How to Own the Internet In Your Spare Time
xenofile writes "A chilling paper has recently been posted analyzing the various threats worms pose to the Internet, and the relative ease of exploiting say the 30,000,000 Kazaa hosts to completely cripple large portions of the net."
Lots of good stuff in this paper. It sorta combines many things you've probably read, and demonstrates how the net could be seriously taken by someone who wants it.
The net, like business or anything else in society, is based on trust.
With the speed the RIAA gets these sharing networks to hunker down, perhaps the problem will go away on its own...
On the other hand, perhaps pigs will fly, and a certain Redmond company will once and for all wise up and ensure their OSes do not, by default, make the world a happy place for worm writers...
Venlig Hilsen / Regards
John Hinge - shayera /
"Buffy I love you... Please God No!"
another tool for budding mad scientists around the world. arghhhhh.
"It is a greater offense to steal men's labor, than their clothes"
To Appear in the Proceedings of the 11th USENIX Security Symposium (Security '02)
The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.
We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).
We then turn to the threat of surreptitious worms that spread more slowly but in a much harder to detect "contagion" fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.
In conclusion, we argue for the pressing need to develop a "Center for Disease Control" analog for virus- and worm-based threats to national cybersecurity, and sketch some of the components that would go into such a Center.
Also available as a PDF optimized for reading online and a PDF optimized for printing.
I got scared for a second, then did a google search for identified linux worms, thought about how many times I've never caught one, and promptly became glad my OS isn't mainstream.
Wow, this paper really breaks new ground. Let's see:
If you can control a million hosts on the Internet, you can do enormous damage.
[..] you can access any sensitive information present on any of those million machines [..]
But for those who are truly thick and can't get the point:
In short, if you could control a million Internet hosts, the potential damage is truly immense [..]
It's good to see they're really targeting the 'brains' of the nation with these statements.
Luckily, things get a little more scientific as we move into the next section, but they actually say they're 'ignoring' certain important variables. Almost any mathematical theory works if you 'ignore' certain variables.
Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code. Since when did Eudora or Pegasus start spreading viruses? It's all Outlook Express.
But what about system level DOS attacks, you say? Firewalls were invented to solve these problems. Of course, firewalls were only invented because the original net code in Linux/Windows/etc hadn't anticipated DOS attacks, and couldn't fend them off themselves. I mean.. in 1994, who was flooding servers with 64kB ping packets?
It's time to rewrite the netcode. DOS attacks aren't really any different to memory leaks in programs. They can be controlled and confined and cleaned up, if the code is good. How often do you get a 'Protection Error' in Linux these days? Hardly ever. It's time to apply all of the safeguards we use in regular programming to net code too!
And if you're scared of reinventing the wheel and writing new net code from scratch, then you have only yourself to blame.
mogorific carpentry experiments
A lot of these virus authors do it for exposure. The more the issue is pushed to the fore, the more rewarding it is to do it.... Why not focus on "how to secure the internet in your spare time"?
"The saddest words of mice and men, are not those which were, but should have been."
Want to be a Supervillain?
Don't have the body to fit in a costume?
Too out of shape to battle Superheroes all over Champion City?
Think being a Supervillain is out of your reach?
Not anymore! Just like millions of other Americans, the Internet has changed lives. Let it do the same... for YOU! With the "Rule the Internet like an Evil Overlord" plan, you can learn how to take advantage of this exciting new medium to spread chaos and terror into the people of the world! Now you can work to inspire fear from the comfort of your own home!
It's illegal to distribute viruses. People can go to jail for spreading them. So, why worry. We're safe.
DNA is the ultimate spaghetti code.
30,000,000 Kazaa hosts
Jippity! That's a lotta users... more than 25 times the entire population of the state I live in!
Very nice paper from Paxson.
One angle he neglects to mention is that the worm could only be the first wave of attack. The machines rapidly infected by a flash virus could easily be transformed into a massively parallel computing platform, into which a secondary attack program could be distributed in a matter of seconds. Such programs could then be used, for instance, to crack entry into strategically important machines that do not exhibit vulnerabilities directly exploitable by the first stage virus.
Scary. I've been wondering why someone hasn't done it yet.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
Personally, I think that Darwinism will rear its head in this case. Those that don't appreciate what it is or what it takes to run a computer safely and successfully will be subject to the bugs and malware of others that they blindly accept.
Caveat emptor, and this is no exception.
Rule #1 -- Politics always trumps technology.
and hasn't it always been this way? Zillions of insecure routers, servers and hosts out there for the taking? Only difference is that now there's less diversity than ever before. In ye olden days there were so many different architectures/os-en/programs that causing serious damage to the 'net by subverting one or two was pretty impossible. Now we have massive networks of nodes running on identical code ('doze, kazaa, even redhat in the linux world) - enough identical nodes for worms to do serious damage.
So what's the way forward? Having software that's popular with the unwashed masses *and* secure just isn't going to happen (unclued users, no incentive for authors, etc etc)...
Perhaps the only solution is liability - let's hold commercial entities responsible when their buggy code wreaks havoc on the net.
Hah. Yeah right, like that's ever going to happen.
The really scary thing is that somebody may try this. If your objective is just to cause disruption and panic, why go through all of the trouble of sneaking past the INS, paying for flight school, buying expensive GPS receivers and losing 19 believers in your cause? Why not just hire some 31337 geeks, preferably young teenagers who want to show off their skillz without caring about what happens, to shut down the e-mail and telephone systems in your favorite target country. You can be at home drinking a Mai Tai instead of getting your hands dirty.
Are we scared now? We should be.
I am curious..
What year, level, or course is the technique of avoiding buffer overflows in C, C++, Java, or C# taught?
How many times is MS going to get caught on buffer overflow errors on its production servers before admitting that its programmers are fragged?
Would you trust a new P2P application from MS? Search on their research lab site... it's there but has not been released as a commercial product.
Don't Tread on OpenSource
So, would owning the net mean that my ISP would be obliged to give me some sort of discount on what I'm paying them every month?
Odd... They don't mention Pitr Cola once in the whole paper. Are they overlooking the obvious?
1. Insert Linux Boot CD, Install.
2. Begin Install
3. Delete all NTFS, Fat32, FAT partitions
4. Continue install. Set up firewall and normal Linux security stuff.
Like magic, the whole internet becomes more secure.
It's called the normal distribution. The worst programmers can't write networking code at all. Normal programmers write crappy code and the best coders get all frothy about all the crappy code out there.
Sad but true. Quality takes time, money, and good people. All scarce resources.
I can see commercial interests taking priority over those of the internet at large. Could there also be an increase in complacency amongst users to not use appropriate system security or anti-virus measures if they think there's a "control centre" waiting to bail them out from any misfortune they experience as a result of their own failures?
The idea seems attractive, I'm just unsure about the other implications.
Yes, many of you will say "duh!" when it comes to the conclusions of this paper, but what is great about this study is that it provides empirical evidence for the stuff that we've "known" for some time. In particular, look at the graph of Code Red I v2 traffic. Even after all the hubbub, it comes back every month. Moreover, this paper gives some very good models for showing how these things spread.
OK, I know that security through obscurity sucks but is anyone else worried that right now thousands of script kiddies and black hat crackers are hard at work making the suggestions from that document a reality? I know if I was a worm author I would be treating the information in that document as a gold mine - it describes in pretty comprehensive terms some very effective ways of writing worms that can quickly grab a large number of hosts.
I'm not going to wait until they get me, I'm disconnecting righ-
You mean, so the world has to wait even LONGER for pages to load because their browsers try contacting doubleclick.net for 30 seconds or so on every page with DC banners? Excellent idea!
I hope you don't actually think all 30,000,000 hosts are online at the same time?
That's actually pretty damn funny. But I'm accessing it fine, and it hasn't been down for ages. I do not run the server though, my ISP does.
However, my ISP has major DNS issues and many ISPs cannot see any of the hosts on it.
You don't need any worm, just post the URL to Slashdot :-)))
if someone is stupid enough to open "myNakedWife.bmp.exe"
Except that Windows by default hides the extension, so the user really sees "myNakedWife.bmp". And pictures are safe, right?
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
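The extension-hiding trick described above, as an added example that is not part of the thread: it emulates what a user sees of an attachment name when known extensions are hidden, and flags names whose real extension is executable while the visible one looks like a picture or document. The extension sets are assumptions for illustration, not Windows' own registry-driven list.

```python
"""Added example (not from the thread): what Windows' default "Hide extensions
for known file types" lets a user see of an attachment name, and a check that
flags names whose real (final) extension is executable while the visible name
ends in something that looks like a picture or document.
The extension sets below are assumptions for illustration, not Windows' own
registry-driven list."""

# Assumed subset of extensions Windows would run on double-click.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Assumed subset of extensions a user reads as harmless content.
CONTENT_EXTS = {"bmp", "jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}
# Extensions Explorer treats as "known" and therefore hides (assumed).
HIDDEN_EXTS = EXECUTABLE_EXTS | CONTENT_EXTS


def split_name(name):
    """'a.b.c' -> ('a', ['b', 'c']); a name without a dot has no extensions."""
    stem, *exts = name.split(".")
    return stem, [e.lower() for e in exts]


def displayed_name(name, hide_known=True):
    """The name as shown with extension hiding on: the final extension is
    dropped only when it is a 'known' type, so 'x.bmp.exe' shows as 'x.bmp'."""
    stem, exts = split_name(name)
    if hide_known and exts and exts[-1] in HIDDEN_EXTS:
        exts = exts[:-1]
    return ".".join([stem, *exts])


def is_disguised_executable(name):
    """True when the real extension is executable but what the user sees ends
    in a content extension (the double-extension trick from the thread)."""
    _, exts = split_name(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    _, visible = split_name(displayed_name(name))
    return bool(visible) and visible[-1] in CONTENT_EXTS


def triage(names):
    """Mail-gateway style pass over attachment names: returns
    (real name, name the recipient would see, flagged?) per attachment."""
    return [(n, displayed_name(n), is_disguised_executable(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["myNakedWife.bmp.exe", "holiday.jpg", "report.pdf.scr",
               "setup.exe", "README"]
    for real, shown, flagged in triage(samples):
        print(f"{real:22} shown as {shown:18} {'FLAG' if flagged else 'ok'}")
```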
then the user should be smart enough to say "hey wait a minute?! normally I don't see any extensions, how come I'm seeing one here? and why does it have another icon?"
1 + 1 = 2
malicious code + stupid user = bad
"The majority is always sane, Louis." -- Nessus
http://slashdot.jp
Rubbish.
Any decent mail attachment worm executes as soon as you look at the text of the email; you don't have to run an executable attachment.
Also, this article isn't primarily about mail virii, but server exploits that could be used be a worm.
Finally, if the whole net gets DDoS'd due to a worm, you won't be feeling quite so smug and intelligent when you can't read your email.
Here's a challenge for you: show me the safeguards used in regular programming that will make my TCP/IP stack immune to being pounded by a million "flood agents". (Since you are obviously not a technical person we will ignore the fact that the link will be saturated for now and assume a pipe of infinite bandwidth to the machine in question.)
My my, seems someone got out of the wrong side of bed this morning. I'm guessing you're not au fait with IPv6 which solves many of these DOS problems.
You're assuming that routers are not configured to detect misuse. In the 'ideal world' I've described (and, indeed, in an IPv6 environment), routers would manage data more effectively. TCP was developed to ensure packets get from one place to another without fail, but this isn't always practical.
Sure, a million clients connecting to a server can bring it down. But many connections != DOS attack. Google accepts millions of connections a day, but it has the power and bandwidth to deal with them. In the main, a DOS attack is when someone/something makes a server deal with more information than it is meant to. Decent netcode and firewalling can solve this problem.
A common exploit is to send packets to a machine, that make the machine respond with more packets than were sent (commonly used tactic on IRC, with CTCP floods). Intelligent netcode would not generate more data than it could handle, and it would also recognise where the data is coming from, what format it is in, and would 'ignore' it for a certain amount of time. It's called dynamic firewalling.
Yes, I might be living in a bit of an idealistic fantasy world. But why shouldn't I? Protected Mode is meant to solve memory sharing problems, yet.. Windows still comes up with 'Protection Error' every now and then. Why? Cuz of crappy code. In an ideal world with perfect code, everything would work perfectly. I think the only way to go forward is to improve our code, and that's all I suggested in my post.. (This is exactly what happens in Linux kernel development)
I don't think the article was aimed at people like you. I think it was aimed at people with at least some technical background.
I'd say 'Touché' but my whole point is that the article is scant on technical details and instead focuses on pointless mathematical theories.
(I hope you get your superiority complex sorted out soon, kthxbi. Oh, and post your newlines properly in future..)
There were 5,800 distinct university KaZaA hosts during this time.
A typical large U.S. university has a student + faculty + staff population of 50,000 to 100,000. This suggests that 5 to 10 percent of university people are into file (music?) sharing.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Maybe Kazaa was developed by a terrorist organization to cripple weak American minds and destroy our computers...
100% Insightful
This, if anything, shows (as stated in the paper) the need to have a central system for recovery and research of what was described. The obvious double-edged sword of this document, and documents similar, in my opinion shows the need for a headstrong security movement. I, like many Linux users, am constantly amused and entertained by the 'average' individual's lack of know-how in this field; however, I am not amused or entertained at their ignorance of security in general. It would seem that part of the blame could be the software companies' lack of forwarding information to the customer on the issue, and part of the blame in the customers' hands themselves. I am not pointing fingers or blame, just simply saying they are not educated enough to control the security of their own system(s). In my opinion, this is dangerous and there should be much more education given to the hands of the end user. Obviously an 80-year-old woman with a background in knitting is not going to be able to secure her home PC, so I am not speaking of extreme change. However, I am speaking of individuals who move from mom-and-pop stores to e-commerce. So often I see individuals start an e-commerce site, and then are startled why their site was owned when they are using outdated forum software, cart software, or other software, and a password that consists of 'changeme'. Maybe a dumbed-down security manual referred to by e-commerce providers would do the trick, maybe not. I don't know, I'm not a security executive, so I don't have the solution (...yet, lol). But just something, anything, to show the end user some basic means of boosting security and authentication may be enough to get the ball rolling. - Ross Smith
Well, I disagree. It IS the users fault they clicked on okay. It is the user who is in control of the machine, and the user who is responsible for what they do. When you click on something, you are allowing something to happen.
Yes, some worms spread automatically, without user intervention, via holes in OE. I daresay these same holes could have been exploited by a slightly modified worm for Eudora. Eudora uses the MS viewer by default... exactly the same thing OE uses.
The number of worms that spread because morons click on an attachment to open it even though they have been told DIRECTLY, a HALF DOZEN TIMES, NOT TO OPEN ATTACHMENTS IF YOU DONT KNOW WHAT THEY ARE is staggering. This, by far, is where the vast majority of worms come from.
Now.. I don't want to believe all these people are that stupid.. it's just a fundamental lack of understanding about how a computer works.
Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code. Since when did Eudora or Pegasus start spreading viruses? It's all Outlook Express.
----
They should just rename VB Support HIV, same effect on a computer immune system.
Oh come on now, I think the benefits of being able to embed an Active X control in an email message and have it automatically run when the recipient views it MORE than outweigh the negative consequences... How else would we be able to send cutesy little Flash animated greeting cards to everyone we know??
> In essence it really isn't the bad or buggy OS you run or how good your damn anti-virus software is. It all comes down to
> the end-user: if someone is stupid enough to open "myNakedWife.bmp.exe" they kinda deserve being bitraped by a damn
> virus or a worm.
And will you still think this if it happens to you or someone you care about?
Something like this happened to my wife: she received an email with an image attachment with a return address from someone she knew. She tried to open the attachment, found nothing there, thought it was odd.
Her acquaintance was online later, & several people asked her about this email. "What email?" At that point my wife called on me.
(Note: yes my wife runs Win98. That's because she's an accountant & uses a lot of software that runs on Windows.)
We downloaded a virus checker, & I sweated while I waited for it to do its thing: I knew just how easily her system could get corrupted by a virus, & that we'd have to wipe & reinstall her system -- & spend hours reconfiguring it. Fortunately I insisted on her using Eudora as her mail client for this very reason, & the virus she had received was inert.
In short, the viruses are getting ever craftier, & even knowledgeable Windows users are getting bit. Unless you're willing to argue that anyone using Microsoft software deserves this result for selecting inferior software, you can't dump the entire responsibility onto the end users.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
We had better keep this little tidbit under wraps, methinks Pitr from http://www.userfriendly.org may use it for his diabolic desires.
It's bad enough he took over both the Pepsi and Coca Cola corporations.
Pitr Cola, it just feels right.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
trust in computing
a bit more about me http://www.advogato.org/person/trelane/ or my private page http://trelane.net
The simple flood always works
Not always. There are systems that implement a process that I call 'dynamic firewalling' (if someone knows the real name, let me know!).. which means if they receive too many packets (or irrelevant packets) in a certain amount of time, they block that host for a while.
'But(!)', you say, 'that doesn't mean the data isn't still coming down your pipe and sucking up your downstream bandwidth!' This is true, but I have seen routers that also implement similar systems.. so if all routers had dynamic firewalling, packets would be blocked right back from the source router, meaning the Internet, as a whole, does not suffer from an attempted attack.
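The 'dynamic firewalling' idea from this post and the earlier one about recognising where excess traffic comes from and ignoring it for a while, as an added example that is not part of the thread: a per-source sliding-window limiter that blocks an offending source for a fixed period and then lets it back. The budget, window, block length and traffic are constructed for illustration.

```python
"""Added example (not from the thread): a per-source sliding-window limiter of
the kind the posts call 'dynamic firewalling'. A source that exceeds a packet
budget within the window is blocked for a fixed period and then allowed back.
Parameters and traffic are constructed for illustration."""
from collections import defaultdict, deque


class DynamicFirewall:
    def __init__(self, max_packets, window_ms, block_ms):
        self.max_packets = max_packets      # packets allowed per window
        self.window_ms = window_ms          # sliding window length
        self.block_ms = block_ms            # how long an offender is blocked
        self.recent = defaultdict(deque)    # src -> timestamps inside window
        self.blocked_until = {}             # src -> time the block expires
        self.block_log = []                 # (src, time) audit trail

    def handle(self, t_ms, src):
        """Return 'accept' or 'drop' for one packet from src at time t_ms."""
        until = self.blocked_until.get(src)
        if until is not None:
            if t_ms < until:
                return "drop"               # still in the penalty box
            del self.blocked_until[src]     # block expired: start clean
            self.recent[src].clear()
        q = self.recent[src]
        q.append(t_ms)
        while q and t_ms - q[0] > self.window_ms:
            q.popleft()                     # forget packets outside the window
        if len(q) > self.max_packets:
            self.blocked_until[src] = t_ms + self.block_ms
            self.block_log.append((src, t_ms))
            q.clear()
            return "drop"
        return "accept"


def simulate(fw, packets):
    """Feed (t_ms, src) packets in time order; return per-source counts."""
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for t_ms, src in sorted(packets):
        counts[src][fw.handle(t_ms, src)] += 1
    return dict(counts)


def demo():
    """Constructed traffic: a flooder sending 100 packets in 2 s, a normal
    client sending one per second, and one flooder packet after its block
    expires. Returns (per-source counts, block audit log)."""
    flood = [(i * 20, "flooder") for i in range(100)]         # 0..1980 ms
    normal = [(500 + k * 1000, "client") for k in range(10)]  # 500..9500 ms
    late = [(11000, "flooder")]                               # after block ends
    fw = DynamicFirewall(max_packets=20, window_ms=1000, block_ms=10000)
    return simulate(fw, flood + normal + late), fw.block_log


if __name__ == "__main__":
    counts, log = demo()
    print(counts)   # flooder: 21 accepted, 80 dropped; client: all accepted
    print(log)      # [('flooder', 400)]
```

The block only stops the host consuming resources past the filter; as the post itself notes, the bytes still arrive on the link unless an upstream router applies the same rule.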
... to appear in new show about crazy new networking concept, that really isn't that crazy. Very simple exploits are to be dramatized in doomsday-like scenario whereby Napster-like peer-2-peer program owned by big ass corporation will threaten the existence of humanity. Millions of ignorant people will then associate hackers with crackers all over again spreading Fear-Uncertainty and Disinformation about MP3 sharing criminals and the record companies will be able to maintain their iron grip on the distribution of artistic expression. ... End sarcasm rant.
'In pursuit of the greater good!
So what would happen if someone managed to maintain a DDOS attack from say 10 million compromised systems against the root name servers? Would all the caches eventually go bad and get wiped, so nobody could connect to any hosts and the net was dead? Or would the cached data stick around, so that people could still connect to existing systems, but updates would no longer propagate? Or something else? Thanks!
He already owns the internet. He carries it around on a floppy disk in his back pocket.
He had an IT guy download it last week for him.
(it's a joke, laugh)
I remember someone's wise answer to why time-travel to the past will be impossible: If it was possible, we would have millions of time-travellers snapping billions of holo-photos of our parking lots.
And if anyone could 'own' the internet if they wanted to, they would have done it. Sure, most of those who could take out the net wouldn't, but all it takes is one, and I don't see the entire internet failing all that often, you?
-twb
The obvious solution:
Many sysadmins understand that they need to put their servers behind a firewall, protecting the servers from malicious inbound traffic from the internet. Now is the time to educate these sysadmins that they need to configure the firewalls to also block outbound access from the servers to the internet.
For instance, a web server doesn't need outbound access to the internet at all, you are not going to use the server to browse the internet, so please block all outbound traffic from the web server. If this server gets infected by a new worm, the worm can't spread to other hosts through http. Simple.
I have read a lot about firewalls lately, most focus on securing the inbound traffic, a few talk about egress filtering to stop address spoofing, but none write about blocking outbound access from the servers, to stop worms from spreading from your server.
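The outbound-blocking policy this post proposes, as an added example that is not part of the thread: a small stateful model of a web-server firewall that accepts new inbound connections only on the service ports, lets replies on established connections out, and never lets the server originate a connection, so an infected server cannot reach other hosts over http. Addresses and ports are constructed; the iptables rendering at the end is an equivalent modern ruleset of my own, not something the post supplies.

```python
"""Added example (not from the thread): stateful model of the post's policy
for a web server, plus an equivalent modern iptables rendering (assumed, uses
the conntrack match). All addresses and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


class ServerFirewall:
    def __init__(self, server_ip, service_ports):
        self.server_ip = server_ip
        self.service_ports = set(service_ports)
        self.conns = set()   # accepted connections: (client_ip, client_port, server_port)

    def decide(self, p):
        """Return (verdict, reason); records newly accepted inbound connections."""
        outbound = p.src == self.server_ip
        # Normalise both directions of a flow to the same connection key.
        key = (p.dst, p.dport, p.sport) if outbound else (p.src, p.sport, p.dport)
        if key in self.conns:
            return "ACCEPT", "established connection"
        if outbound:
            # The server never starts connections, so a worm on it cannot
            # reach other hosts over http (or anything else).
            return "DROP", "server may not originate connections"
        if p.syn and p.dport in self.service_ports:
            self.conns.add(key)
            return "ACCEPT", "new connection to service port"
        return "DROP", "inbound to non-service port or stray packet"


def iptables_rules(service_ports):
    """Equivalent iptables commands (assumed rendering): default-deny both
    ways, loopback open, state replies allowed, NEW only to service ports."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(service_ports):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules


def demo():
    """Constructed packets against a web server at 203.0.113.10."""
    fw = ServerFirewall("203.0.113.10", {80, 443})
    packets = [
        Packet("198.51.100.7", 51000, "203.0.113.10", 80, syn=True),  # visitor
        Packet("203.0.113.10", 80, "198.51.100.7", 51000),            # reply
        Packet("203.0.113.10", 40000, "192.0.2.9", 80, syn=True),     # server tries to spread
        Packet("198.51.100.7", 51001, "203.0.113.10", 22, syn=True),  # probe of a closed port
        Packet("203.0.113.10", 22, "198.51.100.7", 51001),            # reply to a dropped probe
    ]
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
    print("\n".join(iptables_rules({80, 443})))
```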
RFC1925
Yes, it's possible to cause massive disruption. It has been for a long, long time.
I recall the FBI stating that it was not some ddos attack that scared them, but the fact that so many young kids controlled so many computers and DIDN'T do anything with it.
So we ask ourselves, what if this were in the hands of someone who actively wanted to exploit it?
Who are we kidding? Most of the kids that control tons of computers for their ddos attacks for taking over irc servers are not geniuses. If someone had a reason to take over many, many computers and use them for financial gain, they would do it. Plain and simple.
The fact is, owning tons of bandwidth and cycles for a brief amount of time (because that's all you are going to get) is not all that useful long term. How are you going to cash in on it?
Although the paper seems to be concerned about network loading as a problem, I feel this is only the tip of the iceberg. In summary what they are stating is that it would be possible to infect either most of the vulnerable servers or (even worse) most PC's running P2P software. With the latter case this covers many more machines and many of these machines contain *data* that is totally crucial to running their businesses, both small and huge.
I wonder how these people would feel if they found out after a little while that at some time in the past, a silent trojan had gone through their *.xls files and chosen 1% of the fields formatted as financial and not calculated (ie typed in values) and changed them by a random +/- 0->10%. After doing this the trojan removed all traces of itself? Whose company financial records would *you* trust??
Now I'm sure I'm not the first to think of this (and I'm sure there are other nasty things that can be done) but could someone please explain the flaws in the scenario? It's been bugging me for the last 8 years and I'd like some confidence it *can't* happen.
The ability for large net damage to be caused is hardly new, every day new threats metabolize and get ready to fight their damage. Worms can be fixed, holes can be patched. Life will continue.
No thanks. Watching you get pissed off over something that doesn't even matter is entertainment enough! :-)
actually coming up with a real and working solution is pretty hard and *way* beyond what you seem capable of.
Actually it's beyond what the best programming brains in the world have been able to come up with too.. so I don't think I'm doing so bad.
I think we are reinventing the wheel. Windows was based not only on the idea that a computer should be usable by Joe and Jane but also on the premise that it should be administered by those Joes and Janes.
I think that was a wrong choice. To make the choice worse, they decided that it should allow you to do everything easily (no learning needed) and if something was a bit complicated, then it should be stripped off.
The day they realize things should be "owned" and "permissioned" we'd be ok. I don't fear executing whatever in my linux, as long as I use a non important account to execute it (you also need to have all the permissions right or...).
Everyone should be able to use computers, administering is another thing. They can provide a default install that is ok and secure. Of course, there will be some things Joe will not be able to do. And that's a good thing (he can learn a bit if he really wants to change them).
unfinished: (adj.)
I'll venture out on a limb by mentioning that "denial of usage" is far from "owning" or "taking" the net. This worm is just the product of someone with way too much spare time on his hands (or on the RIAA payroll as somebody mentioned). Actually, these fools are useful. Somebody described these idiots as being similar to the way the body fights off an infection-- A virus pops up, the community adapts and puts it down before it becomes life-threatening. That way when the real shit hits the fan (say, the first real internet war), the community will be able to combat it... Hopefully.
at least you seem to have understood that your original posting was clueless. that at least is an improvement.
What if Microsoft wrote worms to close security holes in their software?
They could write a worm like they can write a service pack, but with the advantage that people who don't frequently check for service packs, also are protected against future attacks.
The worm's instructions could be:
- download security patch (however this could take down the security-patch-server)
- apply security patch
- spread
- kill self (after some time, or after all possible ip's are scanned, or
While it is the system administrator's duty to keep the server secure, this method could secure the server while he is taking a nap, or getting some coffee. Especially since the paper describes attacks in less than 15 minutes.
It could be implemented using a "yes, I want that service"-box, so that one who doesn't like this can opt out of the security check.
Also, one could use some registration check, so that only people who paid for it can get this service.
I see you're still struggling with the concept of proposing an idea and actually implementing it. Go learn about IPv6. Most of my points are catered to within the IPv6 standard.
Anyway, I've gotta keep you talking.. I might double the teeny amount of posts you've made to Slashdot if I keep going.