Re: Flash Worms

From: Michal Zalewski (lcamtufat_private)
Date: Fri Aug 17 2001 - 11:56:42 PDT


    On Thu, 16 Aug 2001, Stuart Staniford wrote:
    
    > We argue that a well-prepared and well-designed worm could infect all
    > vulnerable Internet servers in less than thirty seconds - something we
    > are calling a Flash Worm.
    
    While I'm impressed with publications like this, and I am sure we should
    think seriously about the scenarios described there, I hardly believe in "30
    seconds" or "15 minutes" or any similar scenario for a few reasons that can
    be summarized in one sentence: the Internet is not perfect. It is not
    like we run a nice LAN network of identical machines connected together with
    links that never fail and always work as advertised. It is not like the
    diversity and complexity of this network can be summarized by any
    assumptions similar to "average Internet host has an uplink of xxx kB/s".
    
    My guess is that you'd actually need much more than 30 seconds to reach
    a significant percentage of vulnerable machines at all, due to network
    outages, overloaded links, and so on, and so on. Then, because both
    network structure (firewalling, routing) and system configuration are, heh,
    more than diverse, it significantly limits the number of "vulnerable hosts"
    that can be automatically attacked and successfully exploited. I would
    argue that it is not very likely for us to see a worm that reaches
    "saturation level" in less than 10-20 hours, and that attacks more than
    1,000,000 hosts, even according to very enthusiastic guesses (which are
    probably at least 50% overestimated) in the next two years. Of course, I won't
    bet anything on that =)
    
    Just my $.02.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
    
    
    
    



    This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 10:18:40 PDT