Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Bug

Code Red Goes The Way Of Y2K 407

Posted by timothy from the code-blue dept.
beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?
This discussion has been archived. No new comments can be posted.

Code Red Goes The Way Of Y2K More

Code Red Goes The Way Of Y2K

Comments Filter:

  • Not Quite (Score:2, Informative)

    by espo812 ( 261758 )
    incidents.org [incidents.org] is tracking the spread. It still looks to be on its exponental path to death and destruction of the Internet (sarcasm included.) As of this post, incidents reports 22,000 infected (up from ~13500 an hour earlier.) It's too early yet to tell how this will pan out.

  • Darn, I was sorta hoping it would so I could take the day off and go fishing.

    Well, depending on where you live, and what job you do - you still have a chance! Today is personal freedom day... personalfreedomday.com [personalfreedomday.com]

  • I didn't get my daily feed of juicy documents from that Sircam newsgroup I somehow seem to have joined - maybe its because the Code Red worm has knocked out all of the poster's Exchange servers...

  • Worm Author's Restraint (Score:5, Interesting)

    by Travis Fisher ( 141842 ) on Wednesday August 01, 2001 @02:51PM (#3627)
    Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP addresss for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis [eeye.com]? Or the CAIDA [caida.org] or Staniford [silicondefense.com] stastical studies of the worm's spread? Some facts:
    • The first version of the worm appeared on July 13 or so.
      • It had an unseeded random number generator, so the IP's it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
      • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
      • It contained code to deface web pages served making its presence very visable well before the bombing attack was scheduled to take place
      • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
      • It contained code to deactivate its spread after the "attack phase" began
    • On July 19, a second version was introduced.
      • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
      • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
      • This version infected over 359,000 hosts in under 14 hours.
    (*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

    The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com [slashdot.org], there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.

  • ...the Code REd worm, the poster of this story would know that there was no threat of it bringing the net to a standstill today. The real killer day will be on the 20th of this month, when the worm goes from infection mode to DDoS mode. And with 18 MORE days of infection than the one last month (with 300000+ servers compromised) had, I think it is generally assured that the net will slow it's ass down. If the DDoS attack is pointed at a valid target this time...
  • The reasons the media likes to hype Code Red and not Sicrcam are:
    1. The Name: "Code Red" sounds menacing, while "Sircam" sounds like a new pop star.
    2. The Target: Sircam has no target (other than the poor schmuck who's machine is infected). Code Red attacks a target that you can send a reporter out to (yes, the web servers for the White House aren't at the White house, but that doesn't matter).

    Remember, the media wants stories to be as dirt stupid simple as possible: They don't want "Boy finds girl, boy loses girl, boy finds girl again", they want "boy finds girl". "Code Red Worm ATTACKS WHITEHOUSE" is an attention getting headline. "Sircam forwards private documents" isn't.

    So remember 5|<r!P7|<!dd!3Z, if you want your worm to be successful, attack a high-profile target, and make sure your worm gets a menacing name.
  • For the plot at incidents.org, the last four hourly reports show a pretty clean geometric growth, with the hourly multiplier varying only between 1.63x and 1.68x (it was a bit higher for the earlier reports).

    I wouldn't go so far as to predict a continuation, but the numbers are still kind of fun. A 1.6x per hour for 24 hours would give 79,228x. With a basis of 22,001 reporting right now, that would give 1.74 million infections at this time tomorrow.

    Surely this one will saturate its niche long before then, if only because of all the repairs that were made a couple of weeks ago. But it gives a hint about what's going to happen when The Big One (tm) comes along.

    And the viruses seem to be getting smarter lately. I would guess that TBO will come along by the end of the year, or surely no later than the middle of next year.

    Get to work on those disaster recovery plans, folks.

    • Finally got Incidents.org to respond, they posted new data (looks like the hours shifted though):
      • 11AM - 22,001
      • 12PM - 32,502
      • 1PM - 41,968

      SO not as explosive as expected BUT, we're already at just about 80,000 infected hosts already and its only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same

      • I find it interesting that I've been scanned once already on my home dialup. As I'm paying UK connection charges and I'm rather broke at present (see .sig) I tend to go online for short periods, collect/send mail and grab a ton of pages for offline reading. (I'm even writing this offline in emacs.) If I'm getting hit during those very narrow windows of opportunity, it implies there's a rather large number of scans taking place.

