North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Hard data on network impact of the "Code Red" worm?
- From: Christian Kuhtz
- Date: Mon Jul 30 18:55:54 2001
On Mon, Jul 30, 2001 at 03:34:39PM -0700, Sean Donelan wrote:
> I agree, we were lucky on some things. But predictions
> are always hard because we never completely understand
> the problem.
> What natural limits (or predators) exist controlling
> the spread of the worm. If the worm destroys the very
> infrastructure it needs to survive, it tends to be self-
The worm doesn't destroy anything until typically many days after the
infection/propagation to prevent exactly what you described.. Most zombies,
virii etc destroyed their own infrastructure because there wasn't a delay
trigger. This time there is.
Evolution of sorts. With a flaw, it can be detected from the outside. Truely
dormant zombies is what's worrysome.
> I suspect, but have no evidence, the worm can quickly spread
> through hundreds of thousands of machines, but then the worm's
> behavior tends to interfere with its ability to propagate. If it
> attacts attention to itself, the system administrator may take
> action. I know, later variants no longer change the web site. If
> the worm takes out DSL modems and other network infrastructure,
> machines behind DSL modem are isolated until a network operator
> can intervene. If the site is on auto-pilot, this also limits
> the worm.
Your logic is flawed. If this was true, zombie networks would be largely
ineffective. The current mutation is nothing more than an automated zombie
distribution network, with all fun options of current zombie networks such as
remote control, remote upgrades etc...
You may want to read up on the details of this one, like the presentation at
the bottom of http://www.digitalisland.net/codered/
> Several folks have sent me mail saying we should be worrying about
> the quiet zombie machines. They feel there are far more of them
> on the net than the "code red" worm. But the question is what are
> they waiting for?
For somebody to activate the zombie network whenever it pleases them. It
could lay dormant for a long time.
The problem here isn't the worm itself, the problem is all the machines which
aren't properly administrated.
Christian Kuhtz <email@example.com> -wk, <firstname.lastname@example.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only.""