Worm Detection in an IPv6 Internet

It is a commonly held belief that IPv6 provides greater security against random scanning worms by virtue of a very sparse address space. As a result, worm authors are looking for new ways to acquire vulnerable targets without relying on random scanning for them. It is possible to find vulnerable Web servers by sending carefully crafted queries to search engines or Domain Name System (DNS) queries to DNS servers. In this paper, we discuss scanning strategies of possible worms in the IPv6 Internet. The performance of the worm depends heavily on these strategies, which in turn depend on how secure directory and naming services of a network are. We present an integrated system for the detection and automatic containment of worm propagation in an IPv6 local area network. The detection engine of our system utilizes the DNS anomalies of the worm traffic. We propose a worm detection algorithm based on user habit of sending DNS queries in an IPv6 Internet. Experiment results show that the algorithm is able to detect worms propagation accurately at its early stage in real-time. Our results bring insight on the future battle against worm attacks.