Slashdot Mirror


Researchers Tout New Network Worm Weapon

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line.'The difficulty was figuring out how many scans were too many,' researchers said."
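The scan-counting countermeasure the story describes, as an added example that is not code from the story or the OSU paper: it counts distinct destinations each source contacts in a constructed set of flow records, flags sources that exceed the allowed maximum, and computes the spread probability under a simplified assumption (uniformly random scanning of an address space) that stands in for the researchers' model. The flow records, host addresses and threshold are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dport); not real traffic.
# One client talks to two servers, another to one, and a third sweeps
# 40 distinct hosts on port 445, the pattern of a scanning worm.
FLOWS = [
    ("10.0.0.5", "10.0.1.10", 445),   # normal client -> file server
    ("10.0.0.5", "10.0.1.11", 80),    # normal client -> web server
    ("10.0.0.7", "10.0.1.10", 445),
] + [("10.0.0.9", f"10.0.0.{i + 1}", 445) for i in range(40)]


def scan_counts(flows):
    """Count distinct destination hosts each source contacted.

    A 'scan' is the first flow from a source to a destination it has
    not contacted before; repeated flows to the same server do not count.
    """
    seen = defaultdict(set)
    for src, dst, _port in flows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def hosts_to_quarantine(flows, max_scans):
    """Sources whose distinct-destination count exceeds the allowed maximum.

    These are the machines an administrator would take off line for checking.
    """
    return sorted(src for src, n in scan_counts(flows).items() if n > max_scans)


def spread_probability(max_scans, vulnerable, address_space):
    """Probability that an infected host reaches at least one vulnerable
    host before it is isolated, assuming (constructed simplification, not
    the paper's model) each of its max_scans probes picks a uniformly
    random address from address_space, of which `vulnerable` are exploitable.
    """
    p_miss = 1.0 - vulnerable / address_space
    return 1.0 - p_miss ** max_scans


if __name__ == "__main__":
    print(scan_counts(FLOWS))
    print("quarantine:", hosts_to_quarantine(FLOWS, max_scans=10))
    for m in (1, 10, 100):
        print(m, round(spread_probability(m, 1000, 2**24), 4))
```

Lowering `max_scans` shrinks `spread_probability` but raises the chance that a busy legitimate host trips the threshold, which is the trade-off the researchers say was the hard part.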

3 of 101 comments

  1. The paper by textstring · Score: 3, Informative

    Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf. Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.

  2. Re:Easy to circumvent. by hedwards · Score: 3, Informative

    This has been brought up before. Basically, slowing down a worm allows for more time to create and disseminate a patch for the vulnerability. The idea was that when a virus is detected to throttle down on the bandwidth allocated to the computer and perhaps limit it to just specific security sites for patching as well.

    Basically dry up the resources available to the worm and make it as unprofitable as possible to run a botnet in that fashion.

    Or in a more cost effective way, just throttle everybody's connection when there's a major outbreak while people get patched. Force the worms and viruses into a much smaller pool. Realistically when some of the larger worms have hit, the bandwidth ends up going mostly to the worms anyways, why not deny the resource to the worm.

  3. Re:As a network admin... by Gnavpot · Score: 4, Informative

    Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

    The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:

    In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.

    If you block clients' ability to connect to other clients, no functionality is lost, but infected clients can not attack other clients directly.

    (I know that some companies use IM internally, but there is nothing forcing IM solutions to be P2P.)