Worm Meets Beehive

Internet worms have plagued the Internet infrastructure with ever wider and deeper impact since the Morris Worm in early 1988. It has further been shown that better-engineered worms, such as Warhol worms and Flash worms, could spread across the Internet in minutes or even tens of seconds rather than hours. Such virulent spreading invalidates any manual countermeasures and poses an extremely serious threat to the safety of the Internet. To address this challenge, this paper proposes a novel worm-curtailing scheme, the beehive, which fights back against worm propagation by actively immunizing every worm-infected node it encounters. More specifically, by owning a portion of unused but routable IP space that is open to the infection attempts of different worms, a beehive not only attracts and traps these attempts but also defensively gives a security shot to each attempting worm-infected node. The security shot immunizes the infected node so that it can no longer infect others. Our formal analysis shows that even one beehive network with a reasonable IP address space can effectively mitigate the active spreading of worms among a million nodes. This paper presents both analysis and simulation results of the beehive evaluation. In particular, our results show that for a random-probing worm, a /13 beehive network, or 8 class B networks, can reduce the maximum worm infection coverage to as low as 13%. To the best of our knowledge, no such worm fightback mechanism has been proposed and analyzed before. Finally, a beehive prototype is presented to demonstrate its practicality.
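As an added illustration (not the paper's own analysis or code), the following mean-field susceptible/infected/immunized model shows how a random-probing worm behaves when part of the address space is a beehive: every scan either finds a vulnerable host or risks landing on beehive space, where the scanner is immunized. The scan rate, vulnerable population and step size are assumptions; the /13 and 8-class-B figures come from the abstract.

```python
"""Mean-field model of a random-probing worm meeting a beehive (constructed illustration).

Assumptions: infected nodes probe uniformly random IPv4 addresses; a probe that
hits a vulnerable host infects it; a probe that hits beehive space gets the
prober immunized, so it stops scanning. Parameters below are assumptions.
"""

ADDRESS_SPACE = 2 ** 32  # routable IPv4 space, treated as uniformly probed


def beehive_addresses(prefix_len):
    """Number of addresses in one IPv4 block of the given prefix length."""
    return 2 ** (32 - prefix_len)


def simulate(vulnerable=1_000_000, beehive_prefix=None, scans_per_step=100,
             initial_infected=1, max_steps=100_000):
    """Return (peak_infected_fraction, ever_infected_fraction).

    S = susceptible, I = infected and scanning, R = immunized by the beehive.
    Infection and immunization compete per scan: S/ADDRESS_SPACE versus the
    beehive's share of the address space, so I grows only while susceptible
    density exceeds beehive density.
    """
    hive = beehive_addresses(beehive_prefix) if beehive_prefix else 0
    p_hive = hive / ADDRESS_SPACE
    s = float(vulnerable - initial_infected)
    i = float(initial_infected)
    r = 0.0
    peak = i
    for _ in range(max_steps):
        scans = i * scans_per_step                      # probes sent this step
        new_inf = min(s, scans * s / ADDRESS_SPACE)     # probes hitting victims
        shots = min(i, scans * p_hive)                  # probes hitting the beehive
        s -= new_inf
        i += new_inf - shots
        r += shots
        peak = max(peak, i)
        if i < 0.5:  # epidemic has died out
            break
    return peak / vulnerable, (vulnerable - s) / vulnerable
```

Comparing `simulate()` with `simulate(beehive_prefix=13)` shows the peak of simultaneously infected nodes collapsing from essentially the whole population to a small fraction, while the cumulative count of hosts ever infected falls less sharply.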
