Slashdot Mirror
Microsoft Worms and Global Routing Instability
James Cowie writes: "Fresh analysis here indicates that worm propagation periods correlate very strongly with global BGP routing instability, as measured by sustained exponential increases in the number of prefix announcements and withdrawals seen in BGP message traces."
Top Most Bizarre/Disturbing Error Messages
Net instability can also be predicted if Slashdot links to a .... well anything.
I am Jack's HTTP Server
...is sad, but true:
Global Routing is dying.
Microsoft IIS Worms
Is the Worms cause or effect?
Is IIS the cause or effect?
If we shutdown one of them, net becomes stable?
Is it easier shutdown worms than IIS?
hmmm... it's a hard decision. Has anyone scanned Internet for viruses?
:-)
"Nobody is real - Powerman 5000"
Very fascinating read, with lots of graphs that really strike the message home. But what is the point? Anyone with an internet connection will have no doubt experienced the instability.
I've personally had a particularly poor router lossing my packets for the last week, and have been trace routing it from all over the country to triangulate the problem. Doing a tracert from Maine, California and Texas seems to provide a reasonable picture of what's going on with a specific router by triangulating in on the offending router... so I'm a bit unclear on why this study was called for, unless it's just to point fingers at microsoft...
of contributing to global worming. They need to cut back their toxic emissions immediately before it's too late to save the planet.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The worms produce just a kind of DDOS and routers are expected to take a hit. If there are a lot of IRCbots attacking randomly, you'll see the same.
¦ ©® ±
Consequently, since routes time out after a while (and get cached), the IP adress sweeping increases the necessity to figure out more seperate routes than usually (or FIFO caches are too small so routes get purged from the cache faster?).
This would logically increase the load on route discovery protocols such as BGP. A whole new class of DoS attacks...
Idempotent operation: Like MS software, wether you run it once or often, that doesn't make it any better.
OK, everyone knows that word association is a powerful marketing tool. Example: Microsoft Office. When you say "office suite of programs" to the average person, they automatically think Microsoft Office. Well this article sure gives us a great one:
In this online note, we summarize our preliminary analysis of the surprisingly strong impact of the Internet propagation of Microsoft worms (such as Code Red and Nimda) on the stability of the global routing system.
Look on AP, Yahoo, MSNBC, CNN, and you always see "the Nimda virus" or "the Code Red virus," but I prefer the way the article said it. So from now on in your conversations with others, refer to each virus in this category as a "Microsoft Virus" and hopefully by word of mouth word association we can sway public opinion away from this crappy MS software.
~ now you know
mirror at http://dangermouse.pod4.org/nimda/bgp_instability. html
"I'm tired of looking like an ass because of people's assumptions" - Dalvenjah Foxfire
I have followed this problem extensivly in my local area... When code red came out, mrtg and numerous sites around the city showed large spikes in bandwidth usage. I have discussed this with several large corporations (Nationwide, Bank-One.. and telecom's Time Warner and AT&T) and i have heard very little about how to approache what are Application layer exploits at layer 2 or 3...
I understand that to serve people, telecom and internal IT departments can't very well restrict ports and such based on response to each and every exploit that causes problems...
so what can telecoms and large corporations do to cut down on meaningless uses of bandwidth?
So...on a related note.
If it is true that viruses create BGP instability, one can extrapolate that this is a form of
terrorism, by disrupting international communications.
Now - as Microsoft has done almost nothing to effectively eliminate the threat of viruses, and
hence a form of terrorism, MS can then be seen as "harbouring terrorism".
Didn't George W himself say that those who harbour terrorists will receive the same fate?
It's therefore in the international communities best interests to destroy Microsoft!
Sparks:Gadget:Beer Maker
are you trying to tell me that microsoft is unstable and most likely carrying some form of a virus? thanks impossible!
I've put up a mirror (article there now, images should be up by the time you read this).
As for the article itself, this kind of published analysis is what makes the internet great - compare with the telephone system where each company keeps (more of) their analysis to themselves and engages in more finger-pointing.
I'd never have guessed.
Seriously, though, this does strongly suggest that merely using NAT and crude approximations of heirarchical routing are not enough. The networks aren't capable of tolerating the kinds of loads even a humble skript can put on them.
