From comp.risks, the Warhol Worm (Worstcase scenario)
Fri, 10 Aug 2001 23:46:32 -0700
Wow, interesting stuff.
Although the strict pseudo-random ordering of addresses,
plus detection of already-probed-ranges, is nifty, I
suspect a consistent-hashing based division of labor
would be nearly as effective. It might even be better,
in certain situations, such as where a machine's
infectability is subject to volatility -- dynamic
IP assignment, contemporaneous software changes,
the presence of certain active defenses.
The assumption that the worm can reliably detect a
previously-infected host suggests to me both a
communication-method and potential automated defense.
Rather than simply answering, "I'm infected", an
infected machine could tell the probe the ranges
of addresses it already knows to have been probed.
Each "collision" thus results in a sharing of
The converse is that nodes could lie about being
infected, and/or about the ranges already probed,
to slow the propagation. I think this "immunity"
could be achieved in a general fashion, without
specific human analysis of the specific worm.
For example, seed the net with a small number of
specially-configured "honeypot" machines with
either known vulnerabilities or common
configurations which might have yet-unknown
vulnerabilities. Watch the inbound traffic;
watch for fresh bursts of outbound traffic.
Direct this outbound traffic to more test machines,
rather than real addresses. (Perhaps even loop
it back to the infected machine itself.) See which
probes should be ignored -- or answered in specific
ways -- to change the infected machine's behavior
or spare new hosts from being infected. Perhaps
even force-evolve a vaccine -- a weakened version
of the infection probe that conveys immunity
without virulence -- by running randomly jittered
versions of the attack against test machines and
observing the results. Once discovered, any immunities
can be shared with a network of friendly hosts as
quickly as the worm itself is propagating.
It would only take a few such active-defense
machines -- wired up to many random target IP
addresses to catch and characterize naive "Warhols"
quickly. I could even imagine a cooperative
"militia" like approach -- where everyone forwards
1 out of X of their IP addresses at random to
the community honeypot/sentinels.
These scenarios really evoke Vinge for me -- not
just the idea of a network "blight" and awakening
"countermeasures", but also the similarity to
"things just seem to wake up" rapid-posthumanity
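As an added illustration (not from the post above) of the "watch for fresh bursts of outbound traffic" step a sentinel would run on itself: a small Python detector over constructed flow records. Addresses, timestamps, window and threshold are assumptions; it flags a source that reaches an unusual number of distinct new destinations within a short window, the signature of a host that has just started scanning.

```python
from collections import defaultdict, deque

# Constructed flow records (ts_seconds, src, dst, dport), not real traffic.
# 10.0.0.5 behaves normally; 10.0.0.77 (a sentinel host) suddenly fans out
# to many fresh destinations on one port, as a freshly infected host would.
FLOWS = [
    (0, "10.0.0.5", "10.0.1.20", 80),
    (1, "10.0.0.5", "10.0.1.21", 80),
    (2, "10.0.0.5", "10.0.1.20", 443),
    (5, "10.0.0.5", "10.0.1.22", 80),
    (20, "10.0.0.5", "10.0.1.21", 443),
    (25, "10.0.0.5", "10.0.1.23", 80),
] + [(30 + i, "10.0.0.77", f"10.0.3.{i}", 80) for i in range(12)]


def detect_outbound_bursts(flows, window=10, threshold=8):
    """Return {src: ts} giving, for each source that contacted more than
    `threshold` distinct destinations within any `window`-second span,
    the timestamp at which it first crossed the threshold."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ts, src, dst, _dport in sorted(flows):
        q = recent[src]
        # Drop contacts that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Only distinct destinations count: repeated talks to a known peer
        # are normal traffic, a spray of new ones is not.
        if any(d == dst for _, d in q):
            continue
        q.append((ts, dst))
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_outbound_bursts(FLOWS).items():
        print(f"outbound burst from {src} starting at t={ts}s")
```

A real sentinel would feed the flagged source's further outbound traffic to test machines rather than real addresses, as the post proposes; this block only does the noticing.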