Slashdot Mirror
How to Own the Internet In Your Spare Time
xenofile writes "A chilling paper has recently been posted analyzing the various threats worms pose to the Internet, and the relative ease of exploiting say the 30,000,000 Kazaa hosts to completely cripple large portions of the net."
Lots of good stuff in this paper. It sorta combines many things you've probably
read, and demonstrates how the net could be seriously taken by someone who wants
it.
Wow, this paper really breaks new ground. Let's see:
If you can control a million hosts on the Internet, you can do enormous damage.
[..] you can access any sensitive information present on any of those million machines [..]
But for those who are truly thick and can't get the point:
In short, if you could control a million Internet hosts, the potential damage is truly immense [..]
It's good to see they're really targeting the 'brains' of the nation with these statements.
Luckily, things get a little more scientific as we move into the next section, but they actually say they're 'ignoring' certain important variables. Almost any mathetmatical theory works if you 'ignore' certain variables.
Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code. Since when did Eudora or Pegasus start spreading viruses? It's all Outlook Express.
But what about system level DOS attacks, you say? Firewalls were invented to solve these problems. Of course, firewalls were only invented because the original net code in Linux/Windows/etc hadn't anticipated DOS attacks, and couldn't fend them off themselves. I mean.. in 1994, who was flooding servers with 64kB ping packets?
It's time to rewrite the netcode. DOS attacks aren't really any different to memory leaks in programs. They can be controlled and confined and cleaned up, if the code is good. How often do you get a 'Protection Error' in Linux these days? Hardly ever. It's time to apply all of the safeguards we use in regular programming to net code too!
And if you're scared of reinventing the wheel and writing new net code from scratch, then you have only yourself to blame.
mogorific carpentry experiments
Want to be a Supervillian?
Don't have the body to fit in a costume?
Too out of shape to battle Superheros all over Champion City?
Think being a Supervillian is out of your reach?
Not anymore! Just like millions of other americans, the Internet has changed lives. Let it do the same...for YOU! With the "Rule the Internet like an Evil Overlord" plan, you can learn how to take advantage of this exciting new medium to spread choas and terror into the people the world around! Now you can work to inspire fear from the comfort of your own home!
It's illegal to distribute virusses. People can go to jail for spreading them. So, why worry. We're safe.
DNA is the ultimate spaghetti code.
Very nice paper from Paxson.
On angle he neglects to mention is that the worm could only be the first wave of attack. The machines rapidly infected by a flash virus could easily be transformed into a massively parallel computing platform, into which a seconday attack program could be distributed in a matter of seconds. Such programs could then be used, for instance, to crack entry into strategically important machines that do not exhibit vulnerabilities directly exploitable by the first stage virus.
Scary. I've been wondering why someone hasn't done it yet.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
You miss the point. If the Internet gets congested with traffic, you will suffer too. Take, for example, the latency spike that occurred last monday around 2:00pm EST as the worm that attacked M$ SQL servers started doing its thing.
Yes. And in business, we aren't all that trusting, so we have laws to regulate business behavior in order to improve or, at least, enforce the trustworthiness between business players. Do we need/want the same practices applied to the Internet? I say no, but I have this awful feeling of gloom. I think that, within 10 or 15 years (maybe even less) the business interests in the net will have convinced the lawmakers that we need to boost the trustworthiness of the net... by regulating the hell out of it.
I think we, as the techical force behind the net, can and must resolve the major issues that make the businesses nervous. If they can trundle blithely forward, enjoying the net without too many major hitches, they'll continue to pay our salaries and let us run it. One or two major exploits or outages with mega/giga dollar associated losses, and the lawmakers will clamp right down. Bye bye net, as we know (and love) it.
Quality takes time, money, and good people. All scarce resources.
Or put another way:
a) Cheap
b) Fast
c) Good
Pick any two.
It was already pretty bad, and it isn't going to get better soon. Now that the bubble has burst for finding capital, try this:
Cheap [selected]
b) Fast
c) Good
Pick one.
Since everyone want to be the first to market, try this:
Cheap [selected]
Fast [selected]
c) Good
ERROR: Sorry, your choices are up.
Some people have a way with words, and some people, um, thingy.
The whole point behind Windows is to make a computer usable and useful to someone who doesn't understand how a computer works. If the user needs to understand how the computer works just to read his email, he might as well learn to use the command line for everything. Such a requirement is simply too much to ask of the average user.
Also, keep in mind that it isn't enough for the user to understand how a computer works. The user could know everything about the computer, and it wouldn't help him, because he still wouldn't know which of his helper/viewer apps contain security holes which can be exploited by email attachments -- he can't know, because he doesn't have the source code to them.
The only conclusion is: if attachments cannot be made safe, then they should not be made easy to open. The best solution would be to run attachments in some sort of 'sandbox' (Java style) so that they literally cannot do any damage to the machine. The next best (and still not very good) solution would be to put a big fat "WARNING -- VIRUS HAZARD" notice up whenever the user tries to open an attachment; one that is very hard to get past without reading it.
I don't care if it's 90,000 hectares. That lake was not my doing.
The obvious solution:
Many sysadmins understand that they need to put their servers behind a firewall, protecting the servers from malicious inbound traffic from the internet. Now is the time to educate these sysadmins that they need to configure the firewalls to also block outbound access from the servers to the internet.
For instance, a web server don't need outbound access to the internet at all, you are not going to use the server to browse the internet, so please block all outbound traffic from the web server. If this server get infected by a new worm, the worm can't spread to other hosts trough http. Simple.
I have read a lot about firewalls lately, most focus on securing the inbound traffic, a few talks about egress filtering to stop address spoofing, but none writes about blocking outbound access from the servers, to stop worms from spreading from your server.
RFC1925
Yes, it's possible to cause massive disruption. It has been for a long, long time.
I recall the FBI stating that it was not some ddos attack that scared them, but hte fact that so many young kids controlled so many computers and DIDN'T do anything with it.
So we ask ourselves, what if this were in the hands of someone who actively wanted to exploit it?
Who are we kidding? Most of the kids that control tons of computers for their ddos attacks for taking over irc servers are not geniuses. If someone had a reason to take over many, many cmoputers and use them for financial gain, they would do it. Plain and simple.
The fact is, owning tons of bandwidth and cycles for a brief amount of time (because that's all you are going to get) is not all that useful long term. How are you going to cash in on it?