Re: Hard data on network impact of the "Code Red" worm?
In-Reply-To: <20010730111612.2308.cpmta@c011.sfo.cp.net>; from sean@donelan.com on Mon, Jul 30, 2001 at 04:16:12AM -0700 As several government agencies gear up today to get additional funding, what hard data about the impact of the code read worm on the Internet exists? CAIDA posted some data about the speed of infection. But I was looking at overall Internet performance during the time period. actually we did see some difference in macroscopic performance from the skitter topology data, we're still writing that up but are a little more concerned with tracking the patching of systems at the moment (any grad students free, there are a few theses lurking in this data...) The worm tended to revisit the same systems over, and over again, so I would agree those people may have been severely affected. But 350,000 hosts isn't that big of a number any more. The Morris Internet Worm infected an estimated 10% of the internet hosts of the day. What do you think had more world-wide impact on the Internet? 1. The train accident in Baltimore 2. The "code red" worm am a little more concerned about the latter since i don't think the train accident is programmed to recur this tuesday, and the survey i mentioned caida is doing suggests that the patch rate is as slow as we feared so, 1 aug midnite GMT (tomorrow 17:00 in california), codered goes back into 'spread' mode. within a few hours, we'll have 100,000-300,000 globally infected machines again. and presumably they won't stop at the end of the day to start phase two this time. (remember CRv2 only had a day before it went into phase two the first time) the peak of infection will not hit until after normal business hours (in the US). note that even if you've patched, it may affect you (printers, routers, web load balancers, dsl modems, general 0.5-1.5 Tbps bandwidth that will be consumed, etc). do operators have some contigency plans? if everyone fiercely encouraging their customers to patch? do operators have an AUP that would allow them to filter port 80 (in this case) to hosts that are verified to be vulnerable? (mixed strategy since then that machine can't download the patch...) do you (nanog) want caida to provide a web page of stats of patched/unpatched systems by AS? in particular we find a LOT of unpatched systems behind cable modem providers (home.com, rr.com)... we don't really have time to email each AS poc individually... but we don't want to upset the community either. http://worm-security-survey.caida.org/ also, we do expect that someone is writing a strain of it that will actually do 'g.c.f.' damage, yes? scary. really scary. k
scary. really scary. k
As usual k, understated simplicity!
do you (nanog) want caida to provide a web page of stats of patched/unpatched systems by AS?
CAIDA is an excellent place (i.e. not part of commercial infrastructure operators, not part of server writing organization, and well respected observer of the general state of the net) to conduct this study and maintain a useful page of data on this. YES, GO FOR IT NOW! ..mike..
participants (2)
-
k claffy
-
Mike Trest