Re: Worm Attack Rate

From: Paul Cardon (paulat_private)
Date: Mon Aug 06 2001 - 12:18:39 PDT


    aleph1at_private wrote:
    > 
    > Code Red II appears to have a high attack rate. A number of factors seem
    > to be contributing to the observed data.
    > 
    > This worm spawns either 300 or 600 scanning threads. The original worm
    > and its variant only spawned 100.
    > 
    > This worm uses non-blocking I/O during the connection phase. It will
    > quickly skip over hosts that are unresponsive. The original worm and
    > its variant would block until the connect either succeeds or times out.
    > 
    > This worm displays locality. It's more likely to attack machines near
    > itself in the IP address space. Since the IP address space is mostly
    > sparse with machines bunched in some areas this is a more effective
    > method of finding other vulnerable machines than uniformly and randomly
    > selecting IP addresses across all of the IP address space, the method
    > used by the original worm and its variant.
    > 
    > Also, because of the locality it displays, the same IP addresses are
    > more likely to be attacked multiple times leading any single person
    > to see more attacks than normal if the worm has infected a machine
    > within its IP address space neighborhood. The flip side is that it
    > may take longer for the worm to jump from one IP address "island"
    > to another.
    
    
    Even with the higher attack rate I don't think that the overall spread
    will be that much faster simply because the pool of vulnerable systems
    hasn't changed significantly and the original has now been running for
    nearly six days on tens if not hundreds of thousands of systems. 
    (Again, which methodology for determining infections is most accurate.) 
    They have been able to scan a lot of other systems in that time.
    
    However, localized spread is much faster as we are seeing.  Hosts on the
    cable modem and DSL networks that are infected will target systems a lot
    closer to home so there is a greater chance that those of us on such
    networks will see more propagation attempts than we did with original
    Code Red.  [Yes, this repeats what Elias said but I posted this to a
    local mailing list I'm on before reading this thread.]
    
    There is a principle in processor/compiler/etc. design called "locality
    of reference".  It states that if a particular memory location is
    accessed, then short-term future accesses are likely to be for adjacent
    memory locations.  This leads to look ahead and other strategies used to
    improve performance.  (Work loads can be designed or occur naturally
    that make these strategies perform miserably, but I digress.)
    
    Essentially, we may be coining a term called "locality of vulnerability"
    which means that if a system is vulnerable to a particular vulnerability
    it is likely that "adjacent" systems are also vulnerable.  They will
    often have the same security implementation, policy and operational
    posture (which includes ad hoc or null approaches ;^) ).  This is
    especially true of the cable modem and DSL networks and is also going to
    be true of any homogeneous hosting site.
    
    -paul
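
    Added example (not code from the original post or from either worm): a
    small simulation of the locality effect discussed above, comparing a
    uniform random scanner with a locality-biased one against a constructed
    sparse population of vulnerable hosts. The numeric split used for the
    locality-biased scanner (1/8 anywhere, 1/2 inside the source's /8, 3/8
    inside its /16) and the skipping of 127/8 and 224/4 are assumptions
    taken from commonly reported descriptions of Code Red II; the post gives
    no numbers. The source address and the vulnerable population are
    constructed for the simulation.

```python
"""Locality-biased target selection (Code Red II style) versus uniform
random selection, run against a constructed sparse population of
vulnerable hosts.  Added example; not code from the original post."""
import ipaddress
import random
from collections import Counter

# Constructed source: one infected host, taken from TEST-NET-3 so that
# nothing here points at a real network.
SRC = int(ipaddress.IPv4Address("203.0.113.57"))


def _usable(addr):
    """ASSUMPTION: as commonly described for CRv2, skip loopback (127/8)
    and multicast (224/4) targets."""
    return (addr >> 24) != 127 and (addr >> 28) != 0xE


def uniform_target(src, rng):
    """Original Code Red: any 32-bit address with equal probability."""
    while True:
        t = rng.getrandbits(32)
        if _usable(t):
            return t


def local_target(src, rng, p_random=1 / 8, p_same_a=1 / 2):
    """Code Red II style.  ASSUMPTION (the post gives no numbers): the
    commonly reported split of 1/8 anywhere, 1/2 inside the source's /8
    and the remaining 3/8 inside the source's /16."""
    while True:
        r = rng.random()
        if r < p_random:
            t = rng.getrandbits(32)
        elif r < p_random + p_same_a:
            t = (src & 0xFF000000) | rng.getrandbits(24)
        else:
            t = (src & 0xFFFF0000) | rng.getrandbits(16)
        if _usable(t):
            return t


def build_world(src, rng, local_hosts=200, remote_hosts=1000):
    """Constructed vulnerable population: a cluster sharing the source's
    /16 (same provider, same patch posture) plus hosts scattered
    uniformly over the rest of the address space."""
    vuln = set()
    while len(vuln) < local_hosts:
        vuln.add((src & 0xFFFF0000) | rng.getrandbits(16))
    while len(vuln) < local_hosts + remote_hosts:
        vuln.add(rng.getrandbits(32))
    return vuln


def simulate(select, src, vuln, probes, seed):
    """Run a fixed number of probes from one source and report where
    they land: share in the same /8 and /16, distinct vulnerable hosts
    hit, and how often a host that was already hit gets hit again."""
    rng = random.Random(seed)
    hits = Counter()
    same_a = same_b = 0
    for _ in range(probes):
        t = select(src, rng)
        d = t ^ src
        if d >> 24 == 0:
            same_a += 1      # same /8 as the source
        if d >> 16 == 0:
            same_b += 1      # same /16 as the source
        if t in vuln:
            hits[t] += 1
    return {
        "same_a_frac": same_a / probes,
        "same_b_frac": same_b / probes,
        "hosts_hit": len(hits),
        "repeat_hits": sum(c - 1 for c in hits.values()),
    }


def compare(probes=100_000, seed=2001):
    """Same world, same probe budget, both selection strategies."""
    vuln = build_world(SRC, random.Random(seed))
    return {
        "uniform": simulate(uniform_target, SRC, vuln, probes, seed + 1),
        "local": simulate(local_target, SRC, vuln, probes, seed + 1),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:8s} same/8={r['same_a_frac']:.3f} "
              f"same/16={r['same_b_frac']:.3f} "
              f"vulnerable hosts hit={r['hosts_hit']} "
              f"repeat hits={r['repeat_hits']}")
```

    Running it shows both halves of Elias's point: the locality-biased
    scanner finds the clustered vulnerable hosts with a probe budget that
    leaves the uniform scanner empty-handed, and it hits the same hosts
    more than once, which is exactly what a site inside the infected
    neighbourhood observes as a higher attack rate.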
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    