        OTOH, when Incidents [incidents.org] isn't Slashdotted, it looks like the curve is flattening out at around 25% of the total infected last time - about 60,000 +/- 5000 is my guess. The question is, is that enough infected hosts to cause enough ARP floods to impact global connectivity. So far connectivity has been patchy for me - jobserve was down all afternoon, a couple of other sites were patchy, everything else was OK. Same as normal, in other words.

      • OK - I'm confused. Incidents.org is finally recovering from teh /.ing it got this morning. The data on top tracking by hour now says there were 48,489 infected hosts from 1-2 EDT (up from 41,968 the hour before) But the 'Total Infections Today' in teh tabel below says 99,716. So what gives. If the upper table is showing how many infections happened in a given hour (ie the total isn't 48K, but 48K NEW infections happened), it still doesn't add up. Adding all the hourly totals gives you 177,591 infected hosts, not 99,716. It doesn't make sense....

  • Oh, but the price! (Score:2, Insightful)

    by haapi ( 16700 )
    I kind of have to quibble about the 1.2 Billion dollar "price-tag" attributed to Code Red. Any money spent patching software is money that was required to be spent ANYWAY. If your server maintenance is out-sourced, it is that company's responsibility to patch 'em, and then bill you for it, and you pay it because that is what it takes to put a server on the Internet. 'Nuff said.
  • When I woke up today my DSL connection wasn't working. My first reaction was to think of what could possibly have happened to cause it to go down and after about a few seconds I thought "oh crap, Code Red did succeed in grinding the internet to a halt." I was about to be very angry at Microsoft for ruining the net for those of us who don't even use IIS until I tried my dial-up connection and it worked fine. So it was just a local DSL issue (which is fixed now - thankfully, as I was beginning to go through withdrawal).
    • Was it a Cisco 67x? Qwest DSL perhaps?

      If so, telnet to it, enter password, enable, enter password, then:
      set web disable
      write
      reboot

      Best to update to CBOS 2.4.1.

      BTW, I've been hit 51 times today (one machine covering 16 IP addresses). No effect, of course, but it is funny to see in the logs. Almost 400 hits in one day last month.

  • Misunderstanding of the behavior of the worm... (Score:5, Informative)

    by igjeff ( 15314 ) on Wednesday August 01, 2001 @11:30AM (#7733)
    The trick is that so many of the so-called experts mis-understood the nature of the worm.

    Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

    What is is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...to recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

    So Cringley was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.

    Jeff
  • It seems to be growing at about 70% an hour, but it is slowly leveling off. Anyone care to do the Calculus and plot the curve?

    I'm going to put the number of infections at 6 - 8 PM a 250,000 - 450,000 hosts just by running some rough numbers in my head and taking into account whether or not pathces where applied. Thats a lot ...
    -----
    • You can't accurately predict the curve if you don't know the size of the vulnerable population. It will tail off at some point, I expect quite a bit lower than the 359,000 infected hosts previously. If we're starting a pool, sign me up for 178,901 infected hosts.
  • After a few weeks with none, I'm starting to see an increasing number of attempts on my HTTP port. I believe this is the port Code Red goes after on unpatched MS IIS boxes

    date,time,source,transport
    2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
    2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
    2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
    2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
    2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
    2001/08/01,11:56:41 EDT,210.119.9.196:4754,80,TCP (flags:S)
    2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
    2001/08/01,12:29:15 EDT,61.144.181.223:1319,80,TCP (flags:S)

    I admit that's it's not exactly Internet-stopping volume, but if everyone is getting this, that's bound to be a lot of traffic. And note that if I was running an unpatched IIS, I'd be Code Red's bitch by now. (Or somebody's bitch if my ports 111, 139, 515, 31337, etc were open to exploits.)
  • For me it actually felt the opposite of y2k.. With y2k all the media was "it's the end of the wold!! we were right, those damn computers are evil!!!", and I was "no big deal, just add some bytes".

