Researchers tout new-fangled network worm weapon
Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University say they can and they have the method to prove it.
The key, the researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans -- a sign that it has been infected -- administrators should take it offline and check it for viruses. A scan is just a search for Internet addresses -- what we do every time we use search engines such as Google. The difference is that a virus sends out many scans to many different destinations in a very short period of time as it searches for machines to infect.
Seems pretty straightforward. In a nutshell, the researchers, with National Science Foundation funding, developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken offline.
"The difficulty was figuring out how many scans were too many," said Ness Shroff, Ohio Eminent Scholar in Networking and Communications at Ohio State. "How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic. It turns out that you can allow quite a large number of scans, and you'll still catch the worm."
In simulations, Shroff and his cohorts pitted their model against the Code Red worm, as well as the SQL Slammer worm of 2003. Code Red was a random scanning worm, while SQL Slammer caused denial of service attacks. They simulated how far the virus would spread, depending on how many networks on the Internet were using the same containment strategy: quarantine any machine that sends out more than 10,000 scans. They chose 10,000 because it is well above the number of scans that a typical computer network would send out in a month.
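As an added illustration, not code from the Ohio State researchers, here is a small detector implementing the rule the article describes: count the distinct destinations each host contacts per time window and quarantine any host whose count exceeds a threshold. The traffic records, host names and window size are constructed assumptions; the sample also includes a host that scans slowly enough to stay under the threshold, which is the case a simple rate cut-off will not catch.

```python
from collections import defaultdict

# Threshold used in the article's simulations: quarantine a host that sends out
# more than this many scans. The detector takes the threshold as a parameter so
# smaller values can be used with the constructed sample data below.
ARTICLE_THRESHOLD = 10_000


def scans_per_window(records, window_seconds):
    """Return {host: most distinct destinations contacted in any single window}.

    records: iterable of (source_host, destination_address, timestamp_seconds).
    Time is cut into fixed buckets of window_seconds; a 'scan' is counted once
    per distinct destination a host contacts within a bucket.
    """
    buckets = defaultdict(set)  # (host, bucket index) -> destinations seen
    for src, dst, ts in records:
        buckets[(src, int(ts // window_seconds))].add(dst)
    peak = defaultdict(int)
    for (src, _bucket), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return dict(peak)


def hosts_to_quarantine(records, threshold=ARTICLE_THRESHOLD, window_seconds=60):
    """Hosts whose per-window scan count exceeds the threshold (the article's rule)."""
    counts = scans_per_window(records, window_seconds)
    return {host for host, n in counts.items() if n > threshold}


def constructed_records():
    """Constructed sample traffic (assumption, not data from the article).

    - 'ws1' : a normal workstation talking to a handful of addresses.
    - 'fast': a fast-scanning host hitting 300 distinct addresses in ~9 seconds.
    - 'slow': the same 300 addresses spread out one per minute, so it never
      exceeds one destination per 60-second window.
    """
    recs = [("ws1", f"10.0.0.{i}", t) for i, t in ((1, 0.0), (2, 1.0), (1, 2.0), (3, 5.0))]
    recs += [("fast", f"10.1.{i // 256}.{i % 256}", i * 0.03) for i in range(300)]
    recs += [("slow", f"10.2.{i // 256}.{i % 256}", i * 60.0) for i in range(300)]
    return recs


if __name__ == "__main__":
    # With a threshold of 100 only the fast scanner is flagged; the slow one is not.
    print(hosts_to_quarantine(constructed_records(), threshold=100))
```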

It's nothing new; people in the security field have been doing this for the past few years... The only concern here is what you define as a "scan" and how you define the threshold for the scan activity?
However, if malware scans your network slowly instead of blasting away, then how would you detect it ;-)