Information Security News mailing list archives

What, Me Worry About Warhol Worms?


From: InfoSec News <isn () c4i org>
Date: Fri, 17 Aug 2001 03:33:15 -0500 (CDT)

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>



Hi folks,

        I've seen this fly across a number of lists lately:

        Warhol Worms: The Potential for Very Fast Internet Plagues
        http://www.cs.berkeley.edu/~nweaver/warhol.html

        While Mr. Weaver does raise some compelling points about the
possibility of a Warhol Worm (catchy term!), there are some problems with
the model he presents.

        1.      Connection timeout:
                Not every IP on the 'net is alive.  And some that are
                alive don't respond to pings or vanilla TCP scans.

        2.      Firewalls:
                Not every system behind a firewall is NAT'd.  Some systems
                have routable IPs behind those firewalls (don't ask me
                why).

        3.      Typical congestion:
                Not every system on the 'net is a turbo-charged Sun
                Microsystems Enterprise 10,000.  A number of systems are
                Linux or BSD boxes running on a P200 or slower.  (Shoot,
                one of my boxes running Linux would be a P166 if the
                motherboard hadn't shelled out at the last minute.)

        4.      Honeypots:
                HIDS configured to bind to ports typically used by known
                vulnerable services.  The worm "crawls in," but it won't
                crawl out.

        5.      Human error:
                As every worm released thus far shows, we're only human.
                Every worm from the Morris worm of the '80s to Code
                Red has suffered from programmatic mistakes.  It's just
                the nature of the beast.

        6.      Hurry Up and Wait:
                If such a worm were to start propagating at such prodigious
                speeds, it would ultimately start tripping over itself.  The
                first network that would be a victim of it would likely
                suffer network saturation.  This would in turn slow the
                propagation to other networks significantly.

        All these factors taken together will greatly increase -- by at
least an order of magnitude -- the purported Warholian window.

        Sure, the notion of a fast-moving worm seems scary on the face.
There is admittedly no effective human response to it...but when you get
right down to it, the same is true for the slow-as-molasses-in-January
worms.

        With all of that in mind, the timeframe of spread isn't the
alarming part.  The alarming part is that most vendors and admins are
still sitting on their thumb when it comes to sound security practices.
*That* is truly the cause for alarm here.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-------- Real men prefer full disclosure. --------'  `------'

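Points 1 and 3 above (dead addresses, connection timeouts, slow hosts) can be put into numbers with the logistic growth model that the Warhol paper itself uses: every infected host probes random addresses, and the infected fraction a(t) grows as da/dt = K*a*(1-a) with K proportional to the per-host probe rate. The script below is an added example, not part of Jay's post or of Weaver's paper; the host count, hit-list size, thread count, timeout and dead-address fraction are constructed parameters, chosen only to show how the time-to-90% window stretches when most probes hang on unanswered addresses.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws from


def effective_scan_rate(threads, dead_fraction, timeout_s, live_s):
    """Probes per second an infected host actually completes.

    A probe to a live host finishes in live_s seconds; a probe to a dead or
    silently filtered address sits for the full timeout_s before the scanner
    moves on.  Each of `threads` concurrent connections therefore averages
    one probe per (dead_fraction*timeout_s + (1-dead_fraction)*live_s) seconds.
    """
    mean_probe_s = dead_fraction * timeout_s + (1.0 - dead_fraction) * live_s
    return threads / mean_probe_s


def time_to_fraction(scan_rate, vulnerable, initial_fraction, target_fraction):
    """Seconds until target_fraction of the vulnerable hosts are infected.

    Logistic model of random-scanning growth: K = scan_rate * vulnerable /
    ADDRESS_SPACE is the rate at which one infected host finds new victims,
    a(t) satisfies da/dt = K*a*(1-a), and solving for t gives
    t = ln( target/(1-target) * (1-a0)/a0 ) / K.
    """
    k = scan_rate * vulnerable / ADDRESS_SPACE
    odds_ratio = (target_fraction / (1.0 - target_fraction)) * (
        (1.0 - initial_fraction) / initial_fraction)
    return math.log(odds_ratio) / k


def warhol_window_ratio(vulnerable=1_000_000, initial_fraction=1e-4,
                        target_fraction=0.9, threads=100,
                        dead_fraction=0.9, timeout_s=20.0, live_s=1.0):
    """Idealised window vs. one where most probed addresses never answer.

    All defaults are constructed for illustration: 1M vulnerable hosts, a
    100-host hit list, 100 concurrent probes per host, 20 s TCP timeouts.
    """
    ideal_rate = effective_scan_rate(threads, 0.0, timeout_s, live_s)
    real_rate = effective_scan_rate(threads, dead_fraction, timeout_s, live_s)
    ideal_t = time_to_fraction(ideal_rate, vulnerable, initial_fraction, target_fraction)
    real_t = time_to_fraction(real_rate, vulnerable, initial_fraction, target_fraction)
    return ideal_t, real_t, real_t / ideal_t


if __name__ == "__main__":
    ideal_t, real_t, ratio = warhol_window_ratio()
    print(f"idealised window to 90% infected: {ideal_t / 60:.1f} min")
    print(f"with 90% dead addresses and 20 s timeouts: {real_t / 60:.1f} min")
    print(f"slowdown factor: {ratio:.1f}x")
```

With these constructed inputs the idealised window is about eight minutes and the timeout-burdened one about 2.5 hours, an 18x stretch, which is the "order of magnitude" the post argues for; self-saturation (point 6) is not modelled here because it depends on link capacities the model does not track.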


