar or different than those used by the worm.

Spreading Patch

A spreading patch defense builds on the idea of a simple patch. It improves the rate of patching by increasing the number of hosts that implement the simple patch logic. When a susceptible and uninfected host is found, not only is it patched, but it is also supplied with a counter-worm that implements the scanning method of a simple patch. So the number of patching hosts can grow rapidly in a spreading patch.

Nullifying Defense

The premise of a nullifying defense is to stop already infected hosts from infecting more hosts on the network. When a patching host identifies an infected host, it can cause the infectious packets to be filtered out by a nearby router. Scans use up a lot of bandwidth, so this method is also extremely useful in terms of limiting the impact of worms on a network. This method can be combined with other passive defenses discussed above.

Sniper Defense

A sniper defense has the same goal as a nullifying defense, to isolate infected hosts. The sniper defense accomplishes this isolation a lot faster. In addition to scanning for infected hosts, a patching host that receives a a scan from an infected host can nullify that host.

Worm Models

There are different scanning techniques that worms use to probe hosts. Worms such as Code Red II, Blaster, and Welchia utilized preferential scanning techniques. Addresses close in the address space to the infected host were more likely to be scanned for vulnerability. Another type of scanning is what is known as a partitioned permutation scan where worms coordinate in between themselves so that each instance scans a disjoint set of the address space. Most worms employ a simplified scanning mechanisms where probing is uniformly random.

When building models and analysing simulations results, some assumptions are made for the sake of simplicity. If we assume that the spreading patch uses the same propagation strategy as the worm, then both the worm and the counter-worm will spread at the same rate targeting the same set of susceptible hosts. The effectiveness of a spreading worm is dependant on response time, and the initial counter-worm population. The challenge is estimating the fraction of hosts that have already been infected in order to figure out how many patching hosts to start with. Again, having too many hosts can clog up the newtwork. As for the nullifying worm, simulations have demonstrated that it has less of an impact on the network load. In fact, because the nullifying worm decreases the number of scanning worms, starting with a smaller populater of counter-worms, it is able to achieve comparable results to a patch spreading worm. Some changes to the nullifying worm can significantly improve its importance. For instance, nullifying defenses can have the ability to stop the good worm scanning after a critical period of time, reducing the impact on the network. If a sniper defense is used, then any communication between infected and patching hosts would nullify the infected hosts. As a result, sniper defense mechanisms can stop scanning at earlier stages than nullifying defenses and still achieve similar results.


1. Models of Active Worm Defenses

2. Defense and Detection Strategies against Internet Worms, Jose Nazario

3. An Improved Worm Mitigation Model for Evaluating the Spread of Aggressive Network Worms

4. The Effect of Infection Time on Internet Worm Propagation

See also

Systems for Detecting Network Intrusion

Computer Worms

Exteral links

Comparing Passive and Active Worm Defenses

A Network Worm Modeling Package

Internet Worm Propagation Simulators

Worm Blog

--Muslehj 21:44, 7 April 2008 (EDT)

Personal tools