Fast Containment of Internet Worms and Tracking of DDoS Attacks with Distributed-Hashing Overlays

Internet catastrophes could be caused by large-scale worm outbreaks that lead to DDoS flooding attacks. Internet worms can be exploited to damage infected hosts and launch flooding attacks against high-profile Internet services. We suggest deploying distributed WormShield monitors to automatically detect and disseminate worm signatures. WormShield monitors analyze the global prevalence and address dispersion of worm signatures, collaboratively, using distributed hash table (DHT) overlays built on top of multiple edge networks. We simulated CodeRed-like worms on an Internet configuration of 105,246 edge networks and 338,562 vulnerable hosts. The results show that collaborative monitors detect worm signatures about 10 times faster than using independent monitors. This results in 27 times reduction of infected hosts as 1% of the vulnerable edge networks are monitored. A low-complexity traffic monitoring scheme is developed to track DDoS flooding attacks caused by worms. The article also assesses several worm research projects in academia and industry.