North American Network Operators Group

Re: Internet vulnerabilities

  • From: Sandy Harris
  • Date: Thu Jul 04 19:37:06 2002

Phil Rosenthal wrote:

> Also, say someone from a moderately fast internet connection (OC-3) ran
> nmap across the entire internet on ports like 21,22,53,80,443,3306.  In
> one day, they can probably have a list of every server answering those
> ports, and the versions of the daemons on them.

Given the ability (which anyone can have with a few downloaded scripts)
to subvert poorly secured machines on cable or DSL links and make them
do the work, you could do this without a fast connection, and without
being obvious enough to raise major alarms from intrusion detection
systems. It might take a few weeks or even months.

For some types of target, you may not even need nmap. Look at MX
records, or at mail headers, to find mail servers, at news headers
to find Usenet servers. Use a web crawler, or an existing index, to
find web and FTP servers. Or write a little program that searches the
DNS for names with leftmost element ftp, mail, pop, smtp, www, ns,
dns, ... These won't get you a full list, but perhaps enough.
 
> Next, just wait for a wide enough exploit to come out, and then write a
> Trojan that has a list of every other server vulnerable,

You don't need them all, just a few 1000 with good net connections to get
things rolling. Once you have those infected, it doesn't matter if your
method of spreading further is inefficient; you'll get everything anyway.

Also, you may not need a new exploit. Many systems are not patched 
against the old ones, and it is certainly possible to try multiple
exploits in a single worm. 

> and on every hack, it splits the list in 2, and roots another box and
> gives it the 2nd half of the list.

Better, give it the whole list and have each instance start at a random
point in the list. That way, even if some instances are caught and
killed, you still get the whole list.
 
> I estimate that with a wide enough exploit (eg apache or openssh), you
> could probably compromise 20% of the servers on the net within 1 hour,

For better estimates and detailed discussion of worm design, see:
http://www.cs.berkeley.edu/~nweaver/warhol.html

> and then have them all begin a ping flood of something "far away"
> network wise (meaning a box in NYC would flood a box in SJC, a box in
> SJC would flood a box in Japan, etc... Trying to have as much bit
> distance as possible).

Why futz with a ping flood? If the objective is to take down the net,
you want to attack infrastructure -- nameservers, routers, ... 

From that viewpoint, the ideal worm would use whatever it needed to
become widespread, but would switch attacks once it had spread, trying
for known holes in things like BIND or IOS, or just flooding the root
name servers.

> Damn scary, but I believe if someone was determined enough, they could
> take down the whole 'net within one hour of pressing "enter".