Okay, okay, I made a mistake, it's Robert not William, it was late when I searched my neural archive. However I was under the impression that it hit a lot more than 10% (6000 hosts) of the internet. It infected 10%, but caused a large amount of panic disconnections and gateway shutdowns, which only compounded the flow of fixes. It's hard to concieve that the shutdown of large numbers of gateways wouldn't 'hit' considerably more hosts that merely the ones that were infected... Anyway, my POINT was that it was done a long time ago (1988), and to quote SANS: "Could an incident like this occur today? If so, how much damage could it cause? The answer is unfortunately, yes it could happen." Dom -----Original Message----- From: Pete Sherwood [mailto:petersherwoodat_private] Sent: 25 July 2001 22:36 To: Dom De Vitto; Patrick Smallwood Cc: SECURITY-BASICSat_private; vuln-devat_private Subject: Re: A code red that could bring down the net? *** PGP Signature Status: unknown *** Signer: Unknown, Key ID = 0x2DC4B7EC *** Signed: 25/07/2001 22:35:14 *** Verified: 25/07/2001 23:42:56 *** BEGIN PGP VERIFIED MESSAGE *** [snip] > I give up...who is William T Morris? My G-Dads name is Morris Williams, > but he doesnt like the Internet, much less interested in a "Big DoS" of > it... [snip] > I think a guy called William 'T' Morris may have had this idea first. > Allegedly :-) Robert T. Morris! > History. History. History. OK. Here is one explanation: In 1988, the ARPANET had its first automated network security incident, usually referred to as "the Morris worm" (4). A student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET. This "self-replicating automated network attack tool" caused a geometric explosion of copies to be started at computers all around the ARPANET. The worm used so many system resources that the attacked computers could no longer function. As a result, 10% of the U.S. computers connected to the ARPANET effectively stopped at about the same time. See: http://www.cert.org/encyc_article/tocencyc.html > Dom Pete Sherwood 613-260-0612 (home/office) 613-591-8900 ext. 525 (voice-mail) PGP and Thawte digital keys available @ http://members.home.net/petersherwood/ *** END PGP VERIFIED MESSAGE ***
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 10:57:04 PDT