[iwar] Why Code Red is never going to Spread Exponentially

From: Gary Warner (gar@askgar.com)
Date: 2001-08-03 22:06:46


Message-ID: <3B6B82E6.56CBAA39@askgar.com>
To: iwar@yahoogroups.com, snort-users@lists.sourceforge.net, incidents@securityfocus.com
From: Gary Warner <gar@askgar.com>
Date: Fri, 03 Aug 2001 22:06:46 -0700
Subject: [iwar] Why Code Red is never going to Spread Exponentially

At my office we have a NAT environment, with only 13 IP addresses
exposed publicly.  We've settled in at between 8 and 12 per hour Code
Red hits bouncing off our firewall.  No biggee.  Some of my co-workers
were explaining that Code Red was going to grow exponentially and it
would eventually be a problem.

Here's the math problem I gave them with made up numbers.  
Make up your own numbers based on your best assumptions.  
I'll share the phony numbers I'm assuming.  

A - let A = the % of possible IP addresses that are in use.
B - let B = the % of possible IP addresses that are behind
      a firewall which blocks port 80
C - let C = the % of Internet attached machines which are web servers
D - let D = the % of web servers which run IIS
E - let E = the % of IIS servers vulnerable to the .IDQ overflow

Each Infected IIS server will attempt to infect 100 randomly selected IP
addresses.

Here are my "picked from the air" values:

A = 55%
B = 15%
C = 15%
D = 20%  (see http://www.netcraft.com/survey/ )
E = 50%  (domestics highly patched now, foreign still a big problem)

100 - A = 45     -- most of the IP addresses CodeRed attempts will be
duds
45 - B = 30      -- of the remainder, some will be behind firewalls
30 * C = 5 (round up!)  -- of the ones it hits, most will not be
webservers
5 * D = 1      -- of the webservers, most will not be IIS
1 * E = .5    -- of the IIS servers, some will be patched

So, based on my "phony" numbers, each infected machine has a 50/50
chance of going idle without infecting anybody, and then they only
infect 1.

Unfortunately, some machines get luckier than that, and some others have
various "bugs" which do not allow them to stop infecting.  (Last go around, I
was helping a buddy who had IDS on 3 Class C networks.  We had most
"attackers" do a "double hit" and then we never heard from them again,
for the most part.  But there was this one IP that banged us every few
minutes for the entire duration.  We had over 700 probes from that
single machine!  (Code Red, random-style probes, hitting the same
addresses over and over...)  One speculation was that, for instance, if
the IIS execute account has had access to the C:\ root directory
blocked, he can't write the file C:\NOWORM, and will therefore never
stop spreading the attack???)

These few "bugged" machines are the only ones that make the spread of
the virus possible at all.

With a more optimistic set of numbers, it's possible to come up with a
scenario where each machine actually does infect 1 other.

Work this equation with numbers closer to reality, and you will see
about what we are seeing at "incidents.org" and "yale.edu".

Yale is seeing between 50,000 and 55,000 attacks per hour
(see http://www.incidents.org/diary/diary.php )

As is http://www.digitalisland.net/codered/ .

My bet is it stays linear forever from here, until we begin to make
progress getting machines patched.
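The back-of-the-envelope model in the post can be run as code. What follows is an added example, not code from the original message: it takes the author's factors A through E and the 100 probes per infected host, treats each factor as an independent probability and multiplies them to get the expected infections per infected host (the post steps through the same numbers by hand), and then plays the result forward generation by generation. The `persistent_fraction` parameter is an assumption added here to model the "bugged" hosts the post describes that never stop scanning; the function names `infections_per_host`, `simulate` and `growth_regime` are this example's own.

```python
"""Reproduction-number model for a random-scanning worm.

Added example using the post's factors; not the author's code. The A..E
inputs are treated as independent probabilities and multiplied, and
persistent_fraction is an assumed knob for hosts that never stop scanning.
"""

ATTEMPTS_PER_HOST = 100  # from the post: each infected server probes 100 random addresses


def infections_per_host(a, b, c, d, e, attempts=ATTEMPTS_PER_HOST):
    """Expected new infections caused by one infected host (the worm's R0).

    a: fraction of the address space in use
    b: fraction of in-use addresses behind a firewall that blocks port 80
    c: fraction of reachable hosts that are web servers
    d: fraction of web servers running IIS
    e: fraction of IIS servers still vulnerable
    A random probe succeeds only if every filter is passed, so the per-probe
    success probability is the product, and R0 is that times the probe count.
    """
    p_success = a * (1.0 - b) * c * d * e
    return attempts * p_success


def simulate(r0, generations, initial=1, persistent_fraction=0.0):
    """Expected cumulative infections after each generation.

    Ordinary hosts scan for one generation and then go idle (the post's
    "double hit and then we never heard from them again"). A fraction
    persistent_fraction of infected hosts keeps scanning every generation;
    this is an assumed model of the post's "bugged" machines.
    Returns a list starting with the initial count.
    """
    persistent = initial * persistent_fraction            # hosts that scan forever
    active = initial * (1.0 - persistent_fraction) + persistent
    cumulative = float(initial)
    history = [cumulative]
    for _ in range(generations):
        new = active * r0
        cumulative += new
        persistent += new * persistent_fraction
        # next round's scanners: this round's one-shot hosts plus the persistent pool
        active = new * (1.0 - persistent_fraction) + persistent
        history.append(cumulative)
    return history


def growth_regime(history):
    """Classify the tail of a history as 'dying', 'linear' or 'exponential'
    by comparing the last two generation-over-generation increments.
    Needs at least three entries (two generations)."""
    d1 = history[-2] - history[-3]
    d2 = history[-1] - history[-2]
    if d2 < d1 - 1e-9:
        return "dying"
    if d2 > d1 + 1e-9:
        return "exponential"
    return "linear"


if __name__ == "__main__":
    r0 = infections_per_host(0.55, 0.15, 0.15, 0.20, 0.50)   # the post's sample values
    print(f"R0 with the post's numbers: {r0:.3f}")
    scenarios = [
        ("post's numbers, every host goes idle", r0, 0.0),
        ("break-even (each host infects exactly one)", 1.0, 0.0),
        ("post's numbers plus 2% hosts that never stop scanning", r0, 0.02),
    ]
    for label, r, pf in scenarios:
        h = simulate(r, 40, persistent_fraction=pf)
        print(f"{label}: {h[-1]:.1f} infected after 40 generations, regime: {growth_regime(h)}")
```

With the post's own values the product comes out below one infection per host, so the run dies out on its own; at exactly one it grows linearly, which is the steady rate the post argues for. The third scenario is the interesting one for a defender: even with R0 below one, a small pool of hosts that never go idle accumulates until its scanning dominates, and the cumulative count turns exponential again. That is why the small number of "bugged" scanners, and patching them first, matters more than the raw hit rate at any one firewall.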





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT