

Defense and Detection Against Internet Worms

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review.

Defense and Detection Strategies against Internet Worms
author: Jose Nazario
pages: 322
publisher: Artech House
rating: 10
reviewer: Duncan Lowne
ISBN: 1580535372
summary: This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and of completely new designs are enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.

Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and preparation for, future attacks.

The book begins with a discussion of how worms depart from traditional computer viruses. An outline of the benefits a worm-based attack offers the black hat, together with a brief analysis of the threat model worms pose, provides ample reason for the computer security professional to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces the reader to background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rate, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between a worm's propagation techniques and the progression of its lifecycle.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement the section's closing analysis of, and speculation about, the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks lead into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.
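The scan-detection and dark-network monitoring ideas summarized above can be illustrated with a small script. This is an added example, not code from the book or from Dr. Nazario; it assumes a constructed, syslog-like record format (timestamp, source, destination, destination port, protocol) as a dark-network monitor or firewall might log it, and the sample lines are invented for the illustration. The point it makes is the one a practitioner cares about: a worm's scan engine shows up as one source touching many distinct unused addresses on a single port, so the detector counts distinct destinations per (source, port, protocol) rather than raw packet volume.

```python
"""Worm-scan detection over constructed dark-network monitor log lines.

Added example (not from the reviewed book). The log format below is an
assumption made for this illustration: "<timestamp> <src> <dst> <dport> <proto>".
"""
import re
from collections import defaultdict

# Constructed sample: traffic seen by a monitor for an unused ("dark")
# address range, 192.0.2.0/24. Nothing legitimate should ever arrive there,
# and a source sweeping many dark addresses on one port is scanning.
SAMPLE_LOG = """\
2003-11-13T10:00:01 10.1.1.5 192.0.2.7 445 tcp
2003-11-13T10:00:01 10.1.1.5 192.0.2.8 445 tcp
2003-11-13T10:00:02 10.1.1.5 192.0.2.9 445 tcp
2003-11-13T10:00:02 10.1.1.5 192.0.2.10 445 tcp
2003-11-13T10:00:03 10.1.1.5 192.0.2.11 445 tcp
2003-11-13T10:00:03 10.1.1.5 192.0.2.12 445 tcp
2003-11-13T10:00:04 10.1.1.5 192.0.2.13 445 tcp
2003-11-13T10:00:05 10.1.1.5 192.0.2.14 445 tcp
2003-11-13T10:00:06 10.1.1.9 192.0.2.7 80 tcp
2003-11-13T10:00:07 10.1.1.9 192.0.2.7 80 tcp
2003-11-13T10:00:08 10.1.1.20 192.0.2.30 1434 udp
2003-11-13T10:00:08 10.1.1.20 192.0.2.31 1434 udp
2003-11-13T10:00:08 10.1.1.20 192.0.2.32 1434 udp
2003-11-13T10:00:09 10.1.1.20 192.0.2.33 1434 udp
2003-11-13T10:00:09 10.1.1.20 192.0.2.34 1434 udp
2003-11-13T10:00:09 10.1.1.20 192.0.2.35 1434 udp
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_log(text):
    """Yield (ts, src, dst, dport, proto) tuples; drop lines that don't match.

    A detector fed by real monitors sees truncated and garbled lines, so
    parsing is strict and unparseable input is skipped rather than guessed at.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def detect_scanners(records, min_targets=5):
    """Return {(src, dport, proto): distinct_dark_dst_count} for every
    (source, port, protocol) that touched at least min_targets distinct
    dark addresses.

    Distinct destinations, not packet counts, are what separate a scanning
    worm from a host that keeps retrying a single misconfigured connection
    (10.1.1.9 in the sample hits one address twice and is not reported).
    """
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in records:
        targets[(src, dport, proto)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def alerts(text, min_targets=5):
    """Human-readable alert lines, sorted by distinct-target count descending."""
    hits = detect_scanners(parse_log(text), min_targets)
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"SCAN src={src} dport={dport}/{proto} distinct_dark_targets={n}"
        for (src, dport, proto), n in ordered
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Running the script prints one alert each for 10.1.1.5 (eight distinct targets on 445/tcp) and 10.1.1.20 (six on 1434/udp); the threshold of five distinct dark addresses is an arbitrary starting point and should be tuned to the size of the monitored dark range and the false-positive rate observed.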

The final section of the book (ch. 12 - 16), as its title promises, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps that anyone reading the book ought to have implemented already (firewalls, virus detection software, sandboxing, and patching, patching, patching), the section progresses to less widely used but equally important proxy-based defense methods, and continues on to cover slowing infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention, simply to alert the reader to the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the one network security issue that consistently makes headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.



  1. I can't by Pingular · · Score: -1, Offtopic

    comment on the book being reviewed because I haven't read it, but I know you can't go far wrong with
    Inoculate your network against the viruses, worms, and Trojans of today -and tomorrow.
    Virus writers are becoming craftier and more numerous every year, resulting in huge losses-in revenue, data, productivity, and reputation-for companies and organizations around the world. Going beyond the partial xes of today's off-the-shelf security solutions, this book delivers the hands-on strategies and tactics you need to foil malicious code-and protect the integrity of your network. Drawing on his day-to-day networking experience, security expert Douglas Schweitzer describes the threats-both current and projected-and offers detailed, practical advice for securing BIOS, boot sequences, e-mail, instant messaging, Web servers, and more. It's all you need to lock out viruses-and lock down security for your network.
    You'll learn how to:
    * Understand the threat virus writers and hackers pose
    * Get a handle on various types of malicious code
    * Protect BIOS, booting, le systems, memory, and other basics
    * Secure e-mail, browsers, and le sharing
    * Eliminate virus threats to instant messaging
    * Mobilize staff against the threat of viruses and social engineering
    * Strengthen rewalls, intrusion detection, and data recovery
    * Defend against server-side exploits
    * Prepare for cyberterrorism and the viruses of the future
    The companion Web site contains multiple links to security software solutions.

    A must for anyone with a small to medium sized network who wants to get caught up with the latest in network security.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:I can't by dubdays · · Score: -1, Offtopic

      That's the biggest damn link I've ever seen. I guess my Firebird browser must be worm-infested.

    2. Re:I can't by Mista+LovaLova · · Score: -1, Offtopic

      le systems??? le sharing??? WTF? I haven't heard of those. Does anyone know what a LE system is, much less LE sharing? :D

  2. INTERNET FISH ON TEH SPOKE!!!~`1 by Anonymous Coward · · Score: -1, Offtopic
  3. Re:First case of homosexual necrophilia in the fro by dubdays · · Score: -1, Offtopic

    Very good, troll...I think you've actually succeeded in parsing a few of my brain cells for reading that. Well done.

  4. defense against trouser worms by Horny+Smurf · · Score: -1, Offtopic
    Detection: Is that a tic-tac in your pocket, or are you happy to see me?

    Defense: Chastity belt!

  5. BEHOLD THE GLORY OF SIR HAX by Anonymous Coward · · Score: -1, Offtopic

    yet ANOTHER WINNING POST from Sir Haxalot

    Is the IP ban still in place?

  6. Re:Chapter One, Page Two. by Paladin_Krone · · Score: 0, Offtopic

    "Note: RMA the cdrom drive that linux "destroyed" since it was a problem with the drive not being up to standard."

  7. Reason wins over Christian fanaticism by Anonymous Coward · · Score: -1, Offtopic
    Alabama's nine-member Court of the Judiciary removed Roy Moore from his position as chief justice today for defiance of a federal judge's order to move his Ten Commandments monument from the rotunda of the state courthouse.

    With a unanimous vote, the panel concluded Moore violated judicial ethical standards and removed him halfway through his six-year elected term.

    "This court hereby orders that Roy S. Moore be removed from his position as chief justice of the Supreme Court of Alabama," said Presiding Judge William Thompson. "The chief justice showed no signs of contrition for his actions."

    --

    Good riddance. The last thing this country needs is a fucking Christian radical judge - although GWB and his henchmen would probably love it.

    1. Re:Reason wins over Christian fanaticism by Anonymous Coward · · Score: -1, Offtopic

      While I know the judge wanted the Ten Commandments displayed, there is a possibly legitimate reason of having them in a courthouse. If you think about it, the Ten Commandments were an early code of laws. Some of the laws were of a religious nature, simply because religion played a different role in the lives of people then, than it does now. But it's still a code of laws, and can be interpreted as a symbol of history and law, or a symbol of religion. You know, nobody would care if it was Hammurabi's code being displayed instead of the Ten Commandments. People would see a historical value, but it's also there in the Ten Commandments.

      Again, I know, this judge had it displayed because of its religious nature. I just hope my point is taken about it doesn't have to be viewed as a religious symbol.

  8. Defense and Detection Against: +1, Patriotic by Anonymous Coward · · Score: -1, Offtopic

    Against Despots - The
    Cheney-Rumsfeld Regime ?

    Patriotically yours,
    Kilgore Trout

  9. Re:props to Dr. Nazario by holzp · · Score: 0, Offtopic

    Indeed, I once found myself needing to get something done that I could not do myself, and Dr. Nazario was kind enough to help me out of a pinch. A good fella.