October 2003

The Internet Reborn

Continued from page 2

By Wade Roush

Baiting Worms

The Achilles' heel of today's Internet is that it's a system built on trust. Designed into the Net is the assumption that users at the network's endpoints know and trust one another; after all, the early Internet was a tool mainly for a few hundred government and university researchers. It delivers packets whether they are legitimate or the electronic equivalent of letter bombs. Now that the Internet has exploded into the cultural mainstream, that assumption is clearly outdated: the result is a stream of worms, viruses, and inadvertent errors that can cascade into economically devastating Internet-wide slowdowns and disruptions.

Take the Code Red Internet worm, which surfaced on July 12, 2001. It quickly spread to 360,000 machines around the world, hijacking them in an attempt to flood the White House Web site with meaningless data-a so-called denial-of-service attack that chokes off legitimate communication. Cleaning up the infected machines took system administrators months and cost businesses more than $2.6 billion, according to Computer Economics, an independent research organization in Carlsbad, CA.

Thanks to one PlanetLab project, Netbait, that kind of scenario could become a thing of the past. Machines infected with Code Red and other worms and viruses often send out "probe" packets as they search for more unprotected systems to infect. Dumb routers pass along these packets, and no one is the wiser until the real invasion arrives and local systems start shutting down. But in theory, the right program running on smart routers could intercept the probes, register where they're coming from, and help administrators track-and perhaps preempt-a networkwide infection. That's exactly what Netbait, developed by researchers at Intel and UC Berkeley, is designed to do.

This spring, the program showed how it can map a spreading epidemic. Brent Chun, Netbait's author, is one of several senior researchers assigned to PlanetLab by Intel, which helped launch the network by donating the hardware for its first 100 nodes. Chun ran Netbait on 90 nodes for several months earlier this year. In mid-March, it detected a sixfold spike in Code Red probes, from about 200 probes per day to more than 1,200-a level of sensitivity far beyond that of a lone, standard router. The data collected by Netbait showed that a variant of Code Red had begun to displace its older cousin.

As it turned out, there was little threat. The variant turned out to be no more malignant than its predecessor, for which remedies are now well known. But the larger point had been made. Without a global platform like PlanetLab as a vantage point, the spread of a new Code Red strain could have gone undetected until much later, when the administrators of local systems compared notes. By then, any response required would have been far more costly.

Netbait means "we can detect patterns and warn the local system administrators that certain machines are infected at their site," says Peterson. "That's something that people hadn't thought about before." By issuing alerts as soon as it detects probe packets, Netbait could even act as an early-warning system for the entire Internet.

Netbait could be running full time on PlanetLab by year's end, according to Chun. "Assuming people deem the service to be useful, eventually it will get on the radar of people at various companies," he says. It would then be easy, says Chun, to offer commercial Internet service providers subscriptions to Netbait, or to license the software to companies with their own planetwide computing infrastructures, such as IBM, Intel, or Akamai.