Please don't think I suddenly succumbed to sensationalism fever. But consider what happened last Monday, on October 21. An electronic attack successfully brought nine of the thirteen root servers that manage worldwide Internet traffic to a halt for one hour.
For details, check the Associated Press story reported by Wired News under the title "Servers Bounce Back From E-Attack."
So it seems appropriate to talk today about Internet security.
Three researchers recently published a paper about worms: "How to Own the Internet in Your Spare Time." Here are a few words from the abstract.
The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.
We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).
We then turn to the threat of surreptitious worms that spread more slowly but in a much harder to detect "contagion" fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.
As you can see, it's written in academic language. Furthermore, it's a 31-page report. Fortunately, Ellen Messmer gives us a shorter analysis of the research paper.
Computer science researchers are predicting new types of dangerous worms that would be able to infect Web servers, browsers and other software so quickly that the working Internet itself could be taken over in a matter of minutes.
The three authors of the research, published two months ago, present a future where worm-based attacks use "hit lists" to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did last year. And this new breed of worms will carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.
[One of the co-authors of the research paper,] Stuart Staniford, president of Silicon Defense, says they tested the paper's thesis in a lab simulation of a computer worm designed to subvert 10 million Internet hosts over both low-speed and high-speed lines. Supplied with its own "hit list" of IP addresses and vulnerabilities gained through prior scanning, the theoretical worm could infect more than nine million servers in a quarter hour or so.
Is it really possible to "own" the Internet? Some say yes.
A U.S. government official, Bob Dacey, director of information security issues at the U.S. General Accounting Office, said of the theoretical worms: "The risk is there, though I can't speak to the 15 minutes. When you look at Nimda and Code Red, you see greatly developed delivery mechanisms."
To date, the Internet hasn't seen a worm with a really dangerous payload to destroy systems combined with rapid delivery but it certainly might be out there in the future, said Dacey, who's in charge of overseeing vulnerability-testing of federal agencies' networks.
"We haven't seen a 'Flash' worm yet, but now that there's a paper on it, we probably will," says Mikko Hyppönen, manager of anti-virus research at F-Secure.
Many others disagree, such as the security companies Avert Labs, Network Associates' research division, or Trend Micro.
So will we see such an attack someday? Place your bets.
Source: Ellen Messmer, Network World Fusion, October 21, 2002