Forwarded from: "Jay D. Dyson" <jdysonat_private> -----BEGIN PGP SIGNED MESSAGE----- Hi folks, I've seen this fly across a number of lists lately: Warhol Worms: The Potential for Very Fast Internet Plagues http://www.cs.berkeley.edu/~nweaver/warhol.html While Mr. Weaver does raise some compelling points about the possibility of a Warhol Worm (catchy term!), there are some problems with the model he presents. 1. Connection timeout: Not every IP on the 'net is alive. And some that are alive don't respond to pings or vanilla TCP scans. 2. Firewalls: Not every system behind a firewall is NAT'd. Some systems have routable IPs behind those firewalls (don't ask me why). 3. Typical congestion: Not every system on the 'net is a turbo-charged Sun Microsystems Enterprise 10,000. A number of systems are Linux or BSD boxes running on a P200 or slower. (Shoot, one of my boxes running Linux would be a P166 if the motherboard hadn't shelled out at the last minute.) 4. Honeypots: HIDS configured to bind to ports typically used by known vulnerable services. The worm "crawls in," but it won't crawl out. 5. Human error: As every worm released thus far shows, we're only human. Every worm from the Morris worm of the '80s to the Code Red have suffered from programmatic mistakes. It's just the nature of the beast. 6. Hurry Up and Wait: If such a worm were to start propagating at such prodigous speeds, it would ultimate start tripping over itself. The first network that would be a victim of it would likely suffer network saturation. This would in turn slow the propagation to other networks significantly. All these factors taken together will greatly increase -- by at least an order of magnitude -- the purported Warholian window. Sure, the notion of a fast-moving worm seems scary on the face. There is admittedly no effective human response to it...but when you get right down to it, the same is true for the slow-as-molasses-in-January worms. With all of that in mind, the timeframe of spread isn't the alarming part. The alarming part is that most vendors and admins are still sitting on their thumb when it comes to sound security practices. *That* is truly the cause for alarm here. - -Jay ( ( _______ )) )) .--"There's always time for a good cup of coffee"--. >====<--. C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) | = |-' `--' `--' `-------- Real men prefer full disclosure. --------' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBO3vXeLlDRyqRQ2a9AQHHOgQAjfElFRq/0oq11OVxcDCPQciCJITYnmR0 N5Hk6DS4QqPaqgxYPUGYY7ixWM9Dl4nBjTXOwkLQNIaq5B7+ZUQL9MUfZWULchLC rUmYbPImzn3WQv5y22hjs3mE4l+/Y+lNdiSD4Cp41QmQO7oMKi0w2DdCjTqkFkps N6+GMBUEUYU= =B4e0 -----END PGP SIGNATURE----- - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 06:12:54 PDT