In short, we need a better routing system, better IP stacks, a more stream-lined structure, and better load-balancing. In short, we need IPv6, if we're to survive anything but these relatively feeble virus attacks.
(And they are feeble! In comparison to what could be done. The world is very, very lucky.)
Oh, and we also need a stronger backbone. T3's don't cut it, in a world where T4's are "standard items" and high-speed optics of up to 4 Tbs are potentially usable tomorrow.
When you start upping the bandwidth across the board by 2-3 orders of magnitude, the impact of a few flea-bag packets will not be noticable. For that matter, the impact of a major world event (such as the Starr Report, or the WTT disaster) would not bring the information infrastructure to its knees.
*Orator Mode On* Now, more than ever in the history of humanity, our society, our economy and our security depend on good lines of communication. No expense is too great, because the price of failure is greater still. This truth has tragically shown itself these past few weeks, and no amount of money can undo a single death, reverse a single bereavement, or heal a single injury.
Forty billion dollars has been allocated to the cause of chasing shadows, yet we know that shadows can never be caught. A mere four billion, on shining the light of information around the world, would have gone a long way to prevent the shadows from being there to start with.
Terror, fear - these are weapons that rely on ignorance and superstition. Without ignorance, terror has nothing to hold onto. Yet ours is a society that lives in ignorance. We have computers on our desks that are many hundreds of times more powerful than the ones used to put man on the moon. Yet those computers can be crippled by a simple forwarder virus, and the users of those computers do not wish to know. The dark is much more comforting than the light, even though it is the dark, not the light, that these viruses can grow in. Perhaps, because in the light, you do not need comforting. There is no fear to be comforted over.
Someday, maybe, people will become less frightened of living in understanding. When that day comes, the terrors of the night will no longer threaten.
*Orator mode off*
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...put him in a funny spot. He has publicly wowed to destroy those who harbour terrorists and also that MS is good for America. ;-D
So, does he go after the hand that fed him? Or will he leave MS alone and thereby in effect harbour someone who's harbouring terrorism. We all know what he promised to do to those
A communications disruption can mean only one thing: invasion.
"You can never have too many elephants on your team."
Heh, and then once MSGP is implemented, people could set their routers to drop all packets from MSGP sites, and eliminate the M$/IIS viruses/worms.
"If you insist on using Windoze you're on your own."
What we are seeing here is evolution happening on the internet. When we (humans) became the dominating species on earth, viruses started spreading amongst us. The same thing is happening among computers now!
We have two choices to fight this problem:
1: We can try to fight it using antivirus-programs, which is equivalent to using medicine to cure our viral diseaces. We already know that this means fighting an uphill-battle, because protection against the unknown is hard, if not impossible.
2: We can try to bring more diversity to the operatingsystems and programs we use. This would automatically decrease the viruspopulation, because a virus designed to infect more than one program/os/specie, would have to be far more advanced, and would thus lower the probability for it's existance. And in the case of computers, the bugs on one platform/program is rarely the same as the bugs on another.
Whats propaganda here? They are telling the truth. Those viruses only propagate and damage Microsoft systems. They are there because Microsoft systems are so vulnerable. If it weren't for IIS, Windows 2000 etc. those worms wouldn't exist. (And don't "but others would" me - I don't see any reason why Unices, Apache, etc. would be unsafer without Windows.)
Tell the truth. Don't hide behind words. That's a journalist's job, isn't it? And anyway, now with Microsoft distributing reports that claim Apache is also vulnerable, citing relatively harmless directory listing bugs from 1999, why should we not try to educate the public?
Home Page
The patches to prevent these worms were out for ages. It's just that system administrators and others never installed them. So Microsoft has quite an out there, and for some reason the businesses that whine about the costs of these worms never seem to be looking to their own admin staff and asking them why the hell those patches were never installed.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Whenever a popular product shows up on Windows, Microsoft usually ends up either buying the company or writing their own version which sucks for the first few versions. So when will we be seeing MS Worm Version 1.0?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
One of the inherent problems with all routing protocols is that rely on inband announcements and updates, and communciate state purely by reachability. This is clearly a flawed approached on heavily loaded links and routers. This problem has already been addressed worldwide on the telephone network with the introduction of SS7. One of the key aspects of SS7 is that it is transported over an Out of Band network (the actual transport may be on a dedicated timeslot on a SONET link, but the basis is that the link is dedictated to management).
