Washington, June 5: Researchers at Ohio State University have come up with a way to protect computer networks from Internet worms similar to Code Red, which scans the Internet randomly in search of vulnerable hosts to infect.
"These worms spread very quickly. They flood the Net with junk traffic, and at their most benign, they overload computer networks and shut them down," said Ness Shroff, Ohio Eminent Scholar in Networking and Communications, whose team described the new strategy in IEEE Transactions on Dependable and Secure Computing.
Shroff highlighted how Code Red blocked network traffic to important physical facilities like subway stations and 911 call centres in 2001, and caused 2.6 billion dollars in lost productivity to businesses worldwide.
"Code Red infected more than 350,000 machines in less than 14 hours. We wanted to find a way to catch infections in their earliest stages, before they get that far," he said.
Shroff revealed that his strategy relied on software that had been designed to monitor the number of scans sent out by machines on a network.
He said that a machine sending out too many scans would be a sign that it had been infected, and that administrators should take such a machine offline and check it for viruses.
According to him, a scan is just a search for Internet addresses, quite similar to what a netizen does as he/she uses search engines like Google.
The difference lies in the fact that a virus sends out many scans to many different destinations in a very short period of time, as it searches for machines to infect.
"The difficulty was figuring out how many scans were too many. How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic," Shroff said.
"It turns out that you can allow quite a large number of scans, and you'll still catch the worm," he added.
Shroff revealed that working on an idea that a Purdue University doctoral student named Sarah Sellke conceived in 2006, the team developed a mathematical model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line.
Pitting the model against the Code Red worm as well as the SQL Slammer worm of 2003, they came to the conclusion that administrators should quarantine any machine that sent out more than 10,000 scans.
Shroff said that 10,000 was chosen because it was well above the number of scans that a typical computer network would send out in a month.
"An infected machine would reach this value very quickly, while a regular machine would not. A worm has to hit so many IP addresses so quickly in order to survive," he said.
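As an added illustration that is not from the article or from the Ohio State team's software, the following Python sketch replays a stream of connection attempts, counts scans per source host and quarantines a host once it passes the article's 10,000-scan limit. The traffic is constructed, and counting distinct destinations (rather than raw connection attempts) as "scans" is an assumption made here so that a normal host talking to the same few servers repeatedly is not penalised.

```python
import random
from collections import defaultdict

# Threshold from the article: quarantine a host after more than this many scans.
SCAN_LIMIT = 10_000


def contain(events, limit=SCAN_LIMIT):
    """Replay (src, dst) connection attempts in order.

    Assumption: a 'scan' is an attempt to a destination the source has not
    contacted before.  Once a source exceeds `limit` distinct destinations it
    is quarantined and all of its later attempts are dropped.
    Returns (quarantined_hosts, forwarded_count, dropped_count).
    """
    seen = defaultdict(set)      # src -> set of distinct destinations
    quarantined = set()
    forwarded = dropped = 0
    for src, dst in events:
        if src in quarantined:
            dropped += 1
            continue
        seen[src].add(dst)
        if len(seen[src]) > limit:
            quarantined.add(src)  # taken offline, as the article describes
            dropped += 1
            continue
        forwarded += 1
    return quarantined, forwarded, dropped


def sample_events(seed=1):
    """Constructed traffic: a normal host that keeps reusing three servers,
    and a worm-like host probing 12,000 distinct random addresses."""
    rng = random.Random(seed)
    servers = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
    normal = [("10.0.1.20", rng.choice(servers)) for _ in range(30_000)]
    # sample() without replacement guarantees 12,000 distinct targets
    targets = rng.sample(range(2 ** 32), 12_000)
    worm = [("10.0.1.99", ".".join(str((t >> s) & 255) for s in (24, 16, 8, 0)))
            for t in targets]
    events = normal + worm
    rng.shuffle(events)           # detector sees a mixed stream
    return events


if __name__ == "__main__":
    q, fwd, drop = contain(sample_events())
    print("quarantined:", sorted(q), "forwarded:", fwd, "dropped:", drop)
```

With the constructed stream the worm host gets its first 10,000 probes out before it is cut off and the remaining 2,000 are dropped, while the normal host, which never contacts more than three distinct addresses, is left alone.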
He said that in the simulations against the Code Red worm, the strategy limited the spread of the infection to fewer than 150 hosts across the whole Internet, 95 per cent of the time.
He further said that the strategy was also effective in containing a variant of the Code Red worm (Code Red II), which scans the local network more efficiently and finds vulnerable targets much faster.
Shroff said that in the simulations, he and his colleagues were able to trap the worm in its original network 77 per cent of the time.
Network administrators wishing to use this strategy will have to install software to monitor the number of scans on their networks, and allow for some downtime among computers when they initiate a quarantine.
"Unfortunately there is no completely foolproof solution. You just keep trying to come up with techniques that limit a virus's ability to do harm," Shroff said.
He and his colleagues are now trying to adapt this strategy to stop targeted Internet worms, ones that have been designed specifically to attack certain vulnerable IP addresses.