Hiding Patterns in IP Address Allocation to Prevent the Rapid Spread of Internet Worms

Jedidiah Crandall
Security Lab Seminar
11/6/02


Despite the lack of accurate data, it is widely accepted that a worm can infect many hosts on the Internet more quickly by exploiting patterns in IP address allocation. This is most likely due to two factors: 1) IP addresses are allocated in contiguous blocks to reduce the size of distance vector routing tables, and 2) many of the hosts in a contiguous block of IP addresses are likely to be the same platform (e.g. several dozen Intel machines running RedHat 7.2 in a computer lab). This is why many successful Internet worms, such as Code Red [1], generate the IP addresses of the hosts they attempt to infect in a localized fashion.

The possible consequences of an Internet worm that infects hundreds of thousands of hosts warrant a major effort to prevent the spread of worms on the Internet [2]. Prior work against Internet worms includes the LaBrea software, which turns vacant IP addresses on a network into virtual computers that trap worms trying to connect to them [5]. We will propose a broader scheme to replace IPv6, which will hide the patterns in IP address allocation from the application and transport layers but make these patterns available to the routers at the network layer. The following issues will be addressed:

-- Any form of cryptography will impose a very significant processing-delay penalty, which will likely make our scheme infeasible for a datagram network. We will explore future directions of the Internet backbone, such as MPLS [4], to determine which of them works best with our scheme.

-- Some routing algorithms may work better with this scheme than others. We will explore these tradeoffs, because even if our scheme is not adopted on the Internet it might be useful in a virtual private network or a small, dedicated network.

-- We will develop a simple computer simulation to quantify the effect our scheme has on the spread of an Internet worm.

-- A worm has ways other than scanning the IP address space to find new hosts to infect [2] [3]. We will identify these in order to be objective about the impact our scheme will have in reducing the vulnerability of the Internet to a worm.

-- There might be legitimate reasons why the application and transport layers need access to patterns in the IP address space. We will try to identify these.


References
[1] Internet Security Systems. Resurgence of "Code Red" Worm Derivatives. 6 August 2001. Available: <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise90>

[2] S. Staniford, V. Paxson, N. Weaver. How to Own the Internet in Your Spare Time. 2002. To appear in the Proceedings of the 11th USENIX Security Symposium. Available: <http://citeseer.nj.nec.com/staniford02how.html>

[3] E. Spafford. The Internet Worm Program: An Analysis. 1988. Purdue Technical Report CSD-TR-823. Available: <http://citeseer.nj.nec.com/spafford88internet.html>

[4] International Engineering Consortium. Multiprotocol Label Switching (MPLS). 2002. Available: <http://www.iec.org/online/tutorials/mpls/>

[5] M. Delio. A 'Tarpit' That Traps Worms. 19 September 2001. Wired News. Available: <http://www.wired.com/news/technology/0,1282,46964,00.html>