vthrottle: stopping worms with milter

Jose Nazario, monkey.org, Ann Arbor, MI
Presented at UMEET 2003

early reaction to worm outbreaks has been commonly accepted as a worthwhile goal in worm defense mechanisms. however, worms are typically growing at an increasing rate in this critical early phase. due to a lack of insight into the propagation mechanism, network and system administrators cannot react quickly enough to make a difference in this early phase.

using vthrottle, a sendmail milter-based plugin, a generic worm propagation limiting mechanism has been developed. this idea is based on the presumption that damaging worms often attempt to spread as quickly as possible. this spread rate typically requires network activity well above a host's normal rates. by enforcing rate limits whose impact falls only on worm-like behavior, the network or network access devices (such as servers) can limit the spread of worms and other malware, giving administrators time to react to the scenario. vthrottle is a simple implementation of an SMTP rate limiting mechanism for sendmail servers.
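the per-host rate decision described above, sketched as an added example that is not vthrottle's own code: it assumes a token bucket keyed on the client address, and the names (`throttle_allow`, `simulate`), the constants and the documentation-range addresses are all chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS 64
#define BURST 5.0          /* assumed: messages a host may send back to back */
#define REFILL_PER_SEC 0.1 /* assumed: sustained rate of one message per 10 s */

static struct bucket { char host[46]; double tokens, last; int used; } table[MAX_HOSTS];

/* Find or create the bucket for a host; NULL when the table is full. */
static struct bucket *lookup(const char *host, double now) {
    struct bucket *free_slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (table[i].used && strcmp(table[i].host, host) == 0) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (!free_slot) return NULL;
    snprintf(free_slot->host, sizeof free_slot->host, "%s", host);
    free_slot->tokens = BURST; free_slot->last = now; free_slot->used = 1;
    return free_slot;
}

/* Returns 1 to accept the message, 0 to defer it. In a milter callback the
 * 0 case would map to SMFIS_TEMPFAIL, so a legitimate MTA retries later. */
int throttle_allow(const char *host, double now) {
    struct bucket *b = lookup(host, now);
    if (!b) return 0; /* design choice in this sketch: defer when state is full */
    double elapsed = now - b->last;
    if (elapsed > 0) { /* refill for the time since the last message, capped */
        b->tokens += elapsed * REFILL_PER_SEC;
        if (b->tokens > BURST) b->tokens = BURST;
        b->last = now;
    }
    if (b->tokens < 1.0) return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Constructed scenario: how many of n messages, sent from one host at a
 * fixed spacing in seconds, get through. */
int simulate(const char *host, int n, double spacing) {
    int accepted = 0;
    for (int i = 0; i < n; i++) accepted += throttle_allow(host, i * spacing);
    return accepted;
}

int main(void) {
    printf("10 msg/s host:    %d of 100 accepted\n", simulate("192.0.2.10", 100, 0.1));
    printf("1 msg/min host:   %d of 100 accepted\n", simulate("192.0.2.20", 100, 60.0));
}
```

a host sending far above its normal rate is held to the burst allowance while a host at ordinary volume never notices the limit, which is the asymmetry the abstract relies on.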