    With red code, I was 'microsoft is going down!! yeah!', but I didn't see much 'media inpact' (who won the 'predict the headlines' contest).

    Nothing happened, but this time I was dissapointed. ;)

  • Code Red gone? Errhm, not really. I got 4 hits on my webserver at home this afternoon, 2 and a school I help administrating, 1 at another school, 3 at our Linux club's computers, and 2 more at another computer of the club. Whereas we didn't get any hits on any of these sites the first time around (mid July). It's alive, and kicking! Rumors are also that www.java.sun.com's outage today might have been due to Code Red, but don't ask me how. Sun hopefully isn't running IIS, or are they? Or maybe it just knocked out one of their Cisco routers...

  • The reason is simple. Everyone wants to get potentially damning documents from anyone. If the internet grinds to a halt then you would't be able to get that information from SirCam.

    --
    .sig seperator
    --
  • incidents.org will soon be reporting how quickly they were personally attacked by the SlashDot worm (in a nice pretty 3d line graph). That's something I would like to see.
  • It only takes ONE infected system to kick it all off!

    It has most DEFINITELY kicked off again - logs on my primary server indicate at least one hundred hits from this bug.

    Already, that's almost as many as last time, and there are 18 more days of this.

    For me, it's almost like watching a violent, firey thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

    Kinda sick, isn't it?

  • But my connection SUCKS today.

    I was thinking it was related to the worm.

    But remember, the last time it struck, it grew exponentially for 7 days until it really hit its stride.
    • I also had an incredibly slow ping time and loss rate to yahoo.com about 9.00 BST (8.00 GMT, 3.00 EST) today - 380 ms pings, and 60% loss rates. Normally I get 180ms pings to yahoo.com and almost no packet loss, so something was definitely happening. Local UK sites were OK, and it wasn't my provider according to a traceroute (I have an ADSL line).

      So maybe something did happen - however, the various survey sites report that nothing really major happened, so this was probably just a coincidence (maybe too many people hitting yahoo.com at the same to see if it was still up?)...
    • I dunno about you, but my connection ALWAYS sucks. American Residential Internet: when it goes down, there is almost never a logical explanation. (i.e. a train crashed in baltimore and melted a fiberoptic cable, bringing down my internet 200 miles away)
      • It looks (from the Incidents graph, at about 2035 UTC Wednesday) like it'll top out at about 60,000 known infected hosts;
      • If nothing happens, it could just mean (as with Y2K) that the hype was justified, because everything got fixed, which is why nothing happened;
      • To the people saying "yeah, MAE-east is screwed" etc - look at the average response time charts [internettr...report.com] Nothing very dramatic there...
      • Er, we were all right about this. Even the trolls ;)

  • A solution to the problem? (Score:3, Interesting)

    by pongo000 ( 97357 ) on Wednesday August 01, 2001 @11:31AM (#19977)
    For years, virii in the medical industry have been associated with people or places. So, the poor town of Coxsackie, NY has its place in history as the origin of the Coxsackie (hand-and-foot) virus. Drs. Epstein and Barr will forever be associated with the virulent virus that bears their name. Why not name computer viruses/worms/self-propagators after the systems for which they are targeted?

    We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.

  • Just so we can all prepare for the next time this happens, what's the proper way to pronounce "IIS"?
    ( ) "aye-aye-ess"
    ( ) "two-ess"
    ( ) "aye-ayes"
    ( ) "aye-iz"

    (Of course I don't know how to say it! I run Apache/Linux and Apache/Mac OS X.)
  • On two local news channels last night they gave the helpful tip of "If your system seems slow and infected, just reboot and it'll be fixed, but you can download this patch if you really feel like it..." ... Argh, is it that much to ask for the news channels to get it right for once? We don't need to keep this up every month.

