Slashdot Mirror


Researchers Tout New Network Worm Weapon

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it offline and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken offline. 'The difficulty was figuring out how many scans were too many,' researchers said."
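The summary describes the mechanism but not the threshold, so here is an added, self-contained illustration of the scan-rate idea (this is not the OSU researchers' code and not from the linked paper): a sliding-window count of distinct destinations per source host, run over a constructed flow log. The log format, the host addresses, the 10-second window and the limit of 10 distinct destinations are all assumptions chosen for the example; the paper's actual parameters are not on this page.

```python
"""Scan-rate worm containment: an illustrative detector (added example).

Each source host keeps a sliding window of recent (timestamp, destination)
pairs. When the number of *distinct* destinations inside the window exceeds
a limit, the host is marked for quarantine. Window length and limit are
assumed values, not the paper's.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class HostState:
    recent: deque = field(default_factory=deque)  # (ts, dst) inside the window
    seen: dict = field(default_factory=dict)      # dst -> occurrences inside the window


class ScanRateDetector:
    def __init__(self, window_seconds=10.0, max_distinct_dsts=10):
        self.window = window_seconds          # assumed window length
        self.limit = max_distinct_dsts        # assumed "too many scans" limit
        self.hosts = defaultdict(HostState)
        self.quarantined = {}                 # src -> timestamp first flagged

    def observe(self, ts, src, dst):
        """Record one connection attempt; return True if src is quarantined."""
        if src in self.quarantined:
            return True
        st = self.hosts[src]
        st.recent.append((ts, dst))
        st.seen[dst] = st.seen.get(dst, 0) + 1
        # Expire entries that fell out of the window.
        while st.recent and ts - st.recent[0][0] > self.window:
            _, old_dst = st.recent.popleft()
            st.seen[old_dst] -= 1
            if st.seen[old_dst] == 0:
                del st.seen[old_dst]
        if len(st.seen) > self.limit:
            self.quarantined[src] = ts
            return True
        return False


def parse_flow_line(line):
    """Constructed log format: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def run_detector(log_text, **detector_kwargs):
    """Feed every log line to a detector and return {src: first_flagged_ts}."""
    det = ScanRateDetector(**detector_kwargs)
    for line in log_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _ = parse_flow_line(line)
        det.observe(ts, src, dst)
    return det.quarantined


def build_sample_log():
    """Constructed traffic (not captured data) for three hypothetical hosts:
    a normal client talking to two servers, a fast scanner hitting a new
    address every half second, and a slow scanner hitting one every 2 s."""
    lines = []
    for t in range(30):
        lines.append(f"{t} 10.0.0.7 10.0.0.20 445")    # file server
        lines.append(f"{t} 10.0.0.7 10.0.0.21 143")    # mail server
    for i in range(40):                                 # fast scanner
        lines.append(f"{5 + 0.5 * i} 10.0.0.5 10.0.0.{100 + i} 445")
    for i in range(30):                                 # slow scanner
        lines.append(f"{2 * i} 10.0.0.9 10.0.0.{200 + i} 445")
    lines.sort(key=lambda l: float(l.split()[0]))       # stable sort by time
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = run_detector(build_sample_log())
    for host, ts in sorted(flagged.items()):
        print(f"quarantine {host} at t={ts}")
```

With the default window the fast scanner is flagged at t=10.0 while the normal client (only two destinations) never is; the slow scanner stays below the limit, which is exactly the evasion comment 1 below anticipates. Widening the window (for example to 30 seconds at the same limit) catches the slow scanner too, at the cost of more state per host and a longer detection delay, which is the trade-off the researchers describe as the hard part.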

6 of 101 comments

  1. The paper by textstring · Score: 3, Informative

    Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf. Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.

  2. Re:Something like that is already in use by Anonymous Coward · Score: 1, Informative

    There is an article about the Blast-o-Mat in the December 2006 issue of the USENIX magazine.

  3. Re:Easy to circumvent. by hedwards · Score: 3, Informative

    This has been brought up before. Basically, slowing down a worm allows for more time to create and disseminate a patch for the vulnerability. The idea was that when a virus is detected, the bandwidth allocated to the computer would be throttled down and perhaps limited to just specific security sites for patching as well.

    Basically dry up the resources available to the worm and make it as unprofitable as possible to run a botnet in that fashion.

    Or in a more cost effective way, just throttle everybody's connection when there's a major outbreak while people get patched. Force the worms and viruses into a much smaller pool. Realistically, when some of the larger worms have hit, the bandwidth ends up going mostly to the worms anyway, so why not deny the resource to the worm.

  4. Re:iPhones by tlhIngan · Score: 2, Informative

    Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?

    Not really.

    The reason Duke had to ban them was because the way they did their WiFi somehow clashed with the way Duke's WiFi network was set up. The end result was that a small concentration of iPhones managed to actually take down the WiFi network by consuming inordinate amounts of CPU time on the WiFi processors. This was confined to that one network - everywhere else, even those using the same WiFi access points, worked just fine. It was an oddball configuration issue.

    As for the $3000 phone bill, it is true. But it's not because of the scans - it's because the person was roaming, and data roaming is pricey. You can configure the iPhone to poll a mail server every so often (regular POP or IMAP). Guess what? Checking POP or IMAP takes bytes, and bytes are pricey (easily 5 cents per 1000 bytes or less - some providers count every byte sent over the air including all headers and trailers, and not just raw IP packets). This was resolved in a 1.1 firmware update which has the option to disable data roaming (the iPhone will not make an EDGE connection if it detects it's roaming - it won't even make a standby connection).

  5. Re:Merely? M E R E L Y ???? by Anonymous Coward · Score: 2, Informative

    "Brick" means not revivable except possibly with special equipment that nobody has (an EPROM programmer, for example). What you describe is nowhere near that; it is only a temporary inconvenience.

  6. Re:As a network admin... by Gnavpot · Score: 4, Informative

    Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

    The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:

    In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.

    If you block clients' ability to connect to other clients, no functionality is lost, but infected clients cannot attack other clients directly.

    (I know that some companies use IM internally, but there is nothing forcing IM solutions to be P2P.)