which knows how to detect abnormal requests and responses, the worm could spread very widely without detection (though perhaps other detection means such as Tripwire file integrity checkers [Tw02] might discover it). In addition to exploiting the natural communication patterns to spread the worm, these might also be used by the attacker to then control it and retrieve information from the infected hosts, providing that the endemic traffic patterns prove of sufficient frequency and volume for the attacker's purposes. (Or, of course, the attacker might more directly command the infected hosts when the time is ripe, "blowing their cover" in the course of a rapid strike for which keeping the hosts hidden can now be sacrificed.)
As described above, one might find contagion worms a clear theoretical threat, but not necessarily such a grave threat in practice. The example requires a pair of exploits, and will be limited by the size of the populations vulnerable to those attacks and the speed with which Web surfing would serve to interconnect the populations. While some argue the Web exhibits the "small world" phenomenon [Br+00], in which the distance between different Web items in the hypertext topology is quite low, this doesn't necessarily mean that the dynamic patterns by which users visit that content exhibit a similar degree of locality.

We now present a more compelling example of the latent threat posed by the contagion model, namely leveraging peer-to-peer (P2P) systems. P2P systems generally entail a large set of computers all running the same software. Strictly speaking, the computers need only all run the same protocol, but in practice the number of independent implementations is quite limited, and it is plausible that generally a single implementation heavily dominates the population. Each node in the P2P network is both a client and a server.⁷ Accordingly, the problem of finding a pair of exploits to infect both client and server might likely be reduced to the problem of finding a single exploit, significantly less work for the attacker. P2P systems have several other advantages that make them well suited to contagion worms: (i) they tend to interconnect with many different peers, (ii) they are often used to transfer large files, (iii) the protocols are generally not viewed as mainstream and hence receive less attention in terms of monitoring by intrusion detection systems and analysis of implementation vulnerabilities, (iv) the programs often execute on user's desktops rather than servers, and hence are more likely to have access to sensitive files such as passwords, credit card numbers, address books, and (v) the use of the P2P network often entails the transfer of "grey" content (e.g., pornography, pirated music and videos), arguably making the P2P users less inclined to draw attention to any unusual behavior of the system that they perceive.

The final, sobering quality of P2P networks for forming contagion worms is their potentially immense size. We obtained a trace of TCP port 1214 traffic recorded in November, 2001, at the border of a large university. Port 1214 is used by the KaZaA [Ka01] and Morpheus [Mu01] P2P sharing systems (both⁸ built on the FastTrack P2P framework [Fa01]). As of January, 2002, the KaZaA distributors claim that more than 30,000,000 copies have been downloaded [Ka01]. Since our data does not allow us to readily distinguish between KaZaA and Morpheus traffic, for ease of exposition we will simply refer to all of the traffic as KaZaA.

Our KaZaA trace consists of summaries of TCP connections recorded by a passive network monitor. We have restricted the data to only those connections for which successful SYN and FIN handshakes were both seen (corresponding to connections reliably established and terminated, and eliminating unsuccessful connections such as those due to scanning).

The volume of KaZaA traffic at the university is immense: it comprises 5–10 million established connections per day. What is particularly striking, however, is the diversity of the remote hosts with which hosts at the university participated in KaZaA connections. During the month of November, 9 million distinct remote IP addresses engaged in successful KaZaA connections with university hosts. (There were 5,800 distinct university KaZaA hosts during this time.)

Distinct addresses do not directly equate to distinct computers. A single address can represent multiple computers due to the use of NAT, DHCP, or modem dialups accessed by different users. On the other hand, the same computer can also show up as different addresses due to these mechanisms. Thus, we do not have a precise sense of the number of distinct computers involved in the November trace, but it appears reasonable to estimate it as around 9 million.

KaZaA uses a variant of HTTP for framing its applica-

⁷ Of particular interest are flaws which can only be exploited to infect hosts that initiate a connection. Such flaws cannot be effectively used for fast-spreading worms, but are suitable for contagion worms.

⁸ In early 2002, Morpheus switched to instead use the Gnutella P2P framework [Re02].
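The connection filter and counts behind the trace figures above, as an added example (not the paper's own analysis code): it keeps only port 1214 connections for which both the SYN and FIN handshakes completed, then reports established connections per day and the number of distinct remote and university addresses. The record format, the state codes, the university prefix 192.0.2.0/24 and the sample lines are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

KAZAA_PORT = 1214
UNIVERSITY_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed "university" prefix

# Constructed connection summaries: unix_ts src_ip dst_ip dst_port state.
# "SF" = SYN and FIN both seen (reliably established and terminated);
# "S0" = SYN only, i.e. scan-like, and is excluded as the paper's filter does.
SAMPLE_LOG = """\
1004572800 192.0.2.10 198.51.100.7 1214 SF
1004572801 203.0.113.5 192.0.2.10 1214 SF
1004572802 203.0.113.9 192.0.2.11 1214 S0
1004572803 198.51.100.7 192.0.2.12 1214 SF
1004572804 192.0.2.12 203.0.113.5 80 SF
1004659200 203.0.113.5 192.0.2.10 1214 SF
1004659201 198.51.100.40 203.0.113.9 1214 SF
1004659202 192.0.2.13 198.51.100.40 1214 SF
"""


def established_kazaa(lines):
    """Yield (day, university_ip, remote_ip) for each established port-1214 flow."""
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        if int(dport) != KAZAA_PORT or state != "SF":
            continue  # other services, or handshakes that never completed
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_local, dst_local = src_ip in UNIVERSITY_NET, dst_ip in UNIVERSITY_NET
        if src_local == dst_local:
            continue  # a border monitor only sees flows crossing the border
        local, remote = (src_ip, dst_ip) if src_local else (dst_ip, src_ip)
        day = datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()
        yield day, str(local), str(remote)


def summarize(log_text):
    """Per-day established connections plus distinct remote and university hosts."""
    per_day, remotes, locals_ = defaultdict(int), set(), set()
    for day, local, remote in established_kazaa(log_text.splitlines()):
        per_day[day] += 1
        locals_.add(local)
        remotes.add(remote)
    # Distinct addresses only estimate distinct computers (NAT, DHCP, dialup).
    return {"per_day": dict(per_day), "remote_hosts": len(remotes), "local_hosts": len(locals_)}
```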