It is common practice to interconnect computers to form networks; the benefits offered by this approach are widely understood. In addition to computers, a network will typically contain ancillary devices, such as printers and traffic routers, which also have some data processing ability. It is often useful to refer to such devices and computers collectively as data processing machines. In this document, such entities will be referred to simply as “machines.”
FIG. 1 shows an IP (internet protocol) network, which is a common type of computing network. In an IP network, machines are assigned IP addresses. An IP address is a 32-bit binary number and is usually rendered in decimal form by treating the 32-bit address as four concatenated 8-bit words and converting each 8-bit word into a decimal number in the range 0 to 255, thus producing a sequence of four decimal numbers. An example of an IP address in decimal form is 17.154.11.117.
In an IP network, traffic can be sent to a particular machine by directing the traffic to the IP address of the machine concerned. However, a machine participating in an IP network may be required to handle network traffic relating to several different tasks at the same time. To cater for situations such as this, it is usual for a machine to differentiate between traffic for different tasks by allocating “port numbers” to the tasks. Thus, rather than describe traffic as passing from one machine to another, it is more usual to refer to traffic passing from a specific port on one machine to a particular port on another machine.
Certain port numbers are reserved for certain purposes. For example, port numbers 21, 25, 53 and 80 are reserved port numbers. Port number 80 is reserved for web access. If a machine hosts a web server application, then that application will monitor port 80 for requests from the network for web content. Port 21 is used in a similar manner for file serving. If a machine hosts a file server application, then that application will monitor port 21 of the host machine for file transfer protocol (FTP) requests. Ports 25 and 53 are used in a similar manner for SMTP (i.e., e-mail) and DNS (domain name service) traffic. A DNS application is responsible for resolving a tendered, human-readable Internet address (e.g. www.hp.com) into an IP address (or vice versa), or for referring the conversion request elsewhere for completion.
Traffic travels in and out of the network 10 through a router 12. Within the network 10, the machines are arranged in subnets. Two subnets 14 and 16 are shown in FIG. 1. Subnet 14 has a router 18 and subnet 16 has a router 20. Traffic enters and leaves subnet 14 through router 18 and, likewise, traffic enters and leaves subnet 16 through router 20. The network 10 also includes a switch 22, to which the three routers 12, 18, and 20 are connected. The switch 22 allows network traffic to pass between the three routers. For example, traffic emanating from subnet 14 and destined for subnet 16 passes out of subnet 14 through router 18 and then through switch 22 to router 20 and then into subnet 16. It will be appreciated that, in practice, a subnet may include several routers for allowing traffic to pass across the boundary of the subnet. Similarly, a network is, in practice, likely to contain more than one switch in order to provide a desired pattern of connections for allowing traffic to pass between the subnets and the network boundary.
FIG. 2 shows an example of a subnet. The subnet 23 contains a router 24, which provides a means for traffic to enter and leave the subnet. The router 24 is connected to a switch 26, and the switch is connected to four other machines 28, 30, 32, and 34. The four machines 28, 30, 32, and 34 can communicate with one another by sending traffic through the switch 26. Also, the four machines 28, 30, 32 and 34 can access the router 24 through the switch 26 for the purposes of sending traffic to, and receiving traffic from, the wider network outside the subnet.
It is normal practice for machines in a subnet of an IP network to be assigned IP addresses which, in binary form, begin with a common sequence of bits followed by a unique (within the subnet, at least) sequence of bits. The common portion of the IP addresses within a subnet is known as the subnet address. For example, if one assumes that the IP address of 17.154.11.117 belongs to a machine in a subnet of 256 members whose IP addresses range from 17.154.11.0 to 17.154.11.255, then the address of the subnet is 17.154.11.
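The address arithmetic described in the two preceding paragraphs, worked through as an added example (this code is not part of the patent text): dotted-decimal addresses are parsed into their 32-bit value with each octet validated, rendered back as four 8-bit words, and reduced to the subnet address by keeping the common leading bits. The helper names and the prefix-length parameter are this example's own conventions; the 256-member subnet in the text corresponds to a 24-bit prefix, and the subnet address the text writes as 17.154.11 is returned here in full dotted form as 17.154.11.0.

```python
# Added example: dotted-decimal <-> 32-bit conversion and subnet-prefix
# arithmetic for the IP addressing scheme described in the text.
# Function names and the prefix_len convention are this example's own.


def ip_to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address into its 32-bit integer value,
    rejecting anything that is not exactly four octets in the range 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric octet in {dotted!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Render a 32-bit integer as four concatenated 8-bit words in decimal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_binary(dotted: str) -> str:
    """Show the underlying 32-bit pattern, grouped into its four 8-bit words."""
    value = ip_to_int(dotted)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def subnet_address(dotted: str, prefix_len: int) -> str:
    """Keep the leading prefix_len bits (the portion common to every member
    of the subnet) and zero the remaining, machine-specific bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return int_to_ip(ip_to_int(dotted) & mask)


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True when both addresses share the same subnet address."""
    return subnet_address(a, prefix_len) == subnet_address(b, prefix_len)


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two addresses share, i.e. the longest prefix
    on which they could sit in one subnet."""
    diff = ip_to_int(a) ^ ip_to_int(b)
    return 32 - diff.bit_length()


def subnet_size(prefix_len: int) -> int:
    """Number of addresses in a subnet with the given prefix length (a /24 has 256)."""
    return 1 << (32 - prefix_len)


if __name__ == "__main__":
    host = "17.154.11.117"  # the example address used in the text
    print(host, "=", ip_to_int(host), "=", ip_to_binary(host))
    print("subnet (/24):", subnet_address(host, 24), "members:", subnet_size(24))
    print("same subnet as 17.154.11.3:", same_subnet(host, "17.154.11.3", 24))
```

Because `common_prefix_len` works on the XOR of the two values, it gives the longest prefix length that would place both machines in one subnet, which is a convenient check when auditing whether an address plan actually matches the subnet layout it is supposed to follow.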
Traffic within an IP network can be characterized as conforming to a connection-based or connectionless protocol. Both types of traffic can be flowing at the same time. In a connection-based protocol, such as HTTP (hypertext transfer protocol), two intercommunicating machines will establish a logical connection with one another before transmitting data between themselves, the logical connection providing, amongst other things, a mechanism for checking the safe receipt of data that is to be transmitted. A connection is normally established by one machine sending another a packet containing a connection request. In a connectionless protocol, by contrast, there is no coordination between machines prior to sending data between them. RTSP (real time streaming protocol) is an example of a connectionless protocol.
Associating machines to form a network has certain drawbacks. For example, it may become difficult to control the behavior of a machine in a network, since the machine will, in all probability, be influenced in its behavior by its interactions with other machines in the network. Insofar as certain behaviors may be undesirable to an operator of a machine, certain communications between networked machines are also undesirable. For example, a virus can be regarded as a communication that is sent to a machine to cause a change in the behavior of the machine. The types of behavioral change that are considered undesirable often involve the weakening of the security of a machine, the removal of information from a machine, or the transmission of information away from a machine.
A virus usually propagates by causing a machine to communicate the virus to one or more other machines. Schemes exist for impeding this propagation. For example, it is possible to use firewalls and other related network access technologies to control the traffic that enters or leaves a network. For example, in the network 10 of FIG. 1, a firewall could be installed in the router 12. In general terms, a firewall examines traffic attempting to cross a network boundary, classifies this traffic as either permissible or impermissible and allows only permissible traffic to cross the network boundary 11. The criteria used by a firewall to assess this permissibility are normally determined by a human administrator. In practice, a firewall or other network access control technology will not succeed in blocking all of the traffic that such an administrator would wish to block. For example, an administrator may fail to identify a certain type of undesirable traffic to a firewall, perhaps because he is unaware of that type or he is unable to categorize that type to the firewall. This problem is often exacerbated in practice, since networks tend to have more than just a single access point at which traffic can cross the network boundary.
A genre of mechanisms called throttles can complement firewalls and similar schemes in the control of virus action. A throttle is a mechanism, usually implemented in software, that controls the communications sent out from a machine. In the present document, a machine that is under the control of a throttle will be referred to as a throttled machine and a machine that is not under the control of a throttle will be called an unthrottled machine. In general terms, a throttle monitors the traffic that a machine is attempting to send out and governs the rate at which the machine may send traffic to other machines that are not familiar contacts of the machine. Typically, a throttle will allow a machine to send traffic freely to up to a maximum number F of destinations that are regarded as familiar to the machine and to send traffic to other destinations at up to a maximum rate of R distinct destinations per unit time. By using a throttle, the speed of propagation of a virus can be reduced considerably.
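The throttle just described, as an added example in working code (this is not the patent's own implementation): requests to any of up to F familiar destinations go out at once, while each new destination is queued and at most R distinct new destinations are released per unit of time, each becoming familiar on release. The text does not say how the familiar set is aged, so this example assumes least-recently-used replacement; the class and function names, the tick-based notion of time, and the two traffic schedules are this example's own constructions. Driving the same throttle with ordinary traffic (a few repeated destinations) and with a scanning pattern (many distinct destinations per unit time) shows the property an operator cares about: the queue of held destinations stays small under normal use and grows without bound under scanning, which both slows the spread and gives a quantity to alarm on.

```python
# Added example: an outbound-connection throttle with F familiar destinations
# and a release rate of R distinct new destinations per unit time, as in the
# scheme described in the text. LRU aging of the familiar set is an assumption.
from collections import OrderedDict, deque


class Throttle:
    def __init__(self, familiar_limit: int, rate_limit: int) -> None:
        self.familiar_limit = familiar_limit   # F: familiar destinations sent to freely
        self.rate_limit = rate_limit           # R: new destinations released per tick
        self.familiar = OrderedDict()          # destination -> None, ordered by recency
        self.pending = deque()                 # distinct new destinations awaiting release
        self.pending_set = set()               # membership index for the queue

    def send(self, destination: str) -> bool:
        """Return True if the request leaves now, False if it is held back."""
        if destination in self.familiar:
            self.familiar.move_to_end(destination)      # refresh recency
            return True
        if destination not in self.pending_set:         # queue each new destination once
            self.pending.append(destination)
            self.pending_set.add(destination)
        return False

    def tick(self) -> list:
        """Advance one unit of time: release up to R held destinations."""
        released = []
        for _ in range(min(self.rate_limit, len(self.pending))):
            destination = self.pending.popleft()
            self.pending_set.discard(destination)
            self._make_familiar(destination)
            released.append(destination)
        return released

    def _make_familiar(self, destination: str) -> None:
        self.familiar[destination] = None
        self.familiar.move_to_end(destination)
        if len(self.familiar) > self.familiar_limit:
            self.familiar.popitem(last=False)           # evict the least recently used

    def backlog(self) -> int:
        """Number of distinct destinations currently held back."""
        return len(self.pending)

    def is_familiar(self, destination: str) -> bool:
        return destination in self.familiar


def simulate(throttle: Throttle, schedule) -> list:
    """Feed one list of requested destinations per unit time and return the
    backlog observed at the end of each unit."""
    history = []
    for destinations in schedule:
        for destination in destinations:
            throttle.send(destination)
        throttle.tick()
        history.append(throttle.backlog())
    return history


def backlog_exceeds(history, threshold: int) -> bool:
    """A backlog that keeps climbing is the operator's signal that a machine
    is contacting far more new destinations than its normal traffic would."""
    return any(size > threshold for size in history)


if __name__ == "__main__":
    # Constructed schedules: a few repeated contacts versus a scan of 20 distinct hosts.
    normal = [["a", "b"], ["a", "c"], ["b", "a"], ["c", "a"]]
    scan = [[f"host{i}" for i in range(t * 5, t * 5 + 5)] for t in range(4)]
    print("normal traffic backlog per tick:", simulate(Throttle(4, 1), normal))
    print("scanning traffic backlog per tick:", simulate(Throttle(4, 1), scan))
```

With F = 4 and R = 1 the ordinary schedule settles to an empty queue within three ticks, while the scanning schedule leaves four more destinations waiting after every tick; a threshold on `backlog()` is therefore a natural place to raise an alert, and because the throttle holds rather than drops the traffic, a false positive costs a delay, not a lost connection.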
The failure of a throttle, due to, for example, deactivation or circumvention by a user or a virus, is undesirable since, clearly, a virus, if present, will be able to spread more freely. From a network management perspective, throttle failure is particularly undesirable given that some viruses, such as Nimda, are optimized for determining the addresses that might correspond to machines that neighbor an infected machine inside a network.