Internet Worm Defenses - Revision history

Muslehj: /* Simple Patch */

2008-04-18T02:12:19Z

Simple Patch

← Older revision		Revision as of 02:12, 18 April 2008
Line 21:		Line 21:
	=== Simple Patch ===		=== Simple Patch ===
	In a simple patch defense, a set of hosts start scanning the network looking for		In a simple patch defense, a set of hosts start scanning the network looking for
-	susceptible but not yet infected hosts. As soon, as one is found it is ~~instantlypatched~~. Scanning strategies may be similar or different ~~that~~ those used by the worm.	+	susceptible but not yet infected hosts. As soon, as one is found it is instantly patched. Scanning strategies may be similar or different than those used by the worm.

	=== Spreading Patch ===		=== Spreading Patch ===

Muslehj: /* See also */

2008-04-11T00:21:00Z

Muslehj: /* See also */

2008-04-08T01:45:21Z

Muslehj at 01:44, 8 April 2008

2008-04-08T01:44:03Z

← Older revision		Revision as of 01:44, 8 April 2008
Line 57:		Line 57:
	[http://www.wormblog.com/ Worm Blog]		[http://www.wormblog.com/ Worm Blog]

-	--[[User:Muslehj\|Muslehj]] 21:41, 7 April 2008 (EDT)	+	--[[User:Muslehj\|Muslehj]] 21:44, 7 April 2008 (EDT)

Muslehj at 01:41, 8 April 2008

2008-04-08T01:41:24Z

← Older revision		Revision as of 01:41, 8 April 2008
Line 56:		Line 56:

	[http://www.wormblog.com/ Worm Blog]		[http://www.wormblog.com/ Worm Blog]
		+
		+	--[[User:Muslehj\|Muslehj]] 21:41, 7 April 2008 (EDT)

Muslehj: /* Worm Models */

2008-04-08T01:40:00Z

Worm Models

← Older revision		Revision as of 01:40, 8 April 2008
Line 34:		Line 34:
	== Worm Models ==		== Worm Models ==
	There are different scanning techniques that worms use to probe hosts. Worms such as Code Red II, Blaster, and Welchia utilized preferential scanning techniques. Addresses close in the address space to the infected host were more likely to be scanned for vulnerability. Another type of scanning is what is known as a partitioned permutation scan where worms coordinate in between themselves so that each instance scans a disjoint set of the address space. Most worms employ a simplified scanning mechanisms where probing is uniformly random.		There are different scanning techniques that worms use to probe hosts. Worms such as Code Red II, Blaster, and Welchia utilized preferential scanning techniques. Addresses close in the address space to the infected host were more likely to be scanned for vulnerability. Another type of scanning is what is known as a partitioned permutation scan where worms coordinate in between themselves so that each instance scans a disjoint set of the address space. Most worms employ a simplified scanning mechanisms where probing is uniformly random.
		+

	When building models and analysing simulations results, some assumptions are made for the sake of simplicity. If we assume that the spreading patch uses the same propagation strategy as the worm, then both the worm and the counter-worm will spread at the same rate targeting the same set of susceptible hosts. The effectiveness of a spreading worm is dependant on response time, and the initial counter-worm population. The challenge is estimating the fraction of hosts that have already been infected in order to figure out how many patching hosts to start with. Again, having too many hosts can clog up the newtwork. As for the nullifying worm, simulations have demonstrated that it has less of an impact on the network load. In fact, because the nullifying worm decreases the number of scanning worms, starting with a smaller populater of counter-worms, it is able to achieve comparable results to a patch spreading worm. Some changes to the nullifying worm can significantly improve its importance. For instance, nullifying defenses can have the ability to stop the good worm scanning after a critical period of time, reducing the impact on the network. If a sniper defense is used, then any communication between infected and patching hosts would nullify the infected hosts. As a result, sniper defense mechanisms can stop scanning at earlier stages than nullifying defenses and still achieve similar results.		When building models and analysing simulations results, some assumptions are made for the sake of simplicity. If we assume that the spreading patch uses the same propagation strategy as the worm, then both the worm and the counter-worm will spread at the same rate targeting the same set of susceptible hosts. The effectiveness of a spreading worm is dependant on response time, and the initial counter-worm population. The challenge is estimating the fraction of hosts that have already been infected in order to figure out how many patching hosts to start with. Again, having too many hosts can clog up the newtwork. As for the nullifying worm, simulations have demonstrated that it has less of an impact on the network load. In fact, because the nullifying worm decreases the number of scanning worms, starting with a smaller populater of counter-worms, it is able to achieve comparable results to a patch spreading worm. Some changes to the nullifying worm can significantly improve its importance. For instance, nullifying defenses can have the ability to stop the good worm scanning after a critical period of time, reducing the impact on the network. If a sniper defense is used, then any communication between infected and patching hosts would nullify the infected hosts. As a result, sniper defense mechanisms can stop scanning at earlier stages than nullifying defenses and still achieve similar results.

