Slashdot Mirror


CAIDA Released Code-Red Worm Post Mortem

davidu writes "David Moore at CAIDA (The Cooperative Association for Internet Data Analysis) was monitoring an entire /8 network while the code-red worm traversed the net. His findings are really interesting and show just how swiftly code-red moved across the net and infected hosts. It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worm's attack and DoS potential. Note: check the graphs; these pictures really do tell a thousand words."

4 of 186 comments

  1. Wait til August 1st by LinuxHam · Score: 5

    I'm surprised that no one is mentioning that the random infection part of Code Red is programmed to restart on the 1st of *every month*. Sure, by changing the IP of whitehouse.gov and short-circuiting packets destined for the old IP to the bit bucket, the attack phase will never be a problem.

    However, since it appears the number of infections capped at about 359,000 machines, I would venture that at least a quarter of those machines will not be repaired/rebooted by August 1st. If the number of infections went from zero to 359,000 in a couple of days at most, imagine what kind of storm is going to kick off on August 1st when nearly 100,000 machines restart the infection phase of the worm! How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?

    Just for the sake of gloom-and-doom, how long will it take before the Internet only becomes usable between the 20th and the end of each month, due to Code Red infection storms between the 1st and the 19th? I don't think the core Internet routers can perform stateful-enough inspection to route "Code Red infection" attacks to /dev/null. Perhaps that would drive enough white hat hackers to spread a repair worm, and start that whole argument all over again.
    --
    Steve Jackson

    --
    Intelligent Life on Earth
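Blackholing the old whitehouse.gov address, as the comment above describes, only handles the attack phase; catching the infection phase means recognising the worm's probe in web-server logs or on the wire. The following is an added example, not code from the post, from CAIDA or from Slashdot, that flags Code Red-style probes in Common Log Format access logs. It relies on the widely published shape of the worm's request: a GET for /default.ida whose query string is a long run of one filler letter (N in the original worm, X in the write-ups of Code Red II) followed by %u-encoded payload bytes. The sample log lines, the IP addresses and the abbreviated payload are constructed for the example, and the 64-character filler threshold is an assumption of this code, not a figure the page states.

```python
import re
from typing import NamedTuple, Optional

# Common Log Format: host ident authuser [time] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The .ida overflow request: query string is a long run of a single filler
# letter (N or X) followed by %uXXXX-encoded payload bytes.  A plain request
# for /default.ida with no such query is NOT a probe, so the pattern demands
# the filler run (64+ chars here, an assumed threshold) plus a %u escape.
IDA_PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<filler>[NX])(?P=filler){63,}%u[0-9a-fA-F]{4}'
)

# Payload prefix abbreviated from the published request; constructed sample.
_PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"

# Constructed access-log sample: two probes (N and X fillers), one benign
# request for the .ida handler, one ordinary page fetch, one non-CLF line.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:13:22:01 -0400] "GET /index.html HTTP/1.0" 200 1234',
    f'192.0.2.77 - - [19/Jul/2001:13:22:09 -0400] "GET /default.ida?{"N" * 224}{_PAYLOAD}=a HTTP/1.0" 404 268',
    f'198.51.100.9 - - [19/Jul/2001:13:24:40 -0400] "GET /default.ida?{"X" * 224}{_PAYLOAD}=a HTTP/1.0" 400 325',
    '10.0.0.6 - - [19/Jul/2001:13:25:13 -0400] "GET /default.ida HTTP/1.0" 200 512',
    'garbage line that is not in Common Log Format',
])


class Probe(NamedTuple):
    src: str
    timestamp: str
    filler: str   # 'N' or 'X'
    status: int


def code_red_filler(path: str) -> Optional[str]:
    """Return the filler letter if the request path looks like a Code Red probe, else None."""
    m = IDA_PROBE_RE.match(path)
    return m.group("filler") if m else None


def find_probes(log_text: str) -> list[Probe]:
    """Parse CLF lines and keep only those whose request is a Code Red probe."""
    probes: list[Probe] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF: skip rather than guess at the fields
        filler = code_red_filler(m.group("path"))
        if filler:
            probes.append(Probe(m.group("src"), m.group("ts"), filler, int(m.group("status"))))
    return probes


def infected_sources(probes: list[Probe]) -> set[str]:
    """Every probe source is, by the worm's own design, an infected IIS host."""
    return {p.src for p in probes}


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.timestamp}  {p.src:<15} filler={p.filler} status={p.status}")
    print("infected sources:", sorted(infected_sources(found)))
```

The status code is deliberately ignored by the match: a probe that hits a non-IIS server gets a 404 or 400 and is still evidence that the source is infected, which is exactly what made a passive /8 telescope such a good vantage point for counting victims.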

  2. You can't blame them entirely by Dr_Cheeks · Score: 5

    It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.
    I think it's safe to say that most people on Slashdot are not only competent enough to apply patches, but interested enough in computers (for work or a hobby or whatever) to actually do it.

    But we're not a typical cross-section of the public. People are used to buying something and having it work. They don't need to patch their TV every couple of months to prevent people abusing it, and they just don't (and probably never will) see why they should do this for their PC, which is just another appliance (to them at least). And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves if it started burning a lot of oil - it's all a matter of whether you're willing and able to do the job.

    The only way you're going to stop people like this propagating worms or virii or whatever in this manner is by taking that need for vigilance out of their hands. Quite how you do that without infringing on their privacy is beyond me. But just think about the fuss that would be kicked up here on Slashdot if Microsoft wrote its software to require MS full access to its OS at all times over the phone line under the pretext of helping home users keep their machines up to date.

    Don't criticise the regular consumers unless you've got a better solution. And I don't count banning them from the net as better (even if it does have a certain appeal).

  3. Eerie parallel with biological epidemics by MagikSlinger · Score: 5

    If ever there was a more graphic proof why monopolies are bad...

    What I find interesting is the parallels with biodiversity. One of the arguments for biodiversity, especially in agriculture, is that a wide variety of species will slow the growth of any disease or epidemic. If everyone planted the exact same species and variety of wheat, a single organism could wipe out the global harvest; but if everyone used whatever species or variety they felt like, an opportunistic organism's growth would be blunted. The organism can't adapt to and infect a hundred varieties of a crop, so it will try to infect unideal hosts and fail.

    This same argument can be said for software. If everyone uses the exact same software from the same company, then an opportunistic hacker or virus could rapidly take over everything; but if there were more companies and products out there, then the virus/worm would either have to learn how to hack a dozen or more different systems, or it is limited to growth among one particular system. So if MS gets its way, we'll get computer equivalents to AIDS and Ebola creating pandemics of worms and viruses. But if there were more competitors, then no single worm or virus could ever pose much of a threat.

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
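The biodiversity argument in the comment above can be made quantitative with a simple random-scanning model, which is also what explains the speed CAIDA measured: every infected host probes random IPv4 addresses, a probe spreads the infection only if it lands on a still-uninfected vulnerable host, and so the exponential growth rate is proportional to the size of the vulnerable pool. The model below is an added example, not the post's argument in code and not CAIDA's methodology. The 359,000-host figure is taken from the first comment; the twelve-platform split, the ten scans per tick, the single seed host and the expected-value (deterministic logistic) treatment are assumptions chosen for illustration.

```python
ADDRESS_SPACE = 2 ** 32  # IPv4: the worm picked target addresses at random


def ticks_to_fraction(vulnerable: int, scans_per_tick: float,
                      fraction: float, seed: int = 1) -> int:
    """Expected-value random-scan model (an assumption of this example).

    Each infected host sends scans_per_tick probes to uniformly random IPv4
    addresses per tick; a probe infects only if it hits a vulnerable host
    that is not yet infected.  Returns the number of ticks until the
    infected population first reaches fraction * vulnerable.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    if seed <= 0:
        raise ValueError("need at least one seed host or nothing ever spreads")
    infected = float(seed)
    target = fraction * vulnerable
    ticks = 0
    while infected < target:
        # Probability that one random probe lands on a fresh victim shrinks
        # as the pool fills: that is the logistic slowdown in the graphs.
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable),
                       infected + infected * scans_per_tick * hit_prob)
        ticks += 1
    return ticks


def compare_monoculture(vulnerable: int, platforms: int,
                        scans_per_tick: float = 10.0,
                        fraction: float = 0.5) -> tuple[int, int]:
    """Ticks to infect `fraction` of the pool in a monoculture (every host
    runs the same software) versus the same hosts split evenly across
    `platforms` mutually incompatible platforms, where a worm written for
    one platform has only vulnerable // platforms targets to find."""
    mono = ticks_to_fraction(vulnerable, scans_per_tick, fraction)
    diverse = ticks_to_fraction(vulnerable // platforms, scans_per_tick, fraction)
    return mono, diverse


if __name__ == "__main__":
    mono, diverse = compare_monoculture(359_000, 12)
    print(f"monoculture: {mono} ticks to 50%; one of 12 platforms: {diverse} ticks")
    print(f"slowdown factor: {diverse / mono:.1f}x")
```

Halving the vulnerable pool roughly halves the growth rate, so splitting 359,000 hosts across twelve platforms makes a worm for any one of them take about ten times as many ticks to reach half of its (now much smaller) pool. The caveat worth keeping: that smaller pool is still fully infected eventually. Diversity buys time for patching and detection; it does not by itself stop a worm.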

  4. The world is safe again ... by s20451 · Score: 5

    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worm's attack and DoS potential.

    Once again, evil is thwarted because, just as on television, the villains are incompetent while the virtuous are strong and intelligent.

    I wonder if the virus author also committed any of the following classic villain errors:

    1. Brought the heroes to his/her secret mountain lair to kill them personally rather than letting a henchman do it at great distance
    2. Explained his/her dastardly plan in detail to the heroes before killing them
    3. Arranged for a dramatic but overly-complicated and easily escapable death for the heroes
    4. Once the heroes escape, get a squad of elite ninjas to track them down, but have the ninjas attack one at a time so as to ensure defeat in spite of superior numbers

    So, the world is safe again ... but ... for how long?

    --
    Toronto-area transit rider? Rate your ride.