Fast and Evasive Attacks: Highlighting the Challenges Ahead

  • Moheeb Abu Rajab
  • Fabian Monrose
  • Andreas Terzis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


Passive network monitors, known as telescopes or darknets, have been invaluable in detecting and characterizing malware outbreaks. However, as the use of such monitors becomes commonplace, it is likely that malware will evolve to actively detect and evade them. This paper highlights the threat of simple, yet effective, evasive attacks that undermine the usefulness of passive monitors. Our results raise an alarm to the research and operational communities to take proactive countermeasures before we are forced to defend against similar attacks appearing in the wild. Specifically, we show how lightweight, coordinated sampling of the IP address space can be used to successfully detect and evade passive network monitors. Equally troubling is the fact that in doing so attackers can locate the “live” IP space clusters and divert malware scanning solely toward active networks. We show that evasive attacks exploiting this knowledge are also extremely fast, overtaking the entire vulnerable population within seconds.


Network Monitoring Network Worms Invasive Software Network Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: Internet motion sensor: A distributed blackhole monitoring system. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2005)Google Scholar
  2. 2.
    Barford, P., Nowak, R., Willet, R., Yagneswaran, V.: Toward a Model for Source Address of Internet Background Radiation. In: Proceedings of Passive and Active Measurement Conference (PAM 2006) (March 2006)Google Scholar
  3. 3.
    Bethencourt, J., Franklin, J., Vernon, M.: Mapping Internet Sensors with Probe Response Attacks. In: Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 193–212 (2005)Google Scholar
  4. 4.
    Chen, Z., Gao, L., Kwiat, K.: Modeling the Spread of Active Worms. In: Proceedings of IEEE INFOCOMM, vol. 3, pp. 1890–1900 (2003)Google Scholar
  5. 5.
    Chen, Z., Ji, C.: A Self-Learning Worm Using Importance Scanning. In: Proceedings of ACM Workshop On Rapid Malcode (WORM) (November 2005)Google Scholar
  6. 6.
    The Distributed Intrusion Detection System (DShield),
  7. 7.
    Fu, X., Graham, B., Cheng, D., Bettati, R., Zhao, W.: Camouflaging Virtual Honeypots. Texas A&M University technical report #2005-7-3 (2005)Google Scholar
  8. 8.
    Holz, T., Raynal, F.: Defeating Honeypots. Online article,
  9. 9.
    Internet Assigned Numbers Authority (IANA),
  10. 10.
    Internet Systems Consortium (ISC),
  11. 11.
    Yegneswaran, V., Giffin, J.T., Barford, P., Jha, S.: An architecture for generating semantic-aware signatures. In: Proceedings of the 14th USENIX Security Symposium (August 2005)Google Scholar
  12. 12.
    Kim, H.-A., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Proceedings of 13th USENIX Security Symposium (2004)Google Scholar
  13. 13.
    Kohler, E., Li, J., Paxson, V., Shenker, S.: Observed Structure of Addresses in IP Traffic. In: Proceedings of ACM SIGCOMM Internet Measurement Workshop (November 2002)Google Scholar
  14. 14.
    Kreibich, C., Crowcroft, J.: Honeycomb—creating intrusion detection signatures using honeypots. In: Proceedings of 2nd Workshop on Hot Topics in Networks (Hotnets-II) (2003)Google Scholar
  15. 15.
    Liston, T.: LaBrea Tarpit Project,
  16. 16.
    Ma, J., Voelker, G., Savage, S.: Self-stopping worms. In: Proceedings of ACM Workshop On Rapid Malcode (WORM), pp. 12–21 (November 2005)Google Scholar
  17. 17.
    Moore, D.: Network Telescopes: Observing Small or Distant Security Events. In: 11th USENIX Security Symposium, Invited Talk (August 2002)Google Scholar
