Early detection of Internet worm activity by metering ICMP destination unreachable messages
暂无分享,去创建一个
Early warning of active worm propagation over the Internet is of vital importance to first responders. Knowing an active worms characteristics very early in its propagation can significantly reduce the damage it may cause. In this paper we propose an early warning system that uses ICMP Destination Unreachable (ICMP-T3) messages to identify the random scanning behavior of worms. Participating routers across the Internet send Blind Carbon Copies of all their locally generated ICMP-T3 messages to a central collection point. There all the incoming messages are compared for similarities. Incoming messages are abstracted and patterns identified. Using the methods discussed in this paper we identify 'blooms' of activity that are a clear signature of worm propagation. Preliminary test results have shown that actively spreading worms can be identified in the first few minutes after they are launched. By using the characteristics gathered in those early stages, action can be taken and widespread damage might be avoided.
[1] Alan Boulanger. Catapults and Grappling Hooks: The Tools and Techniques of Information Warfare , 1998, IBM Syst. J..
[2] Nicholas Weaver,et al. Potential Strategies for High Speed Active Worms : A Worst Case Analysis , 2002 .