Muslehj: /* Worm Models */

2008-04-08T01:39:42Z

Worm Models

← Older revision		Revision as of 01:39, 8 April 2008
Line 33:		Line 33:

	== Worm Models ==		== Worm Models ==
-	There are different scanning techniques that worms use to probe hosts. Worms such as Code Red II, Blaster, and Welchia utilized preferential scanning techniques. Addresses close in the address space to the infected host were more likely to be scanned for vulnerability. Another type of scanning is what is known as a partitioned permutation scan where worms coordinate in between themselves so that each instance scans a disjoint set of the address space. Most worms employ a simplified scanning mechanisms where probing is uniformly random. ~~Epidemic~~ models have been ~~used~~ to ~~analyze random~~ scanning worms.	+	There are different scanning techniques that worms use to probe hosts. Worms such as Code Red II, Blaster, and Welchia utilized preferential scanning techniques. Addresses close in the address space to the infected host were more likely to be scanned for vulnerability. Another type of scanning is what is known as a partitioned permutation scan where worms coordinate in between themselves so that each instance scans a disjoint set of the address space. Most worms employ a simplified scanning mechanisms where probing is uniformly random.
		+
		+	When building models and analysing simulations results, some assumptions are made for the sake of simplicity. If we assume that the spreading patch uses the same propagation strategy as the worm, then both the worm and the counter-worm will spread at the same rate targeting the same set of susceptible hosts. The effectiveness of a spreading worm is dependant on response time, and the initial counter-worm population. The challenge is estimating the fraction of hosts that have already been infected in order to figure out how many patching hosts to start with. Again, having too many hosts can clog up the newtwork. As for the nullifying worm, simulations have demonstrated that it has less of an impact on the network load. In fact, because the nullifying worm decreases the number of scanning worms, starting with a smaller populater of counter-worms, it is able to achieve comparable results to a patch spreading worm. Some changes to the nullifying worm can significantly improve its importance. For instance, nullifying defenses can have the ability to stop the good worm scanning after a critical period of time, reducing the impact on the network. If a sniper defense is used, then any communication between infected and patching hosts would nullify the infected hosts. As a result, sniper defense mechanisms can stop scanning at earlier stages than nullifying defenses and still achieve similar results.

	== References ==		== References ==

Muslehj at 00:49, 8 April 2008

2008-04-08T00:49:30Z

← Older revision		Revision as of 00:49, 8 April 2008
Line 10:		Line 10:

	== ''' Active Defense ''' ==		== ''' Active Defense ''' ==
-	[[Image:good_bad.jpg \| 'right']]	+
		+	[[Image:good_bad.jpg\|right\|300px\|]]
	Active defenses aim at patching uninfected hosts and/or suppressing infected hosts.		Active defenses aim at patching uninfected hosts and/or suppressing infected hosts.
	Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are more mostly beneficial to network administrators that have the rights to choose their security posture.		Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are more mostly beneficial to network administrators that have the rights to choose their security posture.

Muslehj at 19:37, 7 April 2008

2008-04-07T19:37:58Z

← Older revision		Revision as of 19:37, 7 April 2008
Line 10:		Line 10:

	== ''' Active Defense ''' ==		== ''' Active Defense ''' ==
-	Active defenses aim at patching uninfected hosts and/or suppressing infected hosts. Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are more mostly beneficial to network administrators that	+	[[Image:good_bad.jpg \| 'right']]
-	have the rights to choose their security posture.	+	Active defenses aim at patching uninfected hosts and/or suppressing infected hosts.
		+	Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are more mostly beneficial to network administrators that have the rights to choose their security posture.

	Defense mechanisms mentioned in the following sections work under the assumption that a patch was prepared before the worm was launched. This is a reasonable assumptions since most worms exploit known vulnerabilities. Normally, when a security vulnerability is announced, a patch is also made available.		Defense mechanisms mentioned in the following sections work under the assumption that a patch was prepared before the worm was launched. This is a reasonable assumptions since most worms exploit known vulnerabilities. Normally, when a security vulnerability is announced, a patch is also made available.

Muslehj: /* Nullifying Defense */

2008-04-07T19:11:41Z

Nullifying Defense

← Older revision		Revision as of 19:11, 7 April 2008
Line 25:		Line 25:

	=== Nullifying Defense ===		=== Nullifying Defense ===
-	The premise of a nullifying defense is to stop already infected hosts from infecting more hosts on the network. When a patching host identifies an infected host, it can cause the infectious packets to be filtered out by a nearby router. ~~This~~ method is ~~most~~ useful ~~when~~ combined with passive defenses discussed above.	+	The premise of a nullifying defense is to stop already infected hosts from infecting more hosts on the network. When a patching host identifies an infected host, it can cause the infectious packets to be filtered out by a nearby router. Scans use up a lot of bandwidth, so this method is also extremely useful in terms of limiting the impact of worms on a network. This method can be combined with other passive defenses discussed above.

	=== Sniper Defense ===		=== Sniper Defense ===

← Older revision		Revision as of 00:21, 11 April 2008
Line 49:		Line 49:
	== See also ==		== See also ==
	[http://www.cas.mcmaster.ca/wiki/index.php/Systems_for_Detecting_Network_Intrusion Systems for Detecting Network Intrusion]		[http://www.cas.mcmaster.ca/wiki/index.php/Systems_for_Detecting_Network_Intrusion Systems for Detecting Network Intrusion]
		+
		+	[http://www.cas.mcmaster.ca/wiki/index.php/Computer_worms Computer Worms]

	== Exteral links ==		== Exteral links ==

← Older revision		Revision as of 01:45, 8 April 2008
Line 48:		Line 48:

	== See also ==		== See also ==
		+	[http://www.cas.mcmaster.ca/wiki/index.php/Systems_for_Detecting_Network_Intrusion Systems for Detecting Network Intrusion]
		+
	== Exteral links ==		== Exteral links ==
	[http://portal.acm.org/citation.cfm?id=1025129.1026071 Comparing Passive and Active Worm Defenses]		[http://portal.acm.org/citation.cfm?id=1025129.1026071 Comparing Passive and Active Worm Defenses]