Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > funding : cisco02security
(CiscoURB 2002) Advanced Techniques to Detect and Control Global Security Threats
Based on the success of last years URB project we would like to continue and extend our research and analysis of connectivity among autonomous systems. For 2003-2004 our research agenda would involve both analysis and visualization components. First, we would like to evaluate inter-AS connectivity based on prefixlevel granularity as well as AS granularity. We also want to develop a publically available set of tools for analyzing peering, transit, and customer relationships based on Cisco BGP output. Finally, our analysis groundwork renders us in a strong position to develop much more powerful visualization tools customized for BGP tables. Results of this research will offer not only novel and innovative visualization and mapping techniques, but also key data for any infrastructure protection center involved in warning, analysis, and coordinating emergency response to infrastructure threats. Both the PSIRT and CIAG groups within Cisco have expressed strong interest in continuation of this work and recommended the URB program as the most appropriate vehicle at this time.

Description of Research and Goals

In the last year, we've seen continued growth in the number of DoS attacks, and a number of highly publicized Internet worms. While some work has been done on methods of mitigating the effects of Denial-of-Service attacks, there is a little operationally relevant of research into how to control the spread of Internet worms.

In July of 2002, the CodeRed worm was able to infect 360,000 hosts in less than one day. Clearly, manual intervention is unable to counter an attack of this scale - 24 hours is insufficient time to propagate basic information about the attack, let alone begin actual prevention. In fact, CAIDA research has shown that the majority of machines were still vulnerable to the attack more than a week after the initial CodeRed outbreak. Therefore, any mechanism to control the spread of Internet worms must be automated if it is to have any chance of success. To design such a mechanism, we first must understand the basic relationship between the rate of worm spread and the reaction time of the system to contain the outbreak. CAIDA, in collaboration with faculty in the UCSD Computer Science and Engineering Department, has performed some preliminary analysis of the reaction times necessary to stop the spread of a worm under optimal conditions. We'd like to expand this research to include realistic simulations of worm spread and containment. Specifically, we would like to explore the utility of firewall and router based methods of filtering to control the spread of the worm based on blackholing infected hosts or content signature blocking. Our preliminary results suggest that while deploying appropriate blocking technologies may be unable to contain the global spread of a worm, they may allow institutions using blocking technologies to protect themselves to a significant degree.

Key questions to be answered:

  • Are there fundamental limits on controlling the spread of Internet worms (or other self-propagating code)?
  • How effective are optimal reactive blocking strategies at controlling the spread?
  • How well can we succeed if only a portion of ISPs participate? How protected are the participating ISPs versus the non-participating ISPs?
  • Can we extend the use of backscatter techniques to more quickly detect attacks?

CAIDA has pioneered the use of large address space monitoring to track and understand global network security events such as global Denial-of-Service attacks and Internet worms. As part of this proposal, we wish to increase our ability to archive and analyze these forms of data. During the first two weeks of August, our monitoring of the spread of the CodeRed worm resulted in collection of half a gigabyte of compressed data per hour. We plan to develop more realtime techniques for detecting the onset of universal security threats and explore the extent to which distributed early detection systems could be globally deployed.

This project considers not just Internet worm detection, but also attempts to identify countermeasures to stop their spread. In particular, we hope to quantify the time in which a countermeasure must be deployed in order to effectively stop or slow DoS attacks.

We plan to:

  • Institute worm data collection independent of denial-of-service attack tracking efforts.
  • Develop automated means of data migration from monitor boxes to long-term storage, while preserving the accessibility and integrity of the data.
  • Incorporate aggregation and pre-analysis of worm activity and other host probing.
  • Extend backscatter techniques to improve their functionality.
  • Simulate how filtering in the network can control the spread of worms.
  • Investigate the effectiveness of prefix blocking and content blocking via access control lists at minimizing worm spread.

