Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. In addition, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.
We then report on experiences subsequently implementing our algorithm in Click [13] and deploying it both on our own network and in the DETER testbed [6]. Doing so uncovered additional considerations, including the need to passively map the monitored LAN due to Ethernet switch behavior, and the problem of detecting ARP scanning as well as IP scanning. We finish with a discussion of some deployment issues, including broadcast/multicast traffic and the use of NAT to realize sparser address spaces.
An earlier version of this chapter appears in Proceedings of the USENIX Security Symposium, 2004.