By implementing a low throughput (say 64K -256K - this requires more analysis) management network, the ISPs could be certain that the state of the BGP peering sessions and the integrity of the UPDATE messages are always intact.
One of the key aspects/benefits of BGP is that unlike other routing protocols it does not advertise routes in the simple - "here's my routing table" messages that protocols such as RIP and while less so, but similarly, OSPF and ISIS use. BGP relies on TCP sessions between peers. On connection the entire known (or filtered via policies) short test path routing table is exchanged. After this the link stays idle, with the exception of TCP keepalives, until an UPDATE message is sent to communicate that a new route is added or an existing route is removed from that peer's routing table. Also BGP does not assign any significance to the port that receives the information - merely the peer. This all makes BGP inherent scaleable, stable and reliable - unless resources are not available (CPU, memory, buffers or links). TCP is the reliability mechanism here. The presence of the TCP session validates all the routes learned via that session. The absence of the TCP session invalidates all the routes and causes them to be withdrawn for that TCP session.
Maintenance of the TCP session stability is key to the stability of the routing table. With over 80,000 routes on any BGP full update, the processing needed to cope with multiple TCP sessions failing or starting is immense (and probably better servered by a UNIX platform than by a router to be honest).
SS7 uses a mechanism whereby UNIX servers process the routing information and create the core routing table - note: table is the key - it is not the path the data or calls follow. Building a similar architecture within the Internet would allow routers to have one or two TCP sessions to BGP servers (a concept already grasped with route reflector servers) and dedicate their CPU to forwarding packets etc. The dedicated servers never need to see a packet to be forwarded - it's just not that important to BGP, so they have no need to be on the same physical cables/links as user packets. This architecture would take some rethinking but not would not be outside the plans of most ISPs, and definitively not outside the skillsets.
Clearly the next problem then becomes low speed customer connections. Again the Telco industry has addressed this problem with ISDN - with the B channels. For these lower speed connections, there is no need to change the existing model. Losing one customer here or there is nothing (UPDATEs on BGP are typically well over 100 a second at NAPs) and would be catered for simply.
The NAPs could merely serve as routing table peering points, and not data transfer points - again another area of congestion.
The Internet is proving to be reliable and a trustworthy international communications medium, the next step is to make it even more robust, and truly scalable. Using OOB management is the obvious next step to this goal.
GMPLS is being touted as the next step for ISPs in terms of exchanging routing information in an OOB network. This is only one aspect of the work that is being done there.
Calling it a Microsoft worm is really a distortion, and it's the kind of thing that can damage the credibility of the author.
And what is being distorted ? Truth ?
Until worms start to propagate efficiently on other platforms, this problem is strictly limited to Microsoft products and calling it "Microsoft worm" is a reflection of reality.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Today windowsupdate told me to install a patch to resolve the "Malformed Data Frame Sent to a Windows 2000 Computer Through an Infrared Port Causes Stop Error". Great. Of course my computer doesn't HAVE an ir port. But MS is pushing this patch. And NOT pushing the limited patches they have for the iis vulnerability that Code Red and others exploited.
Explain please how that makes sense?
Nope, sorry a tabbaco virus is a tobbaco virus because it destroys tobbaco crops. These worms are MS worms because they destroy MS boxes which then attempt to destroy everything. It's time the world knew about it.
You won't hear the popular press refering to "another MS worm", however. They would not risk losing their piece of the $1,000,000 advert budget MS has for XP. As you see, "professionals", and those writing formal papers are free to call the thing what it is and should. The popular press will get it sooner or later.
You and I should not censor our own speech for MS and their sloppy wares.
Friends don't help friends install M$ junk.