  • It's obvious (Score:2, Interesting)

    by cnkeller ( 181482 )
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    Because Code Red dealt with the White House, which is a national symbol and easily recognized by all the world. Never mind the fact that the white house web site was never in any danger of being taken off-line. Joe & Billy Bob don't know no stinking eye-pee addressess are. High profile attacks get the news...not that secret memo detailing a new flavor of Tang....

  • Yep. Gone with a whimper. (Score:3, Interesting)

    by Tim Doran ( 910 ) <{timmydoran} {at} {rogers.com}> on Wednesday August 01, 2001 @11:24AM (#22047)
    I got precisely one Code Red attack on my home linux box (via cable modem). Last time around, I had upwards of 25 attacks.

    Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

    • MS NT/2000 buffer overflow vulnerabilities galore. (Score:3, Interesting)

      by Anonymous Coward
      (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

      NT/2000 are chocked full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:

      BindView Security Advisory
      --------

      Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC deamons
      Issue Date: July 30, 2001
      Contact: tsabin@razor.bindview.com

      Topic:
      Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
      Overview:
      Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.

      Affected Systems:

      At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.

      W2K SCM (services.exe)
      NT4 SCM (services.exe)
      NT4 LSA (lsass.exe)
      NT4 Endpoint mapper (Rpcss.exe)
      W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
      SQL Server 7 (sqlservr.exe)
      W2K's DHCP Server
      W2K's IIS Server (inetinfo.exe)
      Exchange 5.5 SP3 (STORE.exe)
      Exchange 5.5 SP3 (MAD.exe)
      NT4 Spooler (spoolss.exe)
      W2K License Srv (llssrv.exe)
      NT4 License Srv (llssrv.exe)

      Impact:

      An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.

      Details:

      By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.

      The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

      If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.

      Workarounds:
      Firewall off as much as possible.

      Recommendations:
      Install the appropriate patches from Microsoft.
      Do not install COM Internet Services.

      References:
      Microsoft's security bulletin:
      http://www.microsoft.com/technet/security/bulletin /MS01-041.asp

      Microsoft's patches:
      The patches vary, depending upon the service.
      See the security bulletin for details.

      Microsoft's Knowledge Base article:
      http://support.microsoft.com/support/kb/articles/Q 298/0/12.ASP

    • Well, I'm monitoring the firewall logs for a class C subnet right now, and I'm seeing a hit every two minutes on average. It's not as bad as the 19th of last month, but it's been building steadily throughout the day. I got no hits between 00:00 and 09:00 BST, but they started shortly after that and have been escalating slowly.

      I'm hoping this is the peak right now, as the last wave ate up a third of the incoming bandwidth on my company's Internet pipe at its height.

    • Buffer overflow's happen more to people who program in certain styles. If you have a methodology of good design, limited privilages, and isolation between unrelated modules, then you are not going have a problem with buffer overflows. On the other hand, if you have a methodology of hot programming (ie without design), then testing to detect the bugs, then you are going to be suspectible to this sort of bug.

  • It's only just started! (Score:4, Insightful)

    by Dr_Cheeks ( 110261 ) on Wednesday August 01, 2001 @11:24AM (#22048) Homepage Journal
    Code Red propagates itself throughout the month until somewhere near the end (19th, IIRC) when it starts to attack whitehouse.gov.

    Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.

    That is, of course, assuming that Gibson was right yesterday when he said it will still be active....

    And don't start hyping sircam - I'm enjoying reading private documents ; )

    • No, let it blow! (Score:3, Interesting)

      by twitter ( 104583 )
      Hush! Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are. Of course, even if this is fought tooth and nail, it will still show up how inferior a closed source, NDA distribution model really is. Leave MS to worn their people.

      Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Mellisa did. Educate your users and continue upgrading to W2K. Sleep, now.

      • Re:No, let it blow! (Score:2, Insightful)

        by Zico ( 14255 )

        The patch was available for a month before Red Code struck, so how does this show how irresponsible Microsoft is compared to worms that have hit other operating systems? Why has Linux been struck with worms of its own? Does that mean a "closed source, NDA distribution model" is superior, then? Besides, just like with desktops, most web servers on the internet run Windows, so it's not too surprising that more of them get attacked, especially since not only are there more, they're usually used for more important data/applications, especially when it comes to e-commerce.

        • Until upgrading and patching is as easy as:

          1. Editing a textfile /etc/apt/sources.list
          2. apt-get update
          3. apt-get upgrade
          and free software is retrieved from any of hundreds of mirror sites around the world, closed source distribution will continue to be second or third rate.

          A pay for each copy in a box approach to distribution just sucks rocks.

          A subscription to closed source junk is almost as bad. It can't be updated as quickly and well, it costs money. Do I really want to pay for my telnet client every month? If you buy microsoft OS, you have bought the same telnet client two or three times in the last four years. Same old bugs, same old look, same limits, yawn.

          MS has got a record of inconvenient and extortionate distribution. Their dedication to the pay per each copy on each machine model and "aggresive" competitive measures to break other people's software has left them with nasty co mingled code that sysadmins are rightly hesitant to patch, ever. They have consistently denied any failings by blaming user and sysadmin ignorance and lazyness. People, not just crackers, have noticed that MS stuff won't work and every piece comes at a price. In the end despite all you wrongly say, the proof is in the kaputting. As yet another virus blows over them and anoys everyone, the inferiority shines through.

  • Billions of dollars spent... (Score:4, Insightful)

    by tonywestonuk ( 261622 ) on Wednesday August 01, 2001 @11:23AM (#22511)
    And nothing happens!! - So, this means it was a waste of time/money patching up the servers then? As with Y2k, If the time/money wasn't spent sorting out the systems, things could have been as predicted.
    • They need to modify the worm to make it download the MS Security patch, install it and reboot the system. Although that could be significantly more damaging to those IIS server than the worm currently is. At least Code Red doesn't have the potential to leave your system in a non-working state. I've heard tell that a lot of those MS security patches don't get installed because they do more harm than good (I have no personal experience with that though; no "you're bashing windows" flames, please. I'm not.)
    • this means it was a waste of time/money patching up the servers then?

      I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.
      • Ummm, did you not realize that your comment's parent was a parody [or worse, probably stunnigly like] the reaction of most PHB's?

      • I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

        Even then, one thing this worm has done a good job of highlighting is that it's not just a waste of your resources if you don't patch your servers. I'm seeing a lot of my bandwidth being eaten up because other people are too lazy/incompetent/ignorant to administer their systems properly.

        Sorry. Rant over. I feel calmer now

  • Another near disaster passes us by and I have to say that I'm more than a little dissapointed.

    I got all revved up in late '99, waiting for the death cults and survivalists to do their thing. But everyone was remarkably quiet about it all.

    Y2K = all hype and no looting. California Power Crisis = same. Code Red = Same. I promised myself I wasn't going to get excited this time. But with all the coverage, I got suckered into it again.

    What am I going to do with my Honda generator that I bought in '99, sold in 2000 and bought back again two weeks ago?

    Here are some links to stories about similar dissapointments:

    Foretold Apocalypse Refuses To Occur [ridiculopathy.com]

    Survivalist Emerges From Y2K Bunker, Says "Oh, Crap" [ridiculopathy.com]

  • ... because reporters usually protect their sources. And witht the wealth of confidential documents that they're getting from Sircam, they're not going to rat on it, won't they?

  • Sad but true (Score:2, Funny)

    by Mdog ( 25508 )
    I'm sure I'm not telling anybody here anything new, but the reason code red is getting more attention is because:
    • The name is cooler
    • Snowball effect


    I don't know about the rest of you, but I'm rooting for the virus.

  • The best take on this I've seen today is over at User Friendly [userfriendly.org].

  • Look, it's not going to destroy the internet. It's not going to be a tempest in a teacup either. incidents.org [incidents.org] reports 22,000 infections at this point. I've recorded 4 hits so far this morning (though I got nearly 30 the last time around).

    For the media to go nuts, it took press conferences and press releases from the FBI and Microsoft. Those big organizations aren't making the same noise about Sircam (or Sklyarov, or...).
  • Incidents.org is major hosed (ie slashdotted)

    Dshield.org [dshield.org] has some stats going too. Looks like 23,400 infections as of around 10AM EDT....

