Understanding Localized-Scanning Worms

Zesheng Chen
School of Electrical & Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332
Email: zchen@ece.gatech.edu

Chao Chen
Department of Engineering, Indiana University - Purdue University Fort Wayne, Fort Wayne, IN 46805
Email: chen@engr.ipfw.edu

Chuanyi Ji
School of Electrical & Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332
Email: jic@ece.gatech.edu

Abstract—Localized scanning is a simple technique used by attackers to search for vulnerable hosts. Localized scanning trades off between the local and the global search of vulnerable hosts and has been used by the Code Red II and Nimda worms. Because such a strategy is so simple yet effective in attacking the Internet, it is important that defenders understand the spreading ability and behaviors of localized-scanning worms. In this work, we first characterize the relationships between vulnerable-host distributions and the spread of localized-scanning worms through mathematical modeling and analysis, and compare random scanning with localized scanning. We then design an optimal localized-scanning strategy, which provides an upper bound on the spreading speed of localized-scanning self-propagating codes. Furthermore, we construct three variants of localized scanning. Specifically, the feedback localized scanning and the ping-pong localized scanning adapt the scanning method based on the feedback from the probed host, and thus spread faster than the original localized scanning while also having a smaller variance.

I. INTRODUCTION

Self-propagating Internet worms have posed significant threats to network security. For example, the Code Red [7], Nimda [20], and Witty [10] worms infected hundreds of thousands of computers and required tremendous effort to eliminate. Therefore, it is important that we understand how worms spread in order to design effective countermeasures.
A worm spreads by using distinct scanning mechanisms, including topological and hitlist scanning [12]. Our focus, however, is only on scanning worms that probe the entire IPv4 address space or the routable address space, such as random, routable, importance, and localized scanning. Random scanning chooses target IP addresses at random and was used by the Code Red and Witty worms. Routable scanning selects targets only in the routable address space by using the information provided by the BGP routing table [14], [16]. Importance scanning exploits an uneven distribution of vulnerable hosts and focuses worm scans on the most relevant parts of the IPv4 address space [4], [3].

In this work, our focus is on localized scanning, which has been used by such well-known worms as Code Red II and Nimda. Localized scanning preferentially searches for vulnerable hosts in the "local" address space. For example, the Code Red II worm selects target IP addresses as follows [19]: 50% of the time, an address with the same first byte is chosen as the target; 37.5% of the time, an address with the same first two bytes is chosen as the target; and 12.5% of the time, a random address is chosen. Song et al. showed that the Nimda and Code Red II worms accounted for 90% of infection attempts in the seven-week period from September 19 to November 3, 2001 [11]. Why is such a localized strategy so effective? It has been observed that in the current Internet, a sub-network tends to have many computers with the same operating systems and applications for ease of management [9]. Hence, vulnerable hosts usually form clusters [2]. Once a vulnerable host in such a subnet is infected, a localized-scanning worm can rapidly compromise all the other local vulnerable hosts.

The goal of this work is to better understand the spreading ability and characteristics of localized-scanning worms.
Specifically, we attempt to answer the following questions:

• What is the effect of vulnerable-host distributions on the spread of localized-scanning worms? Prior work has studied this effect empirically [2], [17], [9]. In this work, we use mathematical reasoning to show the relationships between vulnerable-host distributions and localized-scanning worms. Specifically, it is shown analytically that localized-scanning worms spread slower than random-scanning worms if vulnerable hosts are uniformly distributed, and faster if they are highly unevenly distributed. Moreover, if infected hosts are uniformly distributed, localized-scanning worms can speed up propagation by nearly the non-uniformity factor, a quantity that measures the non-uniformity of a vulnerable-host distribution [5].

• What is the propagation capacity of a localized-scanning worm? We design an optimal localized-scanning strategy that maximizes the propagation speed of a localized-scanning worm. Such a strategy dynamically adapts the parameters used for scanning the local sub-network and the global Internet, based on the distribution of uninfected vulnerable hosts. Although the optimal localized scanning is difficult to implement, it provides an upper bound on the spreading speeds of the currently used localized scanning and its variants. Moreover, we empirically show that the propagation speed of the currently used localized scanning can approach that of the optimal strategy.

• What are some possible variants of localized-scanning worms? We study three variants of localized scanning
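The following discrete-time simulation is an added example, not code from the paper, intended to let a defender see the effect stated above (localized scanning is slower than random scanning on a uniform vulnerable-host distribution and faster on a clustered one) on a toy address space. It assumes a 16-bit address space in which the top 8 bits and the top 12 bits stand in for Code Red II's "same first byte" and "same first two bytes" prefixes, with the 50% / 37.5% / 12.5% split from the text; the host counts, scan rate, cluster layout and seed are constructed parameters chosen for illustration.

```python
import random

# Toy address space: 2^16 addresses instead of the 2^32 IPv4 space (assumption).
SPACE_BITS = 16
SPACE = 1 << SPACE_BITS

# A strategy is a list of (probability, prefix_bits): with the given probability the
# scanner keeps the top prefix_bits of its own address and randomizes the rest.
RANDOM_SCANNING = [(1.0, 0)]
# Code Red II split from the text, with 8-/12-bit prefixes as the toy analogue of
# "same first byte" / "same first two bytes".
LOCALIZED_SCANNING = [(0.5, 8), (0.375, 12), (0.125, 0)]


def pick_target(src, strategy, rng):
    """Choose one scan target for the infected host at address src."""
    r = rng.random()
    prefix_bits = strategy[-1][1]
    for prob, prefix_bits in strategy:
        r -= prob
        if r < 0:
            break
    low_bits = SPACE_BITS - prefix_bits
    return ((src >> low_bits) << low_bits) | rng.getrandbits(low_bits)


def uniform_hosts(n, rng):
    """n vulnerable hosts spread uniformly over the whole space."""
    return set(rng.sample(range(SPACE), n))


def clustered_hosts(n, n_clusters, rng):
    """n vulnerable hosts packed into n_clusters randomly chosen 8-bit-prefix blocks."""
    blocks = rng.sample(range(SPACE >> 8), n_clusters)
    addrs = [(b << 8) | off for b in blocks for off in range(256)]
    return set(rng.sample(addrs, n))


def simulate(vulnerable, strategy, scans_per_step, seed,
             stop_fraction=0.9, max_steps=5000):
    """Synchronous epidemic model: every infected host sends scans_per_step probes per
    step; a probe that lands on an uninfected vulnerable host infects it for the next
    step. Returns (steps until stop_fraction of hosts are infected, infected-count history)."""
    rng = random.Random(seed)
    infected = {rng.choice(sorted(vulnerable))}  # a single seed infection
    target = int(stop_fraction * len(vulnerable))
    history = [len(infected)]
    for step in range(1, max_steps + 1):
        newly = set()
        for src in infected:
            for _ in range(scans_per_step):
                t = pick_target(src, strategy, rng)
                if t in vulnerable and t not in infected:
                    newly.add(t)
        infected |= newly
        history.append(len(infected))
        if len(infected) >= target:
            return step, history
    return max_steps, history


def compare(seed=1, n_hosts=1000, scans_per_step=4):
    """Steps to 90% infection for each (distribution, strategy) pair."""
    rng = random.Random(seed)
    distributions = (("uniform", uniform_hosts(n_hosts, rng)),
                     ("clustered", clustered_hosts(n_hosts, 4, rng)))
    strategies = (("random", RANDOM_SCANNING), ("localized", LOCALIZED_SCANNING))
    results = {}
    for dist_name, hosts in distributions:
        for strat_name, strategy in strategies:
            steps, _ = simulate(hosts, strategy, scans_per_step, seed)
            results[(dist_name, strat_name)] = steps
    return results


if __name__ == "__main__":
    for (dist, strat), steps in sorted(compare().items()):
        print(f"{dist:9s} distribution, {strat:9s} scanning: {steps} steps to 90% infected")
```

Random scanning finishes in about the same number of steps for both distributions, since its hit probability depends only on the overall host density. Localized scanning wastes most of its probes on an already-exhausted neighbourhood when hosts are uniform, but saturates a cluster within a few steps once it has a foothold there, which is the behaviour the analysis in this paper quantifies.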