A new worm exploiting IPv4-IPv6 dual-stack networks

  • Authors:

  • Qinhua Zheng;Ting Liu;Xiaohong Guan;Yu Qu;Na Wang

  • Affiliations:

  • Xi'an Jiaotong University, Xi'an, China;Xi'an Jiaotong University, Xi'an, China;Xi'an Jiaotong University, Xi'an, China;Xi'an Jiaotong University, Xi'an, China;Xi'an Jiaotong University, Xi'an, China

  • Venue:
  • Proceedings of the 2007 ACM workshop on Recurring malcode
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

It is commonly believed that the IPv6 protocol can provide good protection against network worms due to its huge address space. However, it is proved to be incorrect by our study on the new "dual-stack worm" which can spread in IPv4-IPv6 dual-stack networks. It is found in this paper that the dual-stack worm can collect the IPv6 addresses of all running hosts on the link-local quickly and effectively, which may result in accelerated worm spreading on the IPv6 link-locals. This worm applies a two-level scanning mechanism to find its targets in dual-stack networks, which is investigated by exploring its similarity to the self-replicating behaviors of biological viruses. Based on the ideas of classifying the population into different species or patches, we categorized all vulnerable hosts into two species and separated all dual-stack hosts into several patches to model the propagation of this worm by differential equations. Simulation is performed to validate the worm propagation model and to study the propagation of the worm in various dual-stack networks with different patch parameters. The simulation results show that the worm is able to spread much faster in IPv4-IPv6 dual-stack network than that in the pure IPv4 Internet. It is also noted that the dual-stack links may influence the propagation of the worm in the Internet