Very Fast Containment of Scanning Worms, Revisited

  • Nicholas Weaver
  • Stuart Staniford
  • Vern Paxson
Conference paper

DOI: 10.1007/978-0-387-44599-1_6

Part of the Advances in Information Security book series (ADIS, volume 27)
Cite this paper as:
Weaver N., Staniford S., Paxson V. (2007) Very Fast Containment of Scanning Worms, Revisited. In: Christodorescu M., Jha S., Maughan D., Song D., Wang C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA


Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm’s spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. In addition, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.

We then report on experiences subsequently implementing our algorithm in Click [13] and deploying it both on our own network and in the DETER testbed [6]. Doing so uncovered additional considerations, including the need to passively map the monitored LAN due to Ethernet switch behavior, and the problem of detecting ARP scanning as well as IP scanning. We finish with discussion of some deployment issues, including broadcast/multicast traffic and the use of NAT to realize sparser address spaces.



Copyright information

© Springer Science+Business Media, LLC. 2007

Authors and Affiliations

  • Nicholas Weaver (1)
  • Stuart Staniford (2)
  • Vern Paxson (3)
  1. International Computer Science Institute, Berkeley
  2. Nevis Networks, Berkeley
  3. International Computer Science Institute, Lawrence Berkeley National Laboratory, Berkeley
