North American Network Operators Group

Re: Hard data on network impact of the "Code Red" worm?

  • From: Hank Nussbacher
  • Date: Tue Jul 31 01:44:20 2001

At 16:29 30/07/01 -0700, Sean Donelan wrote:

On Mon, 30 July 2001, Christian Kuhtz wrote:
> Your logic is flawed. If this was true, zombie networks would be largely
> ineffective. The current mutation is nothing more than an automated zombie
> distribution network, with all fun options of current zombie networks such as
> remote control, remote upgrades etc...
>
> You may want to read up on the details of this one, like the presentation at
> the bottom of http://www.digitalisland.net/codered/

If "code red" is nothing more than what we've been seeing for years,
why the special CNN reports every half-hour, and the joint press
conference with our fearless leaders today? What makes "code red"
so extraordinary it merits this special response, when previous
"zombie" networks didn't? I have a hard time seeing how "Code Red"
will ever live up to the advance hype on August 1. Is Don King
managing the pay-per-view for this event? Michelangelo Vs. Code Red.

In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each, would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.


Why don't we just have an annual, let's update your Microsoft software
patches day.  Every year the press can get on the bandwagon and
remind us about changing the batteries in our smoke detectors and
downloading the latest patches.

There are a lot of flawed systems out there.  Downloading a couple
of patches for "Code Red" isn't enough to protect your system from
all the other things.  I'm worried the joint press release is doing
a disservice if people have a false sense of security because they
protected themselves from "code red."

On the other hand, will Wednesday really be that much different from
any other Wednesday with the normal thousand DDOS attacks happening,
and normal spam, and normal e-mail/macro viruses, and normal zombies?

The Mafiaboy 100 zombies or recent IRC zombie-nets of 1800 zombies pale in comparison to 300K infected systems. IRC zombie-nets target cable modem and ADSL users. They typically can pump out 1Mb/sec of traffic. On the other hand, your typical web server is usually situated on much more bandwidth - typically FastEthernet. So targeting IIS servers is a sure way of maximizing your zombie power (the only more powerful worm would be an Apache zombie which has about 18M potential clients or a bind worm-zombie).


I think it's a bit premature to predict the end of the Internet on
August 1.

It won't happen this time, but the next time, we may not be so lucky.

-Hank