Given two theories about the launch of Code Red: 1) Non-malicious (due to low-threat nature of payload) "wake-up call" by some member of the Blue Force security crowd (us). 2) Feasibility test on spread rates, Blue Force response times, etc. by a potential adversary, have you considered modeling the spread over several months? We will soon have two data points. Might be able to develop a predictor(s) of: How long does it take for the total spread to decay to some "constant" number of vulnerable machines (the 5% that NEVER get the word and apply the patch)? Is it 5% or some other number? For a particular vulnerability, will it ever approach zero, short of a new release of the product containing the vulnerability that results in complete replacement of the offending code? What's the (probable vs emprically observed) shape of the decay curve (over months), and can we draw any conclusions for future worms with cycles shorter than monthly? And, finally, does June see any directly comparable mathematical models for spread, saturation, etc. im epidemiology - are these virtually the same equations? Ken Williams Zel Technologies, LLC -----Original Message----- From: Stuart Staniford To: incidentsat_private; handlerat_private; IAIPT; cpc@schafercorp-ballston.com Sent: 8/1/01 9:06 PM Subject: CRv2 August 1st dynamics For the July 19th Code Red incident, I posted a theory of the worm that said it had random spread with a spread rate of about 1.8 hosts per hour, and showed this analytic model approximately accounted for the observed growth in the worm probe rate. I applied the same model in a quick first-cut analysis to today's events, and again it seems to fit except with a lower spread rate of about 0.7 hosts per hour. The worm has now pretty much saturated. This suggests that there were a little less than half as many vulnerable hosts as last time. This is an interesting way of working with these incidents, as I was able to estimate the spread rate fairly well before there was any sign of saturation, and thereby predict approximately when it would saturate, and approximately how many hosts would get compromised relative to last time. The graphs are at http://www.silicondefense.com/cr/aug.html Stuart. -- Stuart Staniford --- President --- Silicon Defense ** Silicon Defense: Technical Support for Snort ** mailto:stuartat_private http://www.silicondefense.com/ (707) 445-4355 x 16 (707) 445-4222 (FAX) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 14:50:13 PDT