Flow-Data Compressibility Changes During Internet Worm Outbreaks

September 20, 2005 • White Paper

By

Arno Wagner (Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich))

In this paper, Arno Wagner presents measurements and analysis done on a Swiss internet backbone during the Blaster and Witty internet worm outbreak.

Publisher

Software Engineering Institute

Subjects

Flocon Situational Awareness

Abstract

During outbreaks of fast Internet worms the characteristics of network flow data from backbone networks
changes. We have observed that in particular source and destination IP and port fields undergo compressibility changes, that are characteristic for the scanning strategy of the observed worm. In this paper we present measurements done on a medium sized Swiss Internet backbone (SWITCH, AS559) during the outbreak of the Blaster and Witty Internet worms and attempt to give a first explanation for the observed behaviour. We also discuss the impact of sampled versus full flow data and different compression algorithms. This is work in progress. In particular the details of what exactly causes the observed effects are still preliminary and under ongoing investigation.

Software Engineering Institute