As a measurement focused research group, CAIDA is uniquely situated to monitor global security threats. We have a widely deployed monitoring infrastructure that is not tied to the development of security-related products and thus can be used to do independent operationally relevant research.

While several companies are developing products or services for preventing or blocking Denial-of-Service attacks (e.g. Asta, Arbor, Mazu, Reactive) and one has done a single study of CodeRed and Nimda propagation, commercial efforts have neither the resources nor the motivation to study the fundamental aspects of the feasibility of controlling Internet worm spread with any currently viable techniques.

Timelines for Funding and Research Completion

Funding begins 15 June 2002.

Research Milestones

15 Aug 2002 Equipment Purchase and Deployment

15 Dec 2003 Development of automatic data collection for monitors

14 June 2003 Provide data to simulators for evaluating effectiveness of countermeasures

Any Required/Expected Research Cooperation with Cisco

Only as requested by Cisco personnel.

Support Requirements

Total Budget: $100,000

Duration: June 15, 2002 - June 14, 2003


SampleSampleSampleSampleSampleSample ¯ linelinelinelinelinelinelineline ¯ $21,762.17 David Moore, P.I.  15% time for 12 months:  $21,762.17

Dan Andersen, Systems Administrator  5% time for 12 months:  $6,011.74

Student  50% time for 9 months:  $14,837.09

Subtotal: $42,611

Research Equipment

SampleSampleSampleSampleSampleSampleSampleSample ¯ linelineline 1.1 TB raid  $31,966

1.1 TB raid5 with an AMI Raid controller, 2 1GHz P-III processors. Server will be used for storage of raw trace data and aggregated data for tracking Internet worms and other security threats. Server will also be used to perform aggregation, analysis, and report generation for these data sets.

SampleSampleSampleSampleSampleSampleSampleSample ¯ linelineline Cisco OC12 line card (LC-1OC12/ATM-MM) $25,423

In order to collect baseline statistics necessary to understand these security events, CAIDA monitors all in- and out-bound traffic at the University of California, San Diego. In order to combine the data from all of the access links onto a single Gigabit Ethernet link, CAIDA currently uses a Cisco 12008 with a 4xOC3 ATM line card, an OC12 ATM card, an OC12 POS card, a GigE card, and 2 OC48 POS line cards. However, an additional OC12 ATM card is necessary to cover all ingress and egress points.
Subtotal: $57,389

Students Involved

An undergraduate or graduate Computer Science student will be recruited to work on this project.

Other Current or Anticipated Matching Funds

This project will leverage research funded by DARPA NMS and CAIDA members.

Short Biographies of the Researchers

David Moore

David Moore is a PI and Assistant Director of CAIDA (the Cooperative Association for Internet Data Analysis). His responsibilities include general management of a staff of 25 employees, including administrative and office staff, programmers, researchers, PhD's, and technical managers, as well as management and oversight of 3 NSF grants, a 2.4 million dollar DARPA grant, membership funds, and gift accounts.

David is also the lead technical manager at CAIDA. In this capacity, he has directed research efforts for passive management, including the CoralReef software suite [3], traffic workload characterization [4], Internet topology and performance [5][6], fragmented IP traffic [7], denial-of-service attack characterization [1], and DNS characterization. He also led the development of NetGeo [8], an automated tool that maps IP addresses, domain names, and Autonomous Systems (AS) numbers to geographic locations. He is a project collaborator for Walrus, a hyperbolic 3-D visualization tool for viewing large (on the order of one million nodes) directed graphs [7].

David's research interests are high speed network monitoring, denial-of-service attacks and infrastructure security, and Internet traffic characterization. His current research includes tracking and quantifying global DoS attacks using the backscatter analysis technique, developed with Geoff Voelker and Stefan Savage of UCSD. Most recently, David has been applying some of the same measurement techniques using large address spaces to monitor several of this summer's large worms: CodeRed v1 and v2 [9], CodeRed-II [10][11], and Nimda. He presented preliminary results on the control of Internet worms at the Ïnternet Under Crisis Conditions Workshop" [2] held by the Computer Science and Telecommunications Board of the National Academies of Science in March 2002.

David's work has also been featured with a cover photograph and story in Information Security Magazine (for work with Geoff Voelker and Stefan Savage), in Scientific American, and in numerous newspaper articles and television news programs. An animation of the spread of the CodeRed worm, developed by Jeff Brown and David Moore, appeared on CNN.

Dan Andersen

Dan Andersen has been a systems administrator for nine years. He currently remotely maintains and operates all of CAIDA's remote skitter monitor boxes and he is responsible for the collection of 1.5GB of data from 25 monitors every day. Dan was also responsible for collecting and archiving over 500GB of CodeRed data during August 2001. He studied computer science at the University of California, San Diego from 1989 until 1995. His experience includes support of 200 people and 50 unix machines in a development environment. He has extensive experience with FreeBSD, Linux, Solaris, SGI, DEC, Ultrix, and Windows operating systems. He has a strong network administration background, including configuration and support of routers and switches.


An undergraduate or graduate Computer Science student at the University of California, San Diego with requisite experience in computer networking and security will assist in the implementation of the monitoring infrastructure.

Names of Cisco Champions

Barry Raveendran Greene

Barb Fraser

Names and Address of the Relevant University Administrative Contact

Shanley Miller

SDSC Business Office 0505

La Jolla, CA 92093-0505



David Moore, Geoffrey M. Voelker and Stefan Savage, CAIDA/UCSD, ``Inferring Internet Denial-of-Service Activity'', USENIX Security Symposium. Washington, D.C. Aug, 2001.
David Moore, Colleen Shannon, Geoffrey M. Voelker and Stefan Savage, CAIDA/UCSD, ``Fundamental Limits on Blocking Self-Propagating Code'', Presentation at Internet Under Crisis Conditions Workshop, CSTB. Washington, D.C. Mar, 2002.
Ken Keys, David Moore, Ryan Koga, Edouard Lagache, Michael Tesch, k claffy, CAIDA, ``The Architecture of the CoralReef Internet Traffic Monitoring Suite'', PAM 2001. Amsterdam, Netherlands. Apr, 2001.
C. Dovorolis, P. Ramanathan, D Moore, ``What do packet dispersion techniques measure?'', InfoCom 2001. Alaska. Jan, 2001.
B. Huffaker, M. Fomenkova, D. Moore, k claffy, CAIDA, ``Macroscopic analyses of the infrastructure: measurement and visualization of Internet connectivity and performance'', PAM 2001. Amsterdam, Netherlands. Apr, 2001.
B. Huffaker, M. Fomenkova, D. Moore, E. Nemeth, k claffy, CAIDA, ``Measurements of the Internet topology in the Asia-Pacific Region'', Inet '00. Yokohama, Japan. Jul, 2000.
C. Shannon, D. Moore, k claffy, CAIDA, ``Characteristics of fragmented IP traffic on Internet links'', ACM SIGCOMM Internet Measurement Workshop. San Francisco. Nov, 2001.
D. Moore, R. Periakaruppan, J. Donohoe, k claffy, CAIDA, ``Where in the world is, Inet '00. Yokohama, Japan. Jul, 2000.
David Moore, CAIDA, ``The Spread of the Code-Red Worm (CRv2)''. Jul, 2001.
David Moore, Colleen Shannon, CAIDA, ``CAIDA Analysis of Code-Red''. Aug, 2001.
Colleen Shannon, David Moore, CAIDA, ``Code Red, the second coming - from whence diurnal cycles'', USENIX Security Symposium Work-In-Progress Session, Washington, D.C. Aug, 2001.

File translated from TEX by TTH, version 2.92.
On 13 Sep 2002, 12:01.

  Last Modified: Mon Feb-12-2007 11:20:01 PST
  Page URL: