Throttled at Birth: A New Way of Thwarting Viral Epidemics on Computers

After two days of discussing the nature of the universe -- a big computer or a collection of algorithms -- it's time to get back to basic technology. So today, we'll talk about a brand new and excellent idea: stopping the infection of our computers by viruses and worms by simply delaying new connections to the outside world.

The Economist has the story for you:

Early in the morning of July 19th 2001, a variant of a computer virus known as Code Red started spreading across the Internet. Within 14 hours, some 350,000 machines were infected. Like most modern virus outbreaks, it happened too quickly for people to intervene.

Matthew Williamson, a researcher at the Hewlett-Packard laboratories in Bristol, England, has now thought of a way to hamper the spread of a virus until engineers can finish their pizzas and get to the scene of the crime. He presented it at a recent conference at the Santa Fe Institute in New Mexico.

Dr Williamson's approach is based on the observation that computers infected by a virus behave differently in one key respect from uninfected computers. Once a virus has infected a machine, it will generally try to connect that machine to as many new computers as possible, as fast as possible, so as to spread itself further. A virus called Nimda, for example, gets its hosts to make new connections at a rate of up to 400 a second. Uninfected machines normally make connections at a far less frantic rate.

So he had the idea of limiting this rate. And does his idea work? Yes.

Recently, the throttle was tested on a group of 16 machines connected in an isolated network. When one of these machines was exposed to Nimda without the throttle being installed, all but one of the group were infected within 12 minutes. However, in one test when the throttle was applied, it took 13 minutes for a second machine to be infected, and half an hour for a third.

Throttling viruses in this way is such a simple idea that it raises the question of why it has not been thought of before. According to Dr Williamson, part of the reason is that most people think of computer security in a binary -- ie, "on" or "off" -- fashion. Throttling merely slows things down, making a system resilient rather than completely resistant.
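To make the mechanism concrete, here is a small simulation of such a throttle, added as an illustration and not taken from the article or from Dr Williamson's implementation. The working-set size, the release rate of one new host per second and all host labels are assumptions; only the figure of 400 connections a second comes from the text above.

```python
from collections import deque

class ConnectionThrottle:
    """Delay connections to unfamiliar hosts; recently contacted hosts pass at once."""

    def __init__(self, working_set_size=5, releases_per_tick=1):  # assumed values
        self.recent = deque(maxlen=working_set_size)  # hosts contacted lately
        self.delayed = deque()                        # unfamiliar hosts waiting
        self.pending = set()                          # fast membership test for delayed
        self.releases_per_tick = releases_per_tick

    def request(self, host):
        """Return True if the connection may go out now, False if it is queued."""
        if host in self.recent:
            return True
        if host not in self.pending:
            self.pending.add(host)
            self.delayed.append(host)
        return False

    def tick(self):
        """Once per second: let the allowed number of queued hosts through."""
        released = []
        while self.delayed and len(released) < self.releases_per_tick:
            host = self.delayed.popleft()
            self.pending.discard(host)
            self.recent.append(host)
            released.append(host)
        return released

def simulate(traffic, seconds):
    """Return (new hosts actually contacted, peak backlog) for a traffic source."""
    throttle, contacted, peak = ConnectionThrottle(), 0, 0
    for second in range(seconds):
        for host in traffic(second):
            throttle.request(host)
        peak = max(peak, len(throttle.delayed))
        contacted += len(throttle.tick())
    return contacted, peak

# Constructed traffic sources (labels are made up for the simulation).
def normal_traffic(second):      # one request a second, cycling over 3 servers
    return [f"server-{second % 3}"]

def scanning_traffic(second):    # 400 never-seen hosts a second, the Nimda rate above
    return [f"addr-{second}-{i}" for i in range(400)]

if __name__ == "__main__":
    print("normal  :", simulate(normal_traffic, 60))    # (3, 1)
    print("scanning:", simulate(scanning_traffic, 60))  # (60, 23941)
```

Over one simulated minute the ordinary client is barely delayed, while the scanning source reaches 60 new hosts instead of 24,000 and leaves a backlog large enough to be noticed.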

I have a simple word to qualify this new idea: amazing! Hundreds or thousands of developers are working to improve Web server security day after day, and nobody thought about this. Really incredible!

Source: The Economist print edition, November 21, 2002.
