Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone

Authors:
Thomas Dübendorfer;Arno Wagner;Theus Hossmann;Bernhard Plattner
Affiliations:
Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich;Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich;Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich;Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich
Venue:
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2005

Citing 6
Cited 4

Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Code red worm propagation modeling and analysis

Proceedings of the 9th ACM conference on Computer and communications security
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Experiences with worm propagation simulations

Proceedings of the 2003 ACM workshop on Rapid malcode
Host Behaviour Based Early Detection of Worm Outbreaks in Internet Backbones

WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Entropy Based Worm and Anomaly Detection in Fast IP Networks

WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise

The Contact Surface: A Technique for Exploring Internet Scale Emergent Behaviors

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Behavioural Characterization for Network Anomaly Detection

Transactions on Computational Science IV
Design of a Stream-Based IP Flow Record Query Language

DSOM '09 Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management: Integrated Management of Systems, Services, Processes and People in IT
Accurate network anomaly classification with generalized entropy metrics

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.01

Visualization

Abstract

We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster‘s multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F‘s far too greedy spreading algorithm.