From comp.risks, the Warhol Worm (Worstcase scenario)

Gordon Mohr gojomo@usa.net
Fri, 10 Aug 2001 23:46:32 -0700


Wow, interesting stuff.

Although the strict pseudo-random ordering of addresses,
plus detection of already-probed-ranges, is nifty, I 
suspect a consistent-hashing based division of labor 
would be nearly as effective. It might even be better,
in certain situations, such as where a machine's
infectability is subject to volatility -- dynamic
IP assignment, contemporaneous software changes,
the presence of certain active defenses.

The assumption that the worm can reliably detect a 
previously-infected host suggests to me both a 
communication-method and potential automated defense.

Rather than simply answering, "I'm infected", an
infected machine could tell the probe the ranges
of addresses it already knows to have been probed.
Each "collision" thus results in a sharing of 
information.

The converse is that nodes could lie about being 
infected, and/or about the ranges already probed,
to slow the propagation. I think this "immunity"
could be achieved in a general fashion, without
specific human analysis of the specific worm.

For example, seed the net with a small number of
specially-configured "honeypot" machines with
either known vulnerabilities or common 
configurations which might have yet-unknown
vulnerabilities. Watch the inbound traffic; 
watch for fresh bursts of outbound traffic.

Direct this outbound traffic to more test machines,
rather than real addresses. (Perhaps even loop
it back to the infected machine itself.) See which 
probes should be ignored -- or answered in specific 
ways -- to change the infected machine's behavior
or spare new hosts from being infected. Perhaps
even force-evolve a vaccine -- a weakened version 
of the infection probe that conveys immunity 
without virulence -- by running randomly jittered
versions of the attack against test machines and
observing the results. Once discovered, any immunities 
can be shared with a network of friendly hosts as 
quickly as the worm itself is propagating.

It would only take a few such active-defense 
machines -- wired up to many random target IP
addresses to catch and characterize naive "Warhols"
quickly. I could even imagine a cooperative 
"militia" like approach -- where everyone forwards
1 out of X of their IP addresses at random
to the community honeypot/sentinels.

These scenarios really evoke Vinge for me -- not 
just the idea of a network "blight" and awakening 
"countermeasures", but also the similarity to 
"things just seem to wake up" rapid-posthumanity
onset scenarios.

- Gordon
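
The "watch for fresh bursts of outbound traffic" check on a honeypot, sketched as an added example that is not part of the original post. The flow-record format, the thresholds and the function name `detect_outbound_bursts` are assumptions, and the sample records are constructed, using documentation address ranges.

```python
from collections import defaultdict, deque

# Constructed flow records from a hypothetical honeypot: (seconds, direction, peer, port).
# None of this is captured traffic.
FLOWS = [
    (0.0, "in", "198.51.100.7", 22),
    (3.0, "out", "192.0.2.53", 53),
    (40.0, "in", "203.0.113.9", 80),
    (41.0, "out", "192.0.2.10", 80),
    (41.2, "out", "192.0.2.11", 80),
    (41.4, "out", "192.0.2.12", 80),
    (41.6, "out", "192.0.2.13", 80),
    (41.8, "out", "192.0.2.14", 80),
    (42.0, "out", "192.0.2.15", 80),
]

def detect_outbound_bursts(flows, window=10.0, min_distinct=5):
    """Flag ports where the honeypot contacts >= min_distinct peers within `window` seconds.

    Returns one alert per port: (time, port, distinct_peers, last_inbound_peer_on_port).
    The last inbound peer on the same port is only a hint at the infection source.
    """
    recent = defaultdict(deque)   # port -> sliding window of (time, peer) outbound records
    last_inbound = {}             # port -> most recent inbound peer seen on that port
    alerted = set()               # ports already reported, to avoid repeat alerts
    alerts = []
    for t, direction, peer, port in sorted(flows):
        if direction == "in":
            last_inbound[port] = peer
            continue
        q = recent[port]
        q.append((t, peer))
        while q and t - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_distinct and port not in alerted:
            alerted.add(port)
            alerts.append((t, port, len(distinct), last_inbound.get(port)))
    return alerts

if __name__ == "__main__":
    for alert in detect_outbound_bursts(FLOWS):
        print(alert)
```

A honeypot has no legitimate reason to initiate connections, so the distinct-peer threshold can be set far lower than it could on a production host.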