Re: [iwar] Why Code Red is never going to Spread Exponentially

From: e.r. (fastflyer28@yahoo.com)
Date: 2001-08-03 22:55:22


Message-ID: <20010804055522.20087.qmail@web14503.mail.yahoo.com>
To: iwar@yahoogroups.com
Cc: partners@7pillars.org
In-Reply-To: <3B6B82E6.56CBAA39@askgar.com>
From: "e.r." <fastflyer28@yahoo.com>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Fri, 3 Aug 2001 22:55:22 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: Re: [iwar] Why Code Red is never going to Spread Exponentially

Nice to find another realist in the crowd.  Why have only a few people
scoffed off China as the creators of Code Red, the "Mother of all
Viruses"?  I am not buying the idea that China did it, indigenously.
If the Chinese are that good, why is their OPSEC (operational security)
so bad?  That is to say, if they were unaffected, and it was their bug,
they blew their own cover.  If it were theirs, they needed to take
some hits, sound outraged at we "imperialist running dogs" for messing
with them.  Why didn't the Chinese engage in a small, but very effective,
amount of "perception management"?  I doubt it was because Jiang and
the boys were at a Yankees game in NYC.  ERGO, WHY and WHO remain
unanswered.  And, you won't find the answers in "big math".  Who dun
it?  And why?  When the final repair bills are in, there will be lots of
zeros involved.  Trivial antics were not the point.  Any ideas as to what
was?

e.r in DC
-------------------------------------------------------------------
--- Gary Warner <gar@askgar.com> wrote:
> At my office we have a NAT environment, with only 13 IP addresses
> exposed publicly.  We've settled in at between 8 and 12 per hour Code
> Red hits bouncing off our firewall.  No biggie.  Some of my co-workers
> were explaining that Code Red was going to grow exponentially and it
> would eventually be a problem.
> 
> Here's the math problem I gave them with made-up numbers.
> Make up your own numbers based on your best assumptions.
> I'll share the phony numbers I'm assuming.
> 
> A - let A = the % of possible IP addresses that are in use.
> B - let B = the % of possible IP addresses that are behind
>       a firewall which blocks port 80
> C - let C = the % of Internet-attached machines which are web servers
> D - let D = the % of web servers which run IIS
> E - let E = the % of IIS servers vulnerable to the .IDQ overflow
> 
> Each infected IIS server will attempt to infect 100 randomly selected
> IP addresses.
> 
> Here are my "picked from the air" values:
> 
> A = 55%
> B = 15%
> C = 15%
> D = 20%  (see http://www.netcraft.com/survey/ )
> E = 50%  (domestics highly patched now, foreign still a big problem)
> 
> 100 - A = 45     -- most of the IP addresses Code Red attempts will be duds
> 45 - B = 30      -- of the remainder, some will be behind firewalls
> 30 * C = 5 (round up!)  -- of the ones it hits, most will not be web servers
> 5 * D = 1        -- of the web servers, most will not be IIS
> 1 * E = .5       -- of the IIS servers, some will be patched
> 
> So, based on my "phony" numbers, each infected machine has a 50/50
> chance of going idle without infecting anybody, and then they only
> infect 1.
> 
> Unfortunately, some machines get luckier than that, and some others
> have various "bugs" which do not allow them to stop infecting.  (Last
> go around, I was helping a buddy who had IDS on 3 Class C networks.
> We had most "attackers" do a "double hit" and then we never heard from
> them again, for the most part.  But there was this one IP that banged
> us every few minutes for the entire duration.  We had over 700 probes
> from that single machine!  (Code Red, random-style probes, hitting the
> same addresses over and over...)  One speculation was that, for
> instance, if the IIS execute account has had access to the C:\ root
> directory blocked, he can't write the file C:\NOWORM, and will
> therefore never stop spreading the attack???
> 
> These few "bugged" machines are the only ones that make the spread of
> the virus possible at all.
> 
> With a more optimistic set of numbers, it's possible to come up with a
> scenario where each machine actually does infect 1 other.
> 
> Work this equation with numbers closer to reality, and you will see
> about what we are seeing at "incidents.org" and "yale.edu".
> 
> Yale is seeing between 50,000 and 55,000 attacks per hour
> (see http://www.incidents.org/diary/diary.php )
> 
> As is http://www.digitalisland.net/codered/ .
> 
> My bet is it stays linear forever from here, until we begin to make
> progress getting machines patched.
> 

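The "math problem" in the quoted message is a reproduction-number argument: a worm whose infected hosts each cause fewer than one new infection on average dies out, one that causes exactly one grows linearly, and only one that causes more than one grows exponentially. The following Python is an added worked example, not code from the original thread or from either poster. It takes the A..E percentages exactly as Gary gave them, but the model structure is my reading of his reasoning: it treats the five factors as independent fractions and multiplies them (which yields about 0.70 expected infections per host rather than the 0.5 his step-by-step subtraction produced), then iterates the expected generation sizes, runs a seeded stochastic branching process, and, going one step beyond the post, computes how unpatched the IIS population would have to be (E) for the same assumptions to flip the conclusion to exponential growth. Everything is offline arithmetic; nothing is sent to a network.

```python
"""
Toy reproduction-number model of the Code Red spread argument.
Added example; the A..E values are the poster's made-up percentages,
the multiplicative model and the threshold calculation are assumptions
of this example, not anything the poster wrote.
"""
import random
from dataclasses import dataclass

PROBES_PER_HOST = 100  # "Each infected IIS server will attempt to infect 100 ... addresses"


@dataclass(frozen=True)
class Assumptions:
    in_use: float      # A: fraction of the address space actually in use
    firewalled: float  # B: fraction behind a firewall that blocks port 80
    web_server: float  # C: fraction of attached machines that are web servers
    iis: float         # D: fraction of web servers running IIS
    vulnerable: float  # E: fraction of IIS servers still unpatched


# The poster's "picked from the air" values.
GARY = Assumptions(in_use=0.55, firewalled=0.15, web_server=0.15, iis=0.20, vulnerable=0.50)


def per_probe_success(a: Assumptions) -> float:
    """Chance that one random probe lands on a reachable, unpatched IIS host.

    Assumption: the five factors are independent, so they multiply.  (The
    quoted post subtracts and multiplies percentages step by step and ends
    at 0.5 infections per host; this product form gives about 0.70.)
    """
    return a.in_use * (1 - a.firewalled) * a.web_server * a.iis * a.vulnerable


def reproduction_number(a: Assumptions, probes: int = PROBES_PER_HOST) -> float:
    """Expected number of new infections caused by one infected host (R)."""
    return probes * per_probe_success(a)


def regime(r: float) -> str:
    """R < 1 dies out, R == 1 grows linearly, R > 1 grows exponentially."""
    if r < 1:
        return "dies out"
    if r == 1:
        return "linear"
    return "exponential"


def expected_generations(r: float, seed_hosts: float, n: int) -> list:
    """Expected count of newly infected hosts in generations 0..n."""
    sizes = [float(seed_hosts)]
    for _ in range(n):
        sizes.append(sizes[-1] * r)
    return sizes


def expected_total(r: float, seed_hosts: float) -> float:
    """Limit of the cumulative infection count when R < 1 (geometric series)."""
    if r >= 1:
        return float("inf")
    return seed_hosts / (1 - r)


def vulnerable_fraction_for_r1(a: Assumptions, probes: int = PROBES_PER_HOST) -> float:
    """Value of E at which R crosses 1 with the other four factors held fixed.

    This is the sensitivity check the post invites ("make up your own
    numbers"): with A..D as given, about 71% of IIS servers would have to
    be unpatched before growth turns exponential.
    """
    base = probes * a.in_use * (1 - a.firewalled) * a.web_server * a.iis
    return 1 / base


def simulate(a: Assumptions, seed_hosts: int, max_generations: int,
             rng_seed: int = 1, probes: int = PROBES_PER_HOST) -> dict:
    """Stochastic branching process: every active host fires `probes` probes,
    each succeeding independently with probability per_probe_success(a).
    Hosts probe for one generation and then go idle (the post's "stuck"
    hosts that never stop are deliberately not modelled here)."""
    rng = random.Random(rng_seed)
    p = per_probe_success(a)
    active = seed_hosts
    total = seed_hosts
    history = [seed_hosts]
    for _ in range(max_generations):
        if active == 0:
            break
        new = sum(1 for _ in range(active * probes) if rng.random() < p)
        history.append(new)
        total += new
        active = new
    return {"total_infected": total, "generations": len(history) - 1,
            "died_out": active == 0, "history": history}


if __name__ == "__main__":
    r = reproduction_number(GARY)
    print(f"per-probe success: {per_probe_success(GARY):.5f}")
    print(f"R = {r:.3f} -> {regime(r)}")
    print(f"expected total from 1000 seed hosts: {expected_total(r, 1000):.0f}")
    print(f"E needed for R = 1: {vulnerable_fraction_for_r1(GARY):.2f}")
    print("simulation died out:", simulate(GARY, 1000, 200)["died_out"])
```

The deterministic functions reproduce the post's qualitative conclusion (R below 1, so a finite outbreak), while `vulnerable_fraction_for_r1` shows how narrow the margin is: raising E from 50% to about 71% with the other guesses unchanged crosses into exponential territory, which is why the patch rate, not the address-space arithmetic, is the number a defender should actually be tracking.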





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT