How to 0wn the Internet in Your Spare Time
Stuart Staniford, Vern Paxson, Nicholas Weaver
http://www.icir.org/vern/papers/cdc-usenix-sec02/cdc.pdf
Proceedings of the 11th USENIX Security Symposium (Security '02)

Summary:

The authors analyze the ability of a user or an organization to launch viruses and gain control over millions of Internet hosts. They base their analysis on a mathematical model derived from empirical data and show how the spread of Internet viruses can be approximated by a logistic equation, which governs the rate of growth of epidemics in finite systems. The logistic equation is characterized by an initial exponential growth, followed by a sharp decrease in new infections after a certain amount of time, with a very long tail of sporadic low-intensity outbreaks.

In addition to analyzing the mechanisms of worm infection, the authors describe four new techniques for creating more virulent worms, viz., hit list scanning, permutation scanning, Warhol worms and flash worms. In hit list (HL) scanning, the worms spread by probing and infecting machines that are already known to be vulnerable, based on pre-compiled lists of potential victims. Permutation scanning tries to increase the efficiency of scanning by reducing the number of redundant scans per machine. The Warhol worm is a combination of HL and permutation worms. A flash worm uses HL scanning with the added benefit of using high-bandwidth links to gain initial knowledge of vulnerable sites and thereby infect a large number of servers in a very small amount of time. A limitation of some of these techniques seems to be the need to store and send out large blocks of addresses along with the worm.

While commenting on the lack of effective countermeasures for these new modes of infection, the authors also discuss a new class of worms called surreptitious worms. These worms spread along normal channels of communication, during the course of legitimate requests and replies between Internet clients and servers. This mechanism of infection seems to be tailor-made for P2P networks. The authors also discuss how techniques like distributing control and programmatic updates can, respectively, overcome limitations of worms that are launched and controlled by a central entity, or allow worms to mutate and become more malicious.

Finally, the authors make a strong case for the need to establish a CDC for Internet worm control modeled to combat the scourge of Internet worms and viruses, and come up with a partial list of tasks for the Center.

DISCUSSION:

The paper is not clear about why the authors are doing the modeling and analysis. Are they trying to answer the question "Can worms be detected by traffic analysis?" Why can't these virus infection techniques be used to propagate "anti-viruses"? Why can't you use a worm to fight a worm? Seems to me that virus infection rate is directly dependent on the ability to scan and detect vulnerabilities on Internet hosts. Why not focus on how to prevent scanning? What are the difficulties?

CONS (Contributed by Erin Wolf)

I felt the first part of the paper, the modelings, were very simplistic. They also seemed designed to scare you into agreeing with them. I thought they neglected to take into consideration increased awareness and more systems being patched. Also, looking at their data, I am not convinced that the problem got worse and worse with each but. Their data seemed perhaps to be a bit off, or skewed to convince you to agree with them. Their CDC analog seemed like a good idea, but obviously not fleshed out enough. Also, they didn't really research anything new, just analyzed some data and suggested their solution.

VOTING:

Reject -4
Accept -6
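
The logistic growth described in the summary can be made concrete with a small model. This is an added example, not code from the paper or from this review: it assumes the standard logistic form da/dt = K·a·(1 − a), and the symbols a, K, T, the population size and the hourly counts are all constructed for illustration. It shows how a responder could fit the curve to early infection counts and estimate how much time remains before saturation.

```python
import math

def logistic(t, K, T):
    """Closed form a(t) = 1 / (1 + e^{-K(t-T)}): fraction of vulnerable hosts
    infected at hour t. K is the growth rate, T the hour at which a = 0.5."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))

def simulate(a0, K, hours, dt=0.01):
    """Integrate da/dt = K*a*(1-a) with RK4 from fraction a0; returns final a."""
    f = lambda a: K * a * (1.0 - a)
    a = a0
    for _ in range(round(hours / dt)):
        k1 = f(a)
        k2 = f(a + dt * k1 / 2)
        k3 = f(a + dt * k2 / 2)
        k4 = f(a + dt * k3)
        a += dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6
    return a

def fit(samples):
    """Least-squares fit of logit(a) = K*(t - T) to (hour, fraction) samples.
    The logit transform turns the logistic curve into a straight line."""
    pts = [(t, math.log(a / (1 - a))) for t, a in samples if 0 < a < 1]
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    K = sum((t - mt) * (y - my) for t, y in pts) / sum((t - mt) ** 2 for t, _ in pts)
    return K, mt - my / K          # (K, T)

def hours_until(frac, K, T):
    """Hour at which the infected fraction reaches `frac` under the fitted model."""
    return T + math.log(frac / (1 - frac)) / K

# Constructed telemetry: infected-host counts seen at hours 7..11 of an outbreak
# in a hypothetical vulnerable population of 360,000 hosts (not measured data).
POPULATION = 360_000
OBSERVED = [(7, 44), (8, 269), (9, 1619), (10, 9575), (11, 51070)]

def estimate(observed=OBSERVED, population=POPULATION):
    """Fit K and T from early counts; report when 50% and 90% would be reached."""
    K, T = fit([(t, n / population) for t, n in observed])
    return {"K": K, "T": T, "t50": hours_until(0.5, K, T), "t90": hours_until(0.9, K, T)}

if __name__ == "__main__":
    print(estimate())
```

With only 14% of hosts infected at the last sample, the fit already places the 90% mark about two hours later, which is the sharp knee the summary describes.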