Defense and Detection Against Internet Worms

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review. Defense and Detection Strategies against Internet Worms author Jose Nazario pages 322 publisher Artech House rating 10 reviewer Duncan Lowne ISBN 1580535372 summary This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs is enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.

Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and prepartion for, future attacks.

The book begins with a discussion of the departure worms take from traditional computer virii. An outline of the benefits for the black-hat toward a worm-based attack, as well as a brief analysis of the threat model posed by worms, provide ample reason for the computer security professional to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces to the reader some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses on to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explaination of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation of the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks leads into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so-far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.

The final section of the book (ch. 12 - 16), per the book's namesake, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention simply to alert the reader of the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.

You can purchase Defense and Detection Strategies against Internet Worms from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

$85?

[herrvinny]

You mean I have to pay $85 to read about stuff we know already and learn about practices all smart admins should take? Forget it.

But seriously, all of know already what we SHOULD do, it's just that we don't do it. How many people regularly work on their computer using an admin-level account, doing stuff that doesn't require admin level access? Far too many people do this, even techies.

I do everyday work logged onto a Limited account on Win XP, although I admit, it's a real pain to have to login to the root account to download an ActiveX control, configure hardware, do Windows Update, norton antivirus update, etc. But I do because I know it's safer to only use an admin level account when that type of access is required.

How many people do that? How many techies do that? How many college students in some tech-illiterate college (ex Liberal arts type majors) do this? What we need isn't a book, it's a good kick in the pants to force us to adopt good safety measures.

What's the point ?

[Space+cowboy]

Anyone who is going to be interested enough to purchase this book is already outside the class of people who are likely to benefit from purchasing the book...

The vast majority of worms spread via unmaintained systems. There is the occasional (one comes to mind) worm that exploited a novel problem, but most worms exploit already-patched issues. The problem is "admins" not maintaining the security level of their systems.

Unless basic security levels are increased (home users on ADSL/Cable modems without firewalls spring to mind) then worms (nefarious or otherwise) are going to be a problem, and the good Doctor's book may well aid in tracking down the perpetrator, but sadly, there seem to be an inexhaustible supply of them :-(

Depressed.

Simon.

Re:What's the point ?

[minas-beede]

"The vast majority of worms spread via unmaintained systems."

You ask the right question: "What's the point?" and show that you indeed don't see the point.

Yes, the worms travel via insecure systems. It may be taken as a given that there are and always will be insecure systems. If the sole approach taken is "secure the systems" then the worm authors will always win - no effective countermeasures are being taken, will be taken. That is the point, IMHO.

The worms (including worms that create spam zombies) propagate by some form of abuse. The prevailing attitude, as you show, is "ignore the abuse." This book takes a different direction: "pay attention to the abuse." There's hope that if enough follow what this book recommends that the worm authors will be defeated.

Same with spam. I'd guess 99% of those reading this haven't a clue as to what a spammer relay test message looks like - yet those test messages underlie the sending of spam via open relays. Again, 99% know nothing about how spammers test for open proxies, yet that testing underlies sending of spam via open proxies. Usually one need look no further than one's own system to see how spammers test - but most don't see. They ignore the abuse, they say "the problem is insecure systems," they secure their systems, they do no more, the spam continues - and grows.

It makes very good sense to watch the abuse that underlies the offenses. It makes no sense at all to ignore it. It would take fewer than 1% of the operators on the internet watching the abuse to track it down and get the accounts used to send the abuse terminated. Continuing to blame "insecure systems" and to fail to act gives you what we have now: a wide-open opportunity for abuse.