Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Hard data on network impact of the "Code Red" worm?

  • From: Christian Kuhtz
  • Date: Mon Jul 30 18:55:54 2001

On Mon, Jul 30, 2001 at 03:34:39PM -0700, Sean Donelan wrote:
[..]
> I agree, we were lucky on some things.  But predictions
> are always hard because we never completely understand
> the problem.
> 
> What natural limits (or predators) exist controlling
> the spread of the worm.  If the worm destroys the very
> infrastructure it needs to survive, it tends to be self-
> limiting.  

The worm doesn't destroy anything until typically many days after the
infection/propagation to prevent exactly what you described.  Most zombies,
virii etc destroyed their own infrastructure because there wasn't a delay 
trigger.  This time there is.

Evolution of sorts.  With a flaw, it can be detected from the outside. Truly
dormant zombies are what's worrisome.

> I suspect, but have no evidence, the worm can quickly spread
> through hundreds of thousands of machines, but then the worm's
> behavior tends to interfere with its ability to propagate.  If it
> attracts attention to itself, the system administrator may take
> action.  I know, later variants no longer change the web site. If
> the worm takes out DSL modems and other network infrastructure,
> machines behind DSL modem are isolated until a network operator
> can intervene.  If the site is on auto-pilot, this also limits
> the worm.

Your logic is flawed.  If this was true, zombie networks would be largely 
ineffective.  The current mutation is nothing more than an automated zombie
distribution network, with all fun options of current zombie networks such as
remote control, remote upgrades etc...

You may want to read up on the details of this one, like the presentation at
the bottom of http://www.digitalisland.net/codered/

> Several folks have sent me mail saying we should be worrying about
> the quiet zombie machines.  They feel there are far more of them
> on the net than the "code red" worm.  But the question is what are
> they waiting for?

For somebody to activate the zombie network whenever it pleases them.  It
could lay dormant for a long time.

The problem here isn't the worm itself, the problem is all the machines which 
aren't properly administrated.

-- 
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."



