Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior

Authors: Farnam Jahanian, Z. Morley Mao, Evan Cooke

Abstract: Long after the Blaster, Slammer/Sapphire, and CodeRedII worms caused significant worldwide disruptions, a huge number of infected hosts from these worms continue to probe the Internet today. This paper investigates hotspots (non-uniformities) in the targeting behavior of these important worms. Recent data collected over a period of a month and a half using a distributed blackhole data collection infrastructure covering 18 networks, including ISPs, enterprises, and academic networks, show 75K Blaster-infected hosts, 180K Slammer-infected hosts, and 55K CodeRedII-infected hosts. Through detailed analysis, we discover how critical flaws and side effects in the targeting behavior lead to a bias for certain destination address blocks. In particular, we demonstrate three previously unexplored biases: a severely restricted initial random seed forcing infection attempts to certain blocks; flaws in the parameters of a random number generator making hosts cycle through limited target addresses; and the widespread use of private address space dramatically changing the targeting distribution. A direct consequence of these biases is that certain address blocks are subjected to far more infection attempts than others. We discuss the implication of these hotspots on worm simulation and modeling, placement of blackhole sensors, and worm detection and quarantine.

[Figure 1 (A. Total Packets; B. Unique Source IPs): Observations Witty, Slammer, Nimda, all monitored]
