February 03, 2003
Sapphire worm post-mortem
CAIDA has released a preliminary report on the Sapphire worm event of Jan 24. There will be plenty more discussion about this, and I'm sure the cracker community will be quick to remind us how easy it is to cause these problems.
Some very concerning observations about Sapphire:
- This worm was widely predicted in presentations and papers such as "How to 0wn the Internet in Your Spare Time". The vulnerability was there; it was only a short time before someone tried it out.
- Sapphire is a quantum leap (2 orders of magnitude faster) from Code Red, in less than 18 months (Code Red happened Aug 1, 2001).
- The worm took only 3 minutes to reach its peak scanning rate, and only 30 minutes to infect 75,000 machines world-wide. The majority (90%) of machines were compromised in the first 10 minutes.
- In the first minute, the number of compromised machines doubled every 8.5 seconds (by comparison, Code Red doubled every 37 minutes).
- The worm affected banking systems, airlines, government institutions. And that was late on a Friday night (at least in the US). Imagine what a 30-minute melt-down followed by 4-8-hour recovery would have done on a weekday.
- Sapphire was its own undoing. It scanned so aggressively that after 30 minutes it completely overwhelmed the networks connecting compromised machines to the rest of the world. It could have reached Code Red numbers in only a few more minutes had that not been the case.
The ominous conclusion sets out our tasks as IT professionals:
Formerly, small populations (<20,000 machines or less on the Internet) were not viewed as particularly vulnerable to worms, as the probability of finding a susceptible machine in any given scan is quite low. However, a worm which can infect a population of 75,000 hosts in 10 minutes can similarly infect a population of 20,000 hosts in under an hour. Thus, exploits for less popular software present a viable breeding ground for new worms.
Since high-speed worms are no longer simply a theoretical threat, worm defenses need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed. Human-mediated filtering provides no benefit for actually limiting the number of infected machines. While the filtering may mitigate the overhead of the worm's continuing scan traffic, a more sophisticated worm might have stopped scanning once the entire susceptible population was infected, leaving itself dormant on over 75,000 machines to do harm at some future point. Had the worm's propagation lasted only 10 minutes, it would likely take hours or days of effort simply to identify the attack, and many compromised machines could never be identified.
The work to go from Code Red to Sapphire was significant. The effort required to modify Sapphire to be more damaging to the network and to vulnerable machines is incremental and in most cases trivial.
Network and IT infrastructure is so vulnerable right now that I think it unlikely any significant changes to protect it can happen fast enough. Many of the changes require rethinking and redesigning products, software, and social systems. Taking advantage of the situation is simply too appealing and too trivial for it not to happen. I think we will get to know flash worms really well in the coming months.
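To make the figures above concrete, here is an added example (mine, not code from the post or the CAIDA report) that fits the standard logistic model of a uniformly random-scanning worm to the numbers quoted: infections doubling every 8.5 seconds in a 75,000-host population, and the same per-host scan rate turned against a 20,000-host population, which is the CAIDA claim about small populations. It assumes uniform scanning of the full 2^32 IPv4 space and unlimited bandwidth, so it runs ahead of the observed 10 minutes once the real worm saturated its links.

```python
# Added example (not from the post or the CAIDA report): logistic model of a
# uniformly random-scanning worm, fitted to the figures quoted in the post.
# Assumptions: uniform scanning over the 2^32 IPv4 space, a fixed per-host
# scan rate, and no bandwidth saturation.
import math

IPV4_SPACE = 2 ** 32


def contact_rate_from_doubling(doubling_s: float) -> float:
    """Growth constant K (1/s) for an early-phase doubling time of doubling_s."""
    return math.log(2) / doubling_s


def per_host_scan_rate(k: float, population: int) -> float:
    """Scans/s per infected host implied by K = r * N / 2^32."""
    return k * IPV4_SPACE / population


def contact_rate(scan_rate: float, population: int) -> float:
    """K for a per-host scan rate r against a susceptible population N."""
    return scan_rate * population / IPV4_SPACE


def time_to_fraction(k: float, population: int, target: float,
                     initial_hosts: int = 1) -> float:
    """Seconds for the infected fraction to rise from initial_hosts/N to
    target, from the closed-form solution of da/dt = K * a * (1 - a)."""
    a0 = initial_hosts / population
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k


def sapphire_vs_code_red_speedup() -> float:
    """Ratio of growth constants: 8.5 s doubling versus 37 min doubling."""
    return contact_rate_from_doubling(8.5) / contact_rate_from_doubling(37 * 60)


def time_for_population(population: int, target: float = 0.9) -> float:
    """Seconds to reach `target` infection of `population` hosts, using the
    per-host scan rate fitted to the 8.5 s doubling seen with 75,000 hosts."""
    k_fit = contact_rate_from_doubling(8.5)
    rate = per_host_scan_rate(k_fit, 75_000)
    return time_to_fraction(contact_rate(rate, population), population, target)


if __name__ == "__main__":
    print(f"Sapphire/Code Red growth ratio: {sapphire_vs_code_red_speedup():.0f}x")
    for n in (75_000, 20_000):
        print(f"{n:>6} hosts -> 90% infected in {time_for_population(n) / 60:.1f} min")
```

For 75,000 hosts the model reaches 90% in under 3 minutes, matching the 3 minutes to peak scanning rate above, with the observed 10 minutes explained by the saturated links the post mentions. For 20,000 hosts at the same scan rate it still finishes in roughly 9 minutes, well inside the hour CAIDA allows, which is the point about small populations no longer being safe.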
Posted by pete at February 3, 2003 05:02 PM