04-07-2012, 02:19 PM
Addressing The Threat of Internet Worms
What is a Worm?
Self-replicating/self-propagating code.
Spreads across a network by exploiting flaws in open services.
As opposed to viruses, which require user action to quicken/spread
Enabled by Internet’s open communication model plus lack of implementation diversity
Measuring Internet-Scale Activity: Network Telescopes
Idea: monitor a cross-section of Internet address space to measure network traffic involving a wide range of addresses
“Backscatter” from DoS floods
Attackers probing blindly
Random scanning from worms
LBNL’s cross-section: 1/32,768 of Internet
Small enough for appreciable telescope lag
UCSD, UWisc’s cross-section: 1/256.
Spread of Code Red
Network telescopes give lower bound on # infected hosts: 360K. (Beware DHCP & NAT)
Course of infection fits classic logistic.
Note: the larger the vulnerable population, the faster the worm spreads.
That night (20th), worm dies …
… except for hosts with inaccurate clocks!
It just takes one of these to restart the worm on August 1st …
Striving for Greater Virulence: Nimda
Released September 18, 2001.
Multi-mode spreading:
attack IIS servers via infected clients
email itself to address book as a virus
copy itself across open network shares
modifying Web pages on infected servers w/ client exploit
scanning for Code Red II backdoors (!)
worms form an ecosystem!
Leaped across firewalls.
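The logistic growth noted under "Spread of Code Red" and the telescope lag noted under "Network Telescopes" can be worked through with the simple random-scanning epidemic model. This is an added example, not part of the original slides: the 360K population and the 1/32,768 and 1/256 telescope sizes come from the slides, while the scan rate of 6 probes per second, the single initially infected host and the function names are assumptions made for illustration.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws from


def growth_rate(vulnerable, scans_per_sec):
    """K in da/dt = K*a*(1-a): successful probes per infected host per second."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def infected_fraction(t, vulnerable, scans_per_sec, initial=1):
    """Closed-form logistic solution: fraction of vulnerable hosts infected at t (s)."""
    k = growth_rate(vulnerable, scans_per_sec)
    a0 = initial / vulnerable
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t))


def time_to_fraction(target, vulnerable, scans_per_sec, initial=1):
    """Invert the logistic: seconds until `target` of the population is infected."""
    k = growth_rate(vulnerable, scans_per_sec)
    a0 = initial / vulnerable
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k


def telescope_lag(fraction, vulnerable, scans_per_sec, initial=1):
    """Seconds until the expected count of probes landing in a telescope that
    monitors `fraction` of the address space reaches one (expected-value model)."""
    k = growth_rate(vulnerable, scans_per_sec)
    a0 = initial / vulnerable
    monitored = fraction * ADDRESS_SPACE
    # Cumulative expected probes = monitored * ln(1 - a0 + a0*e^(k*t)); solve for 1.
    return math.log((math.expm1(1.0 / monitored) + a0) / a0) / k


if __name__ == "__main__":
    SCAN_RATE = 6  # probes per second per infected host (assumed value)
    for n in (360_000, 720_000):  # 360K is the slides' lower bound; 720K is hypothetical
        hours = time_to_fraction(0.5, n, SCAN_RATE) / 3600
        print(f"N={n}: 50% infected after {hours:.1f} h")
    for name, frac in (("1/32,768", 1 / 32768), ("1/256", 1 / 256)):
        lag = telescope_lag(frac, 360_000, SCAN_RATE)
        print(f"telescope {name}: first expected probe after {lag:.0f} s")
```

Doubling the vulnerable population roughly halves the time to reach 50% infection, and the 1/32,768 telescope sees its first expected probe far later than the 1/256 one.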