Mass-mailing worms have made a significant impact on the Internet. These worms consume valuable network resources and can also be used as a vehicle for DDoS attacks. In this paper, we analyze network traffic traces collected from a college campus and present an in-depth study on the effects of two mass-mailing worms, SoBig and MyDoom, on outgoing traffic. Rather than proposing a defense strategy, we focus on studying the fundamental behavior and characteristics of these worms. This analysis lends insight into the possibilities and challenges of automatically detecting, suppressing and stopping mass-mailing worm propagation in an enterprise network environment.

Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection-Invasive software

General Terms: Security

Keywords: Internet Worms, Network Security, Traffic Analysis
Cynthia Wong, Stan Bielski, Jonathan M. McCune, Ch