Researchers Tout New Network Worm Weapon 101
coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. 'The difficulty was figuring out how many scans were too many,' researchers said."
The paper (Score:3, Informative)
Re:Something like that is already in use (Score:1, Informative)
Re:Easy to circumvent. (Score:4, Informative)
Basically dry up the resources available to the worm and make it as unprofitable as possible to run a botnet in that fashion.
Or in a more cost effective way, just throttle everybody's connection when there's a major outbreak while people get patched. Force the worms and viruses into a much smaller pool. Realistically when some of the larger worms have hit, the bandwidth ends up going mostly to the worms anyways, why not deny the resource to the worm.
Re:iPhones (Score:3, Informative)
Not really.
The reason Duke had to ban them was because the way they did their WiFi somehow clashed with the way Duke's WiFi network was set up. The end result was that a small concentration of iPhones managed to actually take down the WiFi network by consuming inordinate amounts of CPU time on the WiFi processors. This was confined to that one network - everywhere else, even those using the same WiFi accesspoints, worked just fine. It was an oddball configuration issue.
As for the $3000 phone bill, it is true. But it's not because of the scans - it's because the person was roaming, and data roaming is pricey. You can configure the iPhone to poll a mail server every so often (regular POP or IMAP). Guess what? Checking POP or IMAP takes bytes, and bytes are pricey (easily 5 cents per 1000 bytes or less - some providers count every byte sent over the air including all headers and trailers, and not just raw IP packets). This was resolved in a 1.1 firmware update which has the option to disable data roaming (the iPhone will not make an EDGE connection if it detects it's roaming - it won't even make a standby connection).
Re:Merely? M E R E L Y ???? (Score:2, Informative)
Re:As a network admin... (Score:5, Informative)
The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:
In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.
If you block clients' ability to connect to other clients, no functionality is lost, but infected clients can not attack other clients directly.
(I know that some companies use IM internally, but there is nothing forcing IM solutions to be P2P.)