8th International Symposium on Recent Advances in Intrusion Detection (RAID 2005) September 7-9, 2005, Seattle, Washington. Supercedes Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-05-103, March 2005.
Cynthia Wong, Stan Bielski, Ahren Studer, Chenxi Wang
Dept. Electrical and Computer Engineering
Carnegie Mellon University
One class of worm defense techniques that received attention of late is to “rate limit” outbound traffic to contain fast spreading worms. Several proposals of rate limiting techniques have appeared in the literature, each with a different take on the impetus behind rate limiting. This paper presents an empirical analysis on different rate limiting schemes using real traffic and attack traces from a sizable network. In the analysis we isolate and investigate the impact of the critical parameters for each scheme and seek to understand how these parameters might be set in realistic network settings. Analysis shows that using DNS-based rate limiting has substantially lower error rates than schemes based on other traffic statistics. The empirical analysis additionally brings to light a number of issues with respect to rate limiting in practice. We explore the impact of these issues in the context of general worm containment.
KEYWORDS: Internet Worms, Network Security, Traffic Analysis, Worm Containment
FULL PAPER (conference version): pdf
FULL PAPER (TR): pdf