The reason for this is more than obvious. There are a lot of small ISPs and companies that do BGP over links as slow as T1s and fractional T1s. This recent M$ worm caused a lot of connectivity issues for a lot of people with links even faster than that. A company with just a few unpatched IIS boxes could easily produce more than 1.54 MB or traffic per second, which would cause massive latency and packet loss across their T1. This, in turn, would cause timeouts of TCP sessions like FTP downloads, web browsing, and yes, BGP sessions.
This would then cause the session to start flapping, the upstream provider to dampen the session and routes being advertised, and their address space being removed from the global routing table.
This doesn't mean that there was routing instability due to the worm, it just means that a lot of networks running unpatched IIS boxes became unreachable.
Okay, I just put the subject to troll for readership... Hehehe.
Actually, though there may be a direct connection between routing problems and Code Red/Nimda activities, it's still a routing problem and to my regret, I can't lay any direct blame on Microsoft for this one.
Okay, it only runs on Microsoft platforms... That's not enough. If the probes/propogation (as opposed to sheer traffic) are responsible for this then it's an issue that should be addressed with the router people. Clearly their firmware isn't written well enough and should be patched to handle this problem.
Additionally, ISPs should start cutting off infected users without hesitation now. The attacks are now more than simply annoying in the way it fills up my logs. They are now affecting the whole damned internet. This affects just every commercial interest and should be motivation enough I think... (complaints of the people are never enough, but start playing with or threatening money and you will get someone's attention eh?)
What are the positives surrounding Code Red/Nimda? Well, though they have managed to keep their sunglasses on it's still a black eye for Microsoft. And while the argument has been made that patches have been available long before this mess has started, blame can be placed on Microsoft for a different reason.
It's not the presence of patching that is at issue. Rather, it's about default configuration(s) at install time and Microsoft's neglect over issues of reasonable expectation that its users are smart enough to to know how to turn things off or even know they are running.
Microsoft's users, as Microsoft is aware, tend to install "everything" when installing their OS. Why? A number of reasons -- because they don't want to miss out on any cool toys or because if they need something later, they don't want to be forced to reboot to use it. Microsoft is aware of this.
Microsoft knows that a majority of its usership is not trained to understand the implications or potential problems of running services on the internet. These same users cannot be reasonably expected to understand beyond "if it ain't broke don't fix it." Unpatched, their servers appear to be working JUST FINE don't they? So the infected users probably don't believe they have a problem either because they don't see the symptoms or they don't realize they are running IIS at all.
Microsoft, as a mature and responsible technology company marketting to idiots must share more blame than they have been accepting at this time. This might be seen as Microsoft serving its "MS Coffee" too hot for its customers. (ref: the lawsuit where the woman sued McDonald's for serving coffee that was too hot and was negligent in affixing the lid on the container.) They have overestimated the intelligence of its usership for far too long and now this is the price we all pay.
Fortunately, Apache is immune, and I haven't had any real problems. But with Nimda, and to a lesser extent, CR, I have to lose email service for about an hour a day while the error reports clog my inbox.
I want the logs to give to our ISP (since most of the top probers are on our subnet) but I'm thinking I may have to compromise my IDS to cut out some of the crap...
GTRacer
- Apache on WinNT...Mmmm!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Our web site has a very low traffic (our market is very restrict).
/var/log/httpd # head -1 access_log
/robots.txt HTTP/1.0"
/var/log/httpd # tail -1 access_log
/var/log/httpd # grep "GET / " access_log | wc -l
/var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET / " access_log | wc -l
/var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET /default.ida" access_log | wc -l
/var/log/httpd # egrep "(Jul|Aug|Sep)/2001.+GET /scripts" access_log | wc -l
/scripts directory, although I sometimes have fun with a "default.ida" perl script)
On the last few months I got more requests from IIS worms than requests for my home page during the past year.
"Oh, I'm sorry, all TV sets we've produced were found to generate RF interference and degrade the signal on all the TV network. We made a circuit patch available on all our distributors. If you bought one of our TVs, please come get one and install it yourself. Now you are the one to blame."
yk
216.35.116.87 - - [22/Sep/2000:07:04:47 -0300] "GET
yk
216.201.108.18 - - [28/Sep/2001:12:19:38 -0300] "HEAD / HTTP/1.1"
yk
13395
yk
4167
yk
3281
yk
11765
(obs: no, I don't have a
The top ten downloads according to MS themself are......
