Containing large-scale worm spreading in the Internet by cooperative distribution of traffic filtering policies

The Internet is crucial to business, government, education and many other facets of society, but the easy access and wide usage of the most common network services make it a primary target for the propagation of viral infections or worms. It has been widely experienced that the massive worldwide spreading of very fast and aggressive worms may easily disrupt or damage the connectivity of large sections of the Internet, affecting millions of users. Classical containment strategies, based on the manual application of traffic filters, will be almost totally ineffective in the wide area. Consequently, developing an automated, self-distributing containment strategy is the most viable way to defeat worm propagation in an acceptable time. The objective of our work is to develop a distributed and cooperative containment strategy based on having traffic filtering information dynamically disseminated throughout the network at a speed that is faster than (or at least comparable with) the propagation of worms. Our framework, based on BGP extensions to distribute traffic filtering information, has the advantage of using the existing infrastructure and inter-AS communication channels. We envision that the above solution will be one of the most effective and challenging lines of defense against next-generation, more aggressive worms.
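The central claim of the abstract is a race: filtering policies must reach the rest of the network before a scanning worm has infected most of the vulnerable population. The following deterministic toy simulation, added here as an illustration and not the authors' own model or simulator, makes that race concrete. It assumes a small hypothetical AS topology (`TOPOLOGY`, `HOSTS`), a uniformly scanning worm modelled as an SI epidemic with Euler steps, per-AS local detection at `LOCAL_THRESHOLD` infected hosts, and BGP-style dissemination abstracted to a fixed `hop_delay` per AS hop; all of these names and values are constructed for the example.

```python
"""Race between a scanning worm and hop-by-hop dissemination of a filtering policy.

Hypothetical toy model (added example; not the paper's simulator):
- SPACE addresses, a handful of ASes, each owning some hosts (constructed values)
- worm: every infected host probes SCAN_RATE random addresses per time unit,
  so the vulnerable population follows a deterministic SI epidemic
- containment: the first AS whose local infected count reaches LOCAL_THRESHOLD
  originates a filtering policy; each neighbour installs it hop_delay time units
  after the AS it learned it from (a stand-in for BGP announcement propagation).
  An AS that holds the policy drops worm traffic at ingress, so its remaining
  susceptible hosts cannot be infected any more.
"""
from collections import deque

SPACE = 1_000_000          # size of the scanned address space (constructed)
SCAN_RATE = 10.0           # probes per infected host per time unit (constructed)
LOCAL_THRESHOLD = 20.0     # infected hosts an AS needs to see before it originates a policy

# Constructed AS-level topology (adjacency list) and hosts per AS.
TOPOLOGY = {
    "A": ["B", "C"],
    "B": ["A", "D"],
    "C": ["A", "D"],
    "D": ["B", "C", "E"],
    "E": ["D", "F"],
    "F": ["E"],
}
HOSTS = {"A": 5000, "B": 12000, "C": 8000, "D": 10000, "E": 9000, "F": 6000}


def bfs_hops(topology, origin):
    """Hop count from the originating AS to every AS reachable from it."""
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nxt in topology[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def simulate(topology, hosts, hop_delay, seed_as="A", dt=0.1, t_end=60.0):
    """Run the epidemic; hop_delay=None disables containment entirely."""
    infected = {a: 0.0 for a in hosts}
    infected[seed_as] = 1.0            # one initially infected host
    filter_at = {}                     # AS -> time the policy is installed there
    t_detect, origin = None, None
    t = 0.0
    while t < t_end:
        # Local detection: the first AS to see LOCAL_THRESHOLD infections originates the policy.
        if t_detect is None and hop_delay is not None:
            for a in hosts:
                if infected[a] >= LOCAL_THRESHOLD:
                    t_detect, origin = t, a
                    for b, hops in bfs_hops(topology, origin).items():
                        filter_at[b] = t_detect + hops * hop_delay
                    break
        # Probes emitted by all infected hosts during this step, spread uniformly over SPACE.
        probes = sum(infected.values()) * SCAN_RATE * dt
        for a, n in hosts.items():
            if a in filter_at and t >= filter_at[a]:
                continue               # ingress filter installed: no new infections here
            susceptible = n - infected[a]
            new = min(susceptible, probes * susceptible / SPACE)
            infected[a] += new
        t += dt
    total = sum(infected.values())
    return {
        "infected_fraction": total / sum(hosts.values()),
        "infected_by_as": infected,
        "t_detect": t_detect,
        "origin": origin,
        "filter_at": filter_at,
    }


def infected_fraction(hop_delay):
    """Final infected fraction of the vulnerable population for a given per-hop delay."""
    return simulate(TOPOLOGY, HOSTS, hop_delay)["infected_fraction"]


if __name__ == "__main__":
    for delay in (None, 0.0, 1.0, 2.0, 5.0):
        label = "no containment" if delay is None else f"hop delay {delay}"
        print(f"{label:>16}: {infected_fraction(delay):.4f} of hosts infected")
```

Running the block prints the final infected fraction for several dissemination delays: with no containment the worm saturates the vulnerable population, with instantaneous dissemination only the hosts infected before detection are lost, and every extra time unit of per-hop delay costs the fraction of hosts the worm reaches in the interval between detection and policy installation at the farthest AS.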
