Advanced Routing Worm and Its Security Challenges

Cliff C. Zou, School of Electrical Engineering & Computer Science, University of Central Florida, Orlando, FL
Don Towsley, Department of Computer Science, University of Massachusetts, Amherst, MA
Weibo Gong, Department of Electrical & Computer Engineering, University of Massachusetts, Amherst, MA
Songlin Cai, Parallogic Corporation, Sterling, VA

SIMULATION, Vol. 82, Issue 1, January 2006 75-85 ©2006 The Society for Modeling and Simulation International DOI: 10.1177/0037549706065344

Most well-known worms, such as Code Red, Slammer, Blaster, and Sasser, infected vulnerable computers by scanning the entire IPv4 address space. In this article, the authors present an advanced worm called the “routing worm,” which implements two new attacking techniques. First, a routing worm uses Border Gateway Protocol (BGP) routing tables to only scan the Internet-routable address space, which allows it to propagate three times faster than a traditional worm. Second, and more important, the geographic information of BGP routing prefixes enables a routing worm to conduct pinpoint “selective attacks” by imposing heavy damage to vulnerable computers in a specific country, company, Internet Service Provider, or autonomous system, without collateral damage done to others.

Because of the inherent publicity of BGP routing tables, attackers can easily deploy routing worms, which distinguishes the routing worm from other “worst-case” worms. Compared to a traditional worm, a routing worm could possibly cause more severe congestion to the Internet backbone since all scans sent out by it are Internet routable (and can be dropped only at the destination local networks). In addition, it is harder to quickly detect a routing worm–infected computer since we cannot distinguish illegal scans from regular connections sent out from it without waiting for traffic responses.

For high-fidelity Internet-scale worm simulations, through this routing worm study, the authors emphasize the importance of simulating failed worm scans and distinguishing nonroutable worm scans from routable scans. In order to defend against routing worms and all scanning worms, an effective way is to upgrade the current Internet from IPv4 to IPv6, although such an upgrade will require a tremendous effort and is still a controversial issue.

Keywords: Network security, routing worm, modeling

1. Introduction

Computer worms are malicious programs that self-propagate across a network, exploiting security or policy flaws in widely used services. Most previous wide-spreading worms, such as Code Red, Slammer, Blaster, and Sasser, are scanning worms that find and infect vulnerable machines by probing IP addresses in the entire IPv4 Internet address space. How fast a worm can propagate is determined by many factors. Among them, three major factors could be improved by attackers:

• the number of initially infected hosts
• a worm’s scan rate...
This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.