Abstract

Network telescopes have been invaluable for collecting information about dynamics of large-scale worm events. Yet, a telescope's observation may be incomplete due to scan congestion drops, hardware limitations, filtering and presence of NATs, a worm's non-uniform scanning strategy or its short life. We investigate inaccuracies in telescope observations that arise from worm-induced congestion drops of worm scans and show that they may lead to significant underestimates of the number of infectees and their scanning rate. We propose a method to infer worm-induced congestion drops from telescope's observations and use them to accurately estimate global worm dynamics. We apply our methods to CAIDA telescope's observations of Witty worm's spread, and release corrected statistics of worm dynamics for public use.

Date

October 20, 2008

Authors

Songjie Wei, Jelena Mirkovic

Book

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement

Pages

125-130