The following text is copyright 2003 by Network World. Permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Doing better than Andy
By Scott Bradner
It was less than a year ago that some of the Internet's best researchers presented the provocatively titled paper "How to Own the Internet in Your Spare Time" at an Internet security conference. The paper is a careful analysis of a number of Internet worms and their infection patterns. The paper shows how one could design a "Warhol Worm", a worm that would be "capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes." But the Slammer worm showed that even these researchers were too conservative in their estimate of how quickly such a worm could spread.
There is quite a bit of talk on the need to figure out how to recognize when an Internet attack is underway and automatically do what is needed to keep it from propagating. Staniford, Paxson and Weaver showed in their paper (http://www.icir.org/vern/papers/cdc-usenix-sec02/), presented at the USENIX Security Symposium last year, that it was not going to be easy to find ways to react fast enough to have a useful effect. Andy Warhol thought that fifteen minutes of fame was good enough for most people, and it seemed not out of the question that one could take over the Internet in as little as 15 minutes. The authors were met with some level of skepticism when the paper was published but have been more than vindicated since then.
These same researchers, along with a few others, have now published an analysis of the Slammer worm (http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html). It is scary indeed. The infestation of this worm doubled in size every 8.5 seconds and had infected 90% of the vulnerable hosts (over 75,000) within 10 minutes. This was a case where the full infection was completed before just about anyone knew it had started, and all that was left for anyone to do was to configure routers to block the probe traffic that was still trying to infect the already infected sites. That is, after the first 10 minutes there were basically no machines that could be infected that had not already been infected. In all likelihood nothing was done by anyone that prevented a machine from being infected. If Slammer had been a destructive virus, 75,000 hosts might have been toast in 10 minutes. This is a depressing realization.
The Slammer worm did have some special characteristics that meant that it propagated somewhat faster and was easier to block than a more fully formed (and potentially destructive) worm might have been. But the important realization is that it is highly unlikely that effective action can be taken quickly enough after an attack starts, even if the response is highly automated, to make much of a difference against a well-designed attack. Thus we are all the more dependent on Microsoft producing bug-free code and having a reliable and easy-to-use update process that people trust. This is a very depressing realization.
Disclaimer: Harvard does not have a clinical psychology program, so I did not bother to ask if the University was depressed over this; I am, though.