We did not get all that far into the new year before the inevitable happened. Yet another fast-spreading worm struck a Microsoft product, bogging down big chunks of the Internet and taking a few tens of thousands of servers off the ‘Net. Like the last few times, this attack would have been prevented if managers of Microsoft systems had only kept them up to date by applying the latest security fixes.

It only took 20 minutes after the attack started at about 12:30 a.m. EST Saturday, Jan. 25, for the first message about it to show up on the North American Network Operators Group mailing list. At 1:28 a.m., the fact that the attack abused User Datagram Protocol (UDP) Port 1434 was posted, which was enough information for most network operators to know what to do to block the impact.

The notification came too late to have much of an effect on propagation because most of the worldwide spread seemed to happen within the first few minutes. The information about the attack and how to fight it did not propagate as fast as the attack, but was available long before most network managers woke up and figured out they were under attack. This worm’s propagation speed was a testament to Microsoft’s success in the marketplace and a poster child for the fact that there is no reason to be sanguine about the ability of the Internet or, more particularly, the systems on the ‘Net to resist a concerted attack.
The software monoculture of today’s Internet and the unwillingness of system operators to do what is needed to keep their systems up to date securitywise mean that this is far from the last successful attack we will see.

System operator unwillingness seems to be the result of a number of factors: the frequency of updates; the difficulty of knowing when an update is needed; an assumption that updates should not be done when they come out because they might introduce more bugs than they fix; and the disruption required when an update is done. In the spectrum of attacks, this was quite benign. Installing the patch you already should have installed and rebooting did the trick; no rebuilding disks from scratch and hoping that the backups would work. So whoever launched this worm was after disruption, not destruction. Someone with a touch more malice in his heart would have made for a very bad weekend for a whole lot of people.

One real puzzle about the attack has not been resolved as I write this. It seems that 13,000 or so of Bank of America’s automated teller machines went down during the attack. The puzzle is why? If the bank is putting its ATM machines directly on the Internet, it is demonstrating a confidence in the ‘Net that few other folks do. If it was because of a leak through a firewall that hit some Microsoft server that ran the ATM network, then the bank needs better firewall folk. But we might never know – the answer might just be too embarrassing.

Disclaimer: Causing embarrassment sometimes seems to be a Harvard mission, but I did not ask the university about this case – it’s all my own puzzlement.