North American Network Operators Group


Re: Hard data on network impact of the "Code Red" worm?

  • From: k claffy
  • Date: Mon Jul 30 15:39:26 2001

In-Reply-To: <20010730111612.2308.cpmta@c011.sfo.cp.net>; from sean@donelan.com
on Mon, Jul 30, 2001 at 04:16:12AM -0700

    As several government agencies gear up today to get additional funding,
    what hard data about the impact of the Code Red worm on the Internet
    exists?  CAIDA posted some data about the speed of infection.  But I
    was looking at overall Internet performance during the time period.

actually we did see some difference in macroscopic
performance from the skitter topology data,
we're still writing that up but are a little more
concerned with tracking the patching of systems
at the moment
(any grad students free, there are a few
theses lurking in this data...)

    The worm tended to revisit the same systems over, and over again, so
    I would agree those people may have been severely affected.  But 350,000
    hosts isn't that big of a number any more.  The Morris Internet Worm
    infected an estimated 10% of the internet hosts of the day.

  What do you think had more world-wide impact on the Internet?

     1. The train accident in Baltimore
     2. The "code red" worm

am a little more concerned about the latter
since i don't think the train accident is
programmed to recur this tuesday,
and the survey i mentioned caida is doing suggests 
that the patch rate is as slow as we feared

so, 1 aug midnite GMT (tomorrow 17:00 in california),
codered goes back into 'spread' mode.
within a few hours, we'll have 100,000-300,000
globally infected machines again.
and presumably they won't stop at the
end of the day to start phase two this time.
(remember CRv2 only had a day before it
went into phase two the first time)

the peak of infection will not hit until
after normal business hours (in the US).
note that even if you've patched, it may affect you
(printers, routers, web load balancers, dsl modems,
general 0.5-1.5 Tbps bandwidth that will be consumed, etc).

do operators have some contingency plans?
is everyone fiercely encouraging their customers to patch?
do operators have an AUP that would allow
them to filter port 80 (in this case) to
hosts that are verified to be vulnerable?
(mixed strategy since then that machine
can't download the patch...)


do you (nanog) want caida to provide a web page
of stats of patched/unpatched systems by AS?
in particular we find a LOT of unpatched
systems behind cable modem providers (home.com, rr.com)...
we don't really have time to email each AS poc individually...
but we don't want to upset the community either.

   http://worm-security-survey.caida.org/

also, we do expect that someone is writing a strain of it
that will actually do 'g.c.f.' damage, yes?

scary.
really scary.

k