Verme: Worm Containment in Overlay Networks

F. Freitas, E. Marques, R. Rodrigues, C. Ribeiro, P. Ferreira, and L. Rodrigues.

Selected sections of this report were published in the Proceedings of the 39th IEEE/IFIP International Conference on Dependable Systems and Networks, Estoril, Portugal, June 2009.

Abstract

Topological worms, such as those that propagate by following links in an overlay network, have the potential to spread faster than traditional random scanning worms because they have knowledge of a subset of the overlay nodes, and choose these nodes to propagate themselves; and also because they can avoid traditional detection mechanisms. Furthermore, this worm propagation strategy is likely to become prevalent as the deployment of networks with a sparse address space, such as IPv6, makes the traditional random scanning strategy futile.

We present a novel approach for containing topological worms based on the fact that some overlay nodes may not have common vulnerabilities, due to their platform diversity. By reorganizing the overlay graph, it is possible to contain topological worms in small islands of nodes with common vulnerabilities that only have knowledge of themselves or nodes running on distinct platforms. We also present the design of Verme, a peer-to-peer overlay based on Chord that follows this approach, and VerDi, a DHT layer built on top of the Verme routing overlay.

Simulations show that Verme and VerDi have a low overhead when compared to Chordīs corresponding layers, and that our new overlay design helps containing, or at least slowing down the propagation of topological worms.

Also available extended report (pdf)


Luís Rodrigues