RE: CRv2 August 1st dynamics

[Ken Williams <Kwilliams () ZELTECH com>]

Given two theories about the launch of Code Red:

1) Non-malicious (due to low-threat nature of payload) "wake-up call" by
some member of the Blue Force security crowd (us).

2) Feasibility test on spread rates, Blue Force response times, etc. by a
potential adversary,

have you considered modeling the spread over several months?  We will soon
have two data points.  Might be able to develop a predictor(s) of:

How long does it take for the total spread to decay to some "constant"
number of vulnerable machines (the 5% that NEVER get the word and apply the
patch)?  Is it 5% or some other number?  For a particular vulnerability,
will it ever approach zero, short of a new release of the product containing
the vulnerability that results in complete replacement of the offending
code?  What's the (probable vs emprically observed) shape of the decay curve
(over months), and can we draw any conclusions for future worms with cycles
shorter than monthly?  And, finally, does June see any directly comparable
mathematical models for spread, saturation, etc. im epidemiology - are these
virtually the same equations?

Ken Williams
Zel Technologies, LLC

  

-----Original Message-----
From: Stuart Staniford
To: incidents () securityfocus com; handler () incidents org; IAIPT;
cpc () schafercorp-ballston com
Sent: 8/1/01 9:06 PM
Subject: CRv2 August 1st dynamics

For the July 19th Code Red incident, I posted a theory of the worm that
said it
had random spread with a spread rate of about 1.8 hosts per hour, and
showed
this analytic model approximately accounted for the observed growth in
the worm
probe rate.

I applied the same model in a quick first-cut analysis to today's
events, and
again it seems to fit except with a lower spread rate of about 0.7 hosts
per
hour.  The worm has now pretty much saturated.  This suggests that there
were a
little less than half as many vulnerable hosts as last time.

This is an interesting way of working with these incidents, as I was
able to
estimate the spread rate fairly well before there was any sign of
saturation,
and thereby predict approximately when it would saturate, and
approximately how
many hosts would get compromised relative to last time.

The graphs are at

http://www.silicondefense.com/cr/aug.html

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com