CAIDA: Cooperative Association for Internet Data Analysis
Research - Security

Security research at CAIDA includes analysis of network-based attacks (e.g., denial-of-service attacks), data hosting and provision, and measurement and statistical analysis of the trends and impact that certain Internet worms and viruses have on the global network infrastructure. We hope to develop meaningful and up-to-date quantitative characterizations of attack activity and to produce fundamental insights into the nature of malicious behavior on the Internet and, consequently, into the best directions for mitigating that behavior.

Ongoing Research

Infrastructure

  • MIT ANA Spoofer

    CAIDA is collaborating with the MIT ANA Spoofer project to assess macroscopic trends in IPv4 source address filtering, e.g., of private or bogon addresses, which should not be exiting appropriately configured networks.

  • UCSD Network Telescope

    The UCSD network telescope acts as a passive data collection system. The network telescope is a portion of routed IP address space on which little or no legitimate traffic exists. Monitoring unexpected traffic arriving at a network telescope yields a view of certain remote network events. Among the visible events are various forms of flooding DoS attacks, infection of hosts by Internet worms, and network scanning.

  • PREDICT is a repository of data for cyber security research. PREDICT is a community of users who share data useful for research into cyber defense technologies, products, models and strategies.

Malicious Activity Analysis


Datasets

CAIDA makes available a number of datasets for researchers who wish to study data collected at the UCSD Network Telescope.


Publications


Malicious Activity Analysis

  • [Virus] We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem/Blackworm virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software. For details, see The Nyxem Email Virus: Analysis and Inferences.

  • [Worm] A joint effort of CAIDA and UC San Diego CSE to analyze the spread of the Witty Worm. At 8:45:18pm PST on March 19, 2004, the UCSD network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds, and 160 at the end of 30 seconds. Witty infected only about a tenth as many hosts as the next smallest widespread Internet worm: where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. Witty was also the first widely propagated Internet worm to carry a destructive payload, and it represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized.

  • [DoS Attack] Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had dropped considerably, to around 3,700 packets per second. Throughout Thursday morning the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. For details, see CAIDA's report SCO Offline from Denial-of-Service Attack.

  • [Worm] A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE to provide an analysis of the Sapphire Worm. The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes. The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.

  • [Worm] On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.

    CAIDA's analysis of the Code-Red worms includes a detailed analysis of the spread of the original Code-Red v1 as well as of Code-Red v2 and CodeRed II, detailing their differences and spread.
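The telescope description above and the SCO backscatter figures (2.8 million observed response packets implying more than 700 million attack packets) rest on one inference: a victim of a SYN flood with randomly spoofed sources answers each spoofed SYN, and the fraction of those answers that land in the telescope equals the telescope's share of the IPv4 space. The following script is an added example, not CAIDA's code; it assumes a /8 telescope (1/256 of IPv4, an assumption that reproduces the page's 2.8M-to-~717M scaling) and runs over a small constructed packet trace. It separates backscatter (SYN-ACK / RST replies to addresses nobody uses) from scan and worm probes that the same telescope also sees, then estimates per-victim attack volume and rate.

```python
"""Backscatter analysis over a constructed network-telescope trace (added example).

Assumptions (not from the page): the telescope monitors a single /8, the attack
spoofs source addresses uniformly at random, and the victim answers every SYN.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Assumed telescope prefix: one /8 == 2^24 of 2^32 addresses == 1/256 of IPv4.
TELESCOPE = IPv4Network("1.0.0.0/8")
ADDRESS_SPACE_FRACTION = TELESCOPE.num_addresses / 2**32

# TCP flag combinations a victim emits in reply to a SYN it never asked for.
BACKSCATTER_FLAGS = {"SA": "syn-ack", "R": "rst", "RA": "rst-ack"}


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time, seconds
    src: str     # sender; for backscatter this is the attack victim
    dst: str     # address the packet was sent to (inside the telescope if captured)
    proto: str   # "tcp" or "udp"
    flags: str   # tcpdump-style TCP flag letters, "" for non-TCP
    sport: int   # source port; for backscatter this is the attacked service


def is_backscatter(pkt: Packet) -> bool:
    """Reply-type TCP packets to telescope addresses are backscatter; SYNs and UDP
    probes arriving at the telescope are scanning/worm traffic, not replies."""
    return (pkt.proto == "tcp"
            and pkt.flags in BACKSCATTER_FLAGS
            and ip_address(pkt.dst) in TELESCOPE)


def estimate_total_attack_packets(observed_replies: int) -> float:
    """Scale replies seen in the telescope up to the whole spoofed address space."""
    return observed_replies / ADDRESS_SPACE_FRACTION


def summarize(packets):
    """Group backscatter by victim and infer attack packets and packets/second."""
    per_victim = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            per_victim[p.src].append(p)

    report = {}
    for victim, pkts in per_victim.items():
        times = sorted(p.ts for p in pkts)
        duration = max(times[-1] - times[0], 1.0)  # avoid divide-by-zero on a lone packet
        estimated = estimate_total_attack_packets(len(pkts))
        kinds = defaultdict(int)
        for p in pkts:
            kinds[BACKSCATTER_FLAGS[p.flags]] += 1
        report[victim] = {
            "observed_replies": len(pkts),
            "estimated_attack_packets": round(estimated),
            "estimated_pps": round(estimated / duration),
            "duration_s": duration,
            "reply_types": dict(kinds),
            "attacked_ports": sorted({p.sport for p in pkts}),
        }
    return report


# Constructed sample trace (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    # Web server at 192.0.2.10 answering spoofed SYNs with SYN-ACKs over 60 s.
    Packet(100.0, "192.0.2.10", "1.2.3.4", "tcp", "SA", 80),
    Packet(110.0, "192.0.2.10", "1.200.7.1", "tcp", "SA", 80),
    Packet(120.0, "192.0.2.10", "1.0.0.9", "tcp", "SA", 80),
    Packet(130.0, "192.0.2.10", "1.77.8.8", "tcp", "SA", 80),
    Packet(140.0, "192.0.2.10", "1.5.5.5", "tcp", "SA", 80),
    Packet(160.0, "192.0.2.10", "1.9.1.2", "tcp", "SA", 80),
    # FTP server at 192.0.2.11 resetting spoofed SYNs.
    Packet(105.0, "192.0.2.11", "1.3.3.3", "tcp", "R", 21),
    Packet(125.0, "192.0.2.11", "1.4.4.4", "tcp", "R", 21),
    # Not backscatter: a TCP SYN scan and a UDP probe aimed at the telescope.
    Packet(101.0, "198.51.100.5", "1.6.6.6", "tcp", "S", 40000),
    Packet(102.0, "198.51.100.6", "1.7.7.7", "udp", "", 1434),
    # Not captured by this telescope: reply sent outside the monitored prefix.
    Packet(103.0, "192.0.2.10", "203.0.113.9", "tcp", "SA", 80),
]

if __name__ == "__main__":
    for victim, stats in summarize(SAMPLE).items():
        print(victim, stats)
    print("page figure check:", estimate_total_attack_packets(2_800_000))
```

The scaling is only as good as its assumptions: if the attacker draws spoofed sources from a narrower range, or the victim rate-limits or drops SYNs under load (as a saturated server will), the estimate is a lower bound at best, which is why the page words its SCO figure as "more than 700 million".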


  Last Modified: Wed May-27-2009 15:23:42 PDT
  Page URL: http://www.caida.org/research/security/index.xml