Hard data on network impact of the "Code Red" worm?

If "code red" is nothing more than what we've been seeing for years,
why the special CNN reports every half-hour, and the joint press
conference with our fearless leaders today? What makes "code red"
so extraordinary it merits this special response, when previous
"zombie" networks didn't? I have a hard time seeing how "Code Red"
will ever live up to the advance hype on August 1. Is Don King
managing the pay-per-view for this event? Michelangelo Vs. Code Red.

Why don't we just have an annual, let's update your Microsoft software
patches day. Every year the press can get on the bandwagon and
remind us about changing the batteries in our smoke detectors and
downloading the latest patches.

There are a lot of flawed systems out there. Downloading a couple
of patches for "Code Red" isn't enough to protect your system from
all the other things. I'm worried the joint press release is doing
a disservice if people have a false sense of security because they
protected themselves from "code red."

On the other hand, will Wednesday really be that much different from
any other Wednesday with the normal thousand DDOS attacks happening,
and normal spam, and normal e-mail/macro viruses, and normal zombies?

I think it's a bit premature to predict the end of the Internet on
August 1.

> Your logic is flawed. If this was true, zombie networks would be largely
> ineffective. The current mutation is nothing more than an automated zombie
> distribution network, with all fun options of current zombie networks such as
> remote control, remote upgrades etc...
>
> You may want to read up on the details of this one, like the presentation at
> the bottom of http://www.digitalisland.net/codered/

If "code red" is nothing more than what we've been seeing for years,
why the special CNN reports every half-hour, and the joint press
conference with our fearless leaders today?

I never said that the hype is justified.. Let's see here, commercial fear
mongering, gov't orgs fighting for funding, add your own favorite.

Besides, it's the summer hole, a monkey farting in the zoo gets front page
coverage.

What makes "code red"
so extraordinary it merits this special response, when previous
"zombie" networks didn't?

Zombie gatherings in the 100k's haven't been seen before, as far as I know. On
the upside, a simple reboot is all it takes to purge it.

I have a hard time seeing how "Code Red"
will ever live up to the advance hype on August 1. Is Don King
managing the pay-per-view for this event? Michelangelo Vs. Code Red.

Yup.

I think it's a bit premature to predict the end of the Internet on
August 1.

Oh, Sean, I think you have it all wrong. First, the riders of the apocalypse
will be riding thru your bedroom, then it'll hail fire and brimstone from
the heavens right in the middle of breakfast.. bla bla bla..

Hopefully, we won't see the activation of the entire or portions of this
zombie network with this massive hype. (I suppose, in a way, the hype may
just have achieved its goal).

The problem of massive amounts of systems in desperate need of competent
administration, which is what caused the problem in the first place, won't go
away. In fact, I'd guess it will probably only get worse. So, it'll be just
a matter of time before we see somebody do real damage (or maybe they already
are, just so sophisticated that they're hard to detect?).

Cheers,
Chris

> Your logic is flawed. If this was true, zombie networks would be largely
> ineffective. The current mutation is nothing more than an automated zombie
> distribution network, with all fun options of current zombie networks such as
> remote control, remote upgrades etc...
>
> You may want to read up on the details of this one, like the presentation at
> the bottom of http://www.digitalisland.net/codered/

If "code red" is nothing more than what we've been seeing for years,
why the special CNN reports every half-hour, and the joint press
conference with our fearless leaders today? What makes "code red"
so extraordinary it merits this special response, when previous
"zombie" networks didn't? I have a hard time seeing how "Code Red"
will ever live up to the advance hype on August 1. Is Don King
managing the pay-per-view for this event? Michelangelo Vs. Code Red.

In this case, IMO, the hype was warranted. If not for the 2 code errors in Code Red, this worm, using 300K zombies at 50Mb/sec each would have hit the Internet with about 15Tb/sec of aggregate traffic. The next time, we all won't be so lucky.

Why don't we just have an annual, let's update your Microsoft software
patches day. Every year the press can get on the bandwagon and
remind us about changing the batteries in our smoke detectors and
downloading the latest patches.

There are a lot of flawed systems out there. Downloading a couple
of patches for "Code Red" isn't enough to protect your system from
all the other things. I'm worried the joint press release is doing
a disservice if people have a false sense of security because they
protected themselves from "code red."

On the other hand, will Wednesday really be that much different from
any other Wednesday with the normal thousand DDOS attacks happening,
and normal spam, and normal e-mail/macro viruses, and normal zombies?

The Mafiaboy 100 zombies or recent IRC zombie-nets of 1800 zombies pale in comparison to 300K infected systems. IRC zombie-nets target cable modem and ADSL users. They typically can pump out 1Mb/sec of traffic. On the other hand, your typical web server is usually situated on much more bandwidth - typically FastEthernet. So targeting IIS servers is a sure way of maximizing your zombie power (the only more powerful worm would be an Apache zombie which has about 18M potential clients or a bind worm-zombie).

I think it's a bit premature to predict the end of the Internet on
August 1.

It won't happen this time, but the next time, we may not be so lucky.

-Hank

Umm.. Urp.

You think all those 300K zombies have 100baseT?

I don't think any of the 48 victims at our site had it.

In this case, IMO, the hype was warranted. If not for the 2 code errors
in Code Red, this worm, using 300K zombies at 50Mb/sec each would have
hit the Internet with about 15Tb/sec of aggregate traffic. The next
time, we all won't be so lucky.

So we get hit with another few Tb/sec attack. So what. Right now, traffic shouldn't even appear on the radar for most NSPs insofar as things to worry about. In fact, I'd go so far as to say that too much traffic is a problem most NSPs are "dying" to have, if I may be permitted a small bon-mot. Big NSPs got the big routers and the big pipes. The problem that most people really need to worry about are things that target the routers themselves. Those tend to fall over at the slightest provocation.

It won't happen this time, but the next time, we may not be so lucky.

As Chuck D would say

Troubles, not me, I don't mean to cause
But you took one look and began to pause
Didn't holler at the dollar we willin' to spend
But you took one look and wouldn't let our ass in

/vijay

The only two here that I know of were on 56k dialups...with about
26.4kbps worth of outbound each.

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am