Empirical Analysis of Rate Limiting Mechanisms

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3858)

Abstract

One class of worm defense techniques that has received attention of late is to “rate limit” outbound traffic to contain fast-spreading worms. Several rate limiting proposals have appeared in the literature, each with a different take on the impetus behind rate limiting. This paper presents an empirical analysis of different rate limiting schemes using real traffic and attack traces from a sizable network. In the analysis we isolate and investigate the impact of the critical parameters for each scheme and seek to understand how these parameters might be set in realistic network settings. The analysis shows that DNS-based rate limiting has substantially lower error rates than schemes based on other traffic statistics. The analysis additionally brings to light a number of issues with respect to rate limiting at large. We explore the impact of these issues in the context of general worm containment.

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wong, C., Bielski, S., Studer, A., Wang, C. (2006). Empirical Analysis of Rate Limiting Mechanisms. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_2

  • DOI: https://doi.org/10.1007/11663812_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science, Computer Science (R0)
