Slashdot Mirror


How to Own the Internet In Your Spare Time

xenofile writes "A chilling paper has recently been posted analyzing the various threats worms pose to the Internet, and the relative ease of exploiting, say, the 30,000,000 Kazaa hosts to completely cripple large portions of the net." Lots of good stuff in this paper. It sorta combines many things you've probably read, and demonstrates how the net could be seriously taken by someone who wants it.

6 of 204 comments

  1. Abstract by Anonymous Coward · · Score: 2, Interesting

    To Appear in the Proceedings of the 11th USENIX Security Symposium (Security '02)

    The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.

    We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).

    We then turn to the threat of surreptitious worms that spread more slowly but in a much harder to detect "contagion" fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.

    In conclusion, we argue for the pressing need to develop a "Center for Disease Control" analog for virus- and worm-based threats to national cybersecurity, and sketch some of the components that would go into such a Center.

    Also in PDF optimized for reading online, PDF optimized for printing
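
The hit-list and flash-worm arithmetic behind the abstract above, as an added example that is not part of the paper or of any comment on this page. It uses the logistic ("random constant spread") form the abstract refers to as the model fitted to Code Red I; the population size (360,000 vulnerable hosts), the 100 scans/s per host, the 10,000-entry hit-list and the fan-out are assumed illustrative values chosen here, not numbers taken from the paper.

```python
"""Worm-spread arithmetic under a random-constant-spread (logistic) model.

Added illustration; not code from the paper or from this thread. All numeric
constants (population, scan rate, hit-list size, fan-out) are assumed values.
"""
import math

ADDRESS_SPACE = 2 ** 32      # IPv4 addresses a uniformly random scanner draws from


def growth_rate(scans_per_second, vulnerable_hosts, space=ADDRESS_SPACE):
    """K (per second): new victims one infected host finds per second while
    almost nobody is infected. A random probe hits a vulnerable host with
    probability vulnerable_hosts / space, so K scales with the scan rate."""
    return scans_per_second * vulnerable_hosts / space


def infected_fraction(t, k, t_half):
    """Logistic solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}); t_half is T,
    the moment at which half of the vulnerable population is infected."""
    x = k * (t - t_half)
    return 1.0 / (1.0 + math.exp(-x))      # same curve, overflow-safe form


def time_to_fraction(a0, a, k):
    """Time for the infected fraction to grow from a0 to a under rate k,
    obtained by inverting the logistic: ln(a/(1-a)) - ln(a0/(1-a0)) = k*dt."""
    if a0 <= 0.0:
        raise ValueError("need at least one infected host to start from")
    if a0 >= a:
        return 0.0                          # already there (flash worm: a0 == 1)
    if a >= 1.0:
        return math.inf                     # 100% is reached only asymptotically

    def logit(p):
        return math.log(p / (1.0 - p))

    return (logit(a) - logit(a0)) / k


def flash_worm_hops(hit_list_size, fan_out):
    """Depth of the infection tree when every victim is handed a slice of the
    complete hit-list and infects fan_out hosts from it. Spread time is then
    hops * per-hop latency, not a logistic curve at all."""
    hops, covered = 0, 1
    while covered < hit_list_size:          # integer loop: no float log rounding
        covered *= fan_out
        hops += 1
    return hops


def compare_strategies(vulnerable_hosts=360_000, scans_per_second=100,
                       hit_list=10_000, target=0.99):
    """Hours to reach `target` infection for three seeding strategies.
    The hit-list does not change K; it skips the slow start of the curve."""
    k = growth_rate(scans_per_second, vulnerable_hosts)   # per second
    return {
        "single seed":          time_to_fraction(1.0 / vulnerable_hosts, target, k) / 3600,
        "hit-list (Warhol)":    time_to_fraction(hit_list / vulnerable_hosts, target, k) / 3600,
        "full hit-list (flash)": time_to_fraction(1.0, target, k) / 3600,
    }


if __name__ == "__main__":
    for name, hours in compare_strategies().items():
        print(f"{name:24s} {hours * 60:7.1f} minutes to 99%")
    print("flash worm, 1,000,000 targets, fan-out 10:",
          flash_worm_hops(1_000_000, 10), "hops")
```

Under the assumed numbers a single-seed worm at 100 scans/s needs about 35 minutes to reach 99% of 360,000 hosts, the same worm seeded from a 10,000-entry hit-list about 16 minutes, and a flash worm with the full list is bounded by tree depth (six hops of fan-out 10 for a million hosts) rather than by scanning luck. Raising the scan rate raises K and shortens both logistic figures proportionally; the hit-list only removes the initial phase, which is why the paper treats the two ideas separately.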

  2. Masters of the obvious by wackybrit · · Score: 3, Interesting

    Wow, this paper really breaks new ground. Let's see:

    If you can control a million hosts on the Internet, you can do enormous damage.

    [..] you can access any sensitive information present on any of those million machines [..]

    But for those who are truly thick and can't get the point:

    In short, if you could control a million Internet hosts, the potential damage is truly immense [..]

    It's good to see they're really targeting the 'brains' of the nation with these statements.

    Luckily, things get a little more scientific as we move into the next section, but they actually say they're 'ignoring' certain important variables. Almost any mathematical theory works if you 'ignore' certain variables.

    Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code. Since when did Eudora or Pegasus start spreading viruses? It's all Outlook Express.

    But what about system level DOS attacks, you say? Firewalls were invented to solve these problems. Of course, firewalls were only invented because the original net code in Linux/Windows/etc hadn't anticipated DOS attacks, and couldn't fend them off themselves. I mean.. in 1994, who was flooding servers with 64kB ping packets?

    It's time to rewrite the netcode. DOS attacks aren't really any different to memory leaks in programs. They can be controlled and confined and cleaned up, if the code is good. How often do you get a 'Protection Error' in Linux these days? Hardly ever. It's time to apply all of the safeguards we use in regular programming to net code too!

    And if you're scared of reinventing the wheel and writing new net code from scratch, then you have only yourself to blame.

  3. Re:Wow by SCHecklerX · · Score: 4, Interesting

    You miss the point. If the Internet gets congested with traffic, you will suffer too. Take, for example, the latency spike that occurred last Monday around 2:00pm EST as the worm that attacked M$ SQL servers started doing its thing.

  4. Interesting by fusion812 · · Score: 2, Interesting

    This, if anything, shows the need for (as stated in the paper) a need to have a central system for recovery and research of what was described. The obvious double edged sword of this document, and documents similar, in my opinion show the need for a head strong security movement. I, like many Linux users, am constantly amused and entertained by the 'average' individual's lack of know-how in this field, however, I am not amused or entertained at their ignorance to security in general. It would seem that part of the blame could be the software companies' lack of forwarding information to the customer on the issue, and part of the blame in the customers' hands themselves. I am not pointing fingers or blame, just simply saying they are not educated enough to control the security of their own system(s). In my opinion, this is dangerous and there should be much more education given to the hands of the end user. Obviously an 80-year-old woman with a background in knitting is not going to be able to secure her home PC, so I am not speaking of extreme change. However, I am speaking of individuals, who move from mom and pop stores to ecommerce means. So often I see individuals start an ecommerce site, and then are startled why their site was owned when they are using outdated forum software, cart software, or other software, and a password that consists of 'changeme'. Maybe a dumbed down security manual referred to by ecommerce providers would do the trick, maybe not. I don't know, I'm not a security executive, so I don't have the solution (...yet, lol). But just something, anything, to show the end user some basic means of boosting security and authentication may be enough to get the ball rolling. - Ross Smith

  5. On why we aren't more scared. by mindstrm · · Score: 3, Interesting

    Yes, it's possible to cause massive disruption. It has been for a long, long time.

    I recall the FBI stating that it was not some ddos attack that scared them, but the fact that so many young kids controlled so many computers and DIDN'T do anything with it.

    So we ask ourselves, what if this were in the hands of someone who actively wanted to exploit it?

    Who are we kidding? Most of the kids that control tons of computers for their ddos attacks for taking over irc servers are not geniuses. If someone had a reason to take over many, many computers and use them for financial gain, they would do it. Plain and simple.

    The fact is, owning tons of bandwidth and cycles for a brief amount of time (because that's all you are going to get) is not all that useful long term. How are you going to cash in on it?

  6. And the payload (which is the really scary bit)??? by Anonymous Coward · · Score: 1, Interesting

    Although the paper seems to be concerned about network loading as a problem, I feel this is only the tip of the iceberg. In summary what they are stating is that it would be possible to infect either most of the vulnerable servers or (even worse) most PCs running P2P software. With the latter case this covers many more machines and many of these machines contain *data* that is totally crucial to running their businesses, both small and huge.

    I wonder how these people would feel if they found out after a little while that at some time in the past, a silent trojan had gone through their *.xls files and chosen 1% of the fields formatted as financial and not calculated (i.e. typed-in values) and changed them by a random +/- 0->10%. After doing this the trojan removed all traces of itself? Whose company financial records would *you* trust??

    Now I'm sure I'm not the first to think of this (and I'm sure there are other nasty things that can be done) but could someone please explain the flaws in the scenario? It's been bugging me for the last 8 years and I'd like some confidence it *can't* happen.