Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Books Media Bug The Internet Book Reviews

Defense and Detection Against Internet Worms 142

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review.
Defense and Detection Strategies against Internet Worms
author Jose Nazario
pages 322
publisher Artech House
rating 10
reviewer Duncan Lowne
ISBN 1580535372
summary This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs is enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.

Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and prepartion for, future attacks.

The book begins with a discussion of the departure worms take from traditional computer virii. An outline of the benefits for the black-hat toward a worm-based attack, as well as a brief analysis of the threat model posed by worms, provide ample reason for the computer security professional to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces to the reader some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses on to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explaination of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation of the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks leads into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so-far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.

The final section of the book (ch. 12 - 16), per the book's namesake, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention simply to alert the reader of the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.


You can purchase Defense and Detection Strategies against Internet Worms from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Defense and Detection Against Internet Worms

Comments Filter:
  • Referral Link: Amazon has this book for the same price as bn ($85) and with free shipping [amazon.com]
    Some cheaper copies are available from the Amazon marketplace users.
  • ....if DEET is as good of a defense against worms as it is against mosquitos. Hmmm....
  • For a better price (Score:1, Informative)

    by Anonymous Coward
    Check AddAll.com [addall.com]
  • Amazon links (Score:4, Interesting)

    by Rathumos ( 87696 ) <drl7@@@po...cwru...edu> on Thursday November 13, 2003 @01:39PM (#7466211) Homepage
    Is it standard practice these days to remove links to amazon.com? There were several in the original article. Did I miss some sort of OSDN/bn.com tie-in?
    • Re:Amazon links (Score:3, Informative)

      by zontroll ( 714448 )
      Slashdot Book Review Guidelines [slashdot.org]:
      "Speaking of links, please do not include personalized or "affiliate" links (to online bookstores, for instance) in your reviews. Slashdot has an agreement with Barnes & Noble; this is one way that Slashdot makes money, stays in business, etc. That's why when bn.com carries a particular book, you'll see a link to it at the bottom of the review."
  • by clifgriffin ( 676199 ) on Thursday November 13, 2003 @01:40PM (#7466222) Homepage
    is a good offense.

    And I'm sure that if I were a smarter man, I could figure out how that applies here.

    Blogzine [blogzine.net]
  • I met the good Dr (he has a PhD in the biomolecular sciences, IIRC) at a white-hat security conference a few years ago. He's probably not as well known as Dr Knuth or Dr. Bernestain, but his work is just as important, though sadly unrecognized. I guess when you do consulting/researching, you don't get the prestige that you do in acedemia.

  • Wasn't the author previously a Defense Against the Dark Arts teacher at Hogwarts?

    ...sorry, first thing that came to mind.

    ---
    I type this every time.
  • by johnthorensen ( 539527 ) on Thursday November 13, 2003 @01:45PM (#7466270)
    I read an article, sorry don't have the link, that talked about research that NIST was doing on internet worms. Essentially, they were looking back over intrusion patterns and making some generalizations the patterns by which worms spread. They then attempted to create models that took variables such as link speeds, number of "seed sites", etc. and tuned them until they matched the real data. They then set their models up with other values to predict what would happen in different scenarios. At any rate, guess what seed-site scenario resulted in the most catastrophic situation given limited resources of 5 seed sites and 24 hours in which to deploy the worm?

    Porn sites. Given how shady those guys are, this leaves me really hoping that they've got the sense to keep their systems secure.

    -JT
    • Wow! Parent needs to be modded up!

      I have often wondered what would happen if such a similiar outbreak happened on a service network such as AOL or MSN. I was thinking in terms of the amount of non-tech/security savvy users.

      As seems to be the case with operating systems, the more popular, the bigger the target.
  • by jp31415926 ( 722252 ) on Thursday November 13, 2003 @01:48PM (#7466304) Homepage
    OK, maybe I've been reading too much Harry Potter lately. :)

    But this all does seem to be more and more like a battle between good (computer users) and evil (worm/virus programmers). How bad will it get when we have everything electronic talking to everything else electronic? Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!

