Code red worm propagation modeling and analysis
Proceedings of the 9th ACM conference on Computer and communications security
A technique for counting natted hosts
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
A blueprint for introducing disruptive technology into the Internet
ACM SIGCOMM Computer Communication Review
IEEE Security and Privacy
Defending against hitlist worms using network address space randomization
Proceedings of the 2005 ACM workshop on Rapid malcode
Worm evolution tracking via timing analysis
Proceedings of the 2005 ACM workshop on Rapid malcode
Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware
DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Exploiting underlying structure for detailed reconstruction of an internet-scale event
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
On the effectiveness of distributed worm monitoring
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Worms vs. perimeters: the case for hard-LANs
HOTI '04 Proceedings of the High Performance Interconnects, 2004. on Proceedings. 12th Annual IEEE Symposium
The nepenthes platform: an efficient approach to collect malware
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Correcting congestion-based error in network telescope's observations of worm dynamics
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Defending against the propagation of active worms
The Journal of Supercomputing
| Hi-index | 0.00 |
While malware models have become increasingly accurate over the past few years, none of the existing proposals accounts for the use of Network Address Translation (NAT). This oversight is problematic since many network customers use NAT in their local networks. In fact, measurements we collected from a distributed honeynet show that approximately 19% of the infected hosts reside in NATted domains. To account for this fact, we present a model that can be used to understand the impact of varying levels of NAT deployment on malware that spread by preferentially scanning the IP space. Using this model, we show that NATting impedes malware propagation in several ways and can have a significant impact on non-uniform scanning worms as it invalidates the implicit assumption that vulnerable hosts reside in densely populated subnets.