CAIDA: Cooperative Association for Internet Data Analysis
Research - Security

Security research at CAIDA includes analysis of network-based attacks (e.g., denial-of-service attacks), data hosting and provision, and measurement and statistical analysis of the trends and impact that certain Internet worms and viruses have on the global network infrastructure. We hope to develop meaningful and up-to-date quantitative characterizations of attack activity and to produce fundamental insights into the nature of malicious behavior on the Internet and, consequently, the best directions for mitigating that behavior.

Ongoing Research

Malicious Activity Analysis

Type: Virus
Title: The Nyxem Email Virus: Analysis and Inferences
Date: February 11, 2006
Author(s): Moore, David; Shannon, Colleen

We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem/Blackworm virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software.
Type: Worm
Title: Spread of the Witty Worm
Date: March 25, 2004
Author(s): Shannon, Colleen; Moore, David
A joint effort of CAIDA and UC San Diego CSE

At 8:45:18pm PST on March 19, 2004, the UCSD network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds, and 160 at the end of 30 seconds. Witty infected only about a tenth as many hosts as the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. Witty was also the first widely propagated Internet worm to carry a destructive payload, and it represents the shortest known interval between vulnerability disclosure and worm release: it began to spread the day after the ISS vulnerability was publicized.
Type: DoS Attack
Title: SCO Offline from Denial-of-Service Attack
Date: December 11, 2003
Author(s): Moore, David; Shannon, Colleen

Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours.
Type: Worm
Title: Analysis of the Sapphire Worm
Date: January 31, 2003
Author(s): Moore, David; Paxson, Vern; Savage, Stefan; Shannon, Colleen; Staniford, Stuart; Weaver, Nicholas
A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE

The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes. The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.
Type: Worm
Title: CAIDA Analysis of Code-Red
Date: July 25, 2001
Author(s): Moore, David; Shannon, Colleen; Brown, Jeffery

On July 19, 2001, more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea, followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm. An animation of the geographic expansion of the worm is available.

Infrastructure

Datasets

CAIDA makes available a number of datasets for researchers who wish to study data collected at the UCSD Network Telescope.

Publications

Collaboration

Much of this work was done in collaboration with Geoff Voelker and Stefan Savage in the UCSD Department of Computer Science and Engineering. Feedback provided by members of Team Cymru has been invaluable to our security research program. CAIDA is a part of the San Diego Supercomputer Center on the campus of the University of California, San Diego.


Funding

Funding sources: NSF, DHS, Cisco Systems, Limelight Networks, Digital Envoy, DARPA, and CAIDA members.

  Last Modified: Mon Sep-24-2007 15:24:9 PDT
  Maintained by: Alex Ma
  Page URL: http://www.caida.org/research/security/index.xml