Re: Hard data on network impact of the "Code Red" worm?
On Mon, 30 July 2001, Christian Kuhtz wrote:
> Your logic is flawed. If this was true, zombie networks would be largely ineffective. The current mutation is nothing more than an automated zombie distribution network, with all the fun options of current zombie networks such as remote control, remote upgrades etc...
>
> You may want to read up on the details of this one, like the presentation at the bottom of http://www.digitalisland.net/codered/

If "code red" is nothing more than what we've been seeing for years, why the special CNN reports every half-hour, and the joint press conference with our fearless leaders today? What makes "code red" so extraordinary it merits this special response, when previous "zombie" networks didn't?

I have a hard time seeing how "Code Red" will ever live up to the advance hype on August 1. Is Don King managing the pay-per-view for this event? Michelangelo vs. Code Red.

Why don't we just have an annual "let's update your Microsoft software patches" day? Every year the press can get on the bandwagon and remind us about changing the batteries in our smoke detectors and downloading the latest patches.

There are a lot of flawed systems out there. Downloading a couple of patches for "Code Red" isn't enough to protect your system from all the other things. I'm worried the joint press release is doing a disservice if people have a false sense of security because they protected themselves from "code red."

On the other hand, will Wednesday really be that much different from any other Wednesday, with the normal thousand DDoS attacks happening, and normal spam, and normal e-mail/macro viruses, and normal zombies? I think it's a bit premature to predict the end of the Internet on August 1.
On Mon, Jul 30, 2001 at 04:29:53PM -0700, Sean Donelan wrote:
> On Mon, 30 July 2001, Christian Kuhtz wrote:
> > Your logic is flawed. If this was true, zombie networks would be largely ineffective. The current mutation is nothing more than an automated zombie distribution network, with all the fun options of current zombie networks such as remote control, remote upgrades etc...
> >
> > You may want to read up on the details of this one, like the presentation at the bottom of http://www.digitalisland.net/codered/
>
> If "code red" is nothing more than what we've been seeing for years, why the special CNN reports every half-hour, and the joint press conference with our fearless leaders today?

I never said that the hype is justified.. Let's see here: commercial fear mongering, gov't orgs fighting for funding, add your own favorite. Besides, it's the summer hole; a monkey farting in the zoo gets front page coverage.

> What makes "code red" so extraordinary it merits this special response, when previous "zombie" networks didn't?

Zombie gatherings in the 100k's haven't been seen before, as far as I know. On the upside, a simple reboot is all it takes to purge it.

> I have a hard time seeing how "Code Red" will ever live up to the advance hype on August 1. Is Don King managing the pay-per-view for this event? Michelangelo vs. Code Red.

Yup.

> I think it's a bit premature to predict the end of the Internet on August 1.

Oh, Sean, I think you have it all wrong. First, the riders of the apocalypse will be riding through your bedroom, then it'll hail fire and brimstone from the heavens right in the middle of breakfast.. bla bla bla..

Hopefully, we won't see the activation of the entire zombie network, or portions of it, with this massive hype. (I suppose, in a way, the hype may just have achieved its goal.)

The problem of massive amounts of systems in desperate need of competent administration, which is what caused the problem in the first place, won't go away. In fact, I'd guess it will probably only get worse. So, it'll be just a matter of time before we see somebody do real damage (or maybe they already are, just so sophisticated that they're hard to detect?).

Cheers,
Chris

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
At 16:29 30/07/01 -0700, Sean Donelan wrote:
> On Mon, 30 July 2001, Christian Kuhtz wrote:
> > Your logic is flawed. If this was true, zombie networks would be largely ineffective. The current mutation is nothing more than an automated zombie distribution network, with all the fun options of current zombie networks such as remote control, remote upgrades etc...
> >
> > You may want to read up on the details of this one, like the presentation at the bottom of http://www.digitalisland.net/codered/
>
> If "code red" is nothing more than what we've been seeing for years, why the special CNN reports every half-hour, and the joint press conference with our fearless leaders today? What makes "code red" so extraordinary it merits this special response, when previous "zombie" networks didn't? I have a hard time seeing how "Code Red" will ever live up to the advance hype on August 1. Is Don King managing the pay-per-view for this event? Michelangelo vs. Code Red.

In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each, would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.

> Why don't we just have an annual "let's update your Microsoft software patches" day? Every year the press can get on the bandwagon and remind us about changing the batteries in our smoke detectors and downloading the latest patches.
>
> There are a lot of flawed systems out there. Downloading a couple of patches for "Code Red" isn't enough to protect your system from all the other things. I'm worried the joint press release is doing a disservice if people have a false sense of security because they protected themselves from "code red."
>
> On the other hand, will Wednesday really be that much different from any other Wednesday, with the normal thousand DDoS attacks happening, and normal spam, and normal e-mail/macro viruses, and normal zombies?

The Mafiaboy 100 zombies or recent IRC zombie-nets of 1800 zombies pale in comparison to 300K infected systems. IRC zombie-nets target cable modem and ADSL users. They typically can pump out 1Mb/sec of traffic. On the other hand, your typical web server is usually situated on much more bandwidth - typically FastEthernet. So targeting IIS servers is a sure way of maximizing your zombie power (the only more powerful worm would be an Apache zombie, which has about 18M potential clients, or a bind worm-zombie).

> I think it's a bit premature to predict the end of the Internet on August 1.

It won't happen this time, but the next time, we may not be so lucky.

-Hank
On Tue, 31 Jul 2001 08:40:48 +0200, Hank Nussbacher said:
> In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each, would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.

Umm.. Urp. You think all those 300K zombies have 100baseT? I don't think any of the 48 victims at our site had it.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Tue, 31 Jul 2001 Valdis.Kletnieks@vt.edu wrote:
> On Tue, 31 Jul 2001 08:40:48 +0200, Hank Nussbacher said:
> > In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each, would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.
>
> Umm.. Urp.
> You think all those 300K zombies have 100baseT?
> I don't think any of the 48 victims at our site had it.

The only two here that I know of were on 56k dial-ups... with about 26.4kbps worth of outbound each.

James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
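The disagreement above (Hank's 300K zombies at 50 Mb/sec each, versus Valdis and James pointing out that the infected hosts they saw sat on 56k dial-up) comes down to what you assume about the uplink of each infected host. The following is an added worked example, not code from this thread or from any of its posters: it computes Hank's uniform estimate and an alternative estimate over a mix of link classes, then reports which class dominates the aggregate. The population split (60% dial-up, 35% cable/ADSL, 5% FastEthernet) is a constructed assumption for illustration; the per-host speeds are the figures quoted in the thread.

```python
# Added example, not code from the NANOG thread. It works through the two
# capacity estimates argued over above: Hank's uniform "300K zombies at
# 50 Mb/sec each" figure, and the objection that most infected hosts sat on
# far slower links. Every fraction and link speed below is a constructed
# assumption drawn from numbers quoted in the thread, not a measurement.

from dataclasses import dataclass


@dataclass(frozen=True)
class LinkClass:
    """One population of infected hosts sharing an assumed uplink speed."""
    name: str
    fraction: float    # share of the infected population on this link type
    uplink_bps: float  # usable outbound bandwidth per host, in bits/second


def uniform_estimate(hosts: int, per_host_bps: float) -> float:
    """Aggregate outbound capacity if every host saturates the same uplink."""
    return hosts * per_host_bps


def mixed_estimate(hosts: int, classes: list[LinkClass]) -> float:
    """Aggregate outbound capacity for a population spread across link classes."""
    total_fraction = sum(c.fraction for c in classes)
    if abs(total_fraction - 1.0) > 1e-9:
        raise ValueError(f"link-class fractions must sum to 1, got {total_fraction}")
    return sum(hosts * c.fraction * c.uplink_bps for c in classes)


def share_by_class(hosts: int, classes: list[LinkClass]) -> dict[str, float]:
    """Fraction of the aggregate contributed by each link class."""
    total = mixed_estimate(hosts, classes)
    return {c.name: hosts * c.fraction * c.uplink_bps / total for c in classes}


def to_tbps(bps: float) -> float:
    """Convert bits/second to terabits/second."""
    return bps / 1e12


# Constructed scenario built from figures quoted in the thread.
HOSTS = 300_000            # Hank's zombie count
FAST_ETHERNET_BPS = 50e6   # Hank: 50 Mb/sec usable from a FastEthernet-attached server
CABLE_ADSL_BPS = 1e6       # Hank: about 1 Mb/sec from a cable/ADSL zombie
DIALUP_BPS = 26.4e3        # James: 26.4 kbps outbound on a 56k dial-up

# The population split is an assumption for illustration; the thread gives no survey.
ASSUMED_MIX = [
    LinkClass("dial-up", 0.60, DIALUP_BPS),
    LinkClass("cable/ADSL", 0.35, CABLE_ADSL_BPS),
    LinkClass("FastEthernet", 0.05, FAST_ETHERNET_BPS),
]


if __name__ == "__main__":
    uniform = to_tbps(uniform_estimate(HOSTS, FAST_ETHERNET_BPS))
    mixed = to_tbps(mixed_estimate(HOSTS, ASSUMED_MIX))
    print(f"uniform 50 Mb/s model:      {uniform:6.2f} Tb/s")
    print(f"assumed mixed-uplink model: {mixed:6.2f} Tb/s")
    for name, share in share_by_class(HOSTS, ASSUMED_MIX).items():
        print(f"  {name:<13} {share:6.1%} of aggregate")
```

Under the uniform model the script reproduces Hank's 15 Tb/s. Under the assumed mix it comes out near 0.86 Tb/s, and the 5% of hosts on FastEthernet account for roughly 87% of that, while the dial-up majority contributes well under 1%. That is the quantitative form of both sides of the argument: the headline figure is very sensitive to the uplink assumption, and the well-connected minority (the IIS servers Hank mentions) is what determines the aggregate.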
--On Tuesday, July 31, 2001 08:40 +0200 Hank Nussbacher <hank@att.net.il> wrote:
> In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each, would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.

So we get hit with another few Tb/sec attack. So what. Right now, traffic shouldn't even appear on the radar for most NSPs insofar as things to worry about. In fact, I'd go so far as to say that too much traffic is a problem most NSPs are "dying" to have, if I may be permitted a small bon mot. Big NSPs got the big routers and the big pipes. The problem that most people really need to worry about is things that target the routers themselves. Those tend to fall over at the slightest provocation.

> It won't happen this time, but the next time, we may not be so lucky.

As Chuck D would say:

Troubles, not me, I don't mean to cause
But you took one look and began to pause
Didn't holler at the dollar we willin' to spend
But you took one look and wouldn't let our ass in

/vijay