Network worms and viruses have existed for well over 20 years. One of the first, and most famous, worm programs to affect the Internet was the Morris Worm of November 1988. This worm exploited vulnerabilities in the finger and sendmail programs. At that time the Internet consisted of approximately 60,000 hosts; the worm infected approximately 10% of them and caused significant outages and slowdowns of mail servers across the network. In July 2001 a new worm infection appeared that would significantly raise awareness of the threat posed by such malicious programs, against an Internet landscape that had changed dramatically.
An estimated 650 million hosts are connected to the Internet today, a fundamental shift in the number of potential participants in a worm's propagation. CodeRed spread quickly and became the most widespread and damaging worm to hit the Internet since the Morris Worm: an estimated 360,000 hosts were infected within 14 hours. Two months after CodeRed another large-scale worm, NIMDA (ADMIN spelled backwards), impacted the Internet. More recently, the Internet saw a new type of worm that spread at such a high rate that it was classified as a flash worm. The fast scanning rate of SQL Slammer in January 2003 was achieved because of its small size (a single 376-byte packet) and because the worm was UDP rather than TCP based (connectionless), so every scan cost only one packet and required no connection handshake. SQL Slammer reached its full scanning rate of 55 million scans per second within 3 minutes of the start of the infection and infected the majority of vulnerable hosts on the Internet within 10 minutes, with an estimated 250,000 to 300,000 infected hosts overall. Summer 2003 witnessed the infamous Blaster, and in January 2004 it was MyDoom's turn to impact Internet users.
While the underlying exploits used to gain access to target hosts varied between these worms, the methods and technologies used to mitigate and contain the infection remained the same. To protect the network from these threats, the security system must be able to protect against, and react to, both known and unknown attacks. This calls for an integrated security solution that is both flexible and pervasive, providing tighter collaboration between network services, security services, hosts, applications, management and business processes. Because worms typically invade an environment in a multi-phased approach, a layered structure, with each phase met by its own control, is an effective way to protect networks from these threats.