Internet Worm Defenses
From Computing and Software Wiki
Revision as of 22:11, 6 April 2008
Worms are considered a serious threat against information integrity and service availability. Internet worms have repeatedly exposed and exploited the vulnerabilities of network hosts and the underlying internet architecture. Understanding the principles and patterns of worm propagation is crucial to developing countermeasures. Models have been developed to analyse network traffic and the effectiveness of various worm defense mechanisms. This information can be used to select an appropriate defense strategy for worms of different nature.
Passive Defense
Passive defense strategies, also known as containment technologies, aim at slowing down and eventually stopping the spread of a worm. The basic idea is to block all infectious communication between infected hosts and other susceptible hosts. Packets containing a signature that is known to belong to a particular worm can be dropped. For such strategies to be effective, early detection of a worm epidemic is crucial.
Firewalls, content filters and address blacklisting are all examples of such containment technologies. There is a large number of software products that offer such services. Content filtering requires analysis of every single packet, which is a real overhead. Moreover, aggressive worms that generate random permutations of content may be able to bypass packet filters. As for address blacklisting, it can be implemented in routers. Still, there are issues with identifying infected hosts and distributing blacklists. Simulation experiments have shown that content filtering works better than address blacklisting. In fact, it can contain worms an order of magnitude more aggressive.
Those measures alone are not sufficient to counter the worm threat, since infected hosts are not recovered. However, they can be used until a security patch is available. In reality it is extremely challenging to build containment systems of large scope. Designing systems that are able to automatically detect worm epidemics and to activate filtering mechanisms within a reasonable time frame is not an easy task.
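As an added example (not part of the original wiki page), the following deterministic, discrete-time model shows why early detection matters for containment: infected hosts scan a uniform address space, and from the detection step onward a packet filter drops a fraction of infectious traffic, scaling down the effective scan rate. All parameters (vulnerable population, address space size, scan rate, detection step) are constructed values.

```python
# Added example: discrete-time worm propagation with passive containment.
# Parameters are constructed for illustration, not taken from the page.
from dataclasses import dataclass


@dataclass
class WormModel:
    vulnerable: int = 10_000      # hosts that can be infected (N)
    address_space: int = 2 ** 20  # addresses scanned uniformly at random
    scan_rate: float = 50.0       # scans per infected host per time step
    initial_infected: int = 1


def simulate(model, steps, detect_at=None, drop_fraction=0.0):
    """Return expected infected-host counts I(0), I(1), ..., I(steps).

    Before detection every scan that reaches a susceptible host infects it.
    From step `detect_at` on, a content filter or address blacklist drops
    `drop_fraction` of infectious packets, reducing the effective scan rate.
    """
    infected = float(model.initial_infected)
    history = [infected]
    for t in range(1, steps + 1):
        rate = model.scan_rate
        if detect_at is not None and t >= detect_at:
            rate *= 1.0 - drop_fraction      # containment is active
        susceptible = model.vulnerable - infected
        # each scan hits a susceptible host with probability
        # susceptible / address_space; sum over all infected hosts' scans
        new_infections = infected * rate * susceptible / model.address_space
        infected = min(float(model.vulnerable), infected + new_infections)
        history.append(infected)
    return history


def final_fraction(history, model):
    """Fraction of the vulnerable population infected at the end of the run."""
    return history[-1] / model.vulnerable


if __name__ == "__main__":
    m = WormModel()
    unfiltered = simulate(m, 200)
    contained = simulate(m, 200, detect_at=20, drop_fraction=0.99)
    print("no containment:", round(final_fraction(unfiltered, m), 3))
    print("filter at step 20:", round(final_fraction(contained, m), 3))
```

Running the comparison with a later `detect_at` shows the containment effect shrinking, which is the page's point that early detection is what makes passive defenses work.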
Active Defense
Empty Defense
Simple Patch
Spreading Patch
Nullifying Defense
Sniper Defense
See also
External links
Comparing Passive and Active Worm Defenses
A Network Worm Modeling Package