Interesting People mailing list archives
IP: more on Mind-blowing-- How to own the Internet in your spare time
From: Dave Farber <dave () farber net>
Date: Sun, 02 Jun 2002 08:48:04 +0900
------ Forwarded Message
From: Vern Paxson <vern () icir org>
Date: Fri, 31 May 2002 15:29:16 -0700
To: farber () cis upenn edu
Cc: "Nicholas C. Weaver" <nweaver () CS Berkeley EDU>, stuart () silicondefense com
Subject: Re: IP: more on Mind-blowing-- How to own the Internet in your spare time

[resending, in case this slipped between the cracks the first time]

On Mon 27 May Mike Astle wrote:
> The CDC part of this article just makes no sense. The authors spend the majority of the paper showing that a worm could infect the entire Internet in less than a minute. They then call for the creation of a body to combat infections which are by their own admission "so fast that no human-mediated counter-response is possible".
First, as the paper notes, the CDC section is "to spur further discussion of the issues within the community". However, our definition of the CDC does include the task of developing and coordinating automated defenses. This requires the correlation of distributed information. Many of these worms would have behavior that, although it may not be detectable on a single site in time to respond, does present Internet-wide anomalies which an automated system could respond to. (And, yes, automated response is *exceedingly* tricky - it's just very hard to see what else can be done.) We are actively working on research on automated worm responses, but it's premature for us to publish this.

Similarly, an important part of recovering from an attack is understanding what the worm does and tries to accomplish, as well as a means of tracking the author. E.g., an understanding of the Code Red I DDoS module allowed whitehouse.gov to avoid a DDoS attack. But there is nobody who is accountable to the public for such analysis currently; it generally consists of voluntary efforts. A more complicated worm is unlikely to be analyzed in the current environment - for example, to the best of our knowledge, there has still been no full disassembly of Nimda, meaning that its behavior may not be altogether known. And there is certainly nobody responsible for initiating any sort of proactive measures at an Internet level.
> I am convinced that the creation and distribution of a super-virus is possible, but I agree with Sam that the virus as described in this paper depends on so many assumptions (all neatly stated and then overlooked) as to be unlikely.
This is not a useful comment without clarifying which assumptions we have overlooked.
> It is unclear to me who might have an interest in releasing a truly destructive virus.
Unfortunately, there are far too many who may be interested. Since the discussion is lengthy, it's appended at the end. At a minimum, critical communication networks should be engineered such that they cannot be globally disrupted by small groups of amateurs. This is obvious. It isn't true of the Internet.

----

On Mon, 27 May 2002, Sam Bennett wrote:
> I would find it very difficult to believe that the top dogs in the network security industries haven't spent a lot more time and money contemplating future exploits (obviously with the somewhat more realistic goal of stiffing businesses for as much money as they can) than this bunch.
We believe we are generally familiar both with the research literature and with the offerings of the security industry. There is only a small amount of research on worm spread prior to Code Red I. There is a lot more work happening now, and this paper is part of that thrust. Part of the issue within the commercial security community is that defending against known attacks, or human-mediated unknown attacks, is a common business, but the questions regarding how to defend against fast worms employing unknown exploits are very large, and *not* very commercial. The fact that large numbers of Code Red I infected hosts are still present indicates that the problem is not currently solved.
> Nothing in the article has any real substance - the 'mathematical models' seem smugly self-serving, the anticipated propagation of a 'Warhol Worm' being the most indulgent. Who came up with THAT one? It's all approximated, estimated and assumed.
The mathematical model is important, because it is reasonably consistent with established behavior. Yes, the reality is that, for individual worms, the scanning rate varies widely, but a constant compromise rate ends up a decent approximation for observed behavior. Obviously, we cannot build and test such worms, and that's the only way to provide absolute proof. We think we've made a good case that worms much faster than Code Red are entirely plausible. We are happy to defend our assumptions, but would need a specific critique to know where to begin.
> We're only titillated because the author throws some big numbers about. Surely, if a worm was very well written to exploit a vulnerability that no-one else had seen, and could infect a target server in one hit, that would be it. Game over. It wouldn't interest you, as the IT manager of the infected server, to know that the virus had managed to discover and attack 100,000,000,000 other servers in the same 15 second slot. No, you'd be panicking because you couldn't log in as root anymore and the number of calls requesting files from last night's backup is going up by 10 every minute.
Actually, it does, for a couple of reasons: The first is that, if you detect the worm on the Internet level, this would give time for many sites to initiate automated responses before the worm actually attacks. And the more vulnerable machines which exist, the faster a worm spreads. Secondly, many of the recovery procedures will require accessing patches and other information, of which the fast channels are all based on the Internet. How much more difficult will this be if the worm is DDoSing the major vendors and antivirus sites, and/or the root name service? How much more difficult still if there is a human controlling the worm, who adds new targets as mirrors are established?

- Nicholas C. Weaver (nweaver () cs berkeley edu)
- Vern Paxson (vern () icir org)
- Stuart Staniford (stuart () silicondefense com)

Appendix: Who might want to launch a destructive worm:

a) Terrorists focusing on disruption rather than body count. Al Qaeda et al have been fixated on body count, but there have been other domestic and foreign groups that have focused on disruption instead, e.g. some of the ecoterrorist splinter groups and others. The ability for a very small group or even an individual to cause macroscopic economic disruption is significant. This is made worse as more and more services are growing to rely on both Internet connected communication channels and COTS software.

b) Countries that would be happy to make life more difficult for the Internet-based economies emerging in developed nations, if they could do so in a nearly impossible to trace fashion.

c) Economic manipulation. A controllable worm could target specific Internet-related companies. The rather mild "mafiaboy" attacks of February 2000 showed how easy it would be.

d) "Theodore Kaczynski" - someone who is intelligent, meticulous, and patient. The actual resources are small, the skills are reasonably common, but the patience and testing need to be high. The US has had a long history of some strange internal, message based attackers in recent years (Kaczynski, the recent "Happyface Mailbox Bomber" in the midwest, the Earth Liberation Front). They don't HAVE to use bombs to distribute a big message.

e) Blackhat evolution: We have seen continual evolution in virus/mailworm writing (virus and mailworm toolkits, the Klez family of mail worms) and other areas (the DDoS toolkits, which have included updates, cryptographic control channels, stealthy control channels). Worm toolkits, which would facilitate arbitrary attack and payload modules, are a natural evolution. Indeed, this was the case for Code Red II: attackers would scan for infected hosts and use the root backdoor to launch DOS attacks.

------ End of Forwarded Message

For archives see: http://www.interesting-people.org/archives/interesting-people/
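As an added illustration of the "constant compromise rate" model the reply above defends (this is not code from the thread or from the Staniford/Paxson/Weaver paper), the following Python script implements the standard logistic spread model for a random-scanning worm and uses it to compute the interval between the point where a worm first becomes visible as an Internet-wide anomaly and near-saturation. That interval is the window an automated, Internet-level response would have to act in, which is the point the authors make about why single-site detection comes too late. The scan rates and vulnerable-population sizes are constructed, illustrative values, not measurements of any real worm.

```python
"""Constant-compromise-rate (logistic) model of a random-scanning worm.

Added illustration, not code from the Interesting People thread or from the
Staniford/Paxson/Weaver paper it discusses.  The model: N vulnerable hosts,
each infected host probing random IPv4 addresses, so each infected host
compromises new hosts at an initial rate K per second.  The infected fraction
a(t) then follows da/dt = K * a * (1 - a).  All rates and population sizes
below are constructed, illustrative values, not measurements.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses probed uniformly at random


def compromise_rate(scans_per_sec, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """Initial compromise rate K: new infections per infected host per second.

    A random scan hits a vulnerable host with probability
    vulnerable_hosts / address_space.
    """
    return scans_per_sec * vulnerable_hosts / address_space


def infected_fraction(t, K, a0):
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0."""
    grown = a0 * math.exp(K * t)
    return grown / (1.0 - a0 + grown)


def time_to_fraction(target, K, a0):
    """Seconds until the infected fraction grows from a0 to target.

    This is the inverse of infected_fraction.
    """
    if not (0.0 < a0 < 1.0 and 0.0 < target < 1.0):
        raise ValueError("fractions must lie strictly between 0 and 1")
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / K


def simulate(K, a0, dt, horizon):
    """Forward-Euler integration of the same ODE, as a cross-check on the closed form.

    Returns a list of (t, a) samples; stops at the horizon or once a >= 0.999.
    """
    t, a = 0.0, a0
    trace = [(t, a)]
    while t < horizon and a < 0.999:
        a += K * a * (1.0 - a) * dt
        t += dt
        trace.append((t, a))
    return trace


def response_window(K, visible_fraction, saturated_fraction=0.9):
    """Seconds between the worm becoming visible as an Internet-wide anomaly
    (visible_fraction of vulnerable hosts infected) and near-saturation.

    This is the time an automated, Internet-level response has to act in.
    """
    return time_to_fraction(saturated_fraction, K, visible_fraction)


def scenario(name, scans_per_sec, vulnerable_hosts, visible_fraction=0.01):
    """Summarise one constructed scenario, seeded from a single infected host."""
    K = compromise_rate(scans_per_sec, vulnerable_hosts)
    a0 = 1.0 / vulnerable_hosts
    return {
        "name": name,
        "K_per_hour": K * 3600.0,
        "seconds_to_90pct": time_to_fraction(0.9, K, a0),
        "response_window_s": response_window(K, visible_fraction),
    }


if __name__ == "__main__":
    # Constructed parameters: a slow scanner with a Code Red-sized population
    # and a faster scanner with a larger one.  Neither is a measured worm.
    for s in (scenario("slow scanner", 10, 360_000),
              scenario("fast scanner", 100, 1_000_000)):
        print(f"{s['name']}: K = {s['K_per_hour']:.1f}/hour, "
              f"90% infected after {s['seconds_to_90pct'] / 60:.1f} min, "
              f"window from 1% visible to 90%: {s['response_window_s'] / 60:.1f} min")
```

The closed form and the Euler integration agree closely for small time steps; the interesting output is `response_window_s`, which for the constructed fast scanner is on the order of five minutes, far shorter than any human-mediated coordination cycle. Raising the detection threshold (e.g. from 1% to 10%) shrinks the window further, which is why the reply argues for correlating distributed observations rather than waiting for a single site to notice.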