Description of Research and Goals
In the last year, we've seen continued growth in the number of DoS attacks, and a number of highly publicized Internet worms. While some work has been done on methods of mitigating the effects of Denial-of-Service attacks, there is a little operationally relevant of research into how to control the spread of Internet worms.
In July of 2002, the CodeRed worm was able to infect 360,000 hosts in less than one day. Clearly, manual intervention is unable to counter an attack of this scale - 24 hours is insufficient time to propagate basic information about the attack, let alone begin actual prevention. In fact, CAIDA research has shown that the majority of machines were still vulnerable to the attack more than a week after the initial CodeRed outbreak. Therefore, any mechanism to control the spread of Internet worms must be automated if it is to have any chance of success. To design such a mechanism, we first must understand the basic relationship between the rate of worm spread and the reaction time of the system to contain the outbreak. CAIDA, in collaboration with faculty in the UCSD Computer Science and Engineering Department, has performed some preliminary analysis of the reaction times necessary to stop the spread of a worm under optimal conditions. We'd like to expand this research to include realistic simulations of worm spread and containment. Specifically, we would like to explore the utility of firewall and router based methods of filtering to control the spread of the worm based on blackholing infected hosts or content signature blocking. Our preliminary results suggest that while deploying appropriate blocking technologies may be unable to contain the global spread of a worm, they may allow institutions using blocking technologies to protect themselves to a significant degree.
Key questions to be answered:
- Are there fundamental limits on controlling the spread of Internet worms (or other self-propagating code)?
- How effective are optimal reactive blocking strategies at controlling the spread?
- How well can we succeed if only a portion of ISPs participate? How protected are the participating ISPs versus the non-participating ISPs?
- Can we extend the use of backscatter techniques to more quickly detect attacks?
CAIDA has pioneered the use of large address space monitoring to track and understand global network security events such as global Denial-of-Service attacks and Internet worms. As part of this proposal, we wish to increase our ability to archive and analyze these forms of data. During the first two weeks of August, our monitoring of the spread of the CodeRed worm resulted in collection of half a gigabyte of compressed data per hour. We plan to develop more realtime techniques for detecting the onset of universal security threats and explore the extent to which distributed early detection systems could be globally deployed.
This project considers not just Internet worm detection, but also attempts to identify countermeasures to stop their spread. In particular, we hope to quantify the time in which a countermeasure must be deployed in order to effectively stop or slow DoS attacks.
We plan to:
- Institute worm data collection independent of denial-of-service attack tracking efforts.
- Develop automated means of data migration from monitor boxes to long-term storage, while preserving the accessibility and integrity of the data.
- Incorporate aggregation and pre-analysis of worm activity and other host probing.
- Extend backscatter techniques to improve their functionality.
- Simulate how filtering in the network can control the spread of worms.
- Investigate the effectiveness of prefix blocking and content blocking via access control lists at minimizing worm spread.
As a measurement focused research group, CAIDA is uniquely situated to monitor global security threats. We have a widely deployed monitoring infrastructure that is not tied to the development of security-related products and thus can be used to do independent operationally relevant research.
While several companies are developing products or services for preventing or blocking Denial-of-Service attacks (e.g. Asta, Arbor, Mazu, Reactive) and one has done a single study of CodeRed and Nimda propagation, commercial efforts have neither the resources nor the motivation to study the fundamental aspects of the feasibility of controlling Internet worm spread with any currently viable techniques.
Timelines for Funding and Research Completion
Funding begins 15 June 2002.
15 Aug 2002 Equipment Purchase and Deployment
15 Dec 2003 Development of automatic data collection for monitors
14 June 2003 Provide data to simulators for evaluating effectiveness of countermeasures
Any Required/Expected Research Cooperation with CiscoOnly as requested by Cisco personnel.
An undergraduate or graduate Computer Science student will be recruited to work on this project.
Other Current or Anticipated Matching Funds
This project will leverage research funded by DARPA NMS and CAIDA members.
Short Biographies of the Researchers
David Moore is a PI and Assistant Director of CAIDA (the Cooperative Association for Internet Data Analysis). His responsibilities include general management of a staff of 25 employees, including administrative and office staff, programmers, researchers, PhD's, and technical managers, as well as management and oversight of 3 NSF grants, a 2.4 million dollar DARPA grant, membership funds, and gift accounts.
David is also the lead technical manager at CAIDA. In this capacity, he has directed research efforts for passive management, including the CoralReef software suite , traffic workload characterization , Internet topology and performance , fragmented IP traffic , denial-of-service attack characterization , and DNS characterization. He also led the development of NetGeo , an automated tool that maps IP addresses, domain names, and Autonomous Systems (AS) numbers to geographic locations. He is a project collaborator for Walrus, a hyperbolic 3-D visualization tool for viewing large (on the order of one million nodes) directed graphs .
