From: Gary Warner <gar@askgar.com>
To: iwar@yahoogroups.com, snort-users@lists.sourceforge.net, incidents@securityfocus.com
Date: Fri, 03 Aug 2001 22:06:46 -0700
Message-ID: <3B6B82E6.56CBAA39@askgar.com>
Subject: [iwar] Why Code Red is never going to Spread Exponentially

At my office we have a NAT environment, with only 13 IP addresses exposed publicly. We've settled in at between 8 and 12 Code Red hits per hour bouncing off our firewall. No biggee.
Some of my co-workers were explaining that Code Red was going to grow exponentially and it would eventually be a problem. Here's the math problem I gave them with made-up numbers. Make up your own numbers based on your best assumptions. I'll share the phony numbers I'm assuming.

A - let A = the % of possible IP addresses that are in use.
B - let B = the % of possible IP addresses that are behind a firewall which blocks port 80
C - let C = the % of Internet-attached machines which are web servers
D - let D = the % of web servers which run IIS
E - let E = the % of IIS servers vulnerable to the .IDQ overflow

Each infected IIS server will attempt to infect 100 randomly selected IP addresses.

Here are my "picked from the air" values:

A = 55%
B = 15%
C = 15%
D = 20% (see http://www.netcraft.com/survey/ )
E = 50% (domestics highly patched now, foreign still a big problem)

100 - A = 45 -- most of the IP addresses Code Red attempts will be duds
45 - B = 30 -- of the remainder, some will be behind firewalls
30 * C = 5 (round up!) -- of the ones it hits, most will not be web servers
5 * D = 1 -- of the web servers, most will not be IIS
1 * E = .5 -- of the IIS servers, some will be patched

So, based on my "phony" numbers, each infected machine has a 50/50 chance of going idle without infecting anybody, and then they only infect 1. Unfortunately, some machines get luckier than that, and some others have various "bugs" which do not allow them to stop infecting.

(Last go around, I was helping a buddy who had IDS on 3 Class C networks. We had most "attackers" do a "double hit" and then we never heard from them again, for the most part. But there was this one IP that banged us every few minutes for the entire duration. We had over 700 probes from that single machine! Code Red, random-style probes, hitting the same addresses over and over...)
One speculation was that, for instance, if the IIS execute account has had access to the C:\ root directory blocked, he can't write the file C:\NOWORM, and will therefore never stop spreading the attack???

These few "bugged" machines are the only ones that make the spread of the virus possible at all. With a more optimistic set of numbers, it's possible to come up with a scenario where each machine actually does infect 1 other. Work this equation with numbers closer to reality, and you will see about what we are seeing at "incidents.org" and "yale.edu". Yale is seeing between 50,000 and 55,000 attacks per hour (see http://www.incidents.org/diary/diary.php ), as is http://www.digitalisland.net/codered/ .

My bet is it stays linear forever from here, until we begin to make progress getting machines patched.
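The post's argument is a branching-process estimate: each infected host fires a fixed number of random probes, and a probe only yields a new infection if the address is in use, not firewalled on port 80, a web server, running IIS and still unpatched. The following is an added example (editor's code, not the author's) that puts the post's A..E guesses into that model by multiplying the fractions to get a per-probe success probability, then derives the expected new infections per host (R), the chance a host goes idle without infecting anyone, and how cumulative infections grow when R is below, at or above 1. The parameter names and the 100-probe count follow the post; the multiplicative form and the generation projection are the example's own.

```python
# Added example: expected-value branching model of Code Red spread using the
# post's A..E guesses. Not the post's own arithmetic; fractions are multiplied.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class WormParams:
    """Fractions in [0, 1]; field names follow the post's A..E."""
    in_use: float          # A: share of address space that is in use
    firewalled: float      # B: share of addresses behind a port-80-blocking firewall
    web_server: float      # C: share of reachable hosts that are web servers
    iis: float             # D: share of web servers running IIS
    vulnerable: float      # E: share of IIS servers still vulnerable
    probes_per_host: int = 100  # addresses each infected host tries (per the post)


# The post's "picked from the air" values.
POST_VALUES = WormParams(in_use=0.55, firewalled=0.15, web_server=0.15,
                         iis=0.20, vulnerable=0.50)


def probe_success_probability(p: WormParams) -> float:
    """Probability that one random probe lands on an infectable host."""
    return (p.in_use * (1.0 - p.firewalled) * p.web_server
            * p.iis * p.vulnerable)


def reproduction_number(p: WormParams) -> float:
    """Expected new infections caused by one infected host (R)."""
    return p.probes_per_host * probe_success_probability(p)


def idle_probability(p: WormParams) -> float:
    """Chance an infected host exhausts all its probes without infecting anyone."""
    return (1.0 - probe_success_probability(p)) ** p.probes_per_host


def project_generations(r: float, initial: float, generations: int) -> List[float]:
    """Cumulative expected infections after each generation.

    R < 1: the series converges and the outbreak fizzles; R == 1: each
    generation adds the same amount (the post's "linear"); R > 1: exponential.
    """
    total, current, out = initial, initial, []
    for _ in range(generations):
        current *= r          # next generation is R times the current one
        total += current
        out.append(total)
    return out


def classify(r: float, tol: float = 1e-9) -> str:
    """Label the growth regime implied by a reproduction number."""
    if r < 1.0 - tol:
        return "dies out"
    if r > 1.0 + tol:
        return "exponential"
    return "linear"


if __name__ == "__main__":
    r = reproduction_number(POST_VALUES)
    print(f"per-probe success probability: {probe_success_probability(POST_VALUES):.5f}")
    print(f"R (expected new infections per host): {r:.3f} -> {classify(r)}")
    print(f"P(host infects nobody): {idle_probability(POST_VALUES):.3f}")
    print("cumulative infections from 1000 seeds over 10 generations:",
          [round(x, 1) for x in project_generations(r, 1000, 10)])
```

With the post's values the per-probe success probability is about 0.007, so R is about 0.70 and roughly 49% of infected hosts never infect anyone, which matches the post's "50/50 chance of going idle". Changing any single fraction in `WormParams` shows how sensitive the regime is: R only has to cross 1 for the same model to turn exponential, which is why the unpatched population (E) and the hosts that never stop probing matter so much.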
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT