===================================================
From amsaha@cs.rice.edu Wed Apr 14 21:26:51 2004
===================================================

The basic question addressed here is "How can we best control a worm epidemic in the internet?" The design space to address this question is analysed along 'reaction time', 'identification and containment', and 'deployment'. The paper uses logs from the Code-Red virus attack and uses them in simulations to find out how the attack would perform against different kinds of defenses. A summary of the main results is as follows:

1. Reaction time has to be on the order of minutes, meaning that automated reaction is required rather than human intervention.

2. Content filtering is a much better containment strategy than blacklisting already infected machines. However, for content filtering, provisions must be made for the application layer to mark packets and then for switches to filter them.

3. Filtering should be done at most major ASes in order to cover most internet paths, and hence ASes need to cooperate amongst themselves.

While such work is interesting to the extent that it can post-process information logs to find out what went wrong and what we could have done differently, the work might not be relevant with respect to future, more powerful worms.

Amit
----------------------------------------------------------------------
http://www.cs.rice.edu/~amsaha
----------------------------------------------------------------------
Anyone who uses the phrase "easy as taking candy from a baby" has never tried taking candy from a baby. -- Robin Hood
----------------------------------------------------------------------

===================================================
From muhammed@ece.rice.edu Thu Apr 15 13:01:53 2004
===================================================

There are few strategies which are general enough to be relied on to prevent and cope with ever-evolving virus attacks. One such is the containment strategy, which is the subject matter of this paper. This paper examines the strategy and concludes, after simulation experiments, that wide deployment of intrusion detection systems is a very important requirement for effective worm containment.

The paper shows that content filtering performs better than address blacklisting for implementing infection containment, in that it allows more reaction time. But content filtering incurs a lot of processing overhead at the firewalls, since application-layer information has to be examined in each packet and attack code is distributed over multiple packets. Content filtering systems are also defeated by encryption. They also exhibit a high false-alarm probability for a low detection probability.

The paper does not address distributed infection in sufficient detail. The infection rate is amplified by multiple "seed" nodes, requiring very small reaction times. The paper seems mostly concerned with Code Red-type virus attacks.

===================================================
From gulati@is.rice.edu Thu Apr 15 14:58:14 2004
===================================================

Internet Quarantine: Requirements for containing self-propagating code

This paper discusses the problem of containing self-propagating code before it causes substantial harm to the hosts and network. It doesn't really propose a solution to the problem, but it talks about some guidelines for a solution. The authors did an extensive study of the Code-Red worm and its progress over the first few hours when it was spreading, and came up with some metrics by which any containment strategy can be evaluated. They focused on 3 parameters and came up with their effectiveness metric as follows:

Reaction time - The time taken by any containment system to detect a worm and react to it. The authors claim that it needs to be so small, in order to stop any worm effectively, that only an automated system can achieve that small value.

Containment strategy - Content filtering and address blacklisting are 2 ways proposed by the authors to stop the code from propagating to uninfected hosts. The authors claim that content filtering is more effective and reacts faster than address blacklisting.

Blocking location - This defines the location where the blocking strategy is deployed. Measurements suggest that only a wide deployment of such services makes them effective against worm propagation attacks, and that ASes need to cooperate to make it work.

Overall the paper suggests limitations and guidelines for strategies against worm propagation, but it doesn't really propose a solution. Also, it talks about certain kinds of solution, whereas in the future there may be other approaches to deal with the problem, such as some mechanism in the OS to detect and stop such code, or a programming-language technique to stop buffer overflows and other possible attacks on executables.

-Ajay

===================================================
From santa@cs.rice.edu Thu Apr 15 15:46:12 2004
===================================================

Internet Quarantine: Requirements for Containing Self-Propagating Code

Provides a nice connection to the well-studied field of pathology, and adapts its models to modelling worms. They find that content filtering is a more effective way of dealing with the threat than address blacklisting. They mentioned that prevention will prove to be extremely difficult. But that seems to be the only good and proper way to stop these viruses. Won't stopping arbitrary daemons running on computers listening on various ports be helpful in solving the problem? There is a thin line of separation between containment and treatment. It just seems like a form of treatment.

In particular, the conclusion that detection (which is necessary for containment) of a new virus is extremely difficult seems very obvious. Especially with the sophistication of viruses, the detection of their signatures will prove to be even more difficult. A key thing seems to be to identify a worm packet. If that is solved, then a configurable firewall can quickly adapt to the worm and contain it. I didn't find any mention of a system where the administrators/robots of a sub-network (the owner of a network) can strive to contain the virus within it when a new worm is detected. Then the worm cannot spread out of this domain or inside this domain.

Santashil PalChaudhuri
http://www.cs.rice.edu/~santa
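The three knobs the reviews above keep returning to (reaction time, blacklisting versus content filtering, and how widely blocking is deployed) are easiest to see in a small epidemic-style simulation of the kind the pathology analogy suggests. The following is an added example, not code from the paper or from any of the reviewers: its mean-field worm model, the per-host detection lag used for blacklisting, and every parameter (address_space, vulnerable, scans_per_step, reaction_time, coverage) are constructed assumptions chosen to keep the numbers small, not values taken from the paper.

```python
"""
Discrete-time, mean-field model of a random-scanning worm under three
containment options. Added illustration with constructed parameters;
it is not the paper's own model or code.
"""
from dataclasses import dataclass


@dataclass
class WormParams:
    address_space: int       # size of the address space the worm scans (constructed)
    vulnerable: int          # vulnerable hosts inside that space (constructed)
    scans_per_step: float    # probes each unblocked infected host sends per step
    initial_infected: int = 1


def simulate(p, steps, strategy="none", reaction_time=None, coverage=1.0):
    """
    Return the cumulative number of infected hosts after each step.

    strategy (assumed semantics for this illustration):
      "none"       no containment at all
      "blacklist"  a host's probes are dropped, where blocking is deployed,
                   once that host has been infected for `reaction_time` steps
                   (each infected host is detected with the same lag)
      "filter"     once the first infection is `reaction_time` steps old a
                   signature exists, and every probe crossing a deployed
                   filtering point is dropped, whoever sent it
    coverage: fraction of probes that traverse a point where blocking is
              deployed (the "deployment" axis); 1.0 means every path is covered.
    """
    cohorts = [float(p.initial_infected)]   # cohorts[k] = hosts infected at step k
    infected = float(p.initial_infected)
    history = [infected]
    for t in range(1, steps + 1):
        sent = infected * p.scans_per_step
        if strategy == "blacklist" and reaction_time is not None:
            # hosts younger than the reaction time have not been listed yet;
            # listed hosts still leak probes over paths with no blocking
            unlisted = sum(c for k, c in enumerate(cohorts) if t - k < reaction_time)
            listed = infected - unlisted
            effective = (unlisted + listed * (1.0 - coverage)) * p.scans_per_step
        elif strategy == "filter" and reaction_time is not None and t >= reaction_time:
            effective = sent * (1.0 - coverage)
        else:
            effective = sent
        susceptible = p.vulnerable - infected
        # expected fresh infections: each probe lands on a susceptible host
        # with probability susceptible/address_space (mean-field approximation)
        new = min(susceptible, effective * susceptible / p.address_space)
        cohorts.append(new)
        infected += new
        history.append(infected)
    return history


def steps_to_reach(history, fraction, p):
    """First step at which at least `fraction` of the vulnerable hosts are infected, or None."""
    target = fraction * p.vulnerable
    for t, count in enumerate(history):
        if count >= target:
            return t
    return None


if __name__ == "__main__":
    params = WormParams(address_space=1000, vulnerable=100, scans_per_step=10)
    print("infected hosts after 50 steps (full coverage)")
    print("reaction   blacklist   filter")
    for r in (2, 5, 10):
        b = simulate(params, 50, "blacklist", reaction_time=r)[-1]
        f = simulate(params, 50, "filter", reaction_time=r)[-1]
        print(f"{r:8d}   {b:9.1f}   {f:6.1f}")
    print("no containment:", round(simulate(params, 50)[-1], 1))
```

Running the block prints a small table for a few reaction times. With full coverage, content filtering freezes the outbreak at whatever size it had reached when the signature became available, however the worm behaves afterwards; blacklisting lets every newly infected host scan for a full reaction time before it is listed, so the epidemic keeps growing unless that time is very short. Lowering `coverage` reintroduces leaked probes for both strategies, which is the "ASes need to cooperate" point in the reviews.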