    • Not to nitpick or anything, but computers, radar, anything electronic doesn't work near Hogwarts, they "go haywire" according to Hermione.

      Hermione really does say that. Check in book 4, where Harry is trying to figure out how Rita Skeeter is finding out loads of stuff about Hagrid, and he's going through the list of ways Rita could spy on Hogwarts without being detected. One of the things he mentions is an electronic bug, at which point Hermione butts in and says how electronic stuff won't work near Hogwar
    • Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!

      Isn't that what BlueTooth is for?

      ;)
    • make your next book The Diamond Age and apply that idea, then you'll get really really scared.

    • always was.

      Technology is the application of your knowledge of nature to modify it.

      Magic, wether by people or "supernatural beings" (lovely oxymoron, that) is exactly the same, only with modified laws of nature.

      The difference, I believe, is that science and tech are more democratic:
      A normal person can, with a lot of work and help, understand and apply
      some of the basic principles.
      On the contrary, muggles and squibs just can't perform magic no matter
      How hard they'll work.
  • $85? (Score:4, Insightful)

    by herrvinny ( 698679 ) on Thursday November 13, 2003 @01:51PM (#7466336)
    You mean I have to pay $85 to read about stuff we know already and learn about practices all smart admins should take? Forget it.

    But seriously, all of know already what we SHOULD do, it's just that we don't do it. How many people regularly work on their computer using an admin-level account, doing stuff that doesn't require admin level access? Far too many people do this, even techies.

    I do everyday work logged onto a Limited account on Win XP, although I admit, it's a real pain to have to login to the root account to download an ActiveX control, configure hardware, do Windows Update, norton antivirus update, etc. But I do because I know it's safer to only use an admin level account when that type of access is required.

    How many people do that? How many techies do that? How many college students in some tech-illiterate college (ex Liberal arts type majors) do this? What we need isn't a book, it's a good kick in the pants to force us to adopt good safety measures.
    • Chapter 1: Firewall

      Step 1: Get a firewall.
      Step 2: Close all the ports you don't use.

      Simple huh?

    • Never.

      I'm always logged in as me. Never as root. If I *need* root access, it's about 4 seconds away via 'su'. Why run the risk ?

      Perhaps a difference between linux/win32 ?

      Simon.
      • sudo is much better than su because:
        • Only one person needs the root password (great when there are several admins; a shared secret is not a secret)
        • A senior admin can delegate some admin tasks to others, not simply hand over total control
        • It keeps an audit trail of what you did
        • If someone is using su, then you have been cracked, and can detect that more easily in the logs
        • You never are tempted to do any unnessessary stuff as root.
    • Hell I'd do it too, if the OS would just prompt me for an admin password when required. And while you can do the equivalent of su on windows, it's too annoying to set up.

      Too many developers for windows boxes (and I am one) have admin access to the development machine so they never have to think about security until someone tries to install their software in a locked down environment.

  • Synopsis: (Score:1, Funny)

    by grub ( 11606 )
    Introduction
    Chapter 1 - Why You Shouldn't Use Windows
    Index
  • Finding a half of a worm.

    More stupid worm jokes to follow...
  • What's the point ? (Score:5, Insightful)

    by Space cowboy ( 13680 ) on Thursday November 13, 2003 @02:02PM (#7466458) Journal
    Anyone who is going to be interested enough to purchase this book is already outside the class of people who are likely to benefit from purchasing the book...

    The vast majority of worms spread via unmaintained systems. There is the occasional (one comes to mind) worm that exploited a novel problem, but most worms exploit already-patched issues. The problem is "admins" not maintaining the security level of their systems.

    Unless basic security levels are increased (home users on ADSL/Cable modems without firewalls spring to mind) then worms (nefarious or otherwise) are going to be a problem, and the good Doctor's book may well aid in tracking down the perpetrator, but sadly, there seem to be an inexhaustible supply of them :-(

    Depressed.

