A First Look at Peer-to-Peer Worms: Threats and Defenses

  • Lidong Zhou
  • Lintao Zhang
  • Frank McSherry
  • Nicole Immorlica
  • Manuel Costa
  • Steve Chien
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3640)


Peer-to-peer (P2P) worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. This paper describes the danger posed by P2P worms and initiates the study of possible mitigation mechanisms. In particular, the paper explores the feasibility of a self-defense infrastructure inside a P2P network, outlines the challenges, evaluates how well this defense mechanism contains P2P worms, and reveals correlations between containment and the overlay topology of a P2P network. Our experiments suggest a number of design directions to improve the resilience of P2P networks to worm attacks.


Infected Node Super Node Worm Propagation Overlay Topology Common Vulnerability 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Calvert, K., Doar, M., Zegura, E.: Modeling Internet topology. IEEE Communications Magazine (June 1997)Google Scholar
  2. 2.
    Castro, M., Druschel, P., Ganesh, A., Rowstron, A., Wallach, S.S.: Secure routing for structured peer-to-peer overlay networks. In: Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI 2002), Boston, MA, USA, December 2002, pp. 299–314. USENIX (2002)Google Scholar
  3. 3.
    Chawathe, Y., Ratnasamy, S., Breslau, L., Lanham, N., Shenker, S.: Making Gnutella-like p2p systems scalable. In: Proceedings of SIGCOMM 2003, Karlsruhe, Germany, pp. 407–418. ACM, New York (2003)CrossRefGoogle Scholar
  4. 4.
    Costa, M., Crowcroft, J., Castro, M., Rowstron, A.: Can we contain Internet worms? In: Proceedings of the 3rd Workshop on Hot Topics in Networks (HotNets-III) (November 2004)Google Scholar
  5. 5.
    Cox, L.P., Noble, B.D.: Honor among thieves in peer-to-peer storage. In: Proceedings of the 19th ACM Symposium on Operating Systems Principles, Bolton Landing, NY, USA, pp. 120–132. ACM SIGOPS, ACM Press, New York (2003)CrossRefGoogle Scholar
  6. 6.
    Crandall, J.R., Chong, F.T.: Minos: Control data attack prevention orthogonal to memory model. In: Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture. IEEE/ACM (December 2004)Google Scholar
  7. 7.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proc. 25th Symposium on Security and Privacy. IEEE, Los Alamitos (2004)Google Scholar
  8. 8.
    Kim, H., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Proceedings of the 13th USENIX Security Symposium (August 2004)Google Scholar
  9. 9.
    Kreibich, C., Crowcroft, J.: Honeycomb—creating intrusion detection signatures using Honeypots. In: Proc. of the 2nd Workshop on Hot Topics in Networks (HotNets-II) (November 2003)Google Scholar
  10. 10.
    Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of IEEE INFOCOM 2003. IEEE, Los Alamitos (2003)Google Scholar
  11. 11.
    Newsome, J., Song, D.: Dynamic taint analysis: Automatic detection and generation of software exploit attacks. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005) (February 2005) (to appear)Google Scholar
  12. 12.
    random nut. The PACKET 0’ DEATH FastTrack network vulnerability. NETSYS.COM Full Disclosure Mailing List Archives (May 2003),
  13. 13.
    Ratnasamy, S., Francis, P., Handley, M., Karp, R., Shenker, S.: A scalable content-addressable network. In: Proceedings of ACM SIGCOMM, San Diego, CA, USA, August 2001, pp. 161–172 (2001)Google Scholar
  14. 14.
    Rowstron, A., Druschel, P.: Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems. In: Guerraoui, R. (ed.) Middleware 2001. LNCS, vol. 2218, p. 329. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Saroiu, S., Gribble, S.D., Levy, H.M.: Measurement and analysis of spyware in a university environment. In: Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, CA (March 2004)Google Scholar
  16. 16.
    Singh, S., Estan, C., Varghese, G., Savage, S.: The EarlyBird system for real-time detection of unknown worms. Technical Report CS2003-0761, UC San Diego (August 2003)Google Scholar
  17. 17.
    Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium (August 2002)Google Scholar
  18. 18.
    Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: A scalable peer-to-peer lookup service for Internet applications. In: Proc. ACM SIGCOMM, pp. 149–160 (2001)Google Scholar
  19. 19.
    Suh, G.E., Lee, J., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of ASPLOS XI, Boston, MA, USA, October 2004, pp. 85–96 (2004)Google Scholar
  20. 20.
  21. 21.
    Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: The First ACM Workshop on Rapid Malcode (WORM) (2003)Google Scholar
  22. 22.
    Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium (August 2004)Google Scholar
  23. 23.
    Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proc. 18th Annual Computer Security Applications Conference, Las Vegas, NV (December 2002)Google Scholar
  24. 24.
    Zhao, B.Y., Huang, L., Rhea, S.C., Stribling, J., Joseph, A.D., Kubiatowicz, J.D.: Tapestry: A global-scale overlay for rapid service deployment. IEEE Journal on Selected Areas in Communications (J-SAC) 22(1), 41–53 (2004)CrossRefGoogle Scholar
  25. 25.
    Zhou, L., Schneider, F.B., van Renesse, R.: COCA: A secure distributed on-line certification authority. ACM Transactions on Computer Systems 20(4), 329–368 (2002)CrossRefGoogle Scholar
  26. 26.
    Zou, C., Gao, L., Gong, W., Towsley, D.: Monitoring and early warning for Internet worms. In: Proc. of the 10th ACM Conference on Computer and Communication Security (October 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Lidong Zhou
    • 1
  • Lintao Zhang
    • 1
  • Frank McSherry
    • 1
  • Nicole Immorlica
    • 2
  • Manuel Costa
    • 3
  • Steve Chien
    • 1
  1. 1.Microsoft Research Silicon Valley 
  2. 2.Laboratory for Computer ScienceMIT 
  3. 3.Microsoft Research Cambridge and University of Cambridge 

Personalised recommendations