wormStrategy-techreport - 1 On the Performance of Internet...

On the Performance of Internet Worm Scanning Strategies

Cliff Changchun Zou, Don Towsley, Weibo Gong
Department of Electrical & Computer Engineering
Department of Computer Science
Univ. Massachusetts, Amherst
Technical Report: TR-03-CSE-07

Abstract — In recent years, fast spreading worms have become one of the major threats to the security of the Internet. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect their propagation. In this paper, we model and analyze worm propagation under various scanning strategies, such as idealized scan, uniform scan, divide-and-conquer scan, local preference scan, sequential scan, target scan, etc. We also analyze and discuss how attackers could optimize their scanning strategies, and provide some guidelines for building up a monitoring infrastructure to defend against future worms.

I. INTRODUCTION

Since the Morris worm in 1988 [6], the security threat posed by worms has steadily increased, especially in the last several years. In 2001, the Code Red and Nimda worms infected hundreds of thousands of computers [7][21], causing millions of dollars in losses to our society [24]. The Slammer worm appeared on January 25th, 2003, and quickly spread throughout the Internet. Because of its super fast scan rate, Slammer infected more than 90% of vulnerable computers in the Internet within 10 minutes [8] and generated severe denial of service attacks on many networks across Asia, Europe, and America [25]. Just seven months later, the Blaster worm appeared and spread quickly across the Internet on August 11th. In the following days, Blaster and its many variants repeatedly attacked the Internet.

Attackers have tried many scanning strategies in recent worms. Code Red and Slammer uniformly scan the entire IPv4 space [8][22]. Blaster sequentially scans the Internet. Code Red II also uses a local preference scan in its propagation: Code Red II has a higher probability of scanning an IP address within the same Class B or Class A network than a random address [7]. In its sequential scan, Blaster chooses to sequentially scan from a local IP address with probability 0.4 [26].

We believe that in the future, attackers will continue to implement a variety of scanning strategies to increase their worms’ spreading speed and defeat our defenses. In this paper, we mathematically model and analyze various scanning strategies that attackers have already used or may use in the future. Mathematical analysis provides a deep understanding of how different factors affect a worm’s propagation. The scanning strategies we analyze include idealized scan, uniform scan, divide-and-conquer scan, local preference scan, sequential scan, target scan, etc. We also combine numerical analysis and simulation experiments in our modelling and analysis.
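To make the uniform versus local preference comparison concrete, the following added example (not code or a model taken from the report) uses a discrete-time mean-field approximation to estimate how many time steps pass before 90% of vulnerable hosts are infected, which is the window a monitoring and response system has to work in. All names and parameters are assumptions constructed for illustration: 256 equal-sized networks of 65536 addresses, 4096 vulnerable hosts, 400 probes per infected host per tick, and a local preference probability of 0.5.

```python
def simulate(vuln_per_net, seed_net, p_local, scans_per_tick, net_size, ticks):
    """Expected infected total after each tick (discrete-time mean-field model).

    Assumptions of this sketch: equal-sized networks, every infected host sends
    scans_per_tick probes per tick, a fraction p_local of them uniformly inside
    its own network and the rest uniformly over the whole address space.
    """
    k = len(vuln_per_net)
    infected = [0.0] * k
    infected[seed_net] = 1.0
    miss = 1.0 - 1.0 / net_size  # one probe into a network misses a given address
    history = []
    for _ in range(ticks):
        total = sum(infected)
        nxt = []
        for n_k, i_k in zip(vuln_per_net, infected):
            # Expected probes landing in this network: local ones plus its global share.
            probes = scans_per_tick * (p_local * i_k + (1.0 - p_local) * total / k)
            nxt.append(i_k + (n_k - i_k) * (1.0 - miss ** probes))
        infected = nxt
        history.append(sum(infected))
    return history


def ticks_to_fraction(history, n_total, fraction=0.9):
    """First tick at which the infected total reaches fraction * n_total."""
    for tick, value in enumerate(history, start=1):
        if value >= fraction * n_total:
            return tick
    return None


# Constructed toy parameters, not measurements of any real worm.
NETS, NET_SIZE, N_TOTAL, RATE, TICKS = 256, 65536, 4096, 400, 400
EVEN = [N_TOTAL // NETS] * NETS                       # 16 vulnerable hosts everywhere
CLUSTERED = [N_TOTAL // 16] * 16 + [0] * (NETS - 16)  # all hosts in 16 networks


def compare(p_local=0.5):
    """Ticks to 90% infection for each (placement, strategy) pair."""
    out = {}
    for name, vuln in (("even", EVEN), ("clustered", CLUSTERED)):
        for label, p in (("uniform", 0.0), ("local", p_local)):
            hist = simulate(vuln, 0, p, RATE, NET_SIZE, TICKS)
            out[(name, label)] = ticks_to_fraction(hist, N_TOTAL)
    return out


if __name__ == "__main__":
    for key, ticks in compare().items():
        print(key, ticks)
```

In this model the local preference scan shortens the time to 90% infection only when vulnerable hosts are clustered in a few networks; with hosts spread evenly it is never faster than the uniform scan.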

This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.
