Slashdot Mirror


Microsoft Worms and Global Routing Instability

James Cowie writes: "Fresh analysis here indicates that worm propagation periods correlate very strongly with global BGP routing instability, as measured by sustained exponential increases in the number of prefix announcements and withdrawals seen in BGP message traces."

215 comments
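The submission's measurement, counting prefix announcements and withdrawals in BGP traces and looking for a sustained exponential rise, as an added example (not code from the story or from the paper it links). The trace format, the 60-second bucket, the 1.8x growth ratio and the three-step minimum run are assumptions made for this example, and the trace itself is constructed.

```python
from collections import Counter

# Constructed trace format for this example (not a real collector or MRT
# format): one BGP update per line, "<unix_time> <A|W> <prefix>".
BASE = 1_000_000_020          # constructed start time, a multiple of 60
BUCKET_S = 60


def parse_trace(lines):
    """Parse trace lines into (time, kind, prefix) tuples."""
    updates = []
    for line in lines:
        if not line.strip():
            continue
        ts, kind, prefix = line.split()
        if kind not in ("A", "W"):
            raise ValueError(f"unknown update kind in {line!r}")
        updates.append((int(ts), kind, prefix))
    return updates


def bin_updates(updates, bucket_s=BUCKET_S):
    """Count announcements plus withdrawals per bucket; gaps count as 0."""
    counts = Counter(ts // bucket_s for ts, _, _ in updates)
    if not counts:
        return []
    lo, hi = min(counts), max(counts)
    return [(b * bucket_s, counts[b]) for b in range(lo, hi + 1)]


def find_exponential_runs(series, min_ratio=1.8, min_len=3):
    """Find runs where the per-bucket count grows by at least min_ratio
    from one bucket to the next for at least min_len consecutive steps.
    Returns [(baseline_bucket_time, last_bucket_time, steps)]."""
    runs = []
    start = None
    steps = 0
    for i in range(1, len(series)):
        prev, cur = series[i - 1][1], series[i][1]
        if prev > 0 and cur >= min_ratio * prev:
            if start is None:
                start = i - 1
            steps += 1
        else:
            if steps >= min_len:
                runs.append((series[start][0], series[i - 1][0], steps))
            start, steps = None, 0
    if steps >= min_len:
        runs.append((series[start][0], series[-1][0], steps))
    return runs


def make_trace(counts_per_bucket, base=BASE):
    """Build constructed trace lines with counts_per_bucket[i] updates in
    bucket i, alternating announcements and withdrawals."""
    lines = []
    for i, n in enumerate(counts_per_bucket):
        for j in range(n):
            kind = "A" if j % 2 == 0 else "W"
            prefix = f"10.{i}.{j % 256}.0/24"          # constructed prefix
            t = base + i * BUCKET_S + (j % BUCKET_S)  # stays inside bucket i
            lines.append(f"{t} {kind} {prefix}")
    return lines


# Constructed scenario: a quiet baseline, then roughly a doubling of
# updates per minute for five minutes, then a plateau.
COUNTS = [5, 6, 5, 10, 21, 40, 85, 160, 150]
TRACE = make_trace(COUNTS)


def analyze(lines):
    """Parse, bin and flag sustained exponential growth in one call."""
    return find_exponential_runs(bin_updates(parse_trace(lines)))


if __name__ == "__main__":
    for start, end, steps in analyze(TRACE):
        print(f"exponential growth from t={start} to t={end} "
              f"({steps} consecutive growth steps)")
```

On the constructed trace the detector reports one run covering the five doubling minutes and ignores both the noisy baseline and the plateau.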

  1. Story misleading? by baptiste · · Score: 3, Informative

    The story seems to imply that the worms spread faster because of BGP instability when the paper seems to be saying the BGP instability is being CAUSED by the worms.

    In this online note, we summarize our preliminary analysis of the surprisingly strong impact of the Internet propagation of Microsoft worms (such as Code Red and Nimda) on the stability of the global routing system.

    1. Re:Story misleading? by DCheesi · · Score: 3, Informative

      Err, no, you're just reading too much into it. The story only mentions a correlation between the two phenomena; there's no implication of causality there. In fact, my impression upon reading it was that the worms cause the instability --probably because that's the only scenario that really makes sense to me.

    2. Re:Story misleading? by sammy+baby · · Score: 4, Insightful
      What do you mean, "seems to imply?" It states it flat out:

      Instead, we have documented a compelling connection between global routing instability and the propagation phase of Microsoft worms such as Code Red and Nimda... what were thought to be purely traffic-based denials of service in fact are seen to generate widespread end-to-end routing instability...


      If you're trying to suggest that the story submission is unfair in alleging that Microsoft worms are causing this instability... well, that's exactly what the paper is saying, eh?

    3. Re:Story misleading? by leto · · Score: 2, Informative

      They say "routing instability" not "BGP instability".

      However, further down in the article they mention that people might need to give BGP packets some preference so that they don't get dropped when something like a Microsoft virus sweeps through your routers, causing BGP reconnects (and thus BGP instability).

      Leto

    4. Re:Story misleading? by baptiste · · Score: 2

      Yeah well it was early and the caffeine IV wasn't in yet :)

    5. Re:Story misleading? by sammy+baby · · Score: 1

      Doh. I completely misread Baptiste's original post. I should never reply to anything on /. prior to my first daily dose of caffeine. My apologies.

    6. Re:Story misleading? by Anonymous Coward · · Score: 0

      Ignore him, he can't read or has no brain.

    7. Re:Story misleading? by Anonymous Coward · · Score: 0

      Oh, or hasn't had any coffee yet. :-)

  2. You don't say!!! by squaretorus · · Score: 0, Redundant

    REALLY!!! Has anyone checked sun spot activity against this??

  3. Also... and *not* off topic. by minus23 · · Score: 5, Offtopic

    Net instability can also be predicted if Slashdot links to a .... well anything.

    1. Re:Also... and *not* off topic. by Anonymous Coward · · Score: 0

      Imagine a Beowulf cluster of naked and petrified Natalie Portmans pouring hot grits down her pants while KICKING YOUR PENIS BIRDS ASS and watching *BSD and Stephen King die!

  4. The most obvious conclusion to be drawn by Anonymous Coward · · Score: 2, Funny

    ...is sad, but true:

    Global Routing is dying.

    1. Re:The most obvious conclusion to be drawn by Anonymous Coward · · Score: 0

      Global routing doesn't exist anymore! Check your routing tables and if one of the major trunk routers goes down you will lose a whole lot of the internet!

  5. Microsoft x Worms by carlosjordao · · Score: 2, Funny

    Microsoft IIS Worms
    Are the worms cause or effect?
    Is IIS the cause or effect?

    If we shut down one of them, does the net become stable?
    Is it easier to shut down worms than IIS?

    hmmm... it's a hard decision. Has anyone scanned Internet for viruses?

    :-)

    "Nobody is real - Powerman 5000"

    1. Re:Microsoft x Worms by carlosjordao · · Score: 1

      Oops, sorry,
      I forgot to say:
      Microsoft IIS {=== net instability ====} Worms

    2. Re:Microsoft x Worms by Anonymous Coward · · Score: 0

      Which came first, the chicken or the egg? The Microsoft or the Worm? Did I start listening to pop music because I was miserable, or am I miserable because I listen to pop music?

    3. Re:Microsoft x Worms by ethereal · · Score: 3, Funny

      If IIS gets r00ted in a forest where no one's around, can you still hear the nimda flood it unleashes?

      --

      Your right to not believe: Americans United for Separation of Church and

  6. Good report, but what's the point? by disc-chord · · Score: 3, Interesting

    Very fascinating read, with lots of graphs that really strike the message home. But what is the point? Anyone with an internet connection will have no doubt experienced the instability.

    I've personally had a particularly poor router losing my packets for the last week, and have been trace routing it from all over the country to triangulate the problem. Doing a tracert from Maine, California and Texas seems to provide a reasonable picture of what's going on with a specific router by triangulating in on the offending router... so I'm a bit unclear on why this study was called for, unless it's just to point fingers at Microsoft...

    1. Re:Good report, but what's the point? by iso · · Score: 4, Insightful

      But what is the point? Anyone with an internet connection will have no doubt experienced the instability. ... so I'm a bit unclear on why this study was called for

      It's an analytical tool called a scientific proof. Believe it or not, anecdotal evidence (like you suggested) is not enough to prove your intuition that IIS worms influence global routing stability. You need scientific evidence to prove a hypothesis such as this.

      - j

    2. Re:Good report, but what's the point? by MemeRot · · Score: 2, Interesting

      Well I think the point to the researchers is just to find out what was causing what they saw. This is what researchers do :) This was not about one router, it was about global routing.

      To me, the point of research like this is to point fingers at Microsoft. Microsoft can claim not to have a problem with security all they want. But if it is shown that security vulnerabilities in their system are causing instability in global internet routing, that could provide a way to show liability. Because dammit no software company should be doing anything that could degrade global internet routing.

      Currently it's hard to argue in court that a reasonable programmer might not leave some of those vulnerabilities. But if those vulnerabilities were responsible for crippling the net? I think any court would hold that any reasonable programmer would make sure their program can't cripple the internet. Meaning the billions in dollars it costs everyone attached to the net when these viruses spread, not just MS users, could be recovered from MS and give them a real impetus to build security into their systems, which is currently missing. Many of you hold spammers to be responsible when they use your network resources without your permission. Microsoft is doing the same thing by leaving these holes. Why haven't the limited patches they have been pushed by critical update? Why has Microsoft come out in the press to say that millions are unnecessarily downloading these patches in an apparent attempt to dissuade people from downloading the patches? In the same week that critical update kept insisting I download patches for Win2k that are only relevant to servers when I only use my box as a workstation?

    3. Re:Good report, but what's the point? by tjgoodwin · · Score: 4, Insightful
      But what is the point? Anyone with an internet connection will have no doubt experienced the instability.

      The point is clearly stated in the article: Contrary to conventional wisdom, what were thought to be purely traffic-based denials of service in fact are seen to generate widespread end-to-end routing instability originating at the Internet's edge.

      Maybe the "highway" analogy works here. Everybody knows that the Internet goes all flaky during worm propagation, but it's been assumed that this is simply due to too much traffic. This report is saying that it's more fundamental than that: during worm propagation, for as yet unknown reasons, many of the direction signs disappear at the intersections! Not only are the roads full, but many of the cars can't find where they're meant to be going...

  7. Msft is definitely guilty by ch-chuck · · Score: 5, Funny

    of contributing to global worming. They need to cut back their toxic emissions immediately before it's too late to save the planet.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
    1. Re:Msft is definitely guilty by sien · · Score: 5, Interesting

      Ha. Someone mod this up as funny please!
      But seriously, if a company makes a product that costs large numbers of other companies money they get fined. If a company's negligence causes a public resource to be degraded they get sued. Has anyone heard anything about some of the major service providers or any of the major users launching a class action against MSFT? It seems that they would have at least a start for a case here.

    2. Re:Msft is definitely guilty by Anonymous Coward · · Score: 0

      Why? If the "Right-click here, left click there" admins kept up-to-date with updates and could secure a system, then it wouldn't have affected them.

      If you want to sue somebody, sue your admins for incompetence.

    3. Re:Msft is definitely guilty by Lish · · Score: 1

      I agree with you, they should be able to have _some_ redress for this. But legally, I don't think they can...that little "AS IS" clause in shrinkwrap licenses and all. Bah. We'll see.

      --
      "This message is composed of 100% recycled electrons."
    4. Re:Msft is definitely guilty by tconnors · · Score: 1

      I agree with you, they should be able to have _some_ redress for this. But legally, I don't think they can...that little "AS IS" clause in shrinkwrap licenses and all. Bah. We'll see.

      Except that I have never agreed to a MS license, and my connections were hurt. I'm guessing Cisco router operators that were affected never agreed to the license in question, either.

      TimC.

  8. Bah... what's so special? by frleong · · Score: 2, Insightful

    The worms produce just a kind of DDOS and routers are expected to take a hit. If there are a lot of IRCbots attacking randomly, you'll see the same.

    --
    ¦ ©® ±
  9. Artificial life by YellowSubRoutine · · Score: 1

    A study by a fully human-created phenomenon, and yet it's so complicated it's hard to understand.

    Who said AI is not for tomorrow? The beast is already among u

    1. Re:Artificial life by Anonymous Coward · · Score: 0

      No router...don't look AT ME LIKE THAT! STAY AWA.........

  10. Caching and port-scanning by osolemirnix · · Score: 3, Informative
    I would assume that this effect is in part due to the nature of port-scanning a wide range of IP addresses with a small data packet. This kind of traffic is different from "regular" traffic where a lot more data gets sent along the same route.

    Consequently, since routes time out after a while (and get cached), the IP address sweeping increases the necessity to figure out more separate routes than usual (or FIFO caches are too small so routes get purged from the cache faster?).

    This would logically increase the load on route discovery protocols such as BGP. A whole new class of DoS attacks...

    --

    Idempotent operation: Like MS software, whether you run it once or often, that doesn't make it any better.
    1. Re:Caching and port-scanning by mdouglas · · Score: 5, Interesting

      first off, i'd just like to say, i love it when a hardcore networking article gets posted to slashdot, the number of responses is so much lower due to the userbase having no experience with the subject; and mindless pontificating and chest beating (as in anti microsoft/pro linux articles) doesn't cut it with this subject matter.

      as an aside, i don't mean the above preamble as a negative statement about the specific poster i'm responding to.

      "Consequently, since routes time out after a while
      ...This would logically increase the load on route discovery protocols such as BGP."

      well...not exactly. when 2 routers are set up in BGP partnership they exchange an initial set of routes which are statically set by the AS administrator, there's no dynamic discovery process. those routes are only changed under a few specific conditions : explicit changes announced by the BGP partner, or the loss of connectivity to the partner (too many missed hello packets). BGP route exchange is not based on some kind of dynamic route timeout/refresh algorithm as that would be horrifyingly inefficient.

      a few words on how routing and route caching work (this is assumed to be on a defaultless internet backbone router) :

      a packet enters the router destined for some ip address, a lookup against the routing table is done, the appropriate outbound interface is selected (this step is known as path determination), the packet is then sent to the appropriate outbound interface, re-framed, and sent out to the next hop (this step is known as switching); route caching associates a destination ip address with a next hop interface, thus bypassing the redundant route table lookup. a definite gain in efficiency, cisco makes a number of advanced caching/switching engines that are used in their high end core routers.

      to summarize/explain the BGP/worm paper : worms generate excessive traffic; the traffic overwhelms some routers and wan links; thus, BGP hello packets get lost or never sent depending upon traffic or router load; consequently the BGP routes are being announced/withdrawn at a high rate (this is known as route flapping). this is bad, having a route fail is not a problem, as long as it stays failed. rapidly changing states creates extra load on the router. route dampening policies help, but with a worm creating these conditions everywhere at once the cumulative effect is instability.

      check these sites out to learn networking :
      http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm
      http://www.merit.edu/mail.archives/nanog/

      anyone who writes a wise ass follow up to this had better include a CCIE number.

    2. Re:Caching and port-scanning by _ganja_ · · Score: 2

      Looks fine, Bassam would be proud :-)

      #7066

      --

      A journey of a thousand miles starts with a brutal anal raping at airport security

    3. Re:Caching and port-scanning by Salamander · · Score: 2

      These same high-end routers often have traffic shaping/prioritization features. You'd think that they could be configured so that the routing-protocol packets have a very high priority so that they're among the last to be dropped even at high load. If not, someone screwed up.

      --
      Slashdot - News for Herds. Stuff that Splatters.
    4. Re:Caching and port-scanning by Anonymous Coward · · Score: 0

      Sir, I now feel 0wn3d.

    5. Re:Caching and port-scanning by PatJensen · · Score: 2
      I'm just a meaningless CCNA, but I'm writing to say - Good article! +1, Informative.

      Thanks mdouglas.

      -Pat, CCNA

    6. Re:Caching and port-scanning by huckda · · Score: 1

      first off, i'd just like to say, i love it when a hardcore networking article gets posted to slashdot, the number of responses is so much lower due to the userbase having no experience with the subject; and mindless pontificating and chest beating (as in anti microsoft/pro linux articles) doesn't cut it with this subject matter.

      I couldn't agree more...unfortunately I sometimes get lost in the banter of techno-babble that spews forth from the fingertips of those who know not how to write a technical article in 'understandable' english for those who might not know everything there is to know about networking and the like. But a very big KUDOS to you sir for providing links where those who are interested can learn more. Thanks!

      --
      "Just Smile and Nod." --Huck
    7. Re:Caching and port-scanning by Anonymous Coward · · Score: 0

      (I fully understand that I'm replying to a troll...)

      I do not have a CC[NA|IE|...] and I fully understood his article.

    8. Re:Caching and port-scanning by puppy0341 · · Score: 1

      BTW Route dampening
      http://www.cisco.com/warp/public/459/16.html#A24.4
      is a mechanism which gives penalties to a route which is flapping.

      Actually I wouldn't say it only helps a bit because there is a point where the system of routers fails (say like domino with a feedback loop) and thus this 'bit' quickly sums up to a byte or so.
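
mdouglas's summary of route flapping and puppy0341's note on route dampening, worked through as an added example (not code from the thread, from Cisco or from the paper): a small model of a flap-damping penalty that halves on a fixed half-life, suppresses a prefix once the penalty crosses a threshold and releases it again once the penalty decays below the reuse limit. The parameter values are assumptions for this example (the commonly cited IOS defaults), and the flap sequence is constructed.

```python
import math
from dataclasses import dataclass

# Damping parameters assumed for this example: the commonly cited IOS
# defaults (15 min half-life, reuse 750, suppress 2000, max-suppress
# 60 min, 1000 penalty per flap), not values taken from the thread.
HALF_LIFE_S = 15 * 60.0
REUSE_LIMIT = 750.0
SUPPRESS_LIMIT = 2000.0
MAX_SUPPRESS_S = 60 * 60.0
FLAP_PENALTY = 1000.0
# Ceiling on the penalty so a route that stops flapping is never held
# back longer than MAX_SUPPRESS_S: 750 * 2**(60/15) = 12000.
MAX_PENALTY = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_S / HALF_LIFE_S)


@dataclass
class DampState:
    penalty: float = 0.0
    last: float = 0.0          # time the penalty was last decayed
    reachable: bool = False    # what the neighbour currently says
    suppressed: bool = False   # whether we are withholding the route


def decay(st, now):
    """Exponentially decay the penalty: it halves every HALF_LIFE_S."""
    st.penalty *= 0.5 ** ((now - st.last) / HALF_LIFE_S)
    st.last = now


def process(st, now, kind):
    """Apply one event at time now (seconds) and return what is forwarded
    to our other peers: 'announce', 'withdraw', 'suppress' (a reachable
    route we refuse to pass on) or 'none'.
    kind: 'A' announce, 'W' withdraw, 'T' periodic reuse-timer check."""
    decay(st, now)
    if kind == "W":
        forwarded = st.reachable and not st.suppressed
        if st.reachable:   # a real up-to-down transition: charge one flap
            st.penalty = min(st.penalty + FLAP_PENALTY, MAX_PENALTY)
        st.reachable = False
        if st.penalty >= SUPPRESS_LIMIT:
            st.suppressed = True
        return "withdraw" if forwarded else "none"
    if kind == "A":
        st.reachable = True
        if st.penalty >= SUPPRESS_LIMIT:
            st.suppressed = True
        elif st.penalty < REUSE_LIMIT:
            st.suppressed = False
        return "suppress" if st.suppressed else "announce"
    if kind == "T":
        if st.suppressed and st.penalty < REUSE_LIMIT:
            st.suppressed = False
            return "announce" if st.reachable else "none"
        return "none"
    raise ValueError(f"unknown event kind {kind!r}")


def simulate(events):
    """Run a sequence of (time, kind) events for one prefix."""
    st = DampState()
    return [process(st, t, k) for t, k in events], st


def seconds_until_reuse(penalty):
    """Time for a penalty to decay below the reuse limit with no more flaps."""
    if penalty <= REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_S * math.log2(penalty / REUSE_LIMIT)


# Constructed scenario: a prefix flaps three times within a minute (the
# hello-loss pattern mdouglas describes), then stays up.
FLAP_STORM = [(0, "A"), (10, "W"), (20, "A"), (30, "W"), (40, "A"),
              (50, "W"), (60, "A"), (1700, "T"), (1900, "T")]

if __name__ == "__main__":
    actions, st = simulate(FLAP_STORM)
    for (t, k), action in zip(FLAP_STORM, actions):
        print(f"t={t:5d} {k} -> {action}")
    print(f"penalty after the storm: {st.penalty:.0f}, "
          f"reuse after about {seconds_until_reuse(st.penalty):.0f} s")
```

Three flaps in a minute push the penalty past the suppress limit, and the route then stays hidden for roughly half an hour even though it is up; the longer it stays suppressed, the more traffic the surviving paths have to absorb, which is the feedback loop puppy0341 describes.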

    9. Re:Caching and port-scanning by figment · · Score: 3, Informative


      > These same high-end routers often have traffic
      > shaping/prioritization features. You'd think
      > that they could be configured so that the
      > routing-protocol packets have a very high
      > priority so that they're among the last to be
      > dropped even at high load.


      Not necessarily. In a lot of cases, mostly with multiple exit routers, it's more desirable for a hosed router to withdraw its own route, presumably because you have another un-hosed router which can pick up the slack. In most cases, withdrawing a route is a lot better than advertising a route that doesn't work.

    10. Re:Caching and port-scanning by Salamander · · Score: 3, Informative

      I think you missed the point of what I was saying. The problem that the original article talked about was BGP traffic getting dropped due to load. If that's happening, you can't add routes, you can't modify routes, you can't withdraw routes. What I was talking about was using existing facilities that allow you to prioritize traffic by type to ensure that the BGP packets get through even if nothing else does. Once you've done that, you can manipulate routes however you want to adapt to conditions.

      What's happening now is like allowing emergency vehicles to get stranded in traffic because they don't have lights and sirens. I say give them lights and sirens, let them zip past the regular traffic so they can do something about the conditions that led to the traffic jam.

      --
      Slashdot - News for Herds. Stuff that Splatters.
    11. Re:Caching and port-scanning by figment · · Score: 3, Informative

      Very good explanation, but there's one pseudo-misunderstanding that a lot of people didn't pick up on. Routers can normally handle a lot of traffic (well good ones can), but are still susceptible to CPU overload due to the massive IP scanning that these worms do, which overloads the ARP subsystem of the router. ARP is mainly to blame, not necessarily increased IP traffic.

      Assuming that the router has an interface with a larger than /30 subnet, the router has to do an ARP request for every IP on that subnet during a scan, and if enough of these IPs just don't exist, then it has to wait for a massive amount of timeouts, then rerequests again, etc. Endlessly.

      While you suggest that saturated WAN links could be the problem (and it very well could be given enough infected machines and a small enough link), the data I have indicates that most, if not all, of the problems within our organization are because of the excessive ARP requests. A router at one of our POPs doesn't run BGP and our traffic data shows it had plenty of bandwidth, but its CPU usage was at 100% for 3 hours during the first Nimda attack. We see similar CPU increases on other CPE equipment with no dynamic routing or any significant increase in traffic.

      (ccie in progress ;)

    12. Re:Caching and port-scanning by figment · · Score: 2

      hmm ok not necessarily a bad idea, though I don't know what advantage it would gain. BGP is a fairly static protocol, it doesn't adapt to changes very well (obviously, since it has to propagate around the world whenever something changes). I guess it could work, though personally I wouldn't try it due to all the potential bad things that could happen doing this and just keep you dampened longer.

      Ciscos have the ability to traffic shape, but that does exactly that, traffic shaping. Most of the problems that I'm seeing because of CodeRed/Nimda/etc. aren't traffic saturation, but CPU overloads due to excessive ARP requests. So what we're probably actually looking for is some sort of CPU prioritization by process instead of necessarily traffic shaping based on routing/routed protocol.

    13. Re:Caching and port-scanning by Anonymous Coward · · Score: 0

      You're wrong. The fact that you're working on your CCIE does not make you less wrong.

    14. Re:Caching and port-scanning by Anonymous Coward · · Score: 0

      no ip proxy-arp

    15. Re:Caching and port-scanning by darkonc · · Score: 2
      I think you missed the point of what I was saying. The problem that the original article talked about was BGP traffic getting dropped due to load. If that's happening, you can't add routes, you can't modify routes, you can't withdraw routes.

      Er, um, NO.

      BGP is designed for multi-pathed networks -- You have to have at least two paths into your network to be allowed to use bgp. This also means (usually) that you have at least two routers.

      If your router is so saturated that it's dropping BGP packets, this means that it's also dropping other packets. This is considered bad. Under normal circumstances, 'flapping' your route for a short period (the document indicates that BGP has a 30 second minimum) will cause some of those packets to take the 'back' route, and will (hopefully) cause enough of a strain relief on the overloaded router for it to catch up to the (normally transient) overload.

      The result of these worm attacks is that this presumption doesn't hold too well. Everybody, everywhere (more or less) is experiencing overload. Quite often the traffic is internally generated, so it's quite possible that many/all of your BGP routers/routes are at or near overload. Under these conditions, flapping one router may cause your back path to overload and, in turn, flap too.

      Giving a higher than normal priority to BGP packets might increase the survivability of the network under a virulent worm attack, but it would also break the inherent load-limiting effect of flapping, and generally break the network worse under normal overload conditions. Given how uncommon these worm attacks have been (so far), it's probably better to keep the flap effect in place.
      ______
      The article doesn't describe the flapping effect as bad. It simply uses logs of this well known and (I believe) normally beneficial effect as a way of measuring what's going on, and determining why it's happening.

      As was said in the article, some people originally thought that the outages were delayed effects of major (localized) traumas to the net. That this isn't the case actually indicates that BGP is working pretty well for the normal case.

      It would be nice to find a solution that can help the network to survive another worm-initiated overload, but if it's at the cost of more general stability of the network then I doubt that it would be worth it.

      Putting enough smarts into the protocol to realize when a flap-dance is taking place because of worm-type general network overloads would add more CPU load to the protocol. This might cause more cpu-overload problems, over time, than it would solve. Another solution might be to have meta-routing machines that watch the logs of BGP packets, and initiate modifications to the BGP protocol parameters to handle the change. I don't know, for sure, how much work that would be, and if it could be done within the current confines of BGP. If it requires modifications to BGP, then it could be a long time in the pipe.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    16. Re:Caching and port-scanning by Anonymous Coward · · Score: 0

      umm ccie #2314566 reporting for duty.
      show me the nearest politically incorrect router
      sir...

    17. Re:Caching and port-scanning by cotu · · Score: 1

      Ah, you seem to be saying that TCAM thrashing is what is at the root of this. I'm not so sure about that. For one, the GSR doesn't use a TCAM architecture nor any of the processor based boxen (which is most of the edge boxen up until recently). The FIB lookups are all done using the standard MTRIE algorithm. Secondly, I'm not sure why that would affect BGP _specifically_; ie, you'd expect that that would cause general trouble rather than just routing stability trouble.

      My bet is that this more akin to a flooding attack and that BGP is just one of the casualties. If that were the case, you'd expect that marking the BGP traffic and doing differential diffserv treatment for it would help restore stability (like, say, CBWFQ, etc.).

    18. Re:Caching and port-scanning by Anonymous Coward · · Score: 0
      You're not replying to a troll. I meant to puncture Mr. Hot-Shit CCIE's ego, and I enjoyed the fuck out of doing it. Just because you've shelled out six or eight grand for a vendor's indoctrination on their products and can burble acronyms does not make you an expert or authority on anything.

      Just try this scenario: Your employer tells you he wants to open the firewall to incoming traffic on some number of ports, and you tell him that's not a good idea. He says why, and you say: "Because I'm the fucking CCIE? Are you a CCIE?" I'm sure his response will be: "No. But unlike you I will be coming in to work here tomorrow."

      The point is, he went out of his way to essentially say: "I'm the big fucking expert, and I'm going to talk like the big fucking expert, and before you dare argue with me, I want to see your credentials that you're a big fucking expert too. All you plebian non-experts out there can just sit back in awe and marvel at our massive expertness."

      So, frankly I wasn't interested in even trying to follow the rest of what he had to say. He eradicated any credibility he might have had with his arrogance. Rather than simply and clearly state his premise, and why any of us ought to believe him, he wrapped it up in the shroud of his authority and obscured it with jargon, and clearly thought he was all that by doing so.

    19. Re:Caching and port-scanning by Salamander · · Score: 2
      it's also dropping other packets. This is considered bad. This is considered bad.

      It's unfortunate that your talent for stating the obvious is not matched by your ability to understand the less obvious.

      Under normal circumstances, 'flapping' your route for a short period (the document indicates that BGP has a 30 second minumum) will cause some of those packets to take the 'back' route, and will (hopefully) cause enough of a strain relief on the overloaded router for it to catch up to the (normally transient) overload.

      Flapping is undesirable. Period. Any routing protocol that didn't support load balancing across routes, without explicit route changes to flap back and forth, would be laughed out of the standards bodies. Fortunately, BGP is not in fact so poorly designed as you seem to think.

      Giving a higher than normal priority to BGP packets...would also break the inherent load-limiting effect of flapping, and generally break the network worse under normal ovarload conditions.

      Now you're just totally talking out your ass. Flapping is not an intentional method of limiting load; it's a pathological behavior that routing protocols including BGP try to avoid. "Normal overload" is of course an oxymoron, and even in more common (but still abnormal) overload conditions there's no reason whatsoever to suppose that the incredibly minimal CPU overhead associated with giving BGP a higher priority would have the effect you suggest.

      I just don't know where you get that kind of crap from. That kind of buzzword-laden but unconnected-to-reality BS might have dazzled some fresh-out MBAs back at the height of dot-com mania, but don't expect anyone with even a minimal amount of technical knowledge to be fooled.

      P.S. Either your web site is down, or your profile contains a broken link. Nice going either way.

      --
      Slashdot - News for Herds. Stuff that Splatters.
    20. Re:Caching and port-scanning by Salamander · · Score: 2

      Same here. However, the AC does have a point. Starting your post with "the userbase having no experience with the subject" and ending it with "better include a CCIE number" is going to piss a lot of people off. The people who design Cisco boxes and the protocols they use probably don't have formal CCIE credentials either; should we not listen to them? The CCIE program is actually very good as such things go, but at the end one is merely competent with regard to administering a particular implementation of the technology. Knowing which switches to flip isn't the same as knowing how the technology actually works or how it might be improved.

      That said, I think targeting mdouglas was somewhat unfair. Despite his unfortunate choice of opening and closing remarks, his article was quite informative and technically correct. On this very thread there have been others - e.g. darkonc, cotu - more guilty of the crimes laid at mdouglas's doorstep.

      --
      Slashdot - News for Herds. Stuff that Splatters.
    21. Re:Caching and port-scanning by Cato · · Score: 2

      Agreed, see http://slashdot.org/comments.pl?sid=22054&cid=2367894 for some more info on this, in response to a post on out of band management networks.

    22. Re:Caching and port-scanning by cotu · · Score: 1

      If your router is so saturated that it's dropping BGP packets, this means that it's also dropping other packets. This is considered bad. Under normal circumstances, 'flapping' your route for a short period (the document indicates that BGP has a 30 second minumum) will cause some of those packets to take the 'back' route, and will (hopefully) cause enough of a strain relief on the overloaded router for it to catch up to the (normally transient) overload.


      This isn't quite true. On a distributed architecture, or when you have hardware assist, etc, you can slag the main processor by sending enough cruft up on the slow path, but the forwarding engines would still keep humming along.

  11. Here's a great idea! (word association) by Uttles · · Score: 5, Interesting

    OK, everyone knows that word association is a powerful marketing tool. Example: Microsoft Office. When you say "office suite of programs" to the average person, they automatically think Microsoft Office. Well this article sure gives us a great one:

    In this online note, we summarize our preliminary analysis of the surprisingly strong impact of the Internet propagation of Microsoft worms (such as Code Red and Nimda) on the stability of the global routing system.

    Look on AP, Yahoo, MSNBC, CNN, and you always see "the Nimda virus" or "the Code Red virus," but I prefer the way the article said it. So from now on in your conversations with others, refer to each virus in this category as a "Microsoft Virus" and hopefully by word of mouth word association we can sway public opinion away from this crappy MS software.

    --

    ~ now you know
    1. Re:Here's a great idea! (word association) by Anonymous Coward · · Score: 0

      Serves them [MS] right for trying to associate linux and the GPL with 'virus' as well. Turnabout can only be fair play...

    2. Re:Here's a great idea! (word association) by DCheesi · · Score: 4, Insightful

      That's fine for casual conversation, but professionals and those writing formal papers need to steer clear of this sort of propaganda. I was going to criticize Slashdot for stating it that way, until I realized that the original authors used that same phrase. Calling it a Microsoft worm is really a distortion, and it's the kind of thing that can damage the credibility of the author. If you're preaching to the choir, that's one thing; but if you're trying to produce a study that will actually persuade a 'non-believer,' you need to appear as unbiased as possible.

    3. Re:Here's a great idea! (word association) by Anonymous Coward · · Score: 0, Funny

      Beware Microsoft's Crack Moderation Squad has been deployed.

    4. Re:Here's a great idea! (word association) by dachshund · · Score: 1
      When talking about biological viruses, there's nothing wrong with referring to the nasties with regard to their target. Take, for instance: "Plant virus", "Human virus" or "Canine virus". If these worms/viruses start attacking other types of systems, then I think it would be highly propagandistic for us to refer to them as "Microsoft ". But as a matter of terminology, at the moment...?

      How about Microsoft-targeted worm?

    5. Re:Here's a great idea! (word association) by pubjames · · Score: 4, Insightful

      That's fine for casual conversation, but professionals and those writing formal papers need to steer clear of this sort of propaganda.

      I completely disagree.

      'Cancer', 'Intellectual property destroyer', 'viral-like': these (amongst others) are all terms that Microsoft has associated with the GPL and hence Linux when communicating with their customers. And look how effective they've been - they have got loads of press coverage about it. And the terms are misleading, and in the case of 'cancer' just downright offensive.

      To describe the Nimda virus or the Code Red virus as Microsoft worms is not misleading at all - it is difficult to argue that they are not Microsoft worms, after all.

      I think this is a great idea. May I also suggest 'Outlook viruses' as a term we should use to cover Outlook specific email attachment viruses.

    6. Re:Here's a great idea! (word association) by peter+hoffman · · Score: 3, Insightful

      Some people refer to them as MSTDs which I think is pretty funny and accurate.

    7. Re:Here's a great idea! (word association) by Tr15 · · Score: 1

      I don't think a Microsoft virus would be as effective as Code Red or Nimda!

    8. Re:Here's a great idea! (word association) by Coolumbus · · Score: 1
      Well, I give you that "MS Worm" sounds as if the worm was created by MS, sort of like "MS NT" etc.

      But the professional could simply write "the new worm blha bha that only hits MS systems", given that they'd write that every time, I'd guess that most people would simplify it to "MS worm blha blaha".

      Given enough time people might actually catch up with the service pack lingo as well. So instead of simply saying Code Red, Code Red II, Code Blue, Nimda etc., people might say MS Worm 1.0, MS Worm SP1, MS Worm SP2, MS Worm 2.0 :)

      --
      Slashdot signature: 'Laugh assist to nerd'

    9. Re:Here's a great idea! (word association) by HiThere · · Score: 2

      Do you feel that anyone has hesitated to describe something as a Unix worm?

      Then why should we hesitate to describe it as a Microsoft Worm? Perhaps one should say Microsoft(tm) Worm rather than Microsoft Worm(tm), as the second form is inaccurate. But Microsoft Worm is an accurate and correct description of the phenomenon (given that the term worm is correct).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    10. Re:Here's a great idea! (word association) by Anonymous Coward · · Score: 0

      Or call them "LookOut Viruses"

    11. Re:Here's a great idea! (word association) by Anonymous Coward · · Score: 0

      Yes -- Ever since I got onto the Internet in the late 80s, I've been hearing the legends of the great RTM "Internet Worm".

      Well - it wasn't an "Internet Worm", it was a UNIX Worm, and the VMS etc hosts on the net were unaffected.

      (And honestly, the Unix community only got the security religion a few years ago. Before then, they were exactly the way Microsoft is now -- 'umm. file permissions? ummm')

    12. Re:Here's a great idea! (word association) by ectoraige · · Score: 1

      Calling it a Microsoft worm is really a distortion

      I agree, and I must say, it surprised me too. When choosing a term under which to classify something, it should describe a characteristic common to members of that category. Given that Roach and co. are examining the correlation between unusual ARP traffic and the worm's attack vector, then deciding to classify it based on who wrote such shoddy software is a bit odd. Though if the media want to use it as their new buzzword, that's fine by me.

      My first thought would be to call them 'surge worms', based on the explosiveness of their propagation. Doing some proper classification, here's the main characteristics of the two worms:

      Characteristics of CodeRedII:
      OS: Windows 2000 only.
      Vector:
      1. Scans random IP addresses via HTTP/GET for IIS servers open to the .ida buffer overflow. Randomness is weighted to stay within the local subnet. Delivers payload via HTTP. Uses multiple (300/600) threads to scan for vulnerable servers.
      Doesn't reinfect self.
      Limited propagation lifespan (Oct 2001).
      Effects:
      Places trojan backdoor on system.
      Isn't memory-resident, reboot doesn't clear.
      Doesn't deface infected websites.
      Doesn't launch targeted DoS attack.

      Characteristics of Nimda:
      OS: Any Windows OS.
      Vector: Uses 4 distinct methods of propagation:
      1. Scans for multiple IIS vulnerabilities via HTTP/GET requests to 'random' IP addresses. Randomness is weighted to stay within the local subnet. Payload delivered via TFTP. Uses multiple (200) threads to perform network scanning.
      2. Self-propagates via email sent to addresses stored on infected servers.
      3. Delivered via HTTP responses to clients of infected IIS servers.
      4. Via open network file shares.
      Doesn't reinfect self.
      Effects:
      Places trojan backdoor on system.
      Isn't memory-resident, reboot doesn't clear.
      Doesn't deface infected websites.
      Doesn't launch targeted DoS attack.

      It's clear that the commonality between them lies in
      a) The random, multi-threaded propagation via HTTP/GET, which tends to remain localised
      b) The installation of a trojan backdoor on infected hosts.

      Hence a formal classification should be something like "multi-threaded, locally biased trojan worms". The effect of the virus on the host isn't even that important in this case, so "multi-threaded, locally biased worms" would do too.

      "Surge worms" wasn't too bad a choice then :)

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
    13. Re:Here's a great idea! (word association) by Tim+Doran · · Score: 2

      Call me a karma whore, but if these worms were propagating through linux, you can bet we'd all (even /.'ers) be talking about linux worms.

    14. Re:Here's a great idea! (word association) by ectoraige · · Score: 1

      well bye-bye to my karma...

      "you can bet we'd all (even /.'ers) be talking about linux worms."

      You're missing the point!! This article is about two particular worms.

      The platform is irrelevant, the software is irrelevant, the exploits are irrelevant, and the effects on the hosts are largely irrelevant.

      The only thing about them that is relevant is the manner in which they spread - lots of small, probing requests, mostly within the same subnet.

      In this discussion, the *only* relevance platform has is that it happens to be a pretty common one. But there's lots of other common platforms that the same thing could happen to. Say... cisco?

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
    15. Re:Here's a great idea! (word association) by darkonc · · Score: 2
      Calling it a Microsoft worm is really a distortion, and it's the kind of thing that can damage the credibility of the author.

      Separately, they are the Nimda worm and the Code Red II. Together, one of the things that they have in common is that they're Microsoft based. Chances are, in the future, that most of the worms that are going to have this sort of effect are going to be Microsoft based.

      I can think of two (OK, three) reasons why:
      1) There are lots of MS machines out there that are just RIPE for infection.
      2) Microsoft has (through negligence and/or design) set things up such that the default configuration of these machines is to be very insecure.
      3) Even if someone were to come up with a worm that could breach each and every Linux box out there, it would not, at this time, have the kind of volume effect on things that these MS worms have had.

      They are Microsoft viruses. The description is succinct and accurate. There are also likely to be more of them. It also puts some PR pressure on Micro$oft. The PR department is the one department that seems most in charge of Microsoft. If we're lucky, they will respond to it by starting to pay some real attention to security for their software.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    16. Re:Here's a great idea! (word association) by darkonc · · Score: 2
      The "internet" worm, also known as the Morris worm, affected a lot of machines, including a VAX that I was administering at the time. The class of machines that it affected included much of the backbone of the Internet at that time, thus it was actually accurate to call it an internet worm.

      VAXen were the norm on the backbone. Suns were just starting to break into the backbone. I still remember some of the machines on the net, like decvax, ucbvax and (the mythical) moscvax (used in an April fools joke -- the fact that people would automatically take moscvax to mean a VAX located in Moscow would indicate the state of The Internet back then). These days, the backbone of the internet is a bit more diverse, so it would be a lot harder to describe a worm as an internet worm, unless it was very multi-platform.

      Up until the Morris worm, people cared about security, but it was generally believed that you could trust other machines on the net... At that time, to get your site on the net, you had to have someone who was already on the net vouch for you and back you. As such, you could generally trust the administrator of each machine you were talking to.

      This was, however, the time of the ascendancy of the PC. These machines were owned by the user. Now you not only had to trust the network administrator, you had to trust each and every user with a PC. Even after plugging the holes exploited by the Morris worm, people were starting to deal with the fact that you could no longer presume (or even hope!) that a packet from a low port number could be trusted to come from a secure program. It really was the dawn of a new age in the internet world -- not entirely unlike what seems to be happening in North America in the wake of the WTC attacks.

      The Morris worm also opened up people's eyes to the problem of buffer overflows. This was the first really widespread exploit of buffer overflows. After the worm came out, people started going through code, weeding out potential buffer overflows. It's not that people didn't care about security. There was, instead, a certain presumption of trust that -- these days -- would be considered naive. The Morris (internet) worm woke people up to the naivete of those presumptions.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    17. Re:Here's a great idea! (word association) by darkonc · · Score: 2
      My first thought would be to call them 'surge worms', based on the explosiveness of their propagation.

      Worms, by their nature, have a surge propagation distribution. Sometimes, if the propagation is slow, the surge gets eaten by the noise of system traffic. In cases like the two worms caught in this study, the worms propagated fast enough and were active enough that they were able to affect overall internet communication as a side effect.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    18. Re:Here's a great idea! (word association) by RoninM · · Score: 2

      Not just the manner in which they spread, but the base from which they spread. Since exploitable Microsoft boxen far outnumber exploitable, say, Linux boxen by a significant number (for many reasons, not the least of which is the installed user base's size), the scale of the attack and thus the observed effects on global routing are directly related to the fact that these are Microsoft worms. The manner in which they probe, alone, is insignificant. (Other things are comparable in approach.) The magnitude makes all the difference.

      --
      If a corporation is a personhood, is owning stock slavery?
    19. Re:Here's a great idea! (word association) by Anonymous Coward · · Score: 0

      It's not clear in your post, but hopefully you know the difference between VAX and VMS. The VAX hosts affected were running UNIX, not VMS.

    20. Re:Here's a great idea! (word association) by revengance · · Score: 1

      That's not the point. The point is Microsoft virus is more "correlated" than open source and communism.

  12. /. effect in action! by obidex · · Score: 2, Informative
    --
    "I'm tired of looking like an ass because of people's assumptions" - Dalvenjah Foxfire
  13. What will be done? by Anonymous Coward · · Score: 2, Interesting

      I have followed this problem extensively in my local area... When Code Red came out, MRTG and numerous sites around the city showed large spikes in bandwidth usage. I have discussed this with several large corporations (Nationwide, Bank-One.. and telecoms Time Warner and AT&T) and I have heard very little about how to approach what are Application layer exploits at layer 2 or 3...
    I understand that to serve people, telecom and internal IT departments can't very well restrict ports and such based on response to each and every exploit that causes problems...
    so what can telecoms and large corporations do to cut down on meaningless uses of bandwidth?

  14. Viruses, terrorism and Microsoft by riflemann · · Score: 5, Funny

    So...on a related note.

    If it is true that viruses create BGP instability, one can extrapolate that this is a form of terrorism, by disrupting international communications.

    Now - as Microsoft has done almost nothing to effectively eliminate the threat of viruses, and hence a form of terrorism, MS can then be seen as "harbouring terrorism".

    Didn't George W himself say that those who harbour terrorists will receive the same fate?

    It's therefore in the international community's best interests to destroy Microsoft!

    1. Re:Viruses, terrorism and Microsoft by SteveX · · Score: 2

      Microsoft has done almost nothing to eliminate the threat of viruses?

      The last two big worms had patches available before they started spreading... It's the folks who put freshly installed boxes on the Internet without applying the latest patches who are guilty. (Are they terrorists? Does buying Windows and installing it at home make you a terrorist? Or maybe you become a terrorist without even realizing it when someone exploits your box!)

      The only thing Microsoft has done here is make it easy for unqualified people to set up and run boxes with open, exploitable ports...

      If a particular Linux distro was as widespread as Windows is, and the default install left things exposed (which has happened on numerous occasions) then the virus authors would be exploiting holes in that distro the same way these worms are exploited.

      The thing saving Linux from worm attacks right now is low marketshare among novice users.

      - Steve

    2. Re:Viruses, terrorism and Microsoft by dachshund · · Score: 1
      Well... I know of a number of people who installed the patches and were still infected by the worms that the patch was supposed to prevent. I'm told that a major cause of this is people upgrading to the next service pack (and consequently rolling back the patch.) Apparently there are a whole lot of other ways to accidentally remove the patch, many of which are day-to-day operations.

      At the time of the most recent worm outbreak (the one that used multiple exploits), I believe that there was no reliable patch available. Is that true?

      In any case, these are bugs that should never have made it into the system. I think Microsoft should have issued a recall, and made an aggressive effort to contact its customers (by real mail) in order to get this problem fixed. If the brakes on my Toyota have a major flaw, Toyota doesn't sit back and wait for me to check their web page.

    3. Re:Viruses, terrorism and Microsoft by thrig · · Score: 4, Interesting

      Windows has anti-virus software, for windows.

      Linux has anti-virus software, for windows.

      FreeBSD has anti-virus software, for windows.

      Solaris has anti-virus software, for windows.

      Open, exploitable ports are nothing compared to the design flaws inherent in the Office document format and the Outlook family, that cause wave after wave of new virus to saunter past anti-virus software, laughing.

    4. Re:Viruses, terrorism and Microsoft by maxpublic · · Score: 1

      Low market share and the fact that the OS has far fewer exploitable bugs.

      Given the number of linux servers out there right now, do you honestly think that worm creators would give Linux a pass if it were anywhere near as easy to punch into as IIS? Or are you saying that the people who run an IIS box are generally idiots, while those who run Linux boxes aren't?

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    5. Re:Viruses, terrorism and Microsoft by darkonc · · Score: 2
      The last two big worms had patches available before they started spreading...

      If you've ever read the Hitchhiker's Guide to the Galaxy, there's a scene (repeated in variation) where Arthur Dent (and then, in the variation, Earth) gets informed that the plans of imminent destruction have been on public display for a long time:

      In a locked cabinet in a dark room in the abandoned depths of the basement with a sign on the door saying "man eating tiger -- stay out!".

      The plans for Earth's destruction were on display on Alpha Centauri

      In any case, the Microsoft patches were available, but not on their push list, and I'm seeing reports that Microsoft weenies were describing attempts to download the fix(es) as "unnecessary".

      The larger question, as well, is one of Microsoft not having security very high on their list of priorities. Given a choice between a whiz-bang feature, or a secure system, they seem to go for the whiz-bang, and hope (wrongly - time and again) that hackers won't notice yet-another gaping hole.

      The problem that Microsoft users face with respect to security is not just that MS Windows is a common system. It's that Windows is a common system built like Swiss cheese. If Linux and Unix were designed and maintained with the lax attitude towards security that Microsoft products display, we'd have more Linux worms than a dead gnu carcass.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    6. Re:Viruses, terrorism and Microsoft by stubear · · Score: 1

      These patches were announced on Microsoft's Security listserv at least a month before the exploits became a problem. Is this not push enough for you? ALL ITs running IIS should be on this listserv or at the very least should visit http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp.

    7. Re:Viruses, terrorism and Microsoft by Stephen+Samuel · · Score: 2

      The problem isn't just ITs, it's all the people who have a default load of Windows 2000 at home, Rogers Wave, and are lucky if they even know about windowsupdate.microsoft.com.

      --
      Free Software: Like love, it grows best when given away.
    8. Re:Viruses, terrorism and Microsoft by revengance · · Score: 1

      If a particular Linux distro was as widespread as Windows is, and the default install left things exposed (which has happened on numerous occasions) then the virus authors would be exploiting holes in that distro the same way these worms are exploited.

      The thing I always read about Linux having low market shares and therefore no one wants to attack it. I don't think Slashdot actually got more readers than msdn or cnn but there are a lot of idiots claiming first post.

  15. Face It by Anonymous Coward · · Score: 0

    The IIS team really opened the can!!

  16. what?!? by SGDarkKnight · · Score: 2, Funny

    are you trying to tell me that microsoft is unstable and most likely carrying some form of a virus? that's impossible!

    --

    ...A no smoking section in a restaurant is like having a no peeing section in a swimming pool...
  17. Preliminary list of reasons by lythari · · Score: 1, Redundant

    "complete list of reasons still needs to be documented, but we suspect i) congestion-induced failures of BGP sessions due to timeouts; ii) flow-diversity induced failures of BGP sessions due to router CPU overloads; iii) proactive disconnection of certain networks; and iv) failures of other equipment at the Internet edge such as DSL routers and other devices."


  18. Microsoft is killing the Net! by ZigMonty · · Score: 1
    Am I the only one that had a feeling something like this would happen? All those hundreds of thousands of simultaneous probes have to have some effect. People on badly hit networks have reported massive bandwidth loss. This is the
    "most of the links at the Internet edge had serious performance problems during the worms' probing and propagation phases"
    part of the article.

    Mind you, Nimda is probably gentler to non Windows systems, because it checks if the victim is vulnerable first, whereas CodeRed sent itself anyway. So although Nimda fills your logs quicker because it checks 16 or so backdoors for each attack, it probably, IMO, sends less data.

    1. Re:Microsoft is killing the Net! by Anonymous Coward · · Score: 0

      Nimda is probably gentler to non Windows systems, because it checks if the victim is vulnerable first, whereas CodeRed sent itself anyway.

      Where are you getting your information from?

      All of my boxes are Unix, and my web server logs are full of Nimda crap.

    2. Re:Microsoft is killing the Net! by ZigMonty · · Score: 1

      Nimda floods your log files because it makes more attempts on your computer BUT unlike CodeRed, it doesn't try to send the worm itself unless you're found to be vulnerable. If it detects that you ARE vulnerable, it uses TFTP to copy itself to the victim. CodeRed sent itself as a buffer overflow. So the request itself contained the worm. I'm guessing that the 16 or so small requests that Nimda makes don't add up, size wise, to the single big request that CodeRed makes.

    3. Re:Microsoft is killing the Net! by GTRacer · · Score: 2
      HA! Well, you're right, but for those of us who run small family-oriented servers, those 16 probes per, and the 16 emails from my IDS *DO* dramatically slow me down.

      Fortunately, Apache is immune, and I haven't had any real problems. But with Nimda, and to a lesser extent, CR, I have to lose email service for about an hour a day while the error reports clog my inbox.

      I want the logs to give to our ISP (since most of the top probers are on our subnet) but I'm thinking I may have to compromise my IDS to cut out some of the crap...

      GTRacer
      - Apache on WinNT...Mmmm!

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
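As an added example (not code from any poster or from the paper), the log triage the Unix admins above describe: a Python script that classifies web-server log lines by the probe strings attributed to Code Red (the .ida request) and Nimda (root.exe/cmd.exe via IIS traversal paths), counts probes per source, and marks which sources sit on the server's own subnet so the summary can go to the ISP. The log lines, the 192.168.1.0/24 subnet and the signature list are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Apache common/combined log line: we only need the source IP and the request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path signatures (constructed from the thread's description plus the
# well-known public probe strings of the two worms; not exhaustive).
SIGNATURES = {
    # Code Red: a single oversized GET against the .ida ISAPI extension
    "CodeRed": [re.compile(r"\.ida\?", re.I)],
    # Nimda: a series of small GETs for root.exe / cmd.exe through IIS traversal paths
    "Nimda": [
        re.compile(r"/root\.exe", re.I),
        re.compile(r"/cmd\.exe", re.I),
        re.compile(r"/winnt/system32", re.I),
        re.compile(r"%c0%af|%c1%1c|%255c", re.I),   # Unicode / double-decoded traversal
    ],
}


def classify(path):
    """Return the worm family a request path matches, or None for ordinary traffic."""
    for family, patterns in SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return family
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, local_net):
    """Count worm probes per source address and flag sources inside local_net.

    Returns a list of dicts sorted by probe count, e.g.
    {"ip": "...", "local": True, "total": 4, "Nimda": 4}.
    """
    net = ipaddress.ip_network(local_net)
    per_source = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than abort
        family = classify(rec["path"])
        if family:
            per_source[rec["ip"]][family] += 1
    report = []
    for ip, counts in per_source.items():
        try:
            local = ipaddress.ip_address(ip) in net
        except ValueError:                # a hostname was logged instead of an address
            local = False
        report.append({"ip": ip, "local": local, "total": sum(counts.values()), **counts})
    report.sort(key=lambda r: r["total"], reverse=True)
    return report


def report_lines(report):
    """Render the summary as the short text an admin would hand to the ISP."""
    out = []
    for r in report:
        families = ", ".join(f"{k}={r[k]}" for k in SIGNATURES if k in r)
        where = "on our subnet" if r["local"] else "external"
        out.append(f"{r['ip']:<16} {r['total']:>4} probes ({families}) {where}")
    return out


# Constructed sample log (not real traffic); 192.168.1.0/24 is the server's own subnet.
SAMPLE_LOG = """\
192.168.1.40 - - [19/Sep/2001:10:21:33 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.168.1.40 - - [19/Sep/2001:10:21:33 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
192.168.1.40 - - [19/Sep/2001:10:21:34 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
203.0.113.9 - - [19/Sep/2001:10:22:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 280
192.168.1.77 - - [19/Sep/2001:10:22:15 -0400] "GET /index.html HTTP/1.1" 200 1043
this line is not a valid log entry
192.168.1.40 - - [19/Sep/2001:10:22:20 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"""

if __name__ == "__main__":
    for line in report_lines(summarize(SAMPLE_LOG.splitlines(), "192.168.1.0/24")):
        print(line)
```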
  19. slashdotted by kingdon · · Score: 2, Informative

    I've put up a mirror (article there now, images should be up by the time you read this).

    As for the article itself, this kind of published analysis is what makes the internet great - compare with the telephone system where each company keeps (more of) their analysis to themselves and engages in more finger-pointing.

  20. Oh, wow. by jd · · Score: 3, Interesting
    You mean, if the Internet gets saturated by bizarre routing requests, it puts its feet in the air and dies?


    I'd never have guessed.


    Seriously, though, this does strongly suggest that merely using NAT and crude approximations of hierarchical routing are not enough. The networks aren't capable of tolerating the kinds of loads even a humble skript can put on them.


    In short, we need a better routing system, better IP stacks, a more streamlined structure, and better load-balancing. In short, we need IPv6, if we're to survive anything but these relatively feeble virus attacks.


    (And they are feeble! In comparison to what could be done. The world is very, very lucky.)


    Oh, and we also need a stronger backbone. T3's don't cut it, in a world where T4's are "standard items" and high-speed optics of up to 4 Tb/s are potentially usable tomorrow.


    When you start upping the bandwidth across the board by 2-3 orders of magnitude, the impact of a few flea-bag packets will not be noticeable. For that matter, the impact of a major world event (such as the Starr Report, or the WTC disaster) would not bring the information infrastructure to its knees.


    *Orator Mode On* Now, more than ever in the history of humanity, our society, our economy and our security depend on good lines of communication. No expense is too great, because the price of failure is greater still. This truth has tragically shown itself these past few weeks, and no amount of money can undo a single death, reverse a single bereavement, or heal a single injury.


    Forty billion dollars has been allocated to the cause of chasing shadows, yet we know that shadows can never be caught. A mere four billion, on shining the light of information around the world, would have gone a long way to prevent the shadows from being there to start with.


    Terror, fear - these are weapons that rely on ignorance and superstition. Without ignorance, terror has nothing to hold onto. Yet ours is a society that lives in ignorance. We have computers on our desks that are many hundreds of times more powerful than the ones used to put man on the moon. Yet those computers can be crippled by a simple forwarder virus, and the users of those computers do not wish to know. The dark is much more comforting than the light, even though it is the dark, not the light, that these viruses can grow in. Perhaps, because in the light, you do not need comforting. There is no fear to be comforted over.


    Someday, maybe, people will become less frightened of living in understanding. When that day comes, the terrors of the night will no longer threaten.


    *Orator mode off*

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Oh, wow. by pohl · · Score: 2, Insightful
      The networks aren't capable of tolerating the kinds of loads even a humble skript can put on them.

      Isn't that a little like calling a forkbomb "a humble process"?

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    2. Re:Oh, wow. by Anonymous Coward · · Score: 0

      Yet ours is a society that lives in ignorance.

      The Makers of Modern Schooling

      be gentle, i'm sure that site isn't up to the /. challenge.

    3. Re:Oh, wow. by Cato · · Score: 2

      IPv6 will not solve this problem, which has nothing to do with NAT or load sharing. The key element of the solution is to provide a higher priority (CoS/QoS) for BGP traffic, and to somehow limit the amount of CPU spent on ARPing for non-existent IP addresses on the router's directly-connected subnets.

      I am all for using IPv6 where appropriate, but it's irrelevant here. Putting in bigger pipes is expensive, and may well just make things worse (a Pentium III can just about saturate a gigabit ethernet link - what if some well-connected hosting centres get infected and start spamming the net via these larger pipes?).
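An added model (not from the article or from any poster) of reason (i) quoted in comment 17 above, congestion-induced BGP session timeouts, and of the point just made about prioritising BGP traffic: a Python replay of one session whose KEEPALIVEs are dropped by congestion. The session only falls over once the hold timer expires, so isolated losses cost nothing, while one loss streak withdraws and then re-announces every prefix learned over the session. The 30 s keepalive interval comes from the thread; the 90 s hold time is an assumed RFC 4271 default; the delivery patterns and prefix counts are constructed.

```python
KEEPALIVE_INTERVAL = 30   # seconds between KEEPALIVEs; the thread notes BGP's 30-second minimum
HOLD_TIME = 90            # assumed RFC 4271 default hold time: three missed keepalives in a row


def simulate_session(keepalive_delivered, prefixes):
    """Replay one BGP session under congestion.

    keepalive_delivered: one bool per KEEPALIVE_INTERVAL, True if the peer's
    keepalive survived the congested link (constructed pattern).
    prefixes: number of routes learned over the session.

    When the peer hears nothing for HOLD_TIME it drops the session and withdraws
    every prefix learned from it; the next keepalive that gets through stands in
    for the session re-establishing, after which all prefixes are announced again.
    Returns counts of resets, withdrawals and re-announcements.
    """
    t = 0
    last_heard = 0
    session_up = True
    resets = withdrawals = announcements = 0
    for delivered in keepalive_delivered:
        t += KEEPALIVE_INTERVAL
        if delivered:
            if not session_up:
                session_up = True
                announcements += prefixes     # routes come back: one UPDATE per prefix
            last_heard = t
        elif session_up and t - last_heard >= HOLD_TIME:
            session_up = False
            resets += 1
            withdrawals += prefixes           # hold timer expired: every route withdrawn
    return {"resets": resets, "withdrawals": withdrawals, "announcements": announcements}


def churn(keepalive_delivered, prefixes):
    """Total UPDATE messages (withdrawals plus re-announcements) the pattern causes."""
    r = simulate_session(keepalive_delivered, prefixes)
    return r["withdrawals"] + r["announcements"]


# Constructed congestion patterns over the same 12-interval (6-minute) window.
STEADY = [True] * 12
# Two keepalives lost in a row, repeatedly: never spans the hold time, so no reset.
LOSSY_BUT_SHORT = [True, False, False] * 4
# Three-interval outages: each one expires the hold timer and flaps every prefix.
ONE_OUTAGE = [True, True, False, False, False, True] * 2

if __name__ == "__main__":
    for name, pattern in [("steady", STEADY), ("lossy", LOSSY_BUT_SHORT), ("outage", ONE_OUTAGE)]:
        print(name, simulate_session(pattern, 1000), "updates:", churn(pattern, 1000))
```

With 1000 prefixes the lossy-but-short pattern generates no updates at all, while the outage pattern generates 4000; the difference is exactly what giving BGP packets queueing priority over worm scan traffic is meant to preserve.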

  21. Doesn't that... by Hammer · · Score: 2, Interesting

    ...put him in a funny spot. He has publicly vowed to destroy those who harbour terrorists and also that MS is good for America.
    So, does he go after the hand that fed him? Or will he leave MS alone and thereby in effect harbour someone who's harbouring terrorism. We all know what he promised to do to those ;-D

    1. Re:Doesn't that... by Mathness · · Score: 1

      No, he is going to FED them ;)

      Yeah I know, stupid joke. Couldn't resist though.

      --
      Carbon based humanoid in training.
  22. MSGP by artoo · · Score: 1, Redundant

    In an effort to reduce confusion regarding the correlation between IIS/MS Windows viruses and worms and degradation in internet traffic, Microsoft has announced the release of their own global routing protocol, MSGP.

    "MSGP has taken a few days to develop this great technology using some of the brightest minds from around the world. Incorporating transfer of information using FEP (http://www.ietf.org/rfc/rfc3093.txt), we can ensure that when a virus hits, all internet traffic will come to a screeching halt," a Microsoft spokesperson said at yesterday's press conference.

    Cisco has announced they will have firmware revisions tomorrow to incorporate this into all their products.

    1. Re:MSGP by Doctor_D · · Score: 2

      Heh, and then once MSGP is implemented, people could set their routers to drop all packets from MSGP sites, and eliminate the M$/IIS viruses/worms.

      --
      "If you insist on using Windoze you're on your own."
  23. New law by mnordstr · · Score: 0, Troll

    Since they are making new laws to forbid strong encryption, they might do something useful and introduce a law that forbids software which can be (easily) used to run worms on.

    That might kick M$ from their chairs and make them focus on the quality of their programs, instead of the quantity.

    1. Re:New law by t00tie · · Score: 1
      OK. Since linux is an excellent server OS, it's also an excellent platform to run worms on (it doesn't even crash as much as windows under high load).

      So let's forbid linux.

      s/linux/your favourite stable OS/g

      D'uh.

      Back on topic: Couldn't routing protocols be changed to only cache routes for significant traffic flows - especially if the worms typically send small amounts of traffic to large network segments? Or better still to ignore worm-like activity (scans) at least for route caching purposes?

      --
      I asked my closed-source vendor about ubiquitous computing.
      He answered "Oh no! You-not-be-quit-us!"
  24. again.. slashdot = suck by Anonymous Coward · · Score: 0

    I seriously doubt that whoever posted this news piece even understands the paragraph that they quoted. My God, will they post anything as if it's news or if it really matters?

  25. Is it just me.. by Anonymous Coward · · Score: 0

    or are slashdot commenters the most unfunny people ever?? the jokes are so fucking corny and lame, but they get modded up anyways. I find the trolls 1000x more funny than this laugh-o-rama.

  26. The state of Slashdot by Anonymous Coward · · Score: 0, Insightful

    Linux == Good
    Internet == Good
    BGP == Good
    Microsoft == Satan
    Outlook == Bad
    IIS == Bad
    IE == Bad
    Worms == Bad
    Corporations == Bad


    Score:5 Informative

  27. Why is this flamebait? by Anonymous Coward · · Score: 0

    Come on now, he's got a good point, let's start to use the same tricks on them that they use on us! He's not suggesting that we make any untrue or even misleading statements, simply that we associate these viruses with what they attack. You'd better believe that the first worm that hits Linux will get the MS spokespeople attempting to permanently link the word "worm" with "Linux" in the brains of the public, then each time THEY get hit with a worm, the uninformed public will shake their collective fists at Linux.

    Flamebait would have been "Linux rulez0rs all you Micro$haft sluts"

    1. Re:Why is this flamebait? by bubbha · · Score: 1

      I would like to rise up in support of this opinion as well. Look at how Micropatch has tried to associate the various "open" movements with communist sympathizing hippies. The CLEAR motive here is to form an image in the "collective minds" (sorry!) of IT management that open software is not "corporate" software. I'm not suggesting that we stoop to the level of dishonesty, but after all, it is a Microsoft Virus.

      --
      I want to be alone with the sandwich
  28. It has to be said... by El+Volio · · Score: 2

    A communications disruption can mean only one thing: invasion.

    --

    "You can never have too many elephants on your team."

  29. Viruses and evolution by Anonymous Coward · · Score: 3, Insightful

    What we are seeing here is evolution happening on the internet. When we (humans) became the dominating species on earth, viruses started spreading amongst us. The same thing is happening among computers now!

    We have two choices to fight this problem:
    1: We can try to fight it using antivirus programs, which is equivalent to using medicine to cure our viral diseases. We already know that this means fighting an uphill battle, because protection against the unknown is hard, if not impossible.
    2: We can try to bring more diversity to the operating systems and programs we use. This would automatically decrease the virus population, because a virus designed to infect more than one program/OS/species would have to be far more advanced, and would thus lower the probability of its existence. And in the case of computers, the bugs on one platform/program are rarely the same as the bugs on another.

  30. A better conclusion. by Anonymous Coward · · Score: 0

    Ipv4 is dying.

    ....does that one work at all?

    Just a thought

  31. No: Microsoft worms are NOT "web/email viruses"! by Jens · · Score: 3, Interesting
    ... but professionals and those writing formal papers need to steer clear of this sort of propaganda ...

    What's propaganda here? They are telling the truth. Those viruses only propagate and damage Microsoft systems. They are there because Microsoft systems are so vulnerable. If it weren't for IIS, Windows 2000 etc. those worms wouldn't exist. (And don't "but others would" me - I don't see any reason why Unices, Apache, etc. would be unsafer without Windows.)

    Tell the truth. Don't hide behind words. That's a journalist's job, isn't it? And anyway, now with Microsoft distributing reports that claim Apache is also vulnerable, citing relatively harmless directory listing bugs from 1999, why should we not try to educate the public?

  32. Re:I have a very short attention span by gazbo · · Score: 1

    For christ's sake, why was this modded down, but all of the other usual uninformed anti-MS shite is left alone or modded up?

    If you want to read something informative, check THIS POST out - it's the only post so far with any information. If you know bugger all about networking and just want a laugh, read this post's parent. If you don't know anything about networking, but your parents have let you boot up into Linux for a quick play on Lynx, then I suggest writing a post along the lines of 'Microsoft should be sued for letting this happen'. Don't worry, you've got plenty of company.

    </rant>

  33. Yeah Well, Except... by Greyfox · · Score: 4, Insightful

    The patches to prevent these worms were out for ages. It's just that system administrators and others never installed them. So Microsoft has quite an out there, and for some reason the businesses that whine about the costs of these worms never seem to be looking to their own admin staff and asking them why the hell those patches were never installed.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Yeah Well, Except... by anomaly · · Score: 5, Interesting

      It's easy to say this, but speaking as one who works for an enterprise, it's not easy to do.

      We've got tens of thousands of PCs running hundreds of applications - some internally developed, some externally developed.

      For MS security patches (or anything else) that we release into "production" we need to engineer the build to make sure it works with our OS build, then test against Tier 1 applications.

      Once that is complete, the development groups need to sign off saying that their application runs with that code.

      Specifically in terms of IE 5.5 SP2, Quicktime is no longer compatible. Sure, there's an update to Quicktime, but my point is this - how many other things stop working? Which of our internal apps are dependent on IE or subcomponents that no longer work with IE5.5 SP2?

      We don't know. Frankly, even if we thought that we knew, we couldn't be sure outside of testing.

      IE has seen 7 security patches in the last 8 months. Particularly in this economy, we can't afford the testing staff to nail each of these as they are released.

      Of course we're at risk. Now is the time to question our continued use of MS products. I'm doing that.

      Regards,
      Anomaly

      --
      But Herr Heisenberg, how does the electron know when I'm looking?
    2. Re:Yeah Well, Except... by seanfuller · · Score: 1

      I know how to fix this. Have microsoft add an automatic update when connected to the Internet. Any of their OSs would just automatically contact microsoft when online and check for any relevant patches and just apply them automatically. That way dumb users that don't know their butt from a hole in the ground will have microsoft take care of them. In fact, a safer thing for microsoft to do would be to remove the capability of doing this manually. How is a stupid user to know what patches to apply. In fact, I know some stupid sysadmins also. You know, maybe we could all just mail in our root passwords and get it over with?

      --
      Sean Lane Fuller - The truth is out there!
    3. Re:Yeah Well, Except... by Bert64 · · Score: 1

      Well, the windows update site was compromised by code red (see safemode.org or alldas.de mirror), now imagine if a smart enough cracker, instead of an automated worm, had got into the site.. and if every windows machine AUTOMATICALLY updated.. he could have infected thousands of people with a backdoored patch before anyone noticed.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Yeah Well, Except... by ImaLamer · · Score: 1

      Not to mention the fact it's mainly home users running w2k who are infected.

      But really, if you're running a web server why would you want to reboot it? Isn't this the solution to a Code Red infection, simply reboot?

      Ok I know if I ran a web server I'd run *nix, *bsd, NOT windows of any sort.

      Rebooting is for lamers.

    5. Re:Yeah Well, Except... by Anonymous Coward · · Score: 0

      Thank god for kantian pure reason and large integer studies..

    6. Re:Yeah Well, Except... by Electrum · · Score: 1

      Encryption can partially solve this problem. Updates are already signed by Microsoft, the same way device drivers are signed. Presumably, the automatic updater would only apply updates that had a proper signature. Though, there was that story a while ago about someone else getting a Microsoft certificate out of VeriSign...

  34. Embrace and Extend by Greyfox · · Score: 3, Funny

    Whenever a popular product shows up on Windows, Microsoft usually ends up either buying the company or writing their own version which sucks for the first few versions. So when will we be seeing MS Worm Version 1.0?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Embrace and Extend by bubbha · · Score: 1

      You know I think M$ really missed the market here. Perhaps they should start giving their software away for free and sell the patches. They could change their name from Microsoft to Micropatch.

      --
      I want to be alone with the sandwich
    2. Re:Embrace and Extend by trixillion · · Score: 1

      or maybe they would go for Microshaft

  35. MS guilty by negligence. by Anonymous Coward · · Score: 1, Insightful

    I just had a brilliant idea!!!! If the MS worms are indeed proved to be causing the routing problems, then the big network companies and all their customers can then legitimately launch a real, valid class-action product liability lawsuit against MS for MS's products causing them tangible harm and then seek a legal remedy.

  36. A Simple Solution by Anonymous Coward · · Score: 5, Interesting

    One of the inherent problems with all routing protocols is that they rely on in-band announcements and updates, and communicate state purely by reachability. This is clearly a flawed approach on heavily loaded links and routers. This problem has already been addressed worldwide on the telephone network with the introduction of SS7. One of the key aspects of SS7 is that it is transported over an Out of Band network (the actual transport may be on a dedicated timeslot on a SONET link, but the basis is that the link is dedicated to management).

    By implementing a low throughput (say 64K-256K; this requires more analysis) management network, the ISPs could be certain that the state of the BGP peering sessions and the integrity of the UPDATE messages are always intact.

    One of the key aspects/benefits of BGP is that unlike other routing protocols it does not advertise routes in the simple "here's my routing table" messages that protocols such as RIP (and, less so but similarly, OSPF and ISIS) use. BGP relies on TCP sessions between peers. On connection the entire known (or filtered via policies) shortest path routing table is exchanged. After this the link stays idle, with the exception of TCP keepalives, until an UPDATE message is sent to communicate that a new route is added or an existing route is removed from that peer's routing table. Also BGP does not assign any significance to the port that receives the information - merely the peer. This all makes BGP inherently scalable, stable and reliable - unless resources are not available (CPU, memory, buffers or links). TCP is the reliability mechanism here. The presence of the TCP session validates all the routes learned via that session. The absence of the TCP session invalidates all the routes and causes them to be withdrawn for that TCP session.

    Maintenance of the TCP session stability is key to the stability of the routing table. With over 80,000 routes on any BGP full update, the processing needed to cope with multiple TCP sessions failing or starting is immense (and probably better served by a UNIX platform than by a router to be honest).

    SS7 uses a mechanism whereby UNIX servers process the routing information and create the core routing table - note: table is the key - it is not the path the data or calls follow. Building a similar architecture within the Internet would allow routers to have one or two TCP sessions to BGP servers (a concept already grasped with route reflector servers) and dedicate their CPU to forwarding packets etc. The dedicated servers never need to see a packet to be forwarded - it's just not that important to BGP, so they have no need to be on the same physical cables/links as user packets. This architecture would take some rethinking but would not be outside the plans of most ISPs, and definitely not outside the skillsets.

    Clearly the next problem then becomes low speed customer connections. Again the Telco industry has addressed this problem with ISDN - with the B channels. For these lower speed connections, there is no need to change the existing model. Losing one customer here or there is nothing (UPDATEs on BGP are typically well over 100 a second at NAPs) and would be catered for simply.

    The NAPs could merely serve as routing table peering points, and not data transfer points - again another area of congestion.

    The Internet is proving to be a reliable and trustworthy international communications medium; the next step is to make it even more robust, and truly scalable. Using OOB management is the obvious next step to this goal.

    GMPLS is being touted as the next step for ISPs in terms of exchanging routing information in an OOB network. This is only one aspect of the work that is being done there.

    1. Re:A Simple Solution by Bazzargh · · Score: 2

      Is moving routing info out of band not just guaranteeing QoS for that info? So why not guarantee QoS in band?

      Excellent informative post BTW.

    2. Re:A Simple Solution by Anonymous Coward · · Score: 0

      Out of Band (OOB) management is a bad idea. How long after this great internetwork of low volume management links before someone finds a way in and crashes the entire network. While this would be fine for smaller, individually maintained networks, placing the entire internet routing in the hands of a few links is a bad idea. It would be virtually impossible, and economically unfeasible, to recreate the entire redundancy already built into the internet simply for routing updates.

    3. Re:A Simple Solution by Anonymous Coward · · Score: 0

      wow.

      Somebody's on the ball today....

    4. Re:A Simple Solution by Anonymous Coward · · Score: 0

      >Is moving routing info out of band not just guaranteeing QoS for that info? So why not guarantee QoS in band?

      QoS (queuing) costs cpu cycles, you can't spare cpu cycles to do that sort of thing in core routers, they are all about I/O.

      >Excellent informative post BTW

      i second that

    5. Re:A Simple Solution by Anonymous Coward · · Score: 0

      >It would be virtually impossible, and economically unfeasible, to recreate the entire redundancy already built into the internet simply for routing updates.

      actually that was addressed at the end of his post : (G)MPLS - (general) multi-protocol label switching

      mpls allows the creation of multiple virtual circuits (think frame-relay or atm) in an ip network. although unlike frame or atm, mpls does not use pvc's. it hooks into the ip routing protocol and creates any to any connectivity.

      the upshot here is that this could be implemented on the existing physical infrastructure, while creating separate logical circuits that could be segmented for security purposes.

    6. Re:A Simple Solution by Anonymous Coward · · Score: 0

      Anything you can do with GMPLS can already be done by other means on the current crop of routers/switches. Just because we implement some 'cool new features' in the gear doesn't mean anyone will use them as intended...

      As far as having a 'unix' system to handle BGP, have you actually LOOKED at some of the systems that are handling BGP out there these days? With the exception of cisco, they all appear to be some form of Unix, whether it be FreeBSD, or a big Solaris box handling peering at a NAP (yes yes, I know, most people at the NAPs don't bother peering with the thing, unless they HAVE to, and NAPs are becoming pointless as the few remaining Big Networks do more and more private interconnects)

      a KEY difference between the voice and internet networks is that the telephone system has a geographically based, hierarchical addressing system. So SS7 does not have to scale (at a core level) nearly as much as BGP does. IP networks are tossed about almost at random, and as smaller customers multi-home, smaller and smaller prefixes are being announced into the global routing table (which is something ss7 will NEVER have to deal with)

      After studying the concept of doing an Out of Band routing update system on and off over the years, I can honestly say it did not add any significant potential uptime to the network as a whole. In other words, it would be a horrible waste of money.

      Your mileage may vary, but this argument is older than the hills, and usually only proposed by old telco engineers who don't know any better.

    7. Re:A Simple Solution by Anonymous Coward · · Score: 0

      As the original author of this comment I wanted to respond to a couple of the replies.

      The argument for QoS is strong, but IP is not a QoS aware protocol and IPv6 is some way off. IP was designed to be best effort, the products that were created for many years were designed to be best effort. QoS is the enemy of best effort. To implement QoS the product MUST be QoS enabled in the first place.

      The Type of Service field in IPv4 was included for exactly these purposes but has languished unused until Differentiated Services was proposed. These are not simple things to implement on a large network, and really address CoS not QoS. CoS being the ability to prioritise traffic, QoS the ability to guarantee bandwidth. It's worth remembering that many of the IP routers in use on the internet today were not designed to do much more than forward packets at incredible speeds.

      The most extreme form of QoS is fundamentally TDM, which would imply that the management would be out of band. QoS mechanisms, if implemented, which they aren't in most IP hardware to the level possibly needed, still take local resources from the router.

      The concept of out of band takes that further. Not only is the traffic removed, hence the denial of service suggested in one of the posts is removed, but also the processing overhead is removed. Injecting illegal packets is already catered for in most routing protocols with authentication hashes attached to all packets. So the DoS to avoid is congestion caused by too much traffic, or attacks on TCP ports on the router.

      The concept of an Out of Band network is not to build an accessible network, but a truly parallel network. A number of data devices today use IP for the backplane, each card has a unique IP address, and the management traffic is forwarded between the cards. Much as Virtual Routers create the concept of private routing space, so does the management plane of a number of IP routing devices. Taking this concept a step further the OOB network would be inaccessible to inband traffic - there would be no possible way to forward your packet between a user port and a management port.

      This all translates to a number of benefits.
      1) DoS virtually eliminated - you can't get to the network in the first place
      2) QoS is guaranteed due to separation of the management traffic from user traffic
      3) The process of aggregating the input from 10s to 100s of peers is placed on a device whose sole function is to maintain TCP sessions and process data - which is a fair description of a UNIX platform - not a router
      4) Removing the load from the routers reduces some of their costs - again, to beat the pundits, the price of an OC-48 POS card outweighs the cost of CPU and memory considerably.
      5) It also opens the door to more router vendors, which in theory creates competition and improves the product.

      As one person points out, this is an old concept. The fact that the phone network, the largest public network in the world, works as well as it does is in part due to OOB. The fact that UUNet proposed MPLS, based on Cisco's Tag switching was because routing doesn't scale - according to UUNet. What UUNet really wanted was Frame Relay at OC-48 and OC-192 - but that switch has only recently been proposed by a couple of vendors.

      The datacomms industry is rightfully accused, in one post, of creating standards for problems that don't exist and leveraging sales muscle to force the new standards on customers. As a member of the datacoms vendor industry I am fully aware of this, and it's good that it is understood by people. However, much work is being done that is necessary. BGP is a product of that work, and is definitely a good thing. GMPLS may not be the right thing, but some of the concepts are solid; to not pursue these goals, when every ISP knows that routing protocols are hurting (hence MPLS from an ISP in the first place), would be the wrong thing. The problem is to sift through the hundreds of IETF drafts to find the one that works, amid the vendor politics that now abound. The evidence that viruses are causing this sort of problem does imply that there is a problem there as well. So we do need a solution that protects the routing information from the malicious public's hands, and a method of scaling routing protocols better. I would think that the proposal laid out earlier meets all criteria: no new protocols, protects the management plane and reduces the complexity of the routing architecture.

    8. Re:A Simple Solution by darkonc · · Score: 3, Interesting
      The in-band nature of the Hello packets, loss of which causes the 'flapping' is not an accident or an error. It is a feature. If you lose the hello packets, then chances are that you're losing other packets as well. This means that this branch of the network is overloaded and you should try another path.

      Lost packets cause retries -- which cause even more traffic. If your problem is overload, you are far better to try another path than to lose packets and generate (overall) more packets through retries on the shorter path. If all inbound paths to a network are overloaded, then the whole network is overloaded, anyways. You might as well just drop the packet, and give the overloaded routers that 30 second flap time to catch up to the backlog.

      If you took those packets out of band, then you'd be needing another method to measure packet loss... This would require more CPU and/or more packets (bandwidth) -- thus making the whole problem even worse.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    9. Re:A Simple Solution by Cato · · Score: 2

      QoS can cost virtually nothing in CPU cycles, as long as you have the right router - e.g. Junipers, or high-end Ciscos such as a 7500 with VIPs, using CEF. All that's needed is to have one queue for essential traffic (routing etc) and another for other traffic.

      The real solution is to also dedicate some CPU to the router's routing processes, so that even when the forwarding path is being heavily hit by a worm, there is no impact on the routing side's use of CPU. QoS will then make sure that the BGP and other updates get through OK.

    10. Re:A Simple Solution by Cato · · Score: 2

      IPv6 has almost nothing to do with QoS, despite what most people seem to think. Its only QoS-specific feature is the Flow Label, which allows RSVP-aware routers to more efficiently classify traffic. RSVP is not a great option for safeguarding QoS for routing traffic. Any realistic implementation of QoS today, outside VoIP, simply uses class of service (CoS) based loosely on the DiffServ model, using the TOS byte in IPv4 or the Traffic Class equivalent in IPv6.

      Most routers in the Internet today are Cisco or Juniper, which have fairly reasonable CoS support - high-end Cisco routers have no trouble handling a few more queues, and Junipers can do four queues at wire speed through hardware support for CoS. The ability to throttle back worm-generated (or other) DoS traffic, or protecting routing traffic's QoS, is worth spending some CPU cycles for, as it avoids the massive load of BGP sessions stopping and then re-starting (every restart involves a full routing table update, which is very expensive in router CPU time).

      CoS implementations are getting much simpler due to the availability of policy-based network management (PBNM) tools, which enable thousands of routers to be configured for CoS within less than an hour. (Disclosure: I work for a company that makes such tools.) The real issue is whether CoS is enough - as you suggest, an OOB network is better, particularly with respect to denial of service attacks. However, an OOB network is very expensive, and the trend is towards in-band management in packet networks for this reason, so a combination of IP QoS and extra IP security might be enough. You might also want to run IPSec between all BGP peers, and to have extra ACLs, so that only IPSec-authenticated BGP peers can connect using BGP. However, IPSec is quite an admin hassle, even though PBNM can help as well here - might be better to put anti-DoS features into routers to protect BGP, e.g. rate limits on inbound BGP traffic.

      Finally, MPLS is not really about out-of-band routing - it does decouple routing and forwarding, but the routing (control) packets travel over the same network as the data packets. You could separate control traffic onto a separate network, but that's not something that MPLS requires or encourages. The main reasons to use MPLS are for traffic engineering, VPNs and harder end to end QoS, not OOB management.

      The concept of OOB management is useful, but IMO it's best to consider building a 'virtual OOB network' that uses QoS and security to partition its resources, while using the same links and routers as the main traffic on the network.
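The mechanics argued over in this thread (keepalives tail-dropped on a saturated FIFO link versus a separate queue for routing traffic, hold-timer expiry withdrawing every route learned over the session, and the full-table update on each re-establishment), worked as an added simulation that is not from any poster; the timer values are assumed Cisco-style defaults and every packet count and scenario below is constructed.

```python
"""Model one BGP peering over a link that a worm outbreak saturates.

A BGP speaker must see a keepalive from its peer at least once per hold time;
otherwise it tears the TCP session down and withdraws every prefix learned
over it, and the next re-establishment resends the whole table.  Two queueing
policies on the congested link are compared: plain FIFO with tail drop, and a
strict-priority queue that always serves routing-protocol packets first.
All timer values and packet counts below are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field

KEEPALIVE_INTERVAL = 60   # seconds between keepalives (assumed Cisco-style default)
HOLD_TIME = 180           # seconds without a keepalive before the session is dropped


@dataclass
class Link:
    """One congested link with a tail-drop data buffer and an optional control queue."""
    capacity_pps: int          # packets the link can forward per second
    queue_depth: int           # buffer size in packets; arrivals beyond it are dropped
    priority: bool             # True: BGP packets use a separate queue served first
    data_q: deque = field(default_factory=deque)
    ctrl_q: deque = field(default_factory=deque)

    def enqueue(self, kind: str) -> bool:
        q = self.ctrl_q if (self.priority and kind == "bgp") else self.data_q
        if len(q) >= self.queue_depth:
            return False            # tail drop: the buffer is already full
        q.append(kind)
        return True

    def transmit(self) -> list:
        """Forward up to capacity packets, control queue first; return what left."""
        sent = []
        while len(sent) < self.capacity_pps and (self.ctrl_q or self.data_q):
            q = self.ctrl_q if self.ctrl_q else self.data_q
            sent.append(q.popleft())
        return sent


@dataclass
class Outcome:
    keepalives_lost: int = 0      # keepalives tail-dropped while the session was up
    resets: int = 0               # hold-timer expirations (session torn down)
    withdrawn: int = 0            # prefixes withdrawn because their session died
    full_table_updates: int = 0   # full re-advertisements after re-establishment


def simulate(worm_pps, capacity_pps, queue_depth, priority, prefixes=300,
             duration=900, worm_window=(100, 600), reconnect_delay=30):
    """Drive one BGP session across the link second by second.

    Worm traffic is offered only during worm_window.  A keepalive is sent every
    KEEPALIVE_INTERVAL while the session is up; while it is down an OPEN is
    retried every reconnect_delay seconds (simplified to a single packet).
    """
    link = Link(capacity_pps, queue_depth, priority)
    out = Outcome()
    session_up, last_keepalive, down_since = True, 0, None
    for t in range(duration):
        if worm_window[0] <= t < worm_window[1]:
            for _ in range(worm_pps):
                if not link.enqueue("worm"):
                    break           # buffer full: the rest of this burst is dropped
        if session_up and t > 0 and t % KEEPALIVE_INTERVAL == 0:
            if not link.enqueue("bgp"):
                out.keepalives_lost += 1
        elif not session_up and (t - down_since) % reconnect_delay == 0:
            link.enqueue("bgp")     # OPEN attempt from the reconnecting speaker
        if "bgp" in link.transmit():
            if not session_up:      # re-established: the peer resends its full table
                session_up = True
                out.full_table_updates += 1
            last_keepalive = t
        if session_up and t - last_keepalive > HOLD_TIME:
            session_up, down_since = False, t
            out.resets += 1
            out.withdrawn += prefixes   # every route learned over the session goes
    return out


if __name__ == "__main__":
    for policy in (False, True):
        o = simulate(worm_pps=2000, capacity_pps=1000, queue_depth=2000, priority=policy)
        print("priority queue" if policy else "FIFO tail drop", o)
```

With the worm offering twice the link's capacity, the FIFO run loses three keepalives in a row, drops the session and withdraws all 300 prefixes, then pays a full-table update once the outbreak ends; the same run with a priority queue for routing packets loses nothing.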

  37. Re:I have a very short attention span by Anonymous Coward · · Score: 0

    Yes...yes it was excellent.

  38. Re:assembly woes by Anonymous Coward · · Score: 0

    Wow. What is this, a post from 1997? 1998? Anyways, in case you're serious (in which case you're the biggest loser on the planet), TASM and NASM .obj files are not compatible.

  39. Distortion ? by AftanGustur · · Score: 4, Insightful

    Calling it a Microsoft worm is really a distortion, and it's the kind of thing that can damage the credibility of the author.

    And what is being distorted ? Truth ?

    Until worms start to propagate efficiently on other platforms, this problem is strictly limited to Microsoft products and calling it "Microsoft worm" is a reflection of reality.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  40. so why weren't they in criticalupdate? by MemeRot · · Score: 2

    Today windowsupdate told me to install a patch to resolve the "Malformed Data Frame Sent to a Windows 2000 Computer Through an Infrared Port Causes Stop Error". Great. Of course my computer doesn't HAVE an ir port. But MS is pushing this patch. And NOT pushing the limited patches they have for the iis vulnerability that Code Red and others exploited.

    Explain please how that makes sense?

    1. Re:so why weren't they in criticalupdate? by WoofLu · · Score: 1

      Wow! I thought this vulnerability was already out one or two months ago!

      You'll probably get the CodeRed patch when CodeBlue-and-some-green-points-in-the-middle will get out .. ;)

    2. Re:so why weren't they in criticalupdate? by harvardian · · Score: 3, Informative

      Criticalupdate is not for server admins. Hotfixes are for server admins.

      If you're a server admin and you get your security updates from criticalupdate, your intranet is in big trouble.

    3. Re:so why weren't they in criticalupdate? by Anonymous Coward · · Score: 0
      where does it say that on the Microsoft site?
      And why doesn't Microsoft allow linux/netscape-java-javascript/lynx combinations to go to their site and download hotfixes? when there's a huge outbreak like code red or nimda, those are the only clients I trust and Microsoft has turned off support for them.

      Why? Because they care more about tending their monopoly than they do about the public. fuckers. Why can't folks like the Unabomber or bin Laden target them? oh yeah, they're terrorists, it's professional courtesy.

    4. Re:so why weren't they in criticalupdate? by Tony-A · · Score: 1

      >>If you're a server admin and you get your security updates from criticalupdate, your intranet is in big trouble.

      Now that's the best laugh I've had all day. Personally I've found priority.redhat.com (or a random mirror) to work much better.

  41. root cause nothing to do with credibility by twitter · · Score: 5, Insightful
    Calling it a Microsoft worm is really a distortion, and it's the kind of thing that can damage the credibility of the author.

    Nope, sorry, a tobacco virus is a tobacco virus because it destroys tobacco crops. These worms are MS worms because they destroy MS boxes which then attempt to destroy everything. It's time the world knew about it.

    You won't hear the popular press referring to "another MS worm", however. They would not risk losing their piece of the $1,000,000 advert budget MS has for XP. As you see, "professionals", and those writing formal papers are free to call the thing what it is and should. The popular press will get it sooner or later.

    You and I should not censor our own speech for MS and their sloppy wares.

    --

    Friends don't help friends install M$ junk.

    1. Re:root cause nothing to do with credibility by ectoraige · · Score: 1

      The point is, this was a scientific paper, not a WSJ article.

      A tobacco virus attacks tobacco plants, sure, but if I was examining how two similar tobacco viruses worked, I wouldn't refer to them as tobacco viruses, I'd refer to their particular classification.

      I can give you a list of worms that attack Microsoft products, but only Nimda and CodeRedII have displayed this behaviour. Hence the need for proper classification.

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
    2. Re:root cause nothing to do with credibility by mosch · · Score: 2

      If Windows XP had a $1m advertising budget, EVERYBODY would bash Microsoft. The budget is much, much bigger. $1M wouldn't even cover the costs of hiring the ad agency.

    3. Re:root cause nothing to do with credibility by darkonc · · Score: 2
      I can give you a list of worms that attack Microsoft products, but only Nimda and CodeRedII have displayed this behaviour. Hence the need for proper classification.

      Not true. It simply happens that those were the two viruses that hit during the period that was being studied. If Code Red 1 had hit in the same period, it might have had a similar effect (though slightly less pronounced).

      Their classification is worms. Their more specific classification is Microsoft worms. MS worms are going to continue to plague us -- both because MS Windows is so common, and because MS Windows is so much easier to exploit.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  42. Re:Funny stuff! by PolaRis75 · · Score: 3, Interesting

    The reason for this is more than obvious. There are a lot of small ISPs and companies that do BGP over links as slow as T1s and fractional T1s. This recent M$ worm caused a lot of connectivity issues for a lot of people with links even faster than that. A company with just a few unpatched IIS boxes could easily produce more than 1.54 MB of traffic per second, which would cause massive latency and packet loss across their T1. This, in turn, would cause timeouts of TCP sessions like FTP downloads, web browsing, and yes, BGP sessions.

    This would then cause the session to start flapping, the upstream provider to dampen the session and routes being advertised, and their address space being removed from the global routing table.

    This doesn't mean that there was routing instability due to the worm, it just means that a lot of networks running unpatched IIS boxes became unreachable.
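The chain the post describes (saturated T1, BGP session resets, flapping, upstream dampening, prefix gone from the global table) can be replayed numerically. The block below is an added example written for this page, not code from the post or from the paper; it implements route-flap dampening in the style of RFC 2439 with the common vendor defaults assumed for the example (penalty 1000 per flap, half-life 15 minutes, suppress at 2000, reuse below 750, suppression capped at 60 minutes), and feeds it a constructed scenario of an infected site whose session resets three times in three minutes.

```python
import math
from dataclasses import dataclass

# Route-flap dampening parameters in the style of RFC 2439. These numbers are
# assumed for the example (they are common router defaults, not values taken
# from the post): each flap adds 1000 to the penalty, the penalty halves every
# 15 minutes, a prefix is suppressed once the penalty reaches 2000 and is
# reused again once it decays below 750, and the penalty is capped so that
# suppression never lasts longer than 60 minutes.
PENALTY_PER_FLAP = 1000.0
HALF_LIFE_MIN = 15.0
SUPPRESS_LIMIT = 2000.0
REUSE_LIMIT = 750.0
MAX_SUPPRESS_MIN = 60.0
# Largest penalty that still decays below REUSE_LIMIT within MAX_SUPPRESS_MIN.
PENALTY_CEILING = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)


@dataclass
class DampenedPrefix:
    """Dampening state an upstream keeps for one prefix heard from a customer."""
    penalty: float = 0.0
    last_seen_min: float = 0.0
    suppressed: bool = False

    def decay_to(self, now_min: float) -> None:
        """Apply exponential decay for the time elapsed since the last event."""
        elapsed = now_min - self.last_seen_min
        self.penalty *= 2 ** (-elapsed / HALF_LIFE_MIN)
        self.last_seen_min = now_min
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False

    def flap(self, now_min: float) -> None:
        """A withdraw/re-announce pair (for example a BGP session reset) at now_min."""
        self.decay_to(now_min)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, PENALTY_CEILING)
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True

    def minutes_until_reuse(self) -> float:
        """How long the prefix stays out of the table if it stops flapping now."""
        if not self.suppressed:
            return 0.0
        return HALF_LIFE_MIN * math.log2(self.penalty / REUSE_LIMIT)


def simulate(flap_times_min, check_at_min):
    """Replay session resets at the given minutes and report the state at check_at_min.

    Returns (suppressed, penalty, minutes_until_reuse) as seen at check_at_min.
    """
    p = DampenedPrefix()
    for t in sorted(flap_times_min):
        p.flap(t)
    p.decay_to(check_at_min)
    return p.suppressed, round(p.penalty, 1), round(p.minutes_until_reuse(), 1)


if __name__ == "__main__":
    # Constructed scenario: an infected site behind a T1 resets its BGP session
    # three times in three minutes, then gets patched and stays up.
    for check in (2, 20, 32):
        print(f"t={check:2d} min:", simulate([0, 1, 2], check))
```

With these parameters a single reset costs nothing visible, two resets a minute apart stay just under the suppress limit, and the third one pushes the prefix out of the upstream's table for about half an hour after the site has already recovered, which is why a short burst of worm traffic shows up as a much longer reachability hole.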

  43. Fascinating... (Kill Whitey!) by erroneus · · Score: 4, Insightful

    Okay, I just put the subject to troll for readership... Hehehe.

    Actually, though there may be a direct connection between routing problems and Code Red/Nimda activities, it's still a routing problem and to my regret, I can't lay any direct blame on Microsoft for this one.

    Okay, it only runs on Microsoft platforms... That's not enough. If the probes/propagation (as opposed to sheer traffic) are responsible for this then it's an issue that should be addressed with the router people. Clearly their firmware isn't written well enough and should be patched to handle this problem.

    Additionally, ISPs should start cutting off infected users without hesitation now. The attacks are now more than simply annoying in the way it fills up my logs. They are now affecting the whole damned internet. This affects just about every commercial interest and should be motivation enough I think... (complaints of the people are never enough, but start playing with or threatening money and you will get someone's attention eh?)

    What are the positives surrounding Code Red/Nimda? Well, though they have managed to keep their sunglasses on it's still a black eye for Microsoft. And while the argument has been made that patches have been available long before this mess has started, blame can be placed on Microsoft for a different reason.

    It's not the presence of patching that is at issue. Rather, it's about default configuration(s) at install time and Microsoft's neglect over issues of reasonable expectation that its users are smart enough to know how to turn things off or even know they are running.

    Microsoft's users, as Microsoft is aware, tend to install "everything" when installing their OS. Why? A number of reasons -- because they don't want to miss out on any cool toys or because if they need something later, they don't want to be forced to reboot to use it. Microsoft is aware of this.

    Microsoft knows that a majority of its usership is not trained to understand the implications or potential problems of running services on the internet. These same users cannot be reasonably expected to understand beyond "if it ain't broke don't fix it." Unpatched, their servers appear to be working JUST FINE don't they? So the infected users probably don't believe they have a problem either because they don't see the symptoms or they don't realize they are running IIS at all.

    Microsoft, as a mature and responsible technology company marketing to idiots must share more blame than they have been accepting at this time. This might be seen as Microsoft serving its "MS Coffee" too hot for its customers. (ref: the lawsuit where the woman sued McDonald's for serving coffee that was too hot and was negligent in affixing the lid on the container.) They have overestimated the intelligence of its usership for far too long and now this is the price we all pay.

    1. Re:Fascinating... (Kill Whitey!) by superdk · · Score: 4, Informative

      Additionally, ISPs should start cutting off infected users without hesitation now.

      Some ISPs do. I know because I get to cut them off after giving them a warning and ample time to fix the trouble. What's the problem with all of this?

      Imagine the following...

      Hi, this is Joe Tech from ISP X's Network center, we're seeing that your machine on x.x.x.x is infected with Nimda and this is affecting our network. Your service will be suspended if you don't take care of this.

      Customer: uhhhh... how do I fix that? Will the guy at Dell fix it? Why can't you just fix my server and keep this from happening again?

      My point: for every 10 business customers I have, only one of them knows A) they even have a web server on their connection, B) they had their server's pants down to the whole world, C) what Nimda is.

      besides, people paying business T1 prices don't like being shut off right or wrong.

      --


      Silly slashdot, sigs are for kids!
    2. Re:Fascinating... (Kill Whitey!) by erroneus · · Score: 2

      You have made my point BEAUTIFULLY. THIS is exactly why Microsoft should be held liable. Your company is blameless on this matter and they should be cut off regardless of their feelings.

    3. Re:Fascinating... (Kill Whitey!) by erroneus · · Score: 2

      Oh yeah, on a side note, this is a business opportunity for me!

      If any of your customers are in the Dallas/Ft. Worth area, my email address is:

      fix-nimda@d-n-a.cc or fix-codered@d-n-a.cc

      Have them send me an email and I'll take care of them for a fee! :)

    4. Re:Fascinating... (Kill Whitey!) by kimihia · · Score: 1

      If they are that dumb, then they deserve it.

      True, calls to the call center cost the ISP money. But so do rampant Microsoft worms.

      What's more, one local ISP that offers colocation clearly states that if your machine goes and messes up the network (eg, it gets owned by Nimda and starts infecting the neighbours) you will be paying the ISP's engineer's paycheck for their trouble to disconnect you, as well as for all the havoc you caused.

      You cause crap. You clean it up.

      Pulling the plug is the easiest way to solve mad IIS servers.

  44. SOMEONE WRITE AN ANTIBIOTIC WORM!!!! by mallsop · · Score: 1, Interesting

    I had a stupid idea...write a worm that enters a backdoor set by the code red and nimda worms that fixes all the code red and nimda boxes and then, after a few months, removes itself from the box it's on (to stop looking for infected boxes). Unfortunately I don't think I could write something like that anytime soon. Call it "Early Bird" since the Early bird gets the worm. he he.

    --

    Moving at the speed of government.
  45. Re:Antibiotic worm needed by mallsop · · Score: 0

    I had a stupid idea...write a worm that enters a backdoor set by the code red and nimda worms that fixes all the code red and nimda boxes and then, after a few months, removes itself from the box it's on (to stop looking for infected boxes). Unfortunately I don't think I could write something like that anytime soon. Call it "Early Bird".

    --

    Moving at the speed of government.
  46. Re:Idiot by mallsop · · Score: 0

    I think you need to rent a copy of American History X.

    --

    Moving at the speed of government.
  47. Finally -- Credit where it's due by Anonymous Coward · · Score: 0

    Finally someone giving credit where it's due -- Virus credits should go to Microsoft and the brand of worms are termed "Microsoft Worms"...Bravo to ./ for finally getting it right.

    AC

  48. psytrance enlightenment :) by a_hofmann · · Score: 1

    ...

  49. Re:No: Microsoft worms are NOT "web/email viruses" by Anonymous Coward · · Score: 0

    Hear hear!

  50. I don't use IIS, so I can whine, can't I? by jsveiga · · Score: 2

    Our web site has very low traffic (our market is very restricted).

    In the last few months I got more requests from IIS worms than requests for my home page during the past year.

    "Oh, I'm sorry, all TV sets we've produced were found to generate RF interference and degrade the signal on all the TV network. We made a circuit patch available on all our distributors. If you bought one of our TVs, please come get one and install it yourself. Now you are the one to blame."

    yk /var/log/httpd # head -1 access_log
    216.35.116.87 - - [22/Sep/2000:07:04:47 -0300] "GET /robots.txt HTTP/1.0"
    yk /var/log/httpd # tail -1 access_log
    216.201.108.18 - - [28/Sep/2001:12:19:38 -0300] "HEAD / HTTP/1.1"
    yk /var/log/httpd # grep "GET / " access_log | wc -l
    13395
    yk /var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET / " access_log | wc -l
    4167
    yk /var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET /default.ida" access_log | wc -l
    3281
    yk /var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET /scripts" access_log | wc -l
    11765
    (obs: no, I don't have a /scripts directory, although I sometimes have fun with a "default.ida" perl script)
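The grep pipeline above counts the two obvious request strings by hand. As an added example (written for this page; not the poster's script and not part of the paper), here is the same analysis as a small log parser that classifies each request by worm family, breaks the counts down per month and counts distinct probing hosts. The Code Red signature (/default.ida, padded with N for v1/v2 and X for Code Red II) and the Nimda request list (root.exe, the cmd.exe copies, the encoded traversals to cmd.exe) are the ones published in the CERT advisories on those worms; the log lines at the bottom are constructed sample data with RFC 1918 addresses, not the poster's log.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format. Status, size and anything further right are
# optional so that trimmed lines like the ones quoted in the post still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?"'
)

# Nimda request signatures as published in the CERT advisory on Nimda: the
# root.exe backdoor left by Code Red II, the cmd.exe copies in the C:/D:
# virtual roots, and the IIS unicode / double-encoded traversals to cmd.exe.
# The traversal pattern is generic on purpose, so it also catches the older
# sadmind/IIS-style probes that use the same bug.
NIMDA_SIGNATURES = [
    re.compile(r'^/(scripts|msadc)/root\.exe', re.I),
    re.compile(r'^/[cd]/winnt/system32/cmd\.exe', re.I),
    re.compile(r'^/(scripts|msadc|_vti_bin|_mem_bin)/\.\.%.*winnt/system32/cmd\.exe', re.I),
]
# Code Red hits the .ida ISAPI filter; the padding byte tells the variants apart.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<fill>[A-Za-z])')


def classify_path(path):
    """Return the worm family a request path belongs to, or None for ordinary traffic."""
    m = CODERED_RE.match(path)
    if m:
        fill = m.group("fill").upper()
        return {"N": "CodeRed v1/v2", "X": "CodeRed II"}.get(fill, "CodeRed (other)")
    if any(rx.search(path) for rx in NIMDA_SIGNATURES):
        return "Nimda"
    return None


def parse_line(line):
    """Split one access_log line into host, date fields and request path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["month"] = f"{rec['mon']}/{rec['year']}"
    return rec


def summarize(lines):
    """Count worm probes per family, per month, and distinct probing hosts."""
    by_worm = Counter()
    by_month = defaultdict(Counter)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_path(rec["path"])
        if label is None:
            continue
        by_worm[label] += 1
        by_month[rec["month"]][label] += 1
        sources[label].add(rec["host"])
    return {
        "by_worm": dict(by_worm),
        "by_month": {k: dict(v) for k, v in by_month.items()},
        "distinct_sources": {k: len(v) for k, v in sources.items()},
    }


# Constructed sample log (RFC 1918 sources); the request strings are the
# published worm probes, the hosts and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [22/Sep/2000:07:04:47 -0300] "GET /robots.txt HTTP/1.0" 200 57
10.0.0.5 - - [19/Jul/2001:14:02:11 -0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
10.0.0.9 - - [06/Aug/2001:03:15:40 -0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
10.0.1.7 - - [18/Sep/2001:12:00:01 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.1.7 - - [18/Sep/2001:12:00:02 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.1.7 - - [18/Sep/2001:12:00:03 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.1.7 - - [18/Sep/2001:12:00:04 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.2.3 - - [18/Sep/2001:12:05:44 -0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.3.1 - - [28/Sep/2001:12:19:38 -0300] "HEAD / HTTP/1.1"
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, value)
```

Counting distinct sources matters more than counting hits: a single Nimda host sends the whole probe list to each target, so the raw /scripts count in the post overstates the number of infected machines by more than an order of magnitude.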

  51. WTF does BGP mean? by Anonymous Coward · · Score: 0

    I'm kinda amazed I don't know what BGP means since everyone else seems to think it's so well known that they don't EVER bother explaining what the term might mean; kinda like ROM.

    Note to Slashdot Editors: Guys, try making it a policy that when SOA (some obscure acronym) is mentioned in the article that you parenthetically explain what it means the first time you use the SOA.

  52. I saw this at ms downloads.. by Steveftoth · · Score: 2, Informative

    The top ten downloads according to MS themself are......

    Top Downloads
    1. Internet Explorer 6
    2. Internet Explorer 5.5 Service Pack 2
    3. Windows Media Player 7.1
    4. Internet Explorer Security Update: (IE 5.5 SP1 and Internet Tools)
    5. DirectX for Windows 95, 98 and Windows Me
    6. MSN Messenger Service
    7. Internet Explorer 5.01 Service Pack 2
    8. Internet Explorer Security Update: Late May 2001 5.5 SP1
    9. Internet Explorer Security Update: (IE 5.01 SP1)
    10. Office 2000 Service Release 1a (SR-1a) Update

    Yes.. about half of this list comprises security updates to the MS browser.

  53. Story not misleading by Ungrounded+Lightning · · Score: 1, Redundant

    The story seems to imply that the worms spread faster because of BGP instability ...

    No.

    The story says that the two are "correlated". That means they seem to occur at the same time and to the same degree.

    This is a strong hint that one may cause the other or they both may be caused by a common third phenomenon. But it isn't definitive. And the choice of which is stated first in the report of correlation is totally arbitrary.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Story not misleading by Ungrounded+Lightning · · Score: 2

      "correlated" ... means they seem to occur at the same time and to the same degree.

      Well, that's an oversimplified and slightly misleading characterization. But I don't remember the exact formula for correlation at the moment.

      It's essentially a normalized measure of the product of the deviations from their individual means of measurements of two variables (typically the amount of two phenomena). Positive correlation implies that when one goes up the other also tends to be up (either more likely to be up or occasionally way up), negative means that one up implies the other tends down.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re:Story not misleading by Tony-A · · Score: 1

      Correlation is the fraction of variance in one variable that is "explained" by knowing the other variable.

      Sample correlation coefficient:
      r = ( n SUM(xy) - SUM(x) SUM(y) )
          / SQRT( [n SUM(x^2) - (SUM(x))^2] [n SUM(y^2) - (SUM(y))^2] )
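The two descriptions of correlation in this subthread (the normalized product of deviations from the means, and the n SUM(xy) formula) are the same quantity, and the point made above that "which is stated first is arbitrary" is exactly what a lag scan is for. The block below is an added example written for this page, not code from the paper or the posters: it computes r both ways, checks they agree, and then scans correlations at lags of a few hours between a probe count and a BGP update count. The two hourly series are constructed for the example (the update series is built to follow the probe series one hour later) and are not measurements.

```python
import math

# Added example: the sample correlation coefficient from the post, computed two
# ways, plus a lag scan over a constructed pair of hourly series.


def pearson_r(x, y):
    """r = (n SUM(xy) - SUM(x) SUM(y)) / SQRT([n SUM(x^2) - SUM(x)^2][n SUM(y^2) - SUM(y)^2])."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two equal-length series with at least two points")
    sx, sy = sum(x), sum(y)
    sxx = sum(v * v for v in x)
    syy = sum(v * v for v in y)
    sxy = sum(a * b for a, b in zip(x, y))
    denom = math.sqrt((n * sxx - sx * sx) * (n * syy - sy * sy))
    if denom == 0:
        raise ValueError("a constant series has no defined correlation")
    return (n * sxy - sx * sy) / denom


def pearson_r_from_deviations(x, y):
    """The same quantity as a normalized sum of products of deviations from the means."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var_x * var_y)


def lagged_correlations(x, y, max_lag):
    """r between x[t] and y[t + lag] for every lag in -max_lag..max_lag.

    A peak at a positive lag means changes in x tend to show up in y later;
    that is the minimum one needs before arguing about which causes which.
    """
    out = {}
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            xs, ys = x[: len(x) - lag], y[lag:]
        else:
            xs, ys = x[-lag:], y[: len(y) + lag]
        out[lag] = pearson_r(xs, ys)
    return out


def leading_lag(x, y, max_lag):
    """The lag at which |r| is largest."""
    corr = lagged_correlations(x, y, max_lag)
    return max(corr, key=lambda k: abs(corr[k]))


# Constructed hourly series (not measurements): worm probes seen at one sensor,
# and BGP updates seen at a route collector that, by construction, track the
# probes one hour later with a little noise added.
PROBES_PER_HOUR = [5, 6, 8, 20, 80, 160, 250, 300, 280, 200, 120, 60]
UPDATES_PER_HOUR = [102, 108, 113, 117, 143, 259, 422, 598, 697, 664, 503, 341]

if __name__ == "__main__":
    for lag, r in lagged_correlations(PROBES_PER_HOUR, UPDATES_PER_HOUR, 2).items():
        print(f"lag {lag:+d} h: r = {r:.3f}")
    print("probes lead updates by", leading_lag(PROBES_PER_HOUR, UPDATES_PER_HOUR, 2), "h")
```

On this constructed data the same-hour correlation is already high (around 0.87), which is the "they occur together" reading in the post, but the one-hour lag is where r goes to nearly 1.0. A real analysis would run the same scan over the paper's BGP update counts and a probe count from a sensor, and would still have to rule out a common cause before calling it causation.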

  54. We can start now, by not rebuilding the WTC by alispguru · · Score: 2
    Forty billion dollars has been allocated to the cause of chasing shadows, yet we know that shadows can never be caught. A mere four billion, on shining the light of information around the world, would have gone a long way to prevent the shadows from being there to start with.
    People are proposing that the World Trade Center be rebuilt to "spit in the terrorists' eye". I suggest we take that money and put it into high-bandwidth networking infrastructure for a 100-mile radius of New York city. The vast majority of workers in the WTC were information workers - they didn't really need to be physically close to each other to do their jobs.

    Let's spit in the terrorists' eye by presenting them with smaller targets, and doing business more efficiently to boot.
    --

    To a Lisp hacker, XML is S-expressions in drag.
  55. We're NOT talking about server admins by MemeRot · · Score: 5, Insightful

    Very shortly after the beginning of Code Red this ceased to be about server admins. The boxes being infected by these viruses now are home or non-power business users who have IIS enabled by default. Why by default? Because MS doesn't care about security. Why not throw in features most users won't need by default? What's the harm? Oh, we're destroying the stability of global routing? Oopsie.

    The majority of the IP addresses spreading these viruses show the default homepage if you go to them. Because the home or casual business users running these boxes DON'T KNOW what IIS is, or that they have it enabled, they DON'T KNOW that they're vulnerable or infected. These are the people that criticalupdate would reach. These are the people that need the patches. By NOT pushing this patch, MS is leaving the situation as it is, and it will never get better. To repeat - security conscious server admins are having their network hammered by this virus not because other server admins are lazy - but because many non server admins have operating systems with IIS enabled by default, and MS is making no attempt at all to reach those people despite the fact that the situation has not improved.

    1. Re:We're NOT talking about server admins by Anonymous Coward · · Score: 0

      The IIS patches eventually appeared on WindowsUpdate. Furthermore, Microsoft has made press statements notifying everyone to upgrade, and these were picked up by the major media. I don't know how they could push a "patch" any harder (well they could have BSA thugs hand it out).

      Of course, the real problem is structural -- bad code, bad default config. If they forbade the use of DirectX on 'server' versions of Windows, the warez community would stop inadvertently running server software.

  56. Class Action by dickDragon · · Score: 1

    Since IIS is responsible for installing these virii,
    and Microsoft owns all copies of IIS,
    Microsoft is liable for the costs.

    1. Re:Class Action by erroneus · · Score: 2

      I'm all behind that notion. Just understand that people who have agreed to the EULA are ineligible to participate. The people who can sue are non-IIS users.

    2. Re:Class Action by Anonymous Coward · · Score: 0

      That is a wonderful idea: if someone else does all the work i will help eat the pie.

  57. latency on the internet by Alomex · · Score: 2

    The article opens with: Many successful academic and commercial projects use direct traffic measurements (such as ping, traceroute, and web page access data) to study the structure and dynamics of the Internet. Such efforts are inherently limited by the locations of probe points required to 'cover' the Internet meaningfully. Compounding the problem, there are no effective shortcuts - simply placing agents throughout the Internet's core, as done by several commercial services, only builds up a picture of core-to-core traffic latencies and losses that has no power to predict the true "Internet weather" that end users actually experience at the network edge.

    This is just plain wrong. It is quite easy to obtain latency measurements of the edge starting from the core.

    Let E1 and E2 be points on the edge. If you have enough agents in the core, you will find an agent A in the path from E1 to E2. Then you can easily compute the latency from E1 to E2 by ping from A to E1 and from A to E2.

  58. BRILLIANT!! by MemeRot · · Score: 2

    I never thought of that angle. Yes, people are talking about 'the customer needs to patch' - why? The customer doesn't own that copy of IIS. Microsoft does. I would soooooo like to be able to attach a downside to media/software companies maintaining 'ownership' of their products, and liability for their misuse would certainly be a good place to start. Similar to gun manufacturers maybe? If gun manufacturers can be held liable for misuse of their products (not my belief that it's right, but it has happened in court) when the customers own the product, imagine how much easier it should be to attach liability if the company retained ownership of the damaging product?

  59. Thanks by Uttles · · Score: 1

    I appreciate the support.

    --

    ~ now you know
  60. Uh....no? by MemeRot · · Score: 2

    I've never seen anything like that on windowsupdate. Microsoft made statements that 'millions were unnecessarily downloading' the patch. I've seen nothing since then on the news from them.

    Can you provide some sources?

    1. Re:Uh....no? by Anonymous Coward · · Score: 0

      This is from my windowsupdate on W2K Server:

      Security Update, August 17, 2001 (Already Installed)
      2189 KB/ Download Time: 2 min
      This cumulative security update includes every update released for Internet Information Server (IIS) 5.0, and is discussed in Microsoft Security Bulletin MS01-044. Download now to keep IIS 5.0 updated with the latest security fixes.

      It supersedes a previous update on 3-Aug-01, although I was already hotfixed and WU is unable to detect that.

  61. Logic alert! by MarkusQ · · Score: 2
    A tobacco virus attacks tobacco plants, sure, but if I was examining how two similar tobacco viruses worked, I wouldn't refer to them as tobacco viruses, I'd refer to their particular classification

    So, if there was only one Microsoft Worm you'd be willing to call attention to the fact that it only affects Microsoft boxes, but because there are lots of them we should obscure the fact by calling them by made up names like Alto-Muffy and PeachFuzz-37?

    -- MarkusQ

    1. Re:Logic alert! by ectoraige · · Score: 1

      Don't be silly.

      I'm not attempting to obscure the fact that Microsoft make crap software. That fact is irrelevant in the context of this discussion. An apache worm could strike tomorrow, with the same effect. If it does, then at least we know more about how the internet may react to it.

      There's no place for gainsaying in science.

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
  62. FBI by Anonymous Coward · · Score: 0

    Its your fucking pr0n clogging up all our sniffers!!

  63. Death of the 'net predicted. by dbirchall · · Score: 2
    Film at 11. (In Windows Media format, of course.)

  64. mean one billion dollars by twitter · · Score: 1
    1,000,000,000

    it's hard to think of that many zeros, thanks for pointing it out =:>

    --

    Friends don't help friends install M$ junk.

  65. Re:No: Microsoft worms are NOT "web/email viruses" by sledd_1 · · Score: 1

    The entire intent of the article is to state that the virus harms systems that are NOT from Microsoft.
    This article describes a flaw/backdoor in our global internet.

    --
    I know a little sig that's just ten words long
  66. Re:No: Microsoft worms are NOT "web/email viruses" by darkonc · · Score: 2
    No. It doesn't describe a flaw/backdoor. The article uses BGP logs of a specific (and known) feature of BGP to track what's happening when. The MS worms hit that feature in an uncommon way that can exacerbate the problem, but the source of the problem is the Microsoft worm.

    Besides: If someone blows up your house with a bomb, they usually call it a bomb attack, not a house attack.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  67. whoa..heavy by Anonymous Coward · · Score: 0

    Umm, that's because BGP is not like your average link-state or vector-based routing protocol; it is the result of static definitions AND dynamic information. Just like a redundant topology: OSPF and static backups, where some ABRs die, area 0 is hit hard, and the static backup default goes down. I think the performance will be minimal unless there are multiple redundant routes and HSRP-analogous provisions in place.

    I've always thought that BGP was fragile; here's proof.

  68. yep by Anonymous Coward · · Score: 0

    I admin a middling-sized net for K12 and we have to get URL filtering in place: we have to get somebody else's list and trust that the categories we check are actually doing what we want. I don't know how many times I ended up doing custom permits before applying a new list because somebody forgot to double-check a URL and on application we couldn't go where we needed to be...

  69. very true by Anonymous Coward · · Score: 0

    You see one hell of a lot of ARP who-has's with this worm. Thank god we only have 126 addresses or we would be really screwed.

  70. Re:I have a very short attention span by Anonymous Coward · · Score: 0
    If you want to read something informative, check THIS POST [slashdot.org] out - it's the only post so far with any information.

    Unfortunately, I don't have a CCIE number, so I'm not qualified to read or understand that post. Also, I have this habit of spitting on people who talk down at me. Understand, it's just a bad habit. I could break myself of it if I wanted to.

  71. BGP is: by darkonc · · Score: 2
    Border Gateway Protocol (a routing protocol, if it's not obvious by now.)
    An active member of the SAT*
    * Society Against TLAs**
    ** Three Letter Acronyms
    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  72. Sources of correlation ? by petchema · · Score: 1

    Is the instability caused by the increase of bandwidth usage, or by the use of random target IPs (that must certainly include unallocated IPs, seldom used IPs, and even some non routable IPs, not seen in "normal" traffic) ?

  73. listen up by Anonymous Coward · · Score: 0

    If you were to come into a forum and attempt to discuss something and (heaven forbid) make a mistake (let's pretend that you'd join in a conversation that you couldn't master, I know it's unlikely, but bear with me), would you like some self-proclaimed god insulting everyone and yourself, or would you try to educate people even with a hint of sarcasm? You, my friend, must have a slight ego problem, and poor social skills. In short, you sound like a myopic arrogant little prick, and I am assuming that you know little besides the few usual geek habits and hobbies. Sorry, can't seem to find my cisco brand at this time.

  74. Ever Notice.. by webworkz · · Score: 1
    Has everyone ever noticed that almost all major bugs/worms/viruses start with Microsoft or an entity of M$?... and most of these contribute to large-scale problems.


    ............. Yet: "Linux is a cancer."


    Ballmer: Take the first 4 letters of your name, append an 's', and you have exactly what I'm going to kick you in... jackass.