Security Incidents mailing list archives

Re: Flash Worms

From: Stuart Staniford <stuart () silicondefense com>
Date: Wed, 22 Aug 2001 11:57:15 -0700



Michal Zalewski wrote:


On Fri, 17 Aug 2001, Stuart Staniford wrote:

Agreed - we're only talking about saturation of the hosts that can
actually be attacked from the Internet, are vulnerable to whatever
exploit the worm has, are currently connected to the Internet, and
have publically routable static Internet addresses.  What we're
arguing is that the worm can reach all of those hosts that it's going
to reach in O(30secs) if it's small and uses the kind of strategies we
discuss.


There's a huge network in Poland, called Polpak, connected to the
Internet. It makes a part of it. It connects dozens, if not hundreds, of
thousands of computers. It has very centralized structure, built around
the capital of this country. It has very poor international uplinks,
heavily overloaded, with packet loss ratio around 50-60% in peak hours.

You can't ignore networks like that around the globe, they make a
significant percent of overall host count. The Internet is not made only
of US hosts in metropolitan areas, that can interact and exchange
information in fast and reliable way.


You are right.  Hosts on networks that are so poorly connected will not get
infected very quickly.

However, it may be much quicker than you think because the flash worm can
use address space locality.  Once a worm or two is into that section of the
address space, most of the rest of it will be compromised quickly.

Stuart.


-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Flash Worms Stuart Staniford (Aug 17)
- Re: Flash Worms Michal Zalewski (Aug 18)
  - Re: Flash Worms Stuart Staniford (Aug 18)
    - Re: Flash Worms Michal Zalewski (Aug 18)
    - Re: Flash Worms jaywhy (Aug 18)
    - Re: Flash Worms Dragos Ruiu (Aug 19)
    - Re: Flash Worms Shoten (Aug 23)
    - Re: Flash Worms Kevin Reardon (Aug 24)
    - Re: Flash Worms Stuart Staniford (Aug 22)
    - Re: Flash Worms Bruno Treguier (Aug 21)
    - Re: Flash Worms Kevin Reardon (Aug 22)
  - Re: Flash Worms Robert Graham (Aug 18)
    - Re: Flash Worms Jose Nazario (Aug 19)
    - Flash Worms and congestion Stuart Staniford (Aug 22)
- <Possible follow-ups>
- Re: Flash Worms Vern Paxson (Aug 22)