Very Fast Containment of Scanning Worms, Revisited

  • Nicholas Weaver
  • Stuart Staniford
  • Vern Paxson
Part of the Advances in Information Security book series (ADIS, volume 27)


Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm’s spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. In addition, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.

We then report on experiences subsequently implementing our algorithm in Click [13] and deploying it both on our own network and in the DETER testbed [6]. Doing so uncovered additional considerations, including the need to passively map the monitored LAN due to Ethernet switch behavior, and the problem of detecting ARP scanning as well as IP scanning. We finish with discussion of some deployment issues, including broadcast/multicast traffic and the use of NAT to realize sparser address spaces.


Block Cipher; Address Space; Cache Size; Epidemic Threshold; Multicast Packet
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



  1. R. Anderson, E. Biham, and L. Knudsen. Serpent: A Proposal for the Advanced Encryption Standard.
  2. B. Bloom. Space/Time Trade-offs in Hash Coding with Allowable Errors. CACM, July 1970.
  3. CERT. CERT Advisory CA-2001-26 Nimda Worm.
  4. CERT. Code Red II: Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL.
  5. S. Crosby and D. Wallach. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
  6. Deter: A laboratory for security research.
  7. eEye Digital Security. .ida “Code Red” Worm, http://www.eeye.com/html/Research/Advisories/AL20010717.html.
  8. K. Egevang and P. Francis. RFC 1631 - The IP Network Address Translator (NAT).
  10. L. T. Heberlein, G. Dias, K. Levitt, B. Mukerjee, J. Wood, and D. Wolber. A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, 1990.
  11. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In 2004 IEEE Symposium on Security and Privacy, to appear, 2004.
  12. J. Jung, S. Schechter, and A. Berger. Fast Detection of Scanning Worm Infections, in submission.
  13. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18(3):264–297, August 2000.
  14. C. Leckie and R. Kotagiri. A Probabilistic Approach to Detecting Network Scans. In Proceedings of the Eighth IEEE Network Operations and Management Symposium (NOMS 2002), 2002.
  15. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Magazine of Security and Privacy, pages 33–39, July/August 2003.
  16. D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-propagating Code, 2003.
  17. M. Networks.
  18. D. Nojiri, J. Rowe, and K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. In Proc. DARPA DISCEX III Conference, 2003.
  19. H. Packard. Connection-rate filtering based on virus-throttling technology.
  20. V. Paxson. Bro: a System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435–2463, 1999.
  21. D. Plummer. RFC 826 - Ethernet Address Resolution Protocol.
  22. G. Project. Gnutella, A Protocol for Revolution.
  23. S. Robertson, E. V. Siegel, M. Miller, and S. J. Stolfo. Surveillance Detection in High Bandwidth Environments. In Proc. DARPA DISCEX III Conference, 2003.
  24. S. E. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sept. 15-17, 2004.
  25. Silicon Defense. Countermalice Worm Containment, products/countermalice/.
  26. Snort, the Open Source Network Intrusion Detection System.
  27. S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.
  28. S. Staniford, J. Hoagland, and J. McAlerney. Practical Automated Detection of Stealthy Portscans. Journal of Computer Security, 10:105–136, 2002.
  29. S. Staniford and C. Kahn. Worm Containment in the Internal Network. Technical report, Silicon Defense, 2003.
  30. S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium. USENIX, August 2002.
  31. Symantec. W32.blaster.worm.
  32. J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
  33. N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A Taxonomy of Computer Worms. In The First ACM Workshop on Rapid Malcode (WORM), 2003.
  34. B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An integrated experimental environment for distributed systems and networks. In Proc. of the Fifth Symposium on Operating Systems Design and Implementation, pages 255–270, Boston, MA, Dec. 2002. USENIX Association.
  35. D. Whyte, P. van Oorschot, and E. Kranakis. ARP-based detection of scanning worms within an enterprise network. In Proceedings of Annual Computer Security Applications Conference (ACSAC 2005), Tucson, AZ, December 2005.
  36. M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In ACSAC, 2002.
  37. Xilinx Inc. Xilinx ML300 Development Platform.
  38. C. C. Zou, W. Gong, and D. Towsley. Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. In The First ACM Workshop on Rapid Malcode (WORM), 2003.

Copyright information

© Springer Science+Business Media, LLC. 2007

Authors and Affiliations

  • Nicholas Weaver (1)
  • Stuart Staniford (2)
  • Vern Paxson (3)

  1. International Computer Science Institute, Berkeley
  2. Nevis Networks, Berkeley
  3. International Computer Science Institute, Lawrence Berkeley National Laboratory, Berkeley