  • Hey!
    That's a show I'd like to see!
  • All of these infected hosts ramping up with attacks on other servers and sending gratuitously inefficient traffic takes up a lot of bandwidth... but not compared to the bandwidth the 'net has these days. 200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles.

    Having those hosts sending packets that break routers and printers is more of an issue, but those have generally been fixed last month, because they couldn't very well just have been left off until the thing went dormant.

    The internet's infrastructure has grown significantly in capacity (although not necessarily in smart physical placement) since it was easy to DOS the whole thing with a worm (or with the start of the school year, for that matter), and it's happened in response to actual use of the bandwidth. All of the clients generating web requests easily overcome the traffic all of the servers running IIS could possibly generate, not to mention the traffic that goes over any large, bulldozer-accessible cable.
    • 200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles

      Well, perhaps, but remember, this beast has 100 threads going at once trying to infect machines. And you count is a bit low - the counts I've seen, and disclaimed as LOW - were 360K infected hosts. That's 3.6 MILLION processes choosing random IPs anywhere in teh world and sending a couple hundred bytes. Thats a WHOLE lotta connections. SO it can have an impact.

  • My apache logs show for today already more code red attempted attacks than for all the last month together. What about someone finally posting how to edit the apache config files to just discard and mainly do not LOG these attacks. Since if it will really grow out of proportion, it will trash a lot of partitions on disk of many unix servers...

  • No one is talking about SirCam (Score:5, Funny)

    by wiredog ( 43288 ) on Wednesday August 01, 2001 @11:23AM (#27563) Journal
    Because we, and the press, like getting all those juicy documents from Senator X, Company Y, and Miss (or Mr) Hot Pants in Marketing at BigCorp Intl. If we started raising hell about SirCam, the flow would dry up and we'd have to go back to work.

  • More graphs (Score:4, Informative)

    by Mike Hicks ( 244 ) <hick0088@tc.umn.edu> on Wednesday August 01, 2001 @02:53PM (#27892) Homepage Journal
    For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale [caida.org]] [logarithmic scale [caida.org]]

  • But what about the media? (Score:5, Insightful)

    by Aerog ( 324274 ) on Wednesday August 01, 2001 @11:28AM (#29298) Homepage
    The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers. The news story I heard made no mention of the systems affected, simply summarizing it as "Webservers everywhere". No, this isn't intended to be Microsoft-bashing, but what would have been the situation had it gone off and the world realized that only a certain server configuration was affected? Would that have been glossed over in the same way that the vulnerablilty was?

    It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trupmeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?

    • only affects MS IIS servers

      Not only that, but only those IIS servers that haven't been patched. I don't know of anyone running IIS who doesn't at least get the Microsoft Security Bulletins. If there is a patch available for anything you'll hear about it on the mailing list. I didn't really worry about this one at all.

      I have to wonder though - with both Code Red and Sircam, as well as a number of other virii - the damage inflicted by these programs was much less than it could have been. Its as if the virus writer wanted to grab lots of attention(I'm sure having the national media talk about your creation is very gratifying to these people) rather than inflict as much damage as possible.

    • Granted, I haven't been following this too closely, but didn't it also spell doom for certain flavors of Cisco routers? Although, I suppose those in charge of the routers tended to be better equipped to deal with problems than those merely running IIS by default.

      • This isn't true. The routers it affects are largely the routers for people's home DSL installations. Having those routers crash isn't a huge deal for the Internet as a whole, but most home users aren't equipped to deal with the problem.

        • For the record, Code Red doesn't actually infect the routers, but does trigger a known crashing bug in the IOS web server that was discovered a few months ago. So it will stop an un-upgraded router dead in its tracks.

          I've been hit seven times so far according to my Apache access logs, and a possible three other times on another machine with no web server, but a logging firewall block on port 80.

          At least two of the hits are from an @home and a DSL customer. Perhaps by crashing the un-upgraded Cisco DSL routers they're actually doing a service by preventing DS-Lusers' home machines from being able to spread the worm. Not to mention blocking all the skript-k1dd13 IRC DD0S w4r3z that are already running on said lusers' machines.

