From: Tom Christiansen (tomchr@ee.washington.edu)
Date: Wed Dec 01 2004 - 00:03:02 PST
This is an odd paper. It starts out as a measurement paper where the
propagation time for different worms is shown and modeled. Then it
continues on about how to improve worms to make them spread faster... (!!)
Finally, the authors suggest forming a world-wide network of national
"centers for disease control" to identify new virus/worm outbreaks,
analyzing their behavior, and providing data and/or algorithms to limit the
impact of future viruses/worms.
It is fairly obvious that by using a worm to gain control of vulnerable
network hosts, one can hijack the Internet. Examples of such hijackings
range from distributed denial of service attacks to breaking into and
searching personal and corporate computers for passwords, credit card
information, etc.
Based on data collected during recent releases of the Code Red and Nimda
worms, analytical models for the propagation time were developed.
Simulations show the worms spreading from 0 % infected hosts to near 100 %
of vulnerable hosts infected on a time scale on the order of half a day.
This is interesting to note as this means manufacturers of anti-virus/worm
software have roughly 8-12 hours from the initial release of the worm to
update their anti-virus/worm profiles. - In addition, users of the
anti-virus software should check for new updates several times per day in
order to get full protection against virus/worm attacks. This shows the
importance of keeping your OS patched and your anti-virus software
up-to-date. It also shows the near impossible task of ensuring network
security against worms/viruses. I suspect many users aren't even aware that
their software should be updated on a regular basis.
I find the second part of the article kind of provocative. "How to improve
your worms in three easy steps..." As worms typically propagate
exponentially they will spread like wildfire once they have spread onto a
large enough number of machines. According to the simulations in the
article, it takes roughly 8-10 hours for the worm to spread onto 10,000
hosts. But from there to 500,000 hosts takes about 2-3 hours. This,
obviously, is horribly inefficient, so the authors suggest some other
schemes to bring the incubation time down to 15-30 minutes. This is done
through different scanning methods to find vulnerable hosts and a divide
and conquer scheme. Another method suggested is that rather than selecting
hosts to attack randomly during the propagation phase of the worm, a list
of vulnerable hosts could be made ahead of time via a port scan. Using a
fast Internet connection (and some optimistic, unstated assumptions about
available network bandwidth, zero latency, no routing delay, etc.) the
authors claim to be able to scan the entire Internet address space in a few
hours. This list of hosts to exploit is then used in a flash worm attack.
What a concept... ;-)
The article concludes with a nice, lofty goal: Let's establish a cyber
center for disease control. It works in biology so it must work in cyber
space... The idea is to have a central, national agency who identifies new
worms, comes up with an antidote, and more importantly, tries to anticipate
new strands of the same worm as well as new worms in general. This is not a
bad idea at all. However, the authors conveniently avoid the discussion
about who should pay for this, the political issues involved with
establishing such a center, etc.
A different, maybe more realistic approach would be to focus on limiting
the effect of a worm infection rather than to focus entirely on how to
prevent the worm from getting into the network. Yet another approach would
be to focus on improving software/OS security. It's somewhat shocking with
the mention of a back door in KaZaA.
From the amount of worms spread over the recent years it seems fairly
apparent that the effects of having more private users on broadband
connections make it much easier to spread a worm. As mentioned in the
article: More bandwidth is better...
The moral of this article is: Install a firewall. Keep it updated. Use
anti-virus software. Keep it updated. Keep your OS updated.
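The propagation model the post refers to (a random-scanning worm whose infected fraction follows the logistic curve: slow onset, then saturation near 100% of vulnerable hosts within hours) as an added Python example; this is not code from the message or from the paper it reviews. The contact rate K and the vulnerable population size are constructed values, chosen only so that the timescales land in the range the post quotes; the `response_window` helper is a defender's view of the same curve, showing how little time passes between an outbreak becoming visible and it being too widespread to contain.

```python
import math

# Constructed parameters (not from the paper or the post): K is the
# per-hour contact rate of a random-scanning worm, N the number of
# vulnerable hosts.  Fitted values for Code Red were of this order.
K_PER_HOUR = 1.8
N_VULNERABLE = 500_000


def infected_fraction(t, k=K_PER_HOUR, a0=1.0 / N_VULNERABLE):
    """Closed-form solution of the random-scanning worm model
    da/dt = k * a * (1 - a), starting from fraction a0 at hour 0."""
    g = a0 * math.exp(k * t)
    return g / (1.0 - a0 + g)


def hours_until(fraction, k=K_PER_HOUR, a0=1.0 / N_VULNERABLE):
    """Invert the logistic curve: hours until `fraction` of the
    vulnerable population is infected."""
    return math.log(fraction * (1.0 - a0) / (a0 * (1.0 - fraction))) / k


def simulate(k=K_PER_HOUR, n=N_VULNERABLE, dt=0.01, until=24.0):
    """Euler integration of the same model, returning (hour, infected_hosts)
    pairs; a cross-check for the closed form and a place to try other
    scan rates or population sizes."""
    a, t, trace = 1.0 / n, 0.0, []
    while t <= until:
        trace.append((t, a * n))
        a += k * a * (1.0 - a) * dt
        t += dt
    return trace


def response_window(detect_fraction, contain_fraction, k=K_PER_HOUR):
    """Hours a defender has between the outbreak becoming visible
    (detect_fraction infected) and containment being moot
    (contain_fraction infected)."""
    return hours_until(contain_fraction, k) - hours_until(detect_fraction, k)


if __name__ == "__main__":
    t_10k = hours_until(10_000 / N_VULNERABLE)
    t_99 = hours_until(0.99)
    print(f"10,000 hosts after {t_10k:.1f} h; 99% after {t_99:.1f} h "
          f"({t_99 - t_10k:.1f} h between them)")
    print(f"window from 0.1% visible to 50% infected: "
          f"{response_window(0.001, 0.5):.1f} h")
```

Note that the second leg of the curve (2% to 99% of vulnerable hosts) is shorter than the first (one host to 2%), which is the nonlinearity the post remarks on.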
This archive was generated by hypermail 2.1.6 : Wed Dec 01 2004 - 00:03:15 PST