An Empirical Analysis of Rate Limiting Mechanisms to Contain Internet Worms

Опубликовано 6 сентября 2016, 5:49

One class of worm defense techniques that received atten­ tion of late is to ``rate limit'' outbound traffic to contain fast spreading worms. Several proposals of rate limiting techniques have appeared in the literature, each with a different take on the impetus behind rate lim­ iting. This paper presents an empirical analysis on diifferent rate limiting schemes using real traffc and attack traces from a sizable network. In the analysis we isolate and investigate the impact of the critical parameters for each scheme and seek to understand how these parameters might be set in realistic network settings. Analysis shows that using DNS-­based rate limiting has substantially lower error rates than schemes based on other traffic statistics. The analysis additionally brings to light a number of issues with respect to rate limiting at large. We explore the impact of these issues in the context of general worm containment. This is joint work with my students Cynthia Wong, Ahren Studer, and staff Stan Bielski. We will be presenting the paper at RAID this year.