As simple as possible

In 2001, after the Code Red epidemic, Nicholas Weaver wrote an extremely interesting article about rapidly spreading worms,
“Warhol Worms: The Potential for Very Fast Internet Plagues”, which later had a couple of sequels. The article in summary: if a series of optimizations is added to a worm's spreading mechanism, the worm can hit the entire vulnerable population in 15 minutes or even faster. Roughly speaking, the Internet breaks before the admin finishes his coffee. The optimizations were interesting:
- hitlist scanning (prepare a list of the first 1,000-10,000 victims in advance to avoid the initial flat stage of exponential growth)
- permutation scan (after hitting an already infected machine, skip the addresses that follow it, since they have probably already been scanned)
- partitioned scan (the parent worm hands out address ranges to its children to eliminate re-scanning completely)
- subnet scan (the obvious one: scan the local subnet first)
At the time I was very impressed by such possibilities for worm-building. I then wrote an article,
"Modular Worms", arguing that the worms of the future would have interchangeable attachments, update themselves directly over the network, and so on. My article, as usual, was rejected, and five years later, as usual, it was exactly such worms that were used to build botnets. First came
Agobot, and then they went into mass production. Even the term "open-source worm" appeared.
The real Warhol worm appeared on February 25, 2003. It was called
SQL Slammer, and it infected MS SQL Server. This worm did not use a single clever optimization. It simply spread via UDP, fitting inside a single datagram. It was easier, it was cheaper. After all, we all know that TCP has to send three packets just to start a conversation, and meanwhile it has to keep data structures in the kernel, wait for a response, set timers, and so on. A UDP worm, in contrast, could simply flood an uplink with as many datagrams as would fit. And that is a lot: 1 Mbit/s is 332 “spores” per second, each spore being 376 bytes. The worm spread globally in 10 minutes. Maybe faster, I thought, because my statistics were collected in 10-minute increments: in one file there was no worm, and in the next one it was already there. I checked the timestamps: yes, about 10 minutes. Foreign colleagues also said 10 minutes. This record has still not been broken.
Thus, the most outstanding result in the field of worms was achieved through simplicity and cheapness, and not through clever mechanisms and optimization.