    Simon.
    • by Rathumos ( 87696 )
      I disagree. I'm not a sysadmin, but I highly benefitted from reading the book. This is NOT a "...for dummies" or "...in a nutshell" book. It's got much broader appeal. There's stuff in there that would tickle statisticians, epidemiologists, computer scientists, software engineers, historians, and even the occasional home user who wonders why the hell his network keeps dying.
    • by phorm ( 591458 ) on Thursday November 13, 2003 @02:25PM (#7466639) Journal
      Buy the book for the people whom you know need it. Dogtag/highlight relevant pieces in highlighter.
      Leave gift-wrapped in the vicinity of the bathroom. It may take awhile, but eventually somebody will probably pick it up and start perusing (bathroom is the best place to plant reading material). If you're lucky, they may find it interesting, or at least stay long enough to catch some important points.

      Oh, and if you want, you could speed up the reading process by also lacing the Xmas cookies/etc with a little X-lax icing.
    • "The vast majority of worms spread via unmaintained systems."

      You ask the right question: "What's the point?" and show that you indeed don't see the point.

      Yes, the worms travel via insecure systems. It may be taken as a given that there are and always will be insecure systems. If the sole approach taken is "secure the systems" then the worm authors will always win - no effective countermeasures are being taken, will be taken. That is the point, IMHO.

      The worms (including worms that create spam zombies)
  • Internet Worm FAQ (Score:3, Informative)

    by Anonymous Coward on Thursday November 13, 2003 @02:06PM (#7466487)
    This FAQ seems to have a lot of good information on Internet Worms:

    http://www.networm.org/faq/ [networm.org]
    • The FAQ includes the interesting sentence:

      Oddly, under the Bush administration, there has been a massive contraction in research funding into Internet Security.

      It would be interesting to see details of this charge. Is it really true? If so, we should be publicising it.

      Contrary to much of the marketing hype, the Internet was in fact developed primarily with US government funding. DoD funding, in particular, through (D)ARPA.

      The commercial world is trying to take credit, but they did very little to hel
  • Shai-hulud.... First you get the spice, then you see the future, then you get the women.
  • What I'd like to know, is what is good software to use for anti-worm security in a linux (server) windows (desktop) environment. There's a lot I can do on the server (firewall, proxy, mail-filter, etc), but not so much on the client... how about antivirus software, what's good, what's bad, and what's affordable or open-source (linked articles are informative, but don't cover specific apps).

    Anyone got some feedback on this, or perhaps whether the book covers good apps in significant depth?
      • Behind a firewall, use Microsoft Software Updates Services (SUS) together with group policies to totally automate daily software critical updates.
      • Use snort to detect the infected machines.
      Any more suggestions, please?

      I see little other discussion of worm prevention and treatment. Has everyone else totally solved this major problem? How do you cope with people like my manager, who says that he will never install updates because it stops his applications from working?

  • Can you say intrusion prevention? I saw the Tipping Point UnityOne product stop in their tracks Blaster, Nachi, and SobigF. Just hours after the outbreak. I have personally put several of these in place at Colleges, City government and Medical facilites in the past 5 months and it works flawlesly! And I have yet to have a single false positive. Feel free to check it out at http://tippingpoint.com/ IT WORKS like nothing else I have seen yet. Granted I have only been doing network security for 5 years.
  • cook all pork thoroughly before feeding it to your computer. Or, better yet, only feed it SPAM!
  • If you have a lot of worms around the office, all you need is a couple of chickens to get rid of them.
  • i haven't read this book, so i dont know if it covers this: if i'm an isp, can i stop worms for the benefit of my subscribers?

    it seems like all the big time worms look the same to the network, cause each one uses the same vulnerability over and over. that means that the packets hit the same port, so you could just look at the port number in the header.

    not only that, but so far worms aren't self-modifying (does that mean they're reentrant or non-reentrant? i always get that mixed up). that means th

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...