Empirical Analysis of Rate Limiting + Leap Ahead (RL+LA) Countermeasure against Witty Worm

Wormable system vulnerabilities continue to be identified and so fast spreading network worms continue to pose a threat to the Internet infrastructure due to their increased virulence, speed and sophistication in successive Internet-wide outbreaks. The cost of a single worm outbreak has been estimated to be as high as US $2.6 billion. In this paper, we report the empirical analysis of distributed worm detection and prevention countermeasure Rate Limiting + Leap Ahead (RL+LA) by using Pseudo-Witty worm with real outbreak characteristics of Witty worm. RL+LA, is a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary, while it also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The results show a significant increase in time of infection of Witty worm, when the countermeasure scheme is invoked, although it cannot completely stops the propagation of worm.