Hard data on network impact of the "Code Red" worm?
Hank Nussbacher
hank at att.net.il
Tue Jul 31 06:40:48 UTC 2001
At 16:29 30/07/01 -0700, Sean Donelan wrote:
>On Mon, 30 July 2001, Christian Kuhtz wrote:
> > Your logic is flawed. If this was true, zombie networks would be largely
> > ineffective. The current mutation is nothing more than an automated zombie
> > distribution network, with all fun options of current zombie networks
> > such as remote control, remote upgrades etc...
> >
> > You may want to read up on the details of this one, like the
> > presentation at the bottom of http://www.digitalisland.net/codered/
>
>If "code red" is nothing more than what we've been seeing for years,
>why the special CNN reports every half-hour, and the joint press
>conference with our fearless leaders today? What makes "code red"
>so extraordinary it merits this special response, when previous
>"zombie" networks didn't? I have a hard time seeing how "Code Red"
>will ever live up to the advance hype on August 1. Is Don King
>managing the pay-per-view for this event? Michelangelo Vs. Code Red.
In this case, IMO, the hype was warranted. If not for the 2 code errors in
Code Red, this worm, using 300K zombies at 50Mb/sec each would have hit the
Internet with about 15Tb/sec of aggregate traffic. The next time, we all
won't be so lucky.
>Why don't we just have an annual, let's update your Microsoft software
>patches day. Every year the press can get on the bandwagon and
>remind us about changing the batteries in our smoke detectors and
>downloading the latest patches.
>
>There are a lot of flawed systems out there. Downloading a couple
>of patches for "Code Red" isn't enough to protect your system from
>all the other things. I'm worried the joint press release is doing
>a disservice if people have a false sense of security because they
>protected themselves from "code red."
>
>On the other hand, will Wednesday really be that much different from
>any other Wednesday with the normal thousand DDOS attacks happening,
>and normal spam, and normal e-mail/macro viruses, and normal zombies?
The Mafiaboy 100 zombies or recent IRC zombie-nets of 1800 zombies pale in
comparison to 300K infected systems. IRC zombie-nets target cable modem
and ADSL users. They typically can pump out 1Mb/sec of traffic. On the
other hand, your typical web server is usually situated on much more
bandwidth - typically FastEthernet. So targeting IIS servers is a sure
way of maximizing your zombie power (the only more powerful worm would be
an Apache zombie which has about 18M potential clients or a bind worm-zombie).
>I think it's a bit premature to predict the end of the Internet on
>August 1.
It won't happen this time, but the next time, we may not be so lucky.
-Hank