          An interesting anecdote is two weeks ago when I called my ISP, their phone answered with a message about Code Red, and then I overheard a tech support guy in another cubicle at the ISP telling someone to power-cycle their router.

    • Affects more than just IIS servers (Score:5, Insightful)

      by CausticPuppy ( 82139 ) on Wednesday August 01, 2001 @12:02PM (#33913)
      How about this (admittedly cheesy) analogy...
      Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
      Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.

  • Code Red...unneeded hype..... (Score:3, Insightful)

    by Chanc_Gorkon ( 94133 ) <<moc.liamg> <ta> <nokrog>> on Wednesday August 01, 2001 @12:38PM (#32261)
    Yeah the problem could have been serious if we all had our heads buried in the ground, but most of us, even the dumb ones have heard about this. In my town they even talked about it on Talk Radio. While I agree that there was some need for a warning/alert, I feel, because of the nature of the virus, there was TOO much hype.

    Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may loose their life because they ignore the warning. They don't want to risk not issuing a warning, but if there's a possible severe storm heading our way, they want to make sure it's severe before issuing the warning (hence weather spotters, advancing NEXRAD and other things of this sort). If they just issued a warning for every cell that has a possiblity of being severe, then the poeple may dismiss a valid warning.

    Why does this compare to the Code Red thing? If you hype the virus too much, if the attack is benign or doesn't happen, then when a real bad virus hits and spreads across the net, the people will ignore it and open the stupid attachment or not patch the computer. The media needs to start being responsible and until the media becomes less liberal and less concerned about getting ratings, we will have to live with over hypeness such as Y2K and the Code Red. And when the big one comes, because the media cried wolf so many times, the un-thinking populus will suffer. Also, there were people worrying about their PeeCee's at home when this thing has no danger to the common schlub running Windows 98 or ME. The worst that can happen to them is they have no access or slow access to the internet. The common schlub cares more about the price of gas on the corner then if his internet connection works. (I on the other hand would be freakin! ;) )

    • Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may loose their life because they ignore the warning.

      My father works for the National Weather Service, and this is exactly the reason they have so many checks they have to go through before they issue a warning or a watch. (Not that it takes long to get through them, but they do check themselves on it very well.)

      I suppose the big difference is that when people don't listen to the NWS they tend to die. (I still remember when my dad came home just devastated when some people in a national park were drowned in a flash flood that he put out a watch for.) Still, you're absolutely right.

      The problem is that there's no central authority that most people know of to go to for this sort of accurate information. There's nobody competing with the NWS on the weather. The news states the information they get from the NWS exactly as it comes (with some embellishment to add entertainment value). If those media people could quote and point to actual security experts (not just the loudest), we'd be much better off.

  • When are virus/worm writers going to get serious? (Score:3, Insightful)

    by Colin Smith ( 2679 ) on Wednesday August 01, 2001 @12:55PM (#33049)
    I mean, these DOS attacks are not really all that damaging. If you want to cause some damage then you alter a few words in word files and web pages, change a few numbers in spreadsheets and databases every few days.

    Data *corruption* is far more damaging than blitzing a server or formatting a hard disk. It's where the real danger lies.

    You DOS a server, they move it to a different address. You format a hard disk, they restore from last nights backup but if you modify a couple of files here or there and If you reset the modification date then they won't even notice until all the backups are corrupt as well.

    They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

    So, I'm not worried about files being deleted or servers being DOSd. I have backups, I can move servers, it's a minor inconvenienience at worst.

    I'm worried about trojans/worms which search boxes and *change* information.

    • I'm with you here, but I think its the ego thing - they want the publicity - a worm like you describe wouldn't generate the instant news coverage they crave - a worm liek you describe wouldn't because half the admins would think it was data corruption, not a worm - it would generate news on /., etc but not the national news media.

      DDos attacks get the buzz and thats what they crave. But I have to agree - when worm writers get really serious, it'll make Code Red look like childs play.

Slashdot Top Deals

Work is the crab grass in the lawn of life. -- Schulz

Close