From: Ethan Phelps-Goodman (ethanpg@cs.washington.edu)
Date: Tue Nov 30 2004 - 18:13:03 PST
How To Own The Internet
Staniford et al.
This paper is divided into three components: an analysis of the spread of
several recent worms, a discussion of ways that worms could potentially be
made to spread far more rapidly, and a call for the creation of a Center for
Disease Control analogue for the Internet.
The worms analyzed are Code Red I, Code Red II, and Nimda, all released in
2001. They show that the spread of these worms closely matches existing
theoretical models of epidemics. Particularly interesting and dangerous is
the fact that the proportion of nodes infected over time depends only on the
rate of spread, not on the number of nodes in the network. It is this fact
that makes it theoretically possible for millions of machines to be
compromised in a matter of seconds.
The worms examined here reached saturation relatively quickly--a matter of
hours--but better worm design could lead to saturation in a matter of
seconds. Their first observation is that the exponential growth curve of the
infection means that a disproportionate amount of time is spent in the
initial stages of infection. If the virus writer can bootstrap the process
with a list of known vulnerable hosts (which appears reasonable in practice),
then the infection proceeds at a far higher rate. A second advance is to
target hosts using a random permutation of the address space rather than a
series of random points. A consistent permutation across infected hosts
means that the space will be completely explored, and resources won't be
wasted on already explored addresses. Combining an initial hit-list of
10,000 nodes with permutation scanning, their simulation decreased the
infection time by about a factor of 4, down to 15 minutes for 300,000 nodes.
Taking this a step further, they show that if an attacker can pre-scan the
entire Internet (which is feasible for a government or large organization),
then the worm can use a divide and conquer strategy to infect the entire
Internet in under a minute.
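The epidemic model the paper fits to the worm data, worked through as an added example (not code from the paper or the review): the infected fraction a(t) obeys da/dt = K*a*(1-a), whose closed form depends only on the rate K, and bootstrapping from a hit-list is just a larger starting fraction a0. The parameter values (K = 1.8 per hour, 300,000 vulnerable hosts, a 10,000-host hit-list) are illustrative choices, and the speed-up computed here isolates the hit-list effect alone, so it is smaller than the paper's combined hit-list plus permutation-scanning factor.

```python
"""Logistic epidemic model for worm spread (added example; parameters are illustrative)."""
import math


def infected_fraction(t, K, T):
    """Closed-form solution of da/dt = K*a*(1-a): a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).

    Note that the number of hosts N never appears: the curve is fixed by K and
    the time T at which half the population is infected.
    """
    x = math.exp(K * (t - T))
    return x / (1.0 + x)


def logit(a):
    """Inverse of the logistic curve; maps a fraction in (0,1) to K*(t-T)."""
    return math.log(a / (1.0 - a))


def time_between(a_start, a_end, K):
    """Time for the infected fraction to rise from a_start to a_end (independent of N)."""
    return (logit(a_end) - logit(a_start)) / K


def simulate(K, a0, dt=0.001, target=0.99, max_steps=10**7):
    """Forward-Euler integration of da/dt = K*a*(1-a) from fraction a0.

    Returns the elapsed time at which the infected fraction first reaches target;
    this cross-checks the closed form in time_between().
    """
    a, t, steps = a0, 0.0, 0
    while a < target and steps < max_steps:
        a += K * a * (1.0 - a) * dt
        t += dt
        steps += 1
    return t


def hitlist_speedup(N, hitlist_size, K, target=0.99):
    """Ratio of time-to-saturation from a single seed vs. from a hit-list of hitlist_size hosts."""
    t_single = time_between(1.0 / N, target, K)
    t_hitlist = time_between(hitlist_size / N, target, K)
    return t_single / t_hitlist


if __name__ == "__main__":
    K = 1.8  # illustrative compromise rate per hour
    print("1% -> 99% takes %.2f hours for any N" % time_between(0.01, 0.99, K))
    print("hit-list speed-up (N=300000, 10000 seeds): %.2fx" % hitlist_speedup(300_000, 10_000, K))
```

The first line printed shows why the detection window is so short: with K = 1.8 the bulk of the population is infected within about five hours of the worm becoming visible, whatever the population size.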
Finally, they call for a CDC-like body to monitor and protect against pathogens on the
Internet. The responsibilities would include detecting, analyzing and
fighting infections, and devising new protections for future threats. The
actual work they advocate is mainly the promotion of more research, and
the sharing of response information. These are both very important goals. It
isn't clear that a central body is the best way to achieve these goals.
Ethan