routingWorm-PADS05 - Routing Worm: A Fast, Selective Attack...

Routing Worm: A Fast, Selective Attack Worm based on IP Address Information

Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai
Department of Computer Science
University of Massachusetts, Amherst MA 01003
{czou,gong,scai}@ecs.umass.edu, towsley@cs.umass.edu

Abstract

Most well-known worms, such as Code Red, Slammer, Blaster, and Sasser, infected vulnerable computers by scanning the entire IPv4 address space. In this paper, we present an advanced worm called “routing worm”, which implements two advanced attacking techniques. First, a routing worm uses BGP routing tables to only scan the Internet routable address space, which allows it to propagate three times faster than a traditional worm. Second, and more importantly, the geographic information of BGP routing prefixes enables a routing worm to conduct pinpoint “selective attacks” by imposing heavy damage to vulnerable computers in a specific country, company, Internet Service Provider, or Autonomous System, without collateral damage done to others.

Because of the inherent publicity of BGP routing tables, attackers can easily deploy routing worms, which distinguishes the routing worm from other “worst-case” worms. Compared to a traditional worm, a routing worm could possibly cause more severe congestion to the Internet backbone since all scans sent out by a routing worm are Internet routable (and can only be dropped at the destinations). In addition, it is harder to quickly detect a routing-worm infected computer since we cannot distinguish illegal scans from regular connections without waiting for traffic responses. In order to defend against routing worms and all scanning worms, an effective way is to upgrade the current Internet from IPv4 to IPv6, although such an upgrade will require a tremendous effort and is still a controversial issue.

1. Introduction

Computer worms are malicious programs that self-propagate across a network exploiting security or policy flaws in widely-used services [26]. Most previously wide-spreading worms, such as Code Red, Slammer, Blaster, and Sasser [7], are scanning worms that find and infect vulnerable machines by probing IP addresses in the entire IPv4 Internet address space. How fast a worm can propagate is determined by many factors. Among them, three major factors could be improved by attackers:

(1) The number of initially infected hosts;
(2) A worm’s scan rate η, defined as the number of scans an infected computer sends out per unit time;
(3) A worm’s hitting probability p, defined as the probability that a worm’s scan hits any computer that is either vulnerable or already infected.

“Hit-list worm” presented by [23] exploits the first fac-

This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.
