Most well-known worms, such as Code Red, Slammer, Blaster, and Sasser, infected vulnerable computers by scanning the entire IPv4 address space. In this article, the authors present an advanced worm called the "routing worm," which implements two new attacking techniques. First, a routing worm uses Border Gateway Protocol (BGP) routing tables to scan only the Internet-routable address space, which allows it to propagate three times faster than a traditional worm. Second, and more important, the geographic information of BGP routing prefixes enables a routing worm to conduct pinpoint "selective attacks" by imposing heavy damage on vulnerable computers in a specific country, company, Internet Service Provider, or autonomous system, without collateral damage to others. Because BGP routing tables are inherently public, attackers can easily deploy routing worms, which distinguishes the routing worm from other "worst-case" worms. Compared to a traditional worm, a routing worm could cause more severe congestion on the Internet backbone, since every scan it sends is Internet routable and can be dropped only at the destination local networks. In addition, a routing worm-infected computer is harder to detect quickly, since its illegal scans cannot be distinguished from regular connections without waiting for traffic responses. Through this routing worm study, the authors also emphasize that high-fidelity Internet-scale worm simulations must simulate failed worm scans and distinguish nonroutable worm scans from routable ones. An effective defense against routing worms, and against all scanning worms, is to upgrade the current Internet from IPv4 to IPv6, although such an upgrade would require tremendous effort and remains a controversial issue.