  18. 18.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer Worm. IEEE Magazine of Security and Privacy Magazine, 33–39 (July 2003)Google Scholar
  19. 19.
    Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of IEEE INFOCOM (2003)Google Scholar
  20. 20.
    Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: Proceedings of ACM IMC (October 2004)Google Scholar
  21. 21.
    Peterson, L., Anderson, T., Culler, D.: A blueprint for introducing disruptive technology into the internet. In: First ACM Workshop on Hot Topics in Networks (HotNets-I) (October 2002)Google Scholar
  22. 22.
    Porras, P., Briesemeister, L., Skinner, K., Levitt, K., Rowe, J., Yu-Cheng, A.,T.: A hybrid quarantine defense. In: Proceedings of the Second ACM Workshop on Rapid Malcode (WORM) (November 2004)Google Scholar
  23. 23.
    Pouget, F., Dacier, M., Pham, V.H.: On the Advantages of Deploying a Large Scale Distributed Honeypot Platform. In: Proceeding of the E-Crime and Computer Conference ECCE (March 2005)Google Scholar
  24. 24.
    Pouget, F., Dacier, M., Pham, V.H., Deber, H.: Honeynets: Foundations for the development of early warning systems. In: NATO Advanced Research Workshop (2004)Google Scholar
  25. 25.
    Provos, N.: A virtual honeypot framework. In: Proceedings of the 13th USENIX Security Symposium (August 2004)Google Scholar
  26. 26.
    Rajab, M.A., Monrose, F., Terzis, A.: Fast and Evasive Attacks: Highlighting the challenges ahead. In: JHU Computer Science Technical Report HiNRG-RMT-112205 (November 2005)Google Scholar
  27. 27.
    Rajab, M.A., Monrose, F., Terzis, A.: On the Effectiveness of Distributed Worm Monitoring. In: Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 225–237 (2005)Google Scholar
  28. 28.
    Rajab, M.A., Monrose, F., Terzis, A.: Worm Evolution Tracking via Timing Analysis. In: Proceedings of ACM Workshop on Rapid Malware (WORM), pp. 52–59 (November 2005)Google Scholar
  29. 29.
    Meyer, D.: University of Oregon RouteViews Project,
  30. 30.
    Shannon, C., Moore, D.: The Spread of the Witty Worm. IEEE Security and Privacy Magazine 2(4), 46–50 (2004)CrossRefGoogle Scholar
  31. 31.
    Shinoda, Y., Ikai, K., Itoh, M.: Vulnerabilities of Passive Internet Threat Monitors. In: Proceedings of the 14th USENIX Security Symposium, pp. 209–224 (August 2005)Google Scholar
  32. 32.
    Staniford, S., Moore, D., Paxson, V., Weaver, N.: The Top Speed of Flash Worms. In: Proceedings of the ACM Workshop on Rapid Malcode (WORM), October 2004, pp. 33–42 (2004)Google Scholar
  33. 33.
    Staniford, S., Paxson, V., Weaver, N.: How to 0wn the internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium (August 2002)Google Scholar
  34. 34.
    Singh, G.V.S., Estan, C., Savage, S.: Automated worm fingerprinting. In: Proceedings of 6th Symposium on Operating System Design and Implmentation (OSDI) (2004)Google Scholar
  35. 35.
    Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A.C., Voelker, G.M., Savage, S.: Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. Proceedings of ACM SIGOPS Operating System Review 39(5), 148–162 (2005)CrossRefGoogle Scholar
  36. 36.
    Yegneswaran, V., Barford, P., Jha, S.: Global intrusion detection in the domino overlay system. In: Proceedings of the ISOC Network and Distributed Systems Security Symposium (NDSS) (2004)Google Scholar
  37. 37.
    Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 146–165. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  38. 38.
    Zeitoun, A., Jamin, S.: Rapid Exploration of Internet Live Address Space Using Optimal Discovery Path. In: Proceedings of Globecomm (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Moheeb Abu Rajab
    • 1
  • Fabian Monrose
    • 1
  • Andreas Terzis
    • 1
  1. 1.Johns Hopkins UniversityBaltimoreUSA

Personalised recommendations