North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Hard data on network impact of the "Code Red" worm?
- From: Sean Donelan
- Date: Mon Jul 30 18:37:14 2001
On Mon, 30 July 2001, k claffy wrote:
> so, 1 aug midnite GMT (tomorrow 17:00 in california),
> codered goes back into 'spread' mode.
> within a few hours, we'll have 100,000-300,000
> globally infected machines again.
> and presumably they won't stop at the
> end of the day to start phase two this time.
> (remember CRv2 only had a day before it
> went into phase two the first time)
I agree, we were lucky on some things. But predictions
are always hard because we never completely understand
What natural limits (or predators) exist controlling
the spread of the worm. If the worm destroys the very
infrastructure it needs to survive, it tends to be self-
limiting. If the worm keeps re-infecting the same machines,
they tend to die and stop spreading. Custodians (i.e. system
and network administrators) have shown the ability to adapt,
and respond if the worm is too slow.
I suspect, but have no evidence, the worm can quickly spread
through hundreds of thousands of machines, but then the worm's
behavior tends to interfere with its ability to propagate. If it
attacts attention to itself, the system administrator may take
action. I know, later variants no longer change the web site. If
the worm takes out DSL modems and other network infrastructure,
machines behind DSL modem are isolated until a network operator
can intervene. If the site is on auto-pilot, this also limits
Several folks have sent me mail saying we should be worrying about
the quiet zombie machines. They feel there are far more of them
on the net than the "code red" worm. But the question is what are
they waiting for?
Argh, this is why I got out of security. Too many twisty passages.
It is dark. You have been eaten by a Grue.