
Doing better than Andy

Feb 10, 2003

Less than a year ago, some of the Internet’s best researchers presented the provocatively titled paper “How to 0wn the Internet in Your Spare Time” at a security conference. The paper is a careful analysis of a number of Internet worms and their infection patterns, and shows how one could design a “Warhol Worm,” a worm that would be “capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes.”

But the recent MS-SQL Slammer worm showed that even these researchers were too conservative in their estimate of how quickly such a worm could spread.

There is quite a bit of talk about how to recognize when an Internet attack is under way and automatically do what is needed to keep it from propagating. Researchers Stuart Staniford, Vern Paxson and Nicholas Weaver showed in their paper, presented at last year’s Usenix Security Symposium, that it was not going to be easy to find ways to react fast enough to be useful.

Andy Warhol thought 15 minutes of fame was good enough for most people, and it seemed not out of the question that one could take over the Internet in 15 minutes. The researchers were met with some level of skepticism when the paper was published, but have been more than vindicated since.

These same researchers, along with a few others, now have published an analysis of Slammer. It is scary indeed. The infestation of this worm doubled in size every 8.5 seconds and had infected 90% of the vulnerable hosts (more than 75,000) within 10 minutes.

The full infection was complete before just about anyone knew it had started. All that was left for anyone to do was configure routers to block the probe traffic that was still trying to infect the already infected sites; after the first 10 minutes, there were basically no machines that could be infected that had not already been infected.

In all likelihood, nothing was done by anyone that prevented a machine from being infected.

If Slammer had been a destructive virus, 75,000 hosts might have been toast in 10 minutes. This is a depressing realization.

The Slammer worm did have some special characteristics that meant that it propagated somewhat faster and was easier to block than a more fully formed (and potentially destructive) worm might have. But it is highly unlikely that effective action can be taken quickly enough after a well-designed attack starts, even if the response is highly automated, to make much of a difference.

Thus we all are the more dependent on Microsoft producing bug-free code and having a reliable and easy-to-use update process that people trust. This is a very depressing realization.

Disclaimer: Harvard does not have a clinical psychology program so I did not bother to ask if the university was depressed over this; I am though.