'we should all be uncomfortable with the extent to which luck..'

k claffy kc at ipn.caida.org
Wed Jul 25 05:35:37 UTC 2001

david moore's analysis of code red: episode 0/1 is at

[funded by DARPA's ITO office NGI/NMS programs,
NSF ANIR, and CAIDA members, david a caida PI]
definitely check out jeff brown's animation at bottom; 
watch carefully around 15:00 for pretty ominous elbow 
in infection rate (get an epidemiologist to look at it 
without telling them what it is...)

360,000 machines (well, IP addresses) infected
in under 14 hours.

from conclusion:

	..in the final analysis, we should all 
	be uncomfortable with the extent to which luck, 
	rather than proactive diligence, maintains the 
	stability of the Internet infrastructure. 

it goes without saying that many hosts are still vulnerable.  
and will likely remain so (to this or the next poison)
until our luck runs out.   do we expect the next version 
to have the two weaknesses christopher pointed out today?  
do we expect the next version won't clear every 3rd bit on 
the hard drive?

almost makes me wonder if some white hat might (should?) have 
been behind CodeRed as some 'vaccination' attempt.

	"The bad news is, nobody will do anything about 
	 critical infrastructure protection until there's 
	 a global catastrophic failure," said Rasch.
  	 The good news is, there will be a global catastrophic failure."

	   -- http://www.nando.net/technology/story/44887p-694372c.html

the worse news is: protecting 'critical infrastructure'
is far from enough.  again from 

	This assault also demonstrates that machines operated by home
	users or small businesses (hosts less likely to be maintained
	by a professional sysadmin) are integral to the robustness of
        the global Internet. As is the case with biologically active
        pathogens, vulnerable hosts can and do put everyone at risk,
        regardless of the significance of their role in the population.

fwiw, caida trying to do gentle survey of patching speed,
see http://worm-security-survey.caida.org/


ps:  john maddog hall (linux int'l) had a great slide a
     few months ago at UCSD talk; upshot something like


     	+ 20 million linux systems
     	+ 450 million gates licenses
        ==>  4.4 - 6.6 % of the population total

     ... world population: ~6B

     ==>  5.4 billion people haven't selected an OS yet

[k: maybe we can get them on OS-antioxidants
before it's too late]

More information about the NANOG mailing list