Emergic: Rajesh Jain's Blog

Emergic: Rajesh Jain's Blog header image 2

Throttling Viruses

November 25th, 2002 · No Comments

An interesting story from the Economist on how viruses can be throttled early on in their life to prevent an epidemic breaking out:

Dr Matthew Williamson’s approach is based on the observation that computers infected by a virus behave differently in one key respect from uninfected computers. Once a virus has infected a machine, it will generally try to connect that machine to as many new computers as possible, as fast as possible, so as to spread itself further. A virus called Nimda, for example, gets its hosts to make new connections at a rate of up to 400 a second. Uninfected machines normally make connections at a far less frantic rate. Those connections are also more likely to be to machines that are both familiar and in big demand, such as mail servers or the hosts of favourite websites.

The idea, then, is to limit the rate at which a computer can connect to new computers, where “new” means those that are not on a recent history list. Dr Williamson’s “throttle” (so called because it is both a kind of valve and a way of strangling viruses at birth) restricts such connections to one a second. This might not sound like much to a human, but to a computer virus it is an age.

And it seems to work. Recently, the throttle was tested on a group of 16 machines connected in an isolated network. When one of these machines was exposed to Nimda without the throttle being installed, all but one of the group were infected within 12 minutes. However, in one test when the throttle was applied, it took 13 minutes for a second machine to be infected, and half an hour for a third.

But the particular benefit of throttling is that it alerts people to an attack. When a virus infects a computer with a throttle, a huge backlog of requests develops within a few seconds. This is easy to detect, and once detected, human intervention becomes possible. In addition, though throttling has a big impact on the spread of a virus, it makes little difference to ordinary activities such as web browsing. Dr Williamson has been testing the system on his colleagues over the past three months. Some 98% of connections were made with no extra delay. The maximum delaywhich was experienced in one connection in 80,000was of only five seconds.

Why did no one think of this before? The Economist has an interesting point: “According to Dr Williamson, part of the reason is that most people think of computer security in a binaryie, on or offfashion. Throttling merely slows things down, making a system resilient rather than completely resistant. People also, not unnaturally, think mainly about protecting themselves from attack. Yet, like vaccinating children, much of the benefit of throttling accrues to othersie, those to whom the virus is not transmitted, even if those others have not taken the trouble to protect themselves. In fact, it is in some ways worse than vaccination, since at least a vaccinated individual is also protected (albeit at the small risk of an adverse reaction to the vaccine). With throttling, all the benefit accrues to others.”

The story is fascinating example of how thinking a little differently and creatively can make a big difference.

Tags: Software

0 responses so far ↓

  • There are no comments yet...Kick things off by filling out the form below.

Leave a Comment