Top Downloads
1. Internet Explorer 6
2. Internet Explorer 5.5 Service Pack 2
3. Windows Media Player 7.1
4. Internet Explorer Security Update: (IE 5.5 SP1 and Internet Tools)
5. DirectX for Windows 95, 98 and Windows Me
6. MSN Messenger Service
7. Internet Explorer 5.01 Service Pack 2
8. Internet Explorer Security Update: Late May 2001 5.5 SP1
9. Internet Explorer Security Update: (IE 5.01 SP1)
10. Office 2000 Service Release 1a (SR-1a) Update
Yes.. about half of this list comprises security updates to the MS browser.
"correlated" ... means they seem to occur at the same time and to the same degree.
Well, that's an oversimplified and slightly misleading characterization. But I don't remember the exact formula for correlation at the moment.
It's essentially a normalized measure of the product of the deviations from their individual means of measurements of two variables (typically the amount of two phenomena). Positive correlation implies that when one goes up the other also tends to be up (either more likely to be up or occasionally way up), negative means that one up implies the other tends down.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Let's spit in the terrorists' eye by presenting them with smaller targets, and doing business more efficiently to boot.
To a Lisp hacker, XML is S-expressions in drag.
Very shortly after the beginning of Code Red this ceased to be about server admins. The boxes being infected by these viruses now are home or non-power business users who have IIS enabled by default. Why by default? Because MS doesn't care about security. Why not throw in features most users won't need by default? What's the harm? Oh, we're destroying the stability of global routing? Oopsie.
The majority of the IP addresses spreading these viruses show the default homepage if you go to them. Because the home or casual business users running these boxes DON'T KNOW what IIS is, or that they have it enabled, they DON'T KNOW that they're vulnerable or infected. These are the people that criticalupdate would reach. These are the people that need the patches. By NOT pushing this patch, MS is leaving the situation as it is, and it will never get better. To repeat - security conscious server admins are having their network hammered by this virus not because other server admins are lazy - but because many non server admins have operating systems with IIS enabled by default, and MS is making no attempt at all to reach those people despite the fact that the situation has not improved.
The article opens with: Many successful academic and commercial projects use direct traffic measurements (such as ping, traceroute, and web page access data) to study the structure and dynamics of the Internet. Such efforts are inherently limited by the locations of probe points required to 'cover' the Internet meaningfully. Compounding the problem, there are no effective shortcuts - simply placing agents throughout the Internet's core, as done by several commercial services, only builds up a picture of core-to-core traffic latencies and losses that has no power to predict the true "Internet weather" that end users actually experience at the network edge.
This is just plain wrong. It is quite easy to obtain latency measurements of the edge starting from the core.
Let E1 and E2 be points on the edge. If you have enough agents in the core, you will find an agent A in the path from E1 to E2. Then you can easily compute the latency from E1 to E2 by ping from A to E1 and from A to E2.
I never thought of that angle. Yes, people are talking about 'the customer needs to patch' - why? The customer doesn't own that copy of IIS. Microsoft does. I would soooooo like to be able to attach a downside to media/software companies maintaining 'ownership' of their products, and liability for their misuse would certainly be a good place to start. Similar to gun manufacturers maybe? If gun manufacturers can be held liable for misuse of their products (not my belief that it's right, but it has happened in court) when the customers own the product, imagine how much easier it should be to attach liability if the company retained ownership of the damaging product?
I'm all behind that notion. Just understand that people who have agreed to the EULA is inelligible to participate. The people who can sue are non-IIS users.
I've never seen anything like that on windowsupdate. Microsoft made statements that 'millions were unnecessarily downloading' the patch. I've seen nothing since then on the news from them.
Can you provide some sources?
So, if there was only one Microsoft Worm you'd be willing to call attention to the fact that it only affects Microsoft boxes, but because there are lots of them we should obscure the fact by calling them by made up names like Alto-Muffy and PeachFuzz-37?
-- MarkusQ
Besides: If someone blows up your house with a bomb, they usually call it a bomb attack, not a house attack.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.