Slashdot Mirror


Defense and Detection Against Internet Worms

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review.

Defense and Detection Strategies against Internet Worms
Author: Jose Nazario
Pages: 322
Publisher: Artech House
Rating: 10
Reviewer: Duncan Lowne
ISBN: 1580535372
Summary: This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs are enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.

Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and preparation for, future attacks.

The book begins with a discussion of the departure worms take from traditional computer viruses. An outline of the benefits a worm-based attack offers the black hat, together with a brief analysis of the threat model posed by worms, provides ample reason for the computer security professional to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces the reader to some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses on to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation on the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks lead into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.

The final section of the book (ch. 12 - 16), as the book's title promises, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention, simply to alert the reader to the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.

You can purchase Defense and Detection Strategies against Internet Worms from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

9 of 142 comments

  1. First case of homosexual necrophilia in the frog by frogsarefriendly (Score: -1, Troll)

    On 5 June 1995 an adult male frog collided with the facade of CmdrTaco's ass and died. Another frog raped the corpse almost continuously for 75 minutes. Then the author disturbed the scene and secured the dead frog. Dissection showed that the rape victim indeed was of the male sex. It is concluded that the frogs were engaged in an 'Attempted Rape Flight' that resulted in the first described case of homosexual necrophilia in the frog.

  2. MY GREASED YODA DOLL USES INTERNET WORMS.. by Anonymous Coward (Score: -1, Troll)

    to catch internet fish!

    it's "the good grease".

  3. Re:same price and free shipping by Anonymous Coward (Score: -1, Troll)

    And I'm sure KIA/Saturn/other plastic car brand is worth what you pay for. Let me guess, you're just thrilled that your car is so "reliable". "Wow, it runs!" What a great car!

  4. Open Source vs. Worms by Anonymous Coward (Score: -1, Troll)

    It was dark in the Holland, Michigan office nestled deep within Slashdot's Geek Compound. Shifting and moaning, ESR lay sprawled over his filthy desk. Dried spittle stuck several Post-It notes to his cheek. His PC, running Linux, silently printed swap error after swap error to the screen, lighting ESR's sickly form. As he burped several times he attempted to recall the night before that had led to this stupor. Holding his head in his hands, he was interrupted by lights and doors slamming-- someone was in the office!

    As Rob "CmdrTaco" Malda walked past ESR, he noticed the several empty bottles of Jägermeister and what appeared to be fecal stains on the floor and walls surrounding the recovering ESR-- nothing new. He also noticed some semen bubbling in the cracks of ESR's chafed lips.

    "Another all-night office orgy, Eric?" Rob asked coyly.

    Tilting his head gingerly toward Rob and raising his eyebrows slowly, ESR spoke softly. "Oh shit. Is that what happened last night? I believe I blacked out at some point-- I can't remember anything. Who was here last night?"

    "Well, CowboyNeil got there a little late last night, but he said that by the time he got there that Alan, Emad, Jamie, Michael, and Signal 11 were already pretty drunk," Rob said just a little too loudly for ESR's tender head.

    Closing and opening his eyes gently, ESR muttered to himself about having not invited Signal 11. He also started sniffing the air and licking his lips. "I can smell dried feces on a dick a mile away. Just where were you last night, Robbie? You get a piece of ass last night and decide to ditch my party?"

    "What's it to you? Your breath smells like semen and you don't hear me asking whose it is," Malda shot back.

    ESR smiled and swiveled with a gleam in his eyes. "Ah, but you see, this is my own sperm!"

    "And it must taste specfuckingtacular!" Rob shot back.

    Eric interjected before Rob could go on. "Ah yes. You see, I like to add a shot of Jäger to it to give it a little kick."

    "No," Rob replied with anger rising in his voice, "you fucking raging alcoholic. Your semen tastes like unchanged 15,000 mile-old motor oil. I think you may have ruptured both of your testicles and now your colon is shooting diarrhea out of your cock-hole."

    "What!? You little fudge-packing piece of shit!" ESR threatened, "Ditch one of my office parties because Hemos calls up and says he's lonely, will you? I bet that's what happened. Well, guess who I'll be recommending we lay off at the next LNUX board meeting? How do you like that, Taco?"

    "Whatever, Eric. You don't scare anyone except your parents," Rob said as he stormed out of ESR's office, his green plaid flannel whipping in the wake behind him. "You would be nothing without Slashdot."

    ESR stammered and shook. Ever since the LNUX stock had plummeted, things were so tense around the office. Relations were falling apart between him and the Slashdot admins. Last night, Michael and Jamie had pounded each other exclusively, ignoring ESR's crooked, erect penis, and Eric had to convince Emad and Alan to restrain CowboyNeil before he could engage in homosexual intercourse with him.

    With a flick of his wrist, ESR popped a dozen extra-strength Bayers down his stinking gullet and washed them down with some Jäger from the bottle he had woken up holding. Depressed, aching, and on the verge of vomiting up the entirety of last night's semen binge, ESR cried silently and went back to sleep at his desk, ignoring the pile of work that sullied the landscape of his desktop.

    Clapping twice to darken his office, ESR curled into fetal position as best he could and rested, preparing to do it all over again later that night.

  5. Defenses against worms: by Gago (Score: -1, Troll)

    A good defense would be for Microsoft to set non-absurd default settings on its products. How many ports are open by default on Windows, versus Mac OS X?

    Even though worms are likely to target the mainstream OS, they can only do actual damage in an OS where foreign executable code is executed by default, and where most people log on with administration privilege.

    Making Linux the standard desktop OS would almost definitely solve the problem. When I think of it, it is amazing how many science-fiction films and books rely on the concept of viruses, a thing that should be history by now.

  6. Re:First case of homosexual necrophilia in the fro by Anonymous Coward (Score: -1, Troll)

    You apparently don't understand the definitions of "troll" or "parse". Parse means to break something like a sentence up into more easily understood components. I've never heard of parsing brain cells. Perhaps instead of using "big" words, you should stick to words you know, like "destroy", which is surely what you meant in your tripe-filled sentence.

  7. Re:First case of homosexual necrophilia in the fro by Anonymous Coward (Score: -1, Troll)

    YHBT, HAND.

  8. YAWN by notoriousE (Score: -1, Troll)

    this post is so boring i think i've become a corpse with worms coming out of my nose...

    --
    And then there was E

  9. Re:BEHOLD THE GLORY OF SIR HAX by Anonymous Coward (Score: -1, Troll)

    [A different AC here.] I don't understand. You were banned?