Snort mailing list archives
Why Code Red is never going to Spread Exponentially
From: Gary Warner <gar () askgar com>
Date: Fri, 03 Aug 2001 22:06:46 -0700
At my office we have a NAT environment, with only 13 IP addresses exposed publicly. We've settled in at between 8 and 12 Code Red hits per hour bouncing off our firewall. No biggie. Some of my co-workers were explaining that Code Red was going to grow exponentially and it would eventually be a problem.

Here's the math problem I gave them with made-up numbers. Make up your own numbers based on your best assumptions. I'll share the phony numbers I'm assuming.

  A - let A = the % of possible IP addresses that are in use.
  B - let B = the % of possible IP addresses that are behind a firewall which blocks port 80
  C - let C = the % of Internet-attached machines which are web servers
  D - let D = the % of web servers which run IIS
  E - let E = the % of IIS servers vulnerable to the .IDQ overflow

Each infected IIS server will attempt to infect 100 randomly selected IP addresses.

Here are my "picked from the air" values:

  A = 55%
  B = 15%
  C = 15%
  D = 20% (see http://www.netcraft.com/survey/ )
  E = 50% (domestics highly patched now, foreign still a big problem)

  100 - A = 45          -- most of the IP addresses Code Red attempts will be duds
  45 - B = 30           -- of the remainder, some will be behind firewalls
  30 * C = 5 (round up!) -- of the ones it hits, most will not be web servers
  5 * D = 1             -- of the web servers, most will not be IIS
  1 * E = .5            -- of the IIS servers, some will be patched

So, based on my "phony" numbers, each infected machine has a 50/50 chance of going idle without infecting anybody, and then they only infect 1.

Unfortunately, some machines get luckier than that, and some others have various "bugs" which do not allow them to stop infecting. Last go around, I was helping a buddy who had IDS on 3 Class C networks. We had most "attackers" do a "double hit" and then we never heard from them again, for the most part. But there was this one IP that banged us every few minutes for the entire duration. We had over 700 probes from that single machine! (Code Red, random-style probes, hitting the same addresses over and over...)

One speculation was that, for instance, if the IIS execute account has had access to the C:\ root directory blocked, he can't write the file C:\NOWORM, and will therefore never stop spreading the attack???

These few "bugged" machines are the only ones that make the spread of the virus possible at all. With a more optimistic set of numbers, it's possible to come up with a scenario where each machine actually does infect 1 other. Work this equation with numbers closer to reality, and you will see about what we are seeing at "incidents.org" and "yale.edu". Yale is seeing between 50,000 and 55,000 attacks per hour (see http://www.incidents.org/diary/diary.php ). As is http://www.digitalisland.net/codered/ .

My bet is it stays linear forever from here, until we begin to make progress getting machines patched.
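The five-filter estimate in the post, turned into a small Python model. This is an added example, not code from the post or from the Snort project. It takes the post's own A..E values, treats each one as an independent filter that a random probe has to pass (so the fractions multiply), and reports the expected number of new infections per infected host; the IPv4 address-space size, the 100-probe budget and the mean-field generation-by-generation simulation are assumptions made here. The simulation also contrasts the post's two cases: hosts that go idle after their probe budget, and the "bugged" hosts that never stop scanning.

```python
"""Random-scanning worm model built from the post's five filter factors.

Added illustration, not code from the original post or from Snort. A..E are
the post's "picked from the air" values; the IPv4 address-space size, the
100-probe budget and the mean-field simulation are assumptions made here.
"""
import math
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32  # assumption: probes hit uniformly random IPv4 addresses


@dataclass(frozen=True)
class ScanModel:
    in_use: float         # A: fraction of possible addresses that are in use
    firewalled: float     # B: fraction of those behind a firewall blocking port 80
    web_server: float     # C: fraction of reachable hosts that are web servers
    iis: float            # D: fraction of web servers running IIS
    vulnerable: float     # E: fraction of IIS servers still exposed to the .IDQ overflow
    probes_per_host: int  # random addresses each infected host probes (assumed budget)

    def p_success(self) -> float:
        """Chance that one random probe lands on an infectable host.

        Each factor is an independent filter the probe must pass, so the
        fractions multiply; B is a fraction to exclude, hence (1 - B)."""
        return (self.in_use * (1.0 - self.firewalled) * self.web_server
                * self.iis * self.vulnerable)

    def r0(self) -> float:
        """Expected new infections per infected host (basic reproduction number).

        Below 1 each generation is smaller than the last; above 1 it grows."""
        return self.probes_per_host * self.p_success()

    def critical_probes(self) -> int:
        """Smallest per-host probe budget at which r0 reaches 1."""
        return math.ceil(1.0 / self.p_success())


# The post's values, as a ready-made instance.
POST_VALUES = ScanModel(in_use=0.55, firewalled=0.15, web_server=0.15,
                        iis=0.20, vulnerable=0.50, probes_per_host=100)


def simulate(model: ScanModel, generations: int = 10, seed_hosts: int = 1,
             hosts_stop_after_budget: bool = True,
             address_space: int = ADDRESS_SPACE) -> list[float]:
    """Mean-field spread in a finite population, one generation per probe round.

    Returns the expected number of NEW infections in each generation (index 0
    is the seed). The susceptible pool is the infectable fraction of the
    address space. A susceptible host escapes n uniformly random probes with
    probability (1 - 1/N)**n, so the expected number of new victims is
    S * (1 - (1 - 1/N)**n); log1p/expm1 keep that accurate for tiny 1/N.

    hosts_stop_after_budget=True is the post's assumption (a host goes idle
    after its probes); False models the "bugged" hosts that never stop."""
    susceptible = address_space * model.p_success() - seed_hosts
    active = float(seed_hosts)          # hosts scanning in this generation
    new_per_generation = [active]
    for _ in range(generations):
        n_probes = active * model.probes_per_host
        p_hit = -math.expm1(n_probes * math.log1p(-1.0 / address_space))
        new = susceptible * p_hit
        susceptible -= new
        new_per_generation.append(new)
        active = new if hosts_stop_after_budget else active + new
    return new_per_generation


if __name__ == "__main__":
    m = POST_VALUES
    print(f"per-probe success: {m.p_success():.6f}   R0 = {m.r0():.3f}   "
          f"probes per host needed for R0 >= 1: {m.critical_probes()}")
    for label, stop in (("hosts go idle after their probes", True),
                        ("hosts never stop scanning", False)):
        gens = simulate(m, generations=8, hosts_stop_after_budget=stop)
        print(f"{label}: " + " ".join(f"{g:.2f}" for g in gens))
```

The number to watch is `probes_per_host`: with the post's fractions, R0 scales linearly with it and crosses 1 at 143 probes per host, so the outcome hinges on how many addresses a victim really probes before it goes idle. The second simulation mode shows the other lever the post mentions: a host that never stops scanning keeps adding roughly 0.7 victims per generation, so the infected population grows every generation even though a single probe budget by itself is sub-critical.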