David's research interests are high speed network monitoring, denial-of-service attacks and infrastructure security, and Internet traffic characterization. His current research includes tracking and quantifying global DoS attacks using the backscatter analysis technique, developed with Geoff Voelker and Stefan Savage of UCSD. Most recently, David has been applying some of the same measurement techniques using large address spaces to monitor several of this summer's large worms: CodeRed v1 and v2 , CodeRed-II , and Nimda. He presented preliminary results on the control of Internet worms at the Ïnternet Under Crisis Conditions Workshop"  held by the Computer Science and Telecommunications Board of the National Academies of Science in March 2002.
David's work has also been featured with a cover photograph and story in Information Security Magazine (for work with Geoff Voelker and Stefan Savage), in Scientific American, and in numerous newspaper articles and television news programs. An animation of the spread of the CodeRed worm, developed by Jeff Brown and David Moore, appeared on CNN.
Dan Andersen has been a systems administrator for nine years. He currently remotely maintains and operates all of CAIDA's remote skitter monitor boxes and he is responsible for the collection of 1.5GB of data from 25 monitors every day. Dan was also responsible for collecting and archiving over 500GB of CodeRed data during August 2001. He studied computer science at the University of California, San Diego from 1989 until 1995. His experience includes support of 200 people and 50 unix machines in a development environment. He has extensive experience with FreeBSD, Linux, Solaris, SGI, DEC, Ultrix, and Windows operating systems. He has a strong network administration background, including configuration and support of routers and switches.
An undergraduate or graduate Computer Science student at the University of California, San Diego with requisite experience in computer networking and security will assist in the implementation of the monitoring infrastructure.
Names of Cisco Champions
Barry Raveendran Greene
Names and Address of the Relevant University Administrative Contact
SDSC Business Office 0505
La Jolla, CA 92093-0505
- David Moore, Geoffrey M. Voelker and Stefan Savage, CAIDA/UCSD, ``Inferring Internet Denial-of-Service Activity'', USENIX Security Symposium. Washington, D.C. Aug, 2001. http://www.caida.org/publications/papers/backscatter/index.xml
- David Moore, Colleen Shannon, Geoffrey M. Voelker and Stefan Savage, CAIDA/UCSD, ``Fundamental Limits on Blocking Self-Propagating Code'', Presentation at Internet Under Crisis Conditions Workshop, CSTB. Washington, D.C. Mar, 2002. http://www.caida.org/publications/presentations/crisis2002/
- Ken Keys, David Moore, Ryan Koga, Edouard Lagache, Michael Tesch, k claffy, CAIDA, ``The Architecture of the CoralReef Internet Traffic Monitoring Suite'', PAM 2001. Amsterdam, Netherlands. Apr, 2001. http://www.caida.org/publications/papers/pam2001/coralreef.xml
- C. Dovorolis, P. Ramanathan, D Moore, ``What do packet dispersion techniques measure?'', InfoCom 2001. Alaska. Jan, 2001. http://www.caida.org/publications/papers/consti.pdf
- B. Huffaker, M. Fomenkova, D. Moore, k claffy, CAIDA, ``Macroscopic analyses of the infrastructure: measurement and visualization of Internet connectivity and performance'', PAM 2001. Amsterdam, Netherlands. Apr, 2001. http://www.caida.org/publications/papers/pam2001/skitter.xml
- B. Huffaker, M. Fomenkova, D. Moore, E. Nemeth, k claffy, CAIDA, ``Measurements of the Internet topology in the Asia-Pacific Region'', Inet '00. Yokohama, Japan. Jul, 2000. http://www.caida.org/publications/papers/asia_paper/
- C. Shannon, D. Moore, k claffy, CAIDA, ``Characteristics of fragmented IP traffic on Internet links'', ACM SIGCOMM Internet Measurement Workshop. San Francisco. Nov, 2001.
- D. Moore, R. Periakaruppan, J. Donohoe, k claffy, CAIDA, ``Where in the world is netgeo.caida.org?, Inet '00. Yokohama, Japan. Jul, 2000. http://www.caida.org/publications/papers/inet_netgeo/
- David Moore, CAIDA, ``The Spread of the Code-Red Worm (CRv2)''. Jul, 2001. http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
- David Moore, Colleen Shannon, CAIDA, ``CAIDA Analysis of Code-Red''. Aug, 2001. http://www.caida.org/research/security/code-red/
- Colleen Shannon, David Moore, CAIDA, ``Code Red, the second coming - from whence diurnal cycles'', USENIX Security Symposium Work-In-Progress Session, Washington, D.C. Aug, 2001. http://www.caida.org/publications/presentations/usenix0108/wips/
File translated from TEX by TTH, version 2.92.
On 13 Sep 2002, 12:01.