From: Michael J Cafarella (mjc@cs.washington.edu)
Date: Wed Dec 01 2004 - 02:27:12 PST
How to 0wn the Internet in Your Spare Time
By Staniford, Paxson, and Weaver
Review by Michael Cafarella
CSE561
December 1, 2004
The authors present data from recent worm attacks, along with modelling
and analysis of the worms' spread. Finally, they discuss various worm
tactics, and the potentially very dire consequences of a concerted worm
attack that uses those tactics.
The two Code Red worms and the Nimda worm all spread by exploiting known IIS
and Windows vulnerabilities. After infecting a machine, each generates random
IP addresses in its search for new targets. Nimda also uses other vectors,
such as mailing itself to any addresses it finds on infected computers. The
first Code Red worm goes dormant at the end of each month and wakes up on the
first of the next to infect more machines. Code Red II, in addition, prefers
addresses close to the infected host (the same /8 or /16 block) before
attacking randomly generated targets.
The authors show that the growth curve depends largely on a single parameter:
the initial compromise rate, i.e. the number of new hosts one infected machine
can compromise per unit time. Random scanning yields logistic (S-shaped)
growth, and when this rate is high the slow-start phase is short and large
numbers of machines are infected very rapidly.
Beyond the innovations made by Code Red II and Nimda, future worms might:
-- Use hit-list scanning: collect a list of known-vulnerable hosts before the
   worm is launched and infect those first. Starting from a pre-scanned list
   of targets lets the worm skip most of its early slow-growth period.
-- Use permutation scanning, a coordinated way for different worm instances
   to scan disjoint parts of the address space, avoiding wasted reinfection
   attempts.
-- Use topological scanning, which mines information stored on the infected
   host (email address books, peer lists, and the like) to find likely
   victims.
-- Precompute a massive list of every known host that is susceptible to
   infection (a "flash worm"). This way, infection attempts never have to be
   wasted on random targets. Building such a list is a hard task, but well
   within the powers of a nation or large terrorist group.
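To make the growth model and the scanning strategies above concrete, here is a
small simulation added to this review; it is not code from the paper or its
authors. It assumes a toy Internet of 2^14 addresses with 1,024 vulnerable
hosts, one time step in which every infected host sends four probes, and an
exploit that always succeeds. It compares plain random scanning against the
paper's logistic model, a hit-list start (modelled simply as 128 hosts
compromised at t=0), and permutation scanning (one shared pseudorandom scan
order, restart on meeting an already-infected host). All of those parameters
are assumptions chosen for the example.

```python
"""Toy simulation of the worm-spread strategies the paper analyses.

Constructed example written for this review; it is not code from
Staniford, Paxson and Weaver.  Every parameter is an assumption: a
2^14-address toy Internet, 1,024 vulnerable hosts, one time step in
which each infected host sends SCAN_RATE probes, and an exploit that
always succeeds against a vulnerable host.
"""
import math
import random

SPACE = 1 << 14      # toy address space
VULNERABLE = 1024    # hosts that can be infected
SCAN_RATE = 4        # probes per infected host per time step

# Initial compromise rate K from the paper's random-scanning model:
# each probe finds a vulnerable host with probability VULNERABLE/SPACE.
K = SCAN_RATE * VULNERABLE / SPACE


def model_time_to(fraction, initial=1):
    """Time at which the logistic model a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})
    reaches `fraction` of the vulnerable hosts, with `initial` infected at t=0."""
    a0 = initial / VULNERABLE
    half_time = math.log((1 - a0) / a0) / K      # T, the 50% point
    return half_time + math.log(fraction / (1 - fraction)) / K


def simulate(strategy="random", hitlist=1, seed=1, max_steps=5000):
    """Run one outbreak and return the infected count after each time step.

    strategy "random":      every probe targets a uniform random address.
    strategy "permutation": all instances share one pseudorandom permutation
                            of the address space; each walks it from a random
                            start and jumps to a new random start whenever it
                            meets an already-infected host.
    hitlist: number of vulnerable hosts compromised at t=0.  A value > 1 models
             the hit-list idea (the pre-scanned targets are assumed to fall
             instantly, so the worm starts from that many hosts).
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(SPACE), VULNERABLE))
    infected = set(rng.sample(sorted(vulnerable), hitlist))
    perm = list(range(SPACE))
    rng.shuffle(perm)                           # shared scan order
    cursor = {h: rng.randrange(SPACE) for h in infected}
    history, reinfections = [len(infected)], 0
    for _step in range(max_steps):
        if len(infected) == VULNERABLE:
            break
        newly = set()
        for host in list(infected):
            for _ in range(SCAN_RATE):
                if strategy == "random":
                    target = rng.randrange(SPACE)
                else:
                    target = perm[cursor[host]]
                    cursor[host] = (cursor[host] + 1) % SPACE
                if target not in vulnerable:
                    continue                    # probe hit nothing exploitable
                if target in infected or target in newly:
                    reinfections += 1
                    if strategy == "permutation":
                        cursor[host] = rng.randrange(SPACE)   # restart elsewhere
                else:
                    newly.add(target)
        for h in newly:
            cursor[h] = rng.randrange(SPACE)
        infected |= newly
        history.append(len(infected))
    return {"history": history, "reinfection_attempts": reinfections}


def steps_to(history, fraction):
    """First time step at which at least `fraction` of vulnerable hosts are infected."""
    for t, n in enumerate(history):
        if n >= fraction * VULNERABLE:
            return t
    return None


if __name__ == "__main__":
    runs = [("random scan", dict()),
            ("hit-list of 128", dict(hitlist=128)),
            ("permutation scan", dict(strategy="permutation"))]
    for name, kw in runs:
        r = simulate(**kw)
        print(f"{name:17s} 50% at step {steps_to(r['history'], 0.5):3d}, "
              f"all infected at step {len(r['history']) - 1:3d}, "
              f"{r['reinfection_attempts']} probes hit infected hosts")
    print(f"logistic model: 50% at t = {model_time_to(0.5):.1f}, "
          f"with a 128-host hit-list at t = {model_time_to(0.5, 128):.1f}")
```

With these parameters K = 0.25 per step, so the logistic model puts the 50%
point near t = 28 for a single seed host and near t = 8 when 128 hosts are
compromised up front; the random-scan run lands close to the model, and the
hit-list run shows how the slow-start phase collapses. The permutation walk is
the simple "restart on an infected host" variant from the paper, not the
divide-the-list refinement.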
I like this paper, because it succeeds wildly in painting a dramatic
doomsday scenario. I don't mean to imply that the authors are
exaggerating the threat; the paper is helpful because it analyzes the
problem with a good amount of rigor.
I might have liked more analysis of the various worm techniques. The models
for the various worm add-ons don't really seem all that complicated to me.
Further, I would have cut down the discussion of the suggested computer CDC.
It seems like a good idea given the paper's conclusions, but there's not
enough room to give a proper in-depth discussion. The CDC pages feel tacked-on.
They are far too casual about what should be a serious policy
discussion.