The Nortel anti-worm defence system

Catch-all

Nortel Networks yesterday revealed the anti-computer worm defences it had developed in-house after it was hit hard by last year's outbreaks of Nimda and Code Red 2.

According to John Morris, an IT manager at Nortel Networks, the anti-worm system could help large institutions and even ISPs. He challenged vendors to develop a commercial equivalent to the bespoke system designed by Nortel.

When Nortel was hit by Code Red 2, the outbreak was manageable - for the first 30 minutes, following which the worm spread exponentially. The spread of Code Red 2 was curtailed only when the worm ran out of worm food (vulnerable servers to infect) and as its actions pulled down the network services it needed to propagate.

Speaking at the Virus Bulletin Conference in New Orleans yesterday, Norris said no single strategy is enough to constitute an effective countermeasure for the spread of such worms.

AV tools and personal firewalls can mitigate the risk against spreading worm, software patching restricts exposure and traffic filtering and tarpitting help slow down the spread on malware, but even all three on their own are not enough.

Shutting down port 80 traffic in a network as a cure may allow other traffic, such as email, to continue across a network but represents a cure worse than the disease from the point of view of many end-users.

Detect worms and taking infected servers off the network is very time consuming, so Morris and his colleagues developed a variety of early warning systems to catch worm in the crucial, early stage of infection. This allows Nortel to quickly quarantine infected machines, preventing incidents becoming outbreaks.

In many ways Nortel's anti-worm defence is very similar to an intrusion detection system, albeit designed specifically to look out for network-aware worms.

Among the measures Nortel implemented are worm lures, honeypot servers placed directly in the path of likely paths of worm infection; honeypot email accounts, designed to catch email-borne worms that send themselves to the first addresses in users address books and SMB lures, designed to flag up machines attempting to spread across file shares. Nortel also uses what Norris described as a Black Widow tool to detect worms crawling the Web.

Lastly, with the spread of possible successors to Nimda in mind, Nortel has established a large number of IP addresses on one machine, which will therefore show early signs of a large-scale worm assault on the companies network.

Nortel has had the system in production for six months and reports considerable success, with the SMB Lure proving to be the most effective tool in isolating problems (it accounts for four out of five quarantine events thus far).

Doubts were expressed about whether Nortel's systems led to an unacceptable level of false positives, but Morris said that tuning the system minimises this risk.

Other end users attending the conference said they used some, but not all, of the techniques deployed by Nortel. But there was a marked scepticism from vendors about Nortel's ideas, and no particular appetite to rise to Morris challenge to commercialise an anti-worm defence system. ®

Sponsored: Network DDoS protection