DOI: 10.1145/1103626.1103633

Defending against hitlist worms using network address space randomization

Published: 11 November 2005

ABSTRACT

Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. This paper examines a new proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. NASR limits or slows down hitlist worms and forces them to exhibit features that make them easier to contain at the perimeter. We explore the design space for NASR and present a prototype implementation as well as preliminary experiments examining the effectiveness and limitations of the approach.
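The staleness argument in the abstract can be illustrated with a small simulation. The following is an added example, not the paper's prototype or the authors' code; it assumes a constructed model in which hosts draw distinct addresses from a pool, an attacker records the addresses of vulnerable hosts at time 0, and each host re-draws its address with probability 1/rotation_period per time step. It classifies every hitlist entry at launch time as still hitting a vulnerable host, reaching a non-vulnerable host, or reaching an unassigned address (a failed connection, which is exactly the scanning-like behaviour that perimeter defenses can pick up).

```python
# Added illustration, not the paper's prototype: a toy model of a hitlist worm
# launched against a network with and without address randomization (NASR).
# Constructed model: n_hosts hosts hold distinct addresses from a pool of
# pool_size; hosts 0..n_vulnerable-1 are vulnerable. The attacker records the
# vulnerable addresses at time 0 (the hitlist) and launches after `delay`
# steps. With NASR each host re-draws its address every step with probability
# 1/rotation_period; rotation_period=None models a network without NASR.
import random
from collections import Counter


def simulate(n_hosts, n_vulnerable, pool_size, delay, rotation_period=None, seed=1):
    rng = random.Random(seed)
    addrs = rng.sample(range(pool_size), n_hosts)     # host id -> current address
    vulnerable = set(range(n_vulnerable))
    hitlist = [addrs[h] for h in sorted(vulnerable)]  # precomputed by the attacker
    if rotation_period is not None:
        used = set(addrs)
        for _ in range(delay):
            for h in range(n_hosts):
                if rng.random() < 1.0 / rotation_period:
                    new = rng.randrange(pool_size)
                    while new in used:                # addresses stay unique
                        new = rng.randrange(pool_size)
                    used.remove(addrs[h])
                    used.add(new)
                    addrs[h] = new
    owner = {a: h for h, a in enumerate(addrs)}       # current address -> host
    outcome = Counter(infected=0, wasted=0, unreachable=0)
    for a in hitlist:
        h = owner.get(a)
        if h is None:
            outcome["unreachable"] += 1   # nobody answers: looks like a failed scan
        elif h in vulnerable:
            outcome["infected"] += 1      # hitlist entry still accurate
        else:
            outcome["wasted"] += 1        # address reassigned to a non-vulnerable host
    return dict(outcome)


def hit_rate(outcome):
    """Fraction of hitlist entries that still reach a vulnerable host."""
    return outcome["infected"] / sum(outcome.values())


if __name__ == "__main__":
    for period in (None, 50, 5):
        r = simulate(200, 50, 100_000, delay=20, rotation_period=period)
        print(f"rotation_period={period}: {r}, hit rate {hit_rate(r):.2f}")
```

Shortening the rotation period relative to the attacker's delay drives the hit rate down and turns most hitlist entries into failed connections, which is the effect the abstract describes.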


Published in

WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode
November 2005, 94 pages
ISBN: 1595932291
DOI: 10.1145/1103626
Copyright © 2005 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

        Publication History

        • Published: 11 November 2005

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • Article

        Upcoming Conference

        CCS '24
        ACM SIGSAC Conference on Computer and Communications Security
        October 14 - 18, 2024
        Salt Lake City , UT , USA

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader