Jose Nazario discusses worms
At the risk of looking like I'm just tooting my own horn, I'll make mention of a recent interview I had about the worm problem. In a recent SecurityFocus interview, I spoke at length about the worm problem. The interview focused mostly on counterworms, a subject which comes up here from time to time. Here's an excerpt:

It's tempting to think about fighting fire with fire when a worm hits -- launching a counterworm to stop the worm. The most natural thing to do is to deliver a counterworm with a payload that contains the patch for the security vulnerability exploited by the worm, which would prevent its spread.

Source: Jose Nazario discusses worms, an interview by Federico Biancuzzi, posted on 2005-08-16 at SecurityFocus.

However, remember the following things. Even if you knew instantly what vulnerabilities the worm was exploiting and how to prevent its use of that hole, how would you prepare a worm with the patch payload in time to launch it in a meaningful time period? How would you outpace the worm (in about 6 hours, Blaster had reached its peak propagation speed; SQLSlammer reached that speed in a matter of a few minutes; Witty hit that point in a matter of minutes, too)?
August 23, 2005 in counterworms, editorial, media
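
The timing argument in the excerpt can be made concrete with a small epidemic model. The following Python sketch is an added example, not part of the original post or interview; the population size, the spread rates and the single-host starting points are constructed assumptions, and the counterworm is assumed unable to reach hosts the worm already holds.

```python
def worm_share(delay_h, n=100_000, beta=3.0, beta_c=3.0, hours=24.0, dt=0.001):
    """Fraction of n vulnerable hosts the worm holds after `hours`.

    Constructed SI model, not measured data: each infected host compromises
    susceptible hosts at rate beta per hour, each counterworm host patches
    them at rate beta_c. The counterworm starts from one host at delay_h and
    cannot reclaim hosts the worm already holds.
    """
    s, i, p = n - 1.0, 1.0, 0.0            # susceptible, infected, patched
    launch_step = round(delay_h / dt)
    for step in range(round(hours / dt)):
        if step == launch_step:
            seed = min(1.0, s)              # nothing left to seed once s hits 0
            s, p = s - seed, p + seed
        new_i = beta * i * s / n * dt       # worm and counterworm race for
        new_p = beta_c * p * s / n * dt     # the same shrinking pool s
        s -= new_i + new_p
        i += new_i
        p += new_p
    return i / n


if __name__ == "__main__":
    for delay in (0.0, 0.5, 1.0, 2.0, 6.0):
        share = worm_share(delay)
        print(f"counterworm released after {delay:>4} h -> worm holds {share:6.1%}")
```

With equal spread rates, the ratio of infected to patched hosts is fixed at the moment the counterworm is released, so in this model a one-hour delay already leaves the worm with about 95% of the hosts.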
Comments
Not only that, but any worm infecting a single-threaded server (e.g., Slammer, Blaster, etc.) will lock the server unless it forks off, effectively immunizing against counterattack on the same vulnerability without any explicit action at all.
Oh, Witty took 45 minutes, but it did hitlist. However, since the bulk of the hitlist (perhaps all) was targeted at a single site, the hitlist wouldn't have affected propagation time by much.
Posted by: Nicholas Weaver | Aug 23, 2005 12:50:18 PM