Internet Worm Defenses

From Computing and Software Wiki

Revision as of 18:33, 7 April 2008

Worms are considered a serious threat against information integrity and service availability. Internet worms have repeatedly exposed and exploited the vulnerabilities of network hosts and the underlying internet architecture. Understanding the principles and patterns of worm propagation is crucial to developing countermeasures. Models have been developed to analyse network traffic and the effectiveness of various worm defense mechanisms. This information can be used to select an appropriate defense strategy for worms of different nature.


Passive Defense

Passive defense strategies, also known as containment technologies, aim at slowing down and eventually stopping the spread of a worm. The basic idea is to block all infectious communication between infected hosts and other susceptible hosts. Packets containing a signature that is known to belong to a particular worm can be dropped. For such strategies to be effective, early detection of a worm epidemic is crucial.

Firewalls, content filters and address blacklisting are all examples of such containment technologies. There is a large number of software products that offer such services. Content filtering requires analysis of every single packet, which is a real overhead. Moreover, aggressive worms that generate random permutations of their content may be able to evade packet filters. As for address blacklisting, it can be implemented in routers. Still, there are issues with identifying infected hosts and distributing blacklists. Simulation experiments have shown that content filtering works better than address blacklisting. In fact, it can contain worms an order of magnitude more aggressive.

Those measures alone are not sufficient to counter the worm threat, since infected hosts are not recovered. However, they can be used until a security patch is available. In reality it is extremely challenging to build containment systems of large scope. Designing systems that are able to automatically detect worm epidemics and to activate filtering mechanisms within a reasonable time frame is not an easy task.

Active Defense

Active defenses aim at patching uninfected hosts and/or suppressing infected hosts. Those mechanisms pose ethical and legal issues. Patches modify hosts and restrict their network communication activities. They are mostly beneficial to network administrators who have the right to choose the security posture of their own hosts.

Defense mechanisms mentioned in the following sections work under the assumption that a patch was prepared before the worm was launched. This is a reasonable assumption since most worms exploit known vulnerabilities. Normally, when a security vulnerability is announced, a patch is also made available.

One case where a counter-worm was used is Welchia against Blaster. Blaster created a distributed denial of service attack against windowsupdate.com. Welchia was a worm that installed security patches from Microsoft.

Simple Patch

In a simple patch defense, a set of hosts start scanning the network looking for susceptible but not yet infected hosts. As soon as one is found, it is instantly patched. Scanning strategies may be the same as or different from those used by the worm.

Spreading Patch

A spreading patch defense builds on the idea of a simple patch. It improves the rate of patching by increasing the number of hosts that implement the simple patch logic. When a susceptible and uninfected host is found, not only is it patched, but it is also supplied with a counter-worm that implements the scanning method of a simple patch. So the number of patching hosts can grow rapidly in a spreading patch.

Nullifying Defense

The premise of a nullifying defense is to stop already infected hosts from infecting more hosts on the network. When a patching host identifies an infected host, it can cause the infectious packets to be filtered out by a nearby router. This method is most useful when combined with passive defenses discussed above.

Sniper Defense

Sniper defense has the same goal as a nullifying defense, to isolate infected hosts. The sniper defense accomplishes this isolation a lot faster. In addition to scanning for infected hosts, a patching host that receives a scan from an infected host can nullify that host.
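The passive containment and the four active defenses above are easiest to compare with the kind of propagation model the cited papers use. The following is an added example written for this page, not code from any of the referenced papers: a small discrete-time mean-field (fluid) model in which every host is susceptible, infected, patched, a patching host, or nullified. The scan rates, population size, filter fraction and time step are constructed parameters chosen for illustration; the model assumes random scanning over the vulnerable population, so a scan hits a host of a given class with probability equal to that class's share of the population.

```python
from dataclasses import dataclass


@dataclass
class WormScenario:
    """Parameters of one simulated outbreak (all values are constructed for illustration)."""
    hosts: int = 10_000             # N: size of the vulnerable population
    infected0: float = 10.0         # I(0): hosts already infected at release time
    patchers0: float = 10.0         # A(0): hosts running the counter-worm at t = 0
    worm_scan_rate: float = 5.0     # beta: scans per infected host per time unit
    patch_scan_rate: float = 5.0    # gamma: scans per patching host per time unit
    spreading: bool = False         # spreading patch: newly patched hosts also scan
    nullifying: bool = False        # a patcher scan that hits an infected host gets it filtered
    sniper: bool = False            # an infected scan that hits a patcher gets the sender filtered
    filter_fraction: float = 0.0    # passive defense: share of infectious packets dropped
    filter_start: float = float("inf")  # time at which signature filtering is switched on


def simulate(scn: WormScenario, t_end: float = 10.0, dt: float = 0.01) -> dict:
    """Integrate the mean-field equations with forward Euler and return the final state.

    S: susceptible, I: infected and active, P: patched (passive), A: patching hosts,
    Q: nullified (infected but cut off by a router filter). Hosts are conserved.
    """
    n = float(scn.hosts)
    s, i, a, p, q = n - scn.infected0 - scn.patchers0, scn.infected0, scn.patchers0, 0.0, 0.0
    ever_infected = scn.infected0
    peak_infected = i
    for step in range(int(t_end / dt)):
        t = step * dt
        # Passive containment lowers the worm's effective scan rate once the filter is live.
        beta = scn.worm_scan_rate
        if t >= scn.filter_start:
            beta *= 1.0 - scn.filter_fraction
        gamma = scn.patch_scan_rate

        new_infections = beta * i * s / n        # worm scans landing on susceptible hosts
        new_patches = gamma * a * s / n          # counter-worm scans landing on susceptible hosts
        nullified = 0.0
        if scn.nullifying or scn.sniper:
            nullified += gamma * a * i / n       # patcher scans that discover infected hosts
        if scn.sniper:
            nullified += beta * i * a / n        # infected hosts that scanned a patcher

        s -= (new_infections + new_patches) * dt
        i += (new_infections - nullified) * dt
        q += nullified * dt
        if scn.spreading:
            a += new_patches * dt                # patched hosts join the scanning effort
        else:
            p += new_patches * dt                # patched hosts stay passive
        ever_infected += new_infections * dt
        peak_infected = max(peak_infected, i)

    return {
        "susceptible": s, "infected": i, "patchers": a, "patched": p, "nullified": q,
        "ever_infected": ever_infected, "peak_infected": peak_infected,
    }


def compare_strategies() -> dict:
    """Run the defenses discussed on the page against the same outbreak parameters."""
    return {
        "simple patch": simulate(WormScenario()),
        "spreading patch": simulate(WormScenario(spreading=True)),
        "spreading + nullifying": simulate(WormScenario(spreading=True, nullifying=True)),
        "spreading + sniper": simulate(WormScenario(spreading=True, nullifying=True, sniper=True)),
        "spreading + 90% content filter at t=0.5": simulate(
            WormScenario(spreading=True, filter_fraction=0.9, filter_start=0.5)),
    }


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(f"{name:40s} ever infected {result['ever_infected']:8.1f}"
              f"  peak {result['peak_infected']:8.1f}  still active {result['infected']:8.3f}")
```

With equal scan rates and equal starting populations, the simple patch barely dents the outbreak, the spreading patch splits the susceptible population roughly in half with the worm, nullification drives the number of active infected hosts to zero once the patchers outnumber them, and the sniper variant, which removes infected hosts at the worm's own scan rate as well as the patchers' rate, does so faster. Switching the content filter on early shows why detection time matters for the passive defense: the same filter applied later lets far more hosts become infected before the patchers catch up.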

References

1. Models of Active Worm Defenses

2. Defense and Detection Strategies against Internet Worms, Jose Nazario

3. An Improved Worm Mitigation Model for Evaluating the Spread of Aggressive Network Worms

4. The Effect of Infection Time on Internet Worm Propagation

See also

External links

Comparing Passive and Active Worm Defenses

A Network Worm Modeling Package

Internet Worm Propagation Simulators

Worm Blog
