Boffins tackle random scanning worms

Internet worms scan the internet randomly looking for vulnerable hosts to infect

Scientists may have found a new way to combat random scanning internet worms such as the notorious Code Red and SQL Slammer infections.

Ness Shroff and his colleagues at Ohio State University claim to have discovered how to contain virulent worms that scan the internet randomly looking for vulnerable hosts to infect.

Code Red caused an estimated $2.6bn in lost productivity to businesses worldwide in 2001, blocking network traffic to important physical facilities such as subway stations and emergency call centres.

"Code Red infected more than 350,000 machines in less than 14 hours. We wanted to find a way to catch infections in their earliest stages before they get that far," Shroff said.

The key to containing the threat of random scanning worms lies in developing software to monitor the number of scans that machines on a network send out.

When a machine starts sending out too many scans - a sign that it has been infected - administrators should take it offline and check it for viruses.

"The difficulty was figuring out how many scans were too many, and how many you could allow before an infection would spread wildly," said Shroff.

"You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic.

"It turns out that you can allow quite a large number of scans, and you'll still catch the worm."

Shroff was working at Purdue University in 2006 when doctoral student Sarah Sellke suggested making a mathematical model of the early stages of worm growth.

With Saurabh Bagchi, assistant professor of electrical and computer engineering at Purdue, they developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken offline.

In simulations, they pitted their model against Code Red and SQL Slammer. They simulated how far the virus would spread, depending on how many networks on the internet were using the same containment strategy, i.e. quarantine any machine that sends out more than 10,000 scans.

They chose 10,000 because it is well above the number of scans that a typical computer network would send out in a month.

"An infected machine would reach this value very quickly, while a regular machine would not," Shroff explained. "A worm has to hit so many IP addresses so quickly in order to survive."

In the simulations pitted against Code Red, they were able to prevent the spread of the infection to less than 150 hosts on the whole internet 95 per cent of the time.

To use this strategy, network administrators would have to install software to monitor the number of scans on their networks, and would have to allow for some downtime among computers when they initiate a quarantine.

"Unfortunately there is no complete foolproof solution," Shroff said. "You just keep trying to come up with techniques that limit a virus's ability to do harm."