— It has been clear since 1988 that self-propagating code can quickly spread across a network by exploiting homogeneous security vulnerabilities. However, the last few years have seen a dramatic increase in the frequency and virulence of such “worm” outbreaks. For example, the Code-Red worm epidemics of 2001 infected hundreds of thousands of Internet hosts in a very short period – incurring enormous operational expense to track down, contain, and repair each infected machine. In response to this threat, there is considerable effort focused on developing technical means for detecting and containing worm infections before they can cause such damage. This paper does not propose a particular technology to address this problem, but instead focuses on a more basic question: How well will any such approach contain a worm epidemic on the Internet? We describe the design space of worm containment systems using three key parameters – reaction time, containment strategy and deployment s...
David Moore, Colleen Shannon, Geoffrey M. Voelker,