Hard data on network impact of the "Code Red" worm? (fwd)

Larry Sheldon lsheldon at creighton.edu
Tue Jul 31 15:13:42 UTC 2001

>  : >NTBUGTRAQ is carrying informatiion that says that is not right.
>  : >
>  : >They say that currently extant copies of the thing will sleep forever,
>  : >or until the host is re-booted--at which time the thing ceases to exist.
>  : 
>  : There seems to be some disagreement about this point.  CERT, in fact,
>  : notes that explicitly (http://www.cert.org/advisories/CA-2001-23.html).
>  : They also claim that enough infected machines have their clocks set 
>  : wrong that there may be a new outbreak tonight (EDT) -- that one 
>  : strikes me as less plausible.
> Less plausible in the (statistical) abstract... however as CERT also
> points out (emphasis mine):
> 	"Our analysis estimates that starting with a *SINGLE* infected
> 	host, the time required to infect *ALL* vulnerable IIS servers 
> 	with this worm could be less than 18 hours. "
> It only takes one. 

Well, some of us think it take vulnerable IIS servers too.  Some of us think
we listened to the wake-up call and have plugged some of the holes, learned
how to detect the occurrence of un-plugged holes and so on.

Some of us are wrong.

>  : >The hazard tomorrow is the introduction of new copies of the thing.
>  : >
>  : 
>  : That hazard isn't specific to August 1.
> Well... maybe... but suppose July was just practice? Another worm with
> the same time-pattern encoded, but with different targeting and/or
> capabilities.  Clever malice trumps predictability any day...

Well... maybe... but suppose the sky really is falling, or that some 
completely unrealted vermin has been released, or that my "atheletes foot"
really isn't cured.

Can't deal with most of the 'sposes--not able to handle all of the "is"'s.

If ordinary diligence, prudence, care, craftsmanship and skill don't
do it, then the bad guys have won, and we will (probably) rethink how
we use wires.

More information about the NANOG mailing list