TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation

  • Spiros Antonatos
  • Kostas G. Anagnostakis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4237)


Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. Recent work has examined a proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. However, the originally proposed DHCP-based implementation may induce passive failures on hosts that change their addresses when connections are still in progress. The risk of such collateral damage also makes it harder to perform address changes at the timescales necessary for containing fast hitlist generators.

In this paper we examine an alternative approach to NASR that allows both more aggressive address changes and also eliminates the problem of connection failures, at the expense of increased implementation and deployment cost. Rather than controlling address changes through a DHCP server, we explore the design and performance of transparent address obfuscation (TAO). In TAO, network elements transparently change the external address of internal hosts, while ensuring that existing connections on previously used addresses are preserved without any adverse consequences. In this paper we present the TAO approach in more detail and examine its performance.


Worms address space randomization network security 


  1. 1.
    CERT Advisory CA-2001-19: Code Red Worm Exploiting Buffer Overflow in IIS Indexing Service DLL (July 2001),
  2. 2.
    NLANR-PMA Traffic Archive: Bell Labs-I trace (2002),
  3. 3.
    NLANR-PMA Traffic Archive: Leipzig-I trace (2002),
  4. 4.
    The Spread of the Sapphire/Slammer Worm (February 2003),
  5. 5.
    Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S., Keromytis, A.D., Li, D.: A Cooperative Immunization System for an Untrusting Internet. In: Proceedings of the 11th IEEE Internation Conference on Networking (ICON), September/October 2003, pp. 403–408 (2003)Google Scholar
  6. 6.
    Antonatos, S., Akritidis, P., Markatos, E.P., Anagnostakis, K.G.: Defending against Hitlist Worms using Network Address Space Randomization. In: Proceedings of the 3rd ACM Workshop on Rapid Malcode (WORM) (November 2005)Google Scholar
  7. 7.
    Atighetchi, M., Pal, P., Webber, F., Schantz, R., Jones, C.: Adaptive use of network-centric mechanisms in cyber-defense. In: Proceedings of the 6th IEEE International Symposium on Object-oriented Real-time Distributed Computing (May 2003)Google Scholar
  8. 8.
    Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (October 2003)Google Scholar
  9. 9.
    Bhatkar, S., DuVarney, D., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium, pp. 105–120 (August 2003)Google Scholar
  10. 10.
    Chase, J.S., Levy, H.M., Feeley, M.J., Lazowska, E.D.: Sharing and protection in a single-address-space operating system. ACM Transactions on Computer Systems 12(4), 271–307 (1994)CrossRefGoogle Scholar
  11. 11.
    Droms, R.: Dynamic Host Configuration Protocol. RFC 2131 (March 1997),
  12. 12.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2004)Google Scholar
  13. 13.
    Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering Code-Injection Attacks With Instruction-Set Randomization. In: Proceedings of the ACM Computer and Communications Security Conference (CCS), pp. 272–280 (October 2003)Google Scholar
  14. 14.
    Kewley, D., Lowry, J., Fink, R., Dean, M.: Dynamic approaches to thwart adversary intelligence gathering. In: Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX) (2001)Google Scholar
  15. 15.
    Michalski, J., Price, C., Stanton, E., Chua, E.L., Seah, K., Heng, W.Y., Pheng, T.C.: Final Report for the Network Security Mechanisms Utilizing Network Address Translation LDRD Project. Technical Report SAND2002-3613, Sandia National Laboratories (November 2002)Google Scholar
  16. 16.
    Moore, D., Shannon, C., Brown, J.: Code-Red: a case study on the spread and victims of an Internet worm. In: Proceedings of the 2nd Internet Measurement Workshop (IMW), pp. 273–284 (November 2002)Google Scholar
  17. 17.
    Nojiri, D., Rowe, J., Levitt, K.: Cooperative response strategies for large scale attack mitigation. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX) (April 2003)Google Scholar
  18. 18.
    Schechter, S.E., Jung, J., Berger, A.W.: Fast detection of scanning worm infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59–81. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: CCS 2004: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298–307. ACM Press, New York (2004)Google Scholar
  20. 20.
    Sidiroglou, S., Keromytis, A.D.: A Network Worm Vaccine Architecture. In: Proceedings of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pp. 220–225 (June 2003)Google Scholar
  21. 21.
    Staniford, S.: Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security (2004)Google Scholar
  22. 22.
    Staniford, S., Moore, D., Paxson, V., Weaver, N.: The top speed of flash worms. In: Proc. ACM CCS WORM (October 2004)Google Scholar
  23. 23.
    Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium, pp. 149–167 (August 2002)Google Scholar
  24. 24.
    Weaver, N., Paxson, V.: A worst-case worm. In: Proc. Third Annual Workshop on Economics and Information Security (WEIS 2004) (May 2004)Google Scholar
  25. 25.
    Weaver, N., Staniford, S., Paxson, V.: Very Fast Containment of Scanning Worms. In: Proceedings of the 13th USENIX Security Symposium, pp. 29–44 (August 2004)Google Scholar
  26. 26.
    Williamson, M.: Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. Technical Report HPL-2002-172, HP Laboratories Bristol (2002)Google Scholar
  27. 27.
    Wu, J., Vangala, S., Gao, L., Kwiat, K.: An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), pp. 143–156 (February 2004)Google Scholar
  28. 28.
    Xu, J., Kalbarczyk, Z., Iyer, R.: Transparent runtime randomization for security. In: Fantechi, A. (ed.) Proc. 22nd Symp. on Reliable Distributed Systems –SRDS 2003, pp. 260–269 (October 2003)Google Scholar
  29. 29.
    Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the DOMINO Overlay System. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (February 2004)Google Scholar
  30. 30.
    Zou, C.C., Gao, L., Gong, W., Towsley, D.: Monitoring and Early Warning for Internet Worms. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), pp. 190–199 (October 2003)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Spiros Antonatos
    • 1
  • Kostas G. Anagnostakis
    • 2
  1. 1.Distributed Computing Systems Group, Institute of Computer ScienceFoundation for Research Technology HellasGreece
  2. 2.Internet Security LabInstitute for Infocomm ResearchSingapore

Personalised recommendations