From: Andrew Putnam (aputnam@cs.washington.edu)
Date: Thu Nov 25 2004 - 12:52:17 PST

How to 0wn the Internet in Your Spare Time
Stuart Staniford, Vern Paxson, and Nicholas Weaver

Summary: This paper examines some of the mechanisms by which recent
worms have spread over the Internet, as well as a number of mechanisms
that could potentially be used to increase the speed, efficiency, and
stealth of future worms. The authors recommend the establishment of a
national-level center for protecting the Internet from the threats
posed by malicious code.

The authors show how worms could infect an enormous number of
machines in a very short time span, possibly as short as 15 minutes.
The authors assume that this has not already been done, but I question
whether anyone would have noticed had this been done before.
Using the current detection techniques, which generally involve people
e-mailing each other and saying "Do you guys see this weird traffic
pattern?", it is unlikely that we would know whether or not this attack
has already occurred. There could already be worms on the Internet that
have propagated as quickly as the authors describe and we simply never
found them, especially if the worms targeted computers that are not
heavily monitored. This illustrates the need for the security community
to address the problem of detecting unwanted programs installed by
worms as well as simply stopping worm propagation.

An interesting statistic derived from the paper is that
nearly 40% of the systems vulnerable to Code Red I v2 were still vulnerable
one month later when the second outbreak occurred. Since Code Red
exploited a security vulnerability in Microsoft IIS, the vulnerable
systems tend not to be home systems with unknowledgeable users, but
systems with lackadaisical system administrators. This further
illustrates the inadequacy of current techniques for dealing with
worms.

One very interesting observation the authors make is the potential
for rapid distribution of worms through P2P networks. The authors
identify a number of factors inherent in P2P networks that
allow them to spread worms rapidly. With such potential for malicious
code distribution, P2P protocols need to incorporate security measures
to prevent, or at least mitigate, these attacks.

While the frequent references to the terrorism threats posed by
worms are overstated (perhaps because this is DARPA-funded work), the authors
correctly point out both the breadth and severity of the problems that
worms cause and can potentially cause. More importantly, the authors
illustrate that our current mechanisms for dealing with such a serious
threat are grossly inadequate. In particular, the human-dependent
detection mechanisms are far too slow to counter near-term threats.
Even worse, the authors point out that the detection mechanism, the
security mailing list, is itself vulnerable to malicious behavior.
Whether or not their suggestion for an Internet-CDC is the best path,
the authors make it clear that the current mechanism for dealing with
these threats is inadequate and must be addressed.

One shortfall of the paper is the mathematical model used to
"predict" the worm behavior. While the mathematical model for worm
propagation accurately fits the observed data, it does so by
adjusting the two "constants" in the model to achieve the best fit. For
the authors' simplified model, the seemingly random choice of constant
values provides little insight into the behavior of the worm and how that
behavior would differ in a different environment. For example, the
initial outbreak of the Code Red I v2 worm fits the curve with
K=1.8 and T=11.9. The re-emergence of Code Red a month later has K=0.7
and an obviously different T value. Since this is the same worm, a
"constant" value should not change if the model is to have any predictive
value. Instead, the variables that changed between the first and the
second outbreaks (such as the number of vulnerable systems) should be
factored out of K and made their own variables. That way, we could
actually make predictions with the model about how the worm would
have behaved in a different environment. As is, we can only dumbly
adjust constants until we get a pretty graph.

The authors also make an oversight in assessing the possibility of
combining some of the virus distribution techniques. Multi-vector worms
such as Nimda cannot use permutation scanning to coordinate attacks
since the machine could have been infected by methods other than an
infected machine finding that machine through IP address scanning. Some
of the virus distribution techniques cannot be mixed, so it may not be
necessary to have techniques for countering all of these methods
simultaneously.

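The following is an added example and is not code from the paper or from the post above. It implements the Random Constant Spread logistic curve the paper fits, a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), and then does what the post suggests: it rewrites K as (per-host scan rate) x N / 2^32 so that the vulnerable population N is its own variable, and uses that to predict the K of a re-release against the shrunken population. The decomposition of K is the standard derivation for a scanner that picks IPv4 targets uniformly at random and is an assumption here, as is the constructed N = 360,000; K = 1.8, T = 11.9, the observed K = 0.7 and the 40% figure are the values quoted in the post.

```python
"""Random Constant Spread (RCS) worm model with K factored into its parts.

Added example; not from the paper or the post.  The K = r * N / 2^32
decomposition is the usual uniform-random-scanner derivation and is an
assumption here, as is N_FIRST = 360000 (a constructed input).
"""
import math

IPV4_ADDRESSES = 2.0 ** 32      # a random scanner draws targets uniformly from this
SECONDS_PER_HOUR = 3600.0       # the fitted K is in units of 1/hour


def infected_fraction(t, K, T):
    """Fraction of vulnerable hosts infected at time t (hours): RCS solution."""
    x = K * (t - T)
    if x >= 0:                  # numerically stable logistic in both tails
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def compromise_rate(vulnerable_hosts, scans_per_sec):
    """K (1/hour) for a uniform random scanner (assumed derivation).

    Each infected host probes scans_per_sec addresses per second, and a
    fraction N / 2^32 of those land on vulnerable hosts, so the per-host
    compromise rate is r * N / 2^32, converted to per-hour units.
    """
    return scans_per_sec * SECONDS_PER_HOUR * vulnerable_hosts / IPV4_ADDRESSES


def scans_per_sec_for(K, vulnerable_hosts):
    """Invert compromise_rate: the per-host scan rate implied by a fitted K."""
    return K * IPV4_ADDRESSES / (vulnerable_hosts * SECONDS_PER_HOUR)


def predicted_K(K_fitted, vulnerable_fraction_remaining):
    """K for a re-release of the same worm against a shrunken population.

    With the scan rate and address space unchanged, K is linear in N, so
    only N changes.  This is the 'factor N out of K' idea from the post.
    """
    return K_fitted * vulnerable_fraction_remaining


def hours_from_midpoint(fraction, K):
    """Hours relative to T at which the infected fraction reaches `fraction`."""
    return math.log(fraction / (1.0 - fraction)) / K


def outbreak_table(K, T, hours):
    """Infected fraction at each hour in `hours`, rounded for display."""
    return [(h, round(infected_fraction(h, K, T), 3)) for h in hours]


if __name__ == "__main__":
    N_FIRST = 360_000                  # constructed: vulnerable IIS hosts, first outbreak
    K_FIRST, T_FIRST = 1.8, 11.9       # the fit quoted in the post
    r = scans_per_sec_for(K_FIRST, N_FIRST)
    print(f"K={K_FIRST}/h with N={N_FIRST} implies {r:.1f} scans/s per infected host")

    # Re-emergence: 40% of the population still vulnerable (figure quoted in the post).
    K_SECOND = predicted_K(K_FIRST, 0.40)
    print(f"same worm, 40% of N still vulnerable -> predicted K={K_SECOND:.2f}/h "
          f"(post reports an observed fit of K=0.7)")

    # T only shifts the curve horizontally; reuse T_FIRST to compare the shapes.
    for label, K in (("first", K_FIRST), ("second", K_SECOND)):
        t90 = T_FIRST + hours_from_midpoint(0.9, K)
        print(f"{label}: 90% infected at t={t90:.1f} h;",
              outbreak_table(K, T_FIRST, range(0, 25, 4)))
```

Running it prints a predicted second-outbreak K of 0.72/h from the 40% figure alone, next to the 0.7 that the post says was obtained by re-fitting; the point is that once N is explicit, the second value is a prediction rather than a new fit.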
This archive was generated by hypermail 2.1.6 : Thu Nov 25 2004 - 12:52:24 PST