IMC '05, 2005 Internet Measurement Conference Abstract
Pp. 351364 of the Proceedings
Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event
Abhishek Kumar, Georgia Institute of Technology; Vern Paxson and Nicholas Weaver, ICSI
Abstract
Network ``telescopes'' that record packets sent to
unused blocks of Internet address space have emerged as an important
tool for observing Internet-scale events such as the spread of worms and
the backscatter from flooding attacks that use spoofed source addresses.
Current telescope analyses produce detailed tabulations of packet rates,
victim population, and evolution over time. While such cataloging is a
crucial first step in studying the telescope observations,
incorporating an understanding of the underlying processes generating
the observations allows us to construct detailed inferences about the
broader ``universe'' in which the Internet-scale activity occurs,
greatly enriching and deepening the analysis in the process.
In this work we apply such an analysis to the
propagation of the Witty worm, a malicious and well-engineered
worm that when released in March 2004 infected more than 12,000 hosts
worldwide in 75 minutes. We show that by carefully exploiting the
structure of the worm, especially its pseudo-random number generation,
from limited and imperfect telescope data we can with high fidelity:
extract the individual rate at which each infectee injected packets into
the network prior to loss; correct distortions in the telescope
data due to the worm's volume overwhelming the monitor; reveal the
worm's inability to fully reach all of its potential victims; determine
the number of disks attached to each infected machine; compute when each
infectee was last booted, to sub-second accuracy; explore the ``who
infected whom'' infection tree; uncover that the worm specifically
targeted hosts at a US military base; and pinpoint Patient Zero,
the initial point of infection, i.e., the IP address of the system the
attacker used to unleash Witty.
- View the full text of this paper in HTML and PDF.
The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
|