Interesting People mailing list archives

IP: more on Mind-blowing-- How to own the Internet in your spare time


From: Dave Farber <dave () farber net>
Date: Sun, 02 Jun 2002 08:48:04 +0900


------ Forwarded Message
From: Vern Paxson <vern () icir org>
Date: Fri, 31 May 2002 15:29:16 -0700
To: farber () cis upenn edu
Cc: "Nicholas C. Weaver" <nweaver () CS Berkeley EDU>,
stuart () silicondefense com
Subject: Re: IP: more on Mind-blowing-- How to own the Internet in your spare time

[resending, in case this slipped between the cracks the first time]

On Mon 27 May Mike Astle wrote:

> The CDC part of this article just makes no sense.  The authors spend the
> majority of the paper showing that a worm could infect the entire Internet
> in less than a minute.  They then call for the creation of a body to
> combat infections which are by their own admission "so fast that no
> human-mediated counter-response is possible".

First, as the paper notes, the CDC section is "to spur further discussion
of the issues within the community".

However, our definition of the CDC does include the task of developing
and coordinating automated defenses.  This requires the correlation of
distributed information.  Many of these worms would have behavior that,
although it may not be detectable on a single site in time to respond,
does present Internet-wide anomalies which an automated system could respond
to.  (And, yes, automated response is *exceedingly* tricky - it's just very
hard to see what else can be done.)  We are actively working on research
on automated worm responses, but it's premature for us to publish this.

Similarly, an important part of recovering from an attack is understanding
what the worm does and tries to accomplish, as well as a means of tracking
the author.  E.g., an understanding of the Code Red I DDoS module allowed
whitehouse.gov to avoid a DDoS attack.

But there is nobody who is accountable to the public for such analysis
currently; it generally consists of voluntary efforts.  A more complicated
worm is unlikely to be analyzed in the current environment - for example,
to the best of our knowledge, there has still been no full disassembly of
Nimda, meaning that its behavior may not be altogether known.  And there
is certainly nobody responsible for initiating any sort of proactive
measures at an Internet level.

> I am convinced that the creation and distribution of a super-virus is
> possible, but I agree with Sam that the virus as described in this paper
> depends on so many assumptions (all neatly stated and then overlooked)
> as to be unlikely.

This is not a useful comment without clarifying which assumptions we
have overlooked.

> It is unclear to me who might have an interest in releasing a truly
> destructive virus.

Unfortunately, there are far too many who may be interested.  Since
the discussion is lengthy, it's appended at the end.  At a minimum,
critical communication networks should be engineered such that they
cannot be globally disrupted by small groups of amateurs.  This is
obvious.  It isn't true of the Internet.

----

On Mon, 27 May 2002, Sam Bennett wrote:

> I would find it very difficult to believe that the top dogs in the
> network security industries haven't spent a lot more time and money
> contemplating future exploits (obviously with the somewhat more
> realistic goal of stiffing businesses for as much money as they can)
> than this bunch.

We believe we are generally familiar both with the research literature
and with the offerings of the security industry.  There is only a
small amount of research on worm spread prior to Code Red I.  There is
a lot more work happening now, and this paper is part of that thrust.

Part of the issue within the commercial security community is that
defending against known attacks, or human-mediated unknown attacks, is
a common business, but the questions regarding how to defend against
fast worms employing unknown exploits are very large, and *not* very
commercial.  The fact that large numbers of Code Red I infected hosts
are still present indicates that the problem is not currently solved.

> Nothing in the article has any real substance - the
> 'mathematical models' seem smugly self-serving, the anticipated
> propagation of a 'Warhol Worm' being the most indulgent.  Who
> came up with THAT one? It's all approximated, estimated and
> assumed.

The mathematical model is important, because it is reasonably
consistent with established behavior.  Yes, the reality is that, for
individual worms, the scanning rate varies widely, but a constant
compromise rate ends up a decent approximation for observed behavior.

Obviously, we cannot build and test such worms, and that's the only
way to provide absolute proof.  We think we've made a good case that
worms much faster than Code Red are entirely plausible.  We are happy
to defend our assumptions, but would need a specific critique to know
where to begin.

> We're only titillated because the author throws some big numbers
> about.  Surely, if a worm was very well written to exploit a
> vulnerability that no-one else had seen, and could infect a
> target server in one hit, that would be it. Game over. It
> wouldn't interest you, as the IT manager of the infected server
> to know that the virus had managed to discover and attack
> 100,000,000,000 other servers in the same 15 second slot.  No,
> you'd be panicking because you couldn't log in as root anymore
> and the number of calls requesting files from last night's backup
> is going up by 10 every minute.

Actually, it does, for a couple of reasons:

The first is that, if you detect the worm on the Internet level, this
would give time for many sites to initiate automated responses before
the worm actually attacks.  And the more vulnerable machines which
exist, the faster a worm spreads.

Secondly, much of the recovery procedure will require accessing
patches and other information, for which the fast channels are all
based on the Internet.  How much more difficult will this be if the
worm is DDoSing the major vendors and antivirus sites, and/or the root
name service?  How much more difficult still if there is a human
controlling the worm, who adds new targets as mirrors are established?

- Nicholas C. Weaver (nweaver () cs berkeley edu)
- Vern Paxson (vern () icir org)
- Stuart Staniford (stuart () silicondefense com)


Appendix: Who might want to launch a destructive worm:

a) Terrorists focusing on disruption rather than body count.  Al Qaeda
   et al have been fixated on body count, but there have been other
   domestic and foreign groups that have focused on disruption instead,
   e.g. some of the ecoterrorist splinter groups and others.  The ability
   for a very small group or even an individual to cause macroscopic
   economic disruption is significant.

   This is made worse as more and more services are growing to rely on
   both Internet connected communication channels and COTS software.

b) Countries that would be happy to make life more difficult for the
   Internet-based economies emerging in developed nations, if they could
   do so in a nearly impossible to trace fashion.

c) Economic manipulation.  A controllable worm could target specific
   Internet-related companies.  The rather mild "mafiaboy" attacks of
   February 2000 showed how easy it would be.

d) "Theodore Kaczynski" - someone who is intelligent, meticulous, and
   patient.  The actual resources are small, the skills are reasonably
   common, but the patience and testing need to be high.  The US has had
   a long history of some strange internal, message based attackers in
   recent years (Kaczynski, the recent "Happyface Mailbox Bomber" in the
   midwest, the Earth Liberation Front).  They don't HAVE to use bombs to
   distribute a big message.

e) Blackhat evolution: We have seen continual evolution in
   virus/mailworm writing (virus and mailworm toolkits, the Klez family
   of mail worms) and other areas (the DDoS toolkits, which have included
   updates, cryptographic control channels, stealthy control channels).
   Worm toolkits, which would facilitate arbitrary attack and payload
   modules, are a natural evolution.  Indeed, this was the case for Code
   Red II: attackers would scan for infected hosts and use the root
   backdoor to launch DoS attacks.


------ End of Forwarded Message
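The constant-compromise-rate model the authors defend above, and their point that the more vulnerable machines exist the faster a worm spreads, worked through as an added example. This is illustrative code of mine, not code from the paper or from anyone in this thread. It assumes the random-constant-spread model (N vulnerable hosts scattered uniformly through a 2^B address space, each infected host probing r random addresses per second, one initial infection), so that the per-host compromise rate is K = r*N/2^B and the infected fraction follows the logistic curve da/dt = K*a*(1-a). The concrete numbers (300,000 vulnerable hosts, 10 to 1000 probes per second, and a 16-bit address space for the small stochastic run) are assumptions chosen for illustration, not figures from the paper.

```python
"""Random-constant-spread worm model: closed-form logistic curve versus a
small stochastic scan simulation.

Added illustration, not code from the paper or the mailing-list thread.
Assumed model: N vulnerable hosts uniformly scattered in a 2**B address
space, every infected host probing r uniformly random addresses per second,
one infected host at t=0.  Then K = r * N / 2**B is the compromise rate per
infected host, da/dt = K * a * (1 - a), and a(t) = 1 / (1 + exp(-K (t - T))).
"""
import math
import random


def compromise_rate(n_vulnerable, scans_per_sec, address_bits=32):
    """K: expected new infections per infected host per second (assumed model)."""
    return scans_per_sec * n_vulnerable / float(1 << address_bits)


def logistic_time(a_from, a_to, rate):
    """Seconds for the logistic curve with rate K to climb from infected
    fraction a_from to a_to (0 < a_from < a_to < 1)."""
    logit = lambda a: math.log(a / (1.0 - a))
    return (logit(a_to) - logit(a_from)) / rate


def time_to_saturation(n_vulnerable, scans_per_sec, address_bits=32, frac=0.99):
    """Model prediction: seconds from one infected host to `frac` of the
    vulnerable population infected."""
    rate = compromise_rate(n_vulnerable, scans_per_sec, address_bits)
    return logistic_time(1.0 / n_vulnerable, frac, rate)


def simulate_scanning(n_vulnerable, scans_per_sec, address_bits=16,
                      stop=0.99, seed=7):
    """Stochastic simulation in one-second steps: every probe picks an
    address uniformly at random; a hit on a vulnerable host infects it.
    Returns [(t, infected_count), ...].  The small default parameters keep
    the pure-Python loop to a few hundred thousand probes."""
    rng = random.Random(seed)
    space = 1 << address_bits
    vulnerable = set(rng.sample(range(space), n_vulnerable))
    infected = {next(iter(vulnerable))}          # patient zero
    t, history = 0, [(0, 1)]
    while len(infected) < stop * n_vulnerable:
        probes = len(infected) * scans_per_sec   # hosts infected this step probe next step
        for _ in range(probes):
            target = rng.randrange(space)
            if target in vulnerable:
                infected.add(target)             # no-op if already infected
        t += 1
        history.append((t, len(infected)))
    return history


def first_time_reaching(history, count):
    """Time of the first sample with at least `count` infected hosts."""
    for t, n in history:
        if n >= count:
            return t
    return None


if __name__ == "__main__":
    # Internet-scale prediction with assumed numbers: scan rate sets the speed.
    for r in (10, 100, 1000):
        print("N=300000 vulnerable, %4d scans/s/host: 99%% infected after %8.0f s"
              % (r, time_to_saturation(300_000, r)))
    # Twice the vulnerable population roughly halves the time to saturation.
    print("time ratio, 2N vs N: %.2f"
          % (time_to_saturation(600_000, 10) / time_to_saturation(300_000, 10)))
    # Small-scale check of the closed form against the stochastic simulation.
    N, r, B = 500, 4, 16
    hist = simulate_scanning(N, r, B)
    print("model t(50%%) = %.0f s, simulated t(50%%) = %d s, 99%% at %d s"
          % (logistic_time(1.0 / N, 0.5, compromise_rate(N, r, B)),
             first_time_reaching(hist, N // 2), hist[-1][0]))
```

The stochastic run shows why a constant K is a "decent approximation": individual probe outcomes are random and the early phase wanders by tens of seconds, but once a few hosts are infected the curve locks onto the logistic shape, and doubling either the scan rate or the vulnerable population roughly halves the time to saturation.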

For archives see:
http://www.interesting-people.org/archives/interesting-people/

