On the constancy of internet path properties
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
IEEE Security and Privacy
Proceedings of the 2003 ACM workshop on Rapid malcode
Experiences with worm propagation simulations
Proceedings of the 2003 ACM workshop on Rapid malcode
IEEE Security and Privacy
Implementing and testing a virus throttle
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Bandwidth estimation: metrics, measurement techniques, and tools
IEEE Network: The Magazine of Global Internetworking
Collaborative Internet Worm Containment
IEEE Security and Privacy
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Proceedings of the 2005 ACM workshop on Rapid malcode
A self-learning worm using importance scanning
Proceedings of the 2005 ACM workshop on Rapid malcode
Defending against hitlist worms using network address space randomization
Proceedings of the 2005 ACM workshop on Rapid malcode
Host-based detection of worms through peer-to-peer cooperation
Proceedings of the 2005 ACM workshop on Rapid malcode
Towards scalable and robust distributed intrusion alert fusion with good load balancing
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Temporal search: detecting hidden malware timebombs with virtual machines
Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
Proceedings of the 4th ACM workshop on Recurring malcode
Puppetnets: misusing web browsers as a distributed attack infrastructure
Proceedings of the 13th ACM conference on Computer and communications security
SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots
Computer Networks: The International Journal of Computer and Telecommunications Networking
WitMeMo '06 Proceedings of the second international workshop on Wireless traffic measurements and modeling
Detecting targeted attacks using shadow honeypots
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
On the effectiveness of distributed worm monitoring
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Defending against hitlist worms using network address space randomization
Computer Networks: The International Journal of Computer and Telecommunications Networking
An Automated Signature-Based Approach against Polymorphic Internet Worms
IEEE Transactions on Parallel and Distributed Systems
A new worm exploiting IPv4-IPv6 dual-stack networks
Proceedings of the 2007 ACM workshop on Recurring malcode
On the trade-off between speed and resiliency of flashworms and similar malcodes
Proceedings of the 2007 ACM workshop on Recurring malcode
Honey@home: a new approach to large-scale threat monitoring
Proceedings of the 2007 ACM workshop on Recurring malcode
Optimal worm-scanning method using vulnerable-host distributions
International Journal of Security and Networks
Proximity breeds danger: emerging threats in metro-area wireless networks
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Proceedings of the 2008 ACM symposium on Applied computing
Network externalities and the deployment of security features and protocols in the internet
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Malware Models for Network and Service Management
AIMS '07 Proceedings of the 1st international conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Proceedings of the 15th ACM conference on Computer and communications security
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
ACM Transactions on Information and System Security (TISSEC)
A Novel Worm Detection Model Based on Host Packet Behavior Ranking
OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems
A hardware platform for efficient worm outbreak detection
ACM Transactions on Design Automation of Electronic Systems (TODAES)
Defending against the propagation of active worms
The Journal of Supercomputing
Creation of the importance scanning worm using information collected by Botnets
Computer Communications
Investigating the impact of real-world factors on internet worm propagation
ICISS'07 Proceedings of the 3rd international conference on Information systems security
HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency
Computer Networks: The International Journal of Computer and Telecommunications Networking
A behavioral analysis engine for network traffic
CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
Ethical proactive threat research
FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
Web server protection by customized instruction set encoding
IPDPS'06 Proceedings of the 20th international conference on Parallel and distributed processing
Enhancing Intrusion Detection System with proximity information
International Journal of Security and Networks
On the impacts of join and leave on the propagation ratio of topology-aware active worms
Proceedings of the 4th international conference on Security of information and networks
An anti-worm with balanced tree based spreading strategy
ICMLC'05 Proceedings of the 4th international conference on Advances in Machine Learning and Cybernetics
Mitigating network denial-of-service through diversity-based traffic management
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Paragraph: thwarting signature learning by training maliciously
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
The nepenthes platform: an efficient approach to collect malware
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Fast and evasive attacks: highlighting the challenges ahead
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
TAO: protecting against hitlist worms using transparent address obfuscation
CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security
ICISS'05 Proceedings of the First international conference on Information Systems Security
Spatio-temporal mining of software adoption & penetration
Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining
| Hi-index | 0.00 |
Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds[18]. We grossly over-estimated. In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.