Tuesday, August 09, 2005

It's full throttle in the battle against viruses

Richard Brown, team leader at Hewlett-Packard Co.'s laboratory in Bristol, England, is one of the pioneers of a "neighbourhood watch" approach to combatting computer viruses.

About five years ago, in the wake of widespread, nasty infections by the Code Red and Nimda worms, HP Labs began experimenting with new ways to fight computer viruses. One idea was that if all the computers on a business network took small, preventive actions, they could add up to significant overall results.

Traditional antivirus programs look for signatures -- recognizable bits of virus code -- that identify viruses in incoming e-mail or on a computer's hard disk. HP researchers took another tack, aiming to slow the progress of any outbound network traffic that looks like a computer worm or virus trying to spread itself.

The technique, called throttling or traffic shaping, aims not to identify offending programs but to slow their infectious activity across public and business networks. Those experiments are now bearing fruit, and the results are appearing in commercial products aimed at Internet service providers, small and large business servers and even individual PCs.

"In its strongest form, it's just preventing a machine that's infected from infecting anyone else," says Matthew Williamson, an original member of the HP team who is now senior research scientist at Sana Security Inc., in San Mateo, Calif.

Mr. Williamson says the technique of spotting viruses based on a recognizable signature was developed to fight slow-spreading viruses, and isn't a complete solution to today's fast-moving worms. Approaches like throttling that block suspicious behaviour "really are a much more sustainable way of thinking about the arms race."

Throttling basically limits the rate at which one computer can open connections to machines it has not recently talked to. Throttling might set a limit of one new connection every second, which would have little or no effect on most legitimate programs. A Web browser exchanges many messages with a server as it downloads a Web page, but these are repeat communications with one machine and aren't affected by throttling. The Nimda virus makes up to 400 new connections a second, Mr. Brown says, so throttling slows its spread dramatically.

Throttling does cause outgoing traffic to back up on the infected machine, slowing or stopping legitimate programs' communication, but the virus's self-replicating activities would do that anyway. Meanwhile, this sudden filling up of the outgoing message queue warns that something is amiss, Mr. Brown says, so network security staff can be alerted.
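The following simulation is an added example written for this page; it is not HP's code and not taken from the article. It models the mechanism the two paragraphs above describe: connections to hosts in a small "working set" of recently contacted machines pass straight through, connections to new hosts wait in a delay queue that drains at a fixed rate, and a queue that grows past a threshold raises an alert. The parameters (one new destination per time unit, a working set of five hosts, an alert threshold of 20 queued hosts), the browser workload, and the worm's sequential 10.0.x.x scan are all constructed assumptions; the 400 new connections per second for the worm is the figure quoted from Mr. Brown.

```python
"""Virus-throttle simulation (added example, not HP's implementation).

Assumed parameters: 1 new destination released per tick, working set of 5
recently contacted hosts, alert when 20 or more hosts are waiting.
"""
from collections import deque


class VirusThrottle:
    """Rate limit on connections to *new* destinations only."""

    def __init__(self, rate_per_tick=1, working_set_size=5, alert_threshold=20):
        self.rate = rate_per_tick
        self.alert_threshold = alert_threshold
        self.working_set = deque(maxlen=working_set_size)  # hosts contacted recently
        self.delay_queue = deque()   # new destinations waiting for a release slot
        self.queued = set()          # same hosts, for O(1) membership checks
        self.sent = 0                # connections allowed out so far
        self.max_queue = 0           # high-water mark of the delay queue
        self.alerts = []             # (tick, queue length) whenever threshold is met

    def request(self, dst):
        """A process asks to connect to dst. Returns True if it goes out now."""
        if dst in self.working_set:          # repeat traffic: unthrottled
            self.sent += 1
            return True
        if dst not in self.queued:           # first request for a new host
            self.queued.add(dst)
            self.delay_queue.append(dst)
        self.max_queue = max(self.max_queue, len(self.delay_queue))
        return False                         # held back until a slot frees up

    def tick(self, now):
        """Once per time unit: release at most `rate` queued destinations."""
        for _ in range(self.rate):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            self.queued.discard(dst)
            self.working_set.append(dst)     # later traffic to dst is free
            self.sent += 1
        if len(self.delay_queue) >= self.alert_threshold:
            self.alerts.append((now, len(self.delay_queue)))


def simulate_browser(ticks=12):
    """Constructed workload: a new site every 4 ticks, then 20 fetches per tick to it."""
    t = VirusThrottle()
    delayed = 0
    for now in range(ticks):
        site = f"www.site{now // 4}.example"
        # First contact is a single connect; once the site is in the working
        # set the page's remaining fetches all go to that same host.
        n = 1 if now % 4 == 0 else 20
        for _ in range(n):
            if not t.request(site):
                delayed += 1
        t.tick(now)
    return {"sent": t.sent, "delayed": delayed,
            "max_queue": t.max_queue, "alerts": len(t.alerts)}


def simulate_worm(ticks=12, scans_per_tick=400):
    """Constructed workload: a scanning worm hitting 400 fresh hosts per tick."""
    t = VirusThrottle()
    delayed = 0
    target = 0
    for now in range(ticks):
        for _ in range(scans_per_tick):
            dst = f"10.0.{target // 256}.{target % 256}"   # sequential scan (constructed)
            target += 1
            if not t.request(dst):
                delayed += 1
        t.tick(now)
    return {"sent": t.sent, "delayed": delayed, "max_queue": t.max_queue,
            "alerts": len(t.alerts),
            "first_alert_tick": t.alerts[0][0] if t.alerts else None,
            "unthrottled": ticks * scans_per_tick}


if __name__ == "__main__":
    print("browser:", simulate_browser())
    print("worm:   ", simulate_worm())
```

In the browser run only the first connect to each new site is delayed by one tick, the queue never holds more than one host, and no alert fires. In the worm run the throttle lets out one new host per tick instead of 400, so spread is slowed by a factor of 400, and the delay queue crosses the threshold on the very first tick, which is the signal the text describes for alerting security staff.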

Tom Copeland, president of the Canadian Association of Internet Providers (CAIP), says large ISPs were the early adopters and most have installed throttling capabilities. Now it is starting to filter down to products aimed at businesses.

For example, HP has built throttling capability into its ProLiant servers and ProCurve network switches. Mr. Brown says servers are often the first targets of virus attacks, but "there is no technical reason as far as I'm aware" not to implement throttling on client PCs as well.

In fact, Mr. Williamson calls a security feature Microsoft Corp. added to Windows XP last summer, limiting the number of network connections open at one time, a "very weak form of throttling."

Symantec Corp. is applying the same idea to fight spam. Its Security 8100 Series appliance attaches to a corporate network and monitors e-mail traffic. When the device sees large volumes of mail from a single Internet address, it limits the bandwidth allocated to traffic from that address.

This doesn't stop legitimate mail getting through, says Bruce Ernst, group product manager at Symantec, but spammers see outgoing messages backing up on their servers. "Most spammers just start to give up because they can't make their numbers." Mr. Ernst says large companies and ISPs are the major markets for the $4,995 (U.S.) appliance, but didn't say if a version would be made available to smaller organizations.

Dr. Clemens Martin, director of information technology programs at the University of Ontario Institute of Technology in Oshawa, Ont., says he is impressed by the results he has seen from throttling techniques, and the technology "definitely is worthwhile pursuing."

