nanog mailing list archives
Re: Hard data on network impact of the "Code Red" worm?
From: Christian Kuhtz <ck () arch bellsouth net>
Date: Mon, 30 Jul 2001 18:53:46 -0400
On Mon, Jul 30, 2001 at 03:34:39PM -0700, Sean Donelan wrote: [..]
> I agree, we were lucky on some things. But predictions are always hard because we never completely understand the problem. What natural limits (or predators) exist controlling the spread of the worm. If the worm destroys the very infrastructure it needs to survive, it tends to be self-limiting.

The worm doesn't destroy anything until typically many days after the infection/propagation to prevent exactly what you described. Most zombies, virii etc destroyed their own infrastructure because there wasn't a delay trigger. This time there is. Evolution of sorts. With a flaw, it can be detected from the outside. Truly dormant zombies are what's worrisome.

> I suspect, but have no evidence, the worm can quickly spread through hundreds of thousands of machines, but then the worm's behavior tends to interfere with its ability to propagate. If it attracts attention to itself, the system administrator may take action. I know, later variants no longer change the web site. If the worm takes out DSL modems and other network infrastructure, machines behind DSL modems are isolated until a network operator can intervene. If the site is on auto-pilot, this also limits the worm.

Your logic is flawed. If this was true, zombie networks would be largely ineffective. The current mutation is nothing more than an automated zombie distribution network, with all fun options of current zombie networks such as remote control, remote upgrades etc... You may want to read up on the details of this one, like the presentation at the bottom of http://www.digitalisland.net/codered/

> Several folks have sent me mail saying we should be worrying about the quiet zombie machines. They feel there are far more of them on the net than the "code red" worm. But the question is what are they waiting for?

For somebody to activate the zombie network whenever it pleases them. It could lie dormant for a long time. The problem here isn't the worm itself, the problem is all the machines which aren't properly administered.

--
Christian Kuhtz <ck () arch bellsouth net> -wk, <ck () gnu org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."