how-to block ads
|
gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY
| reply to catseyenu
Re: Nachi the new champion bad boy
This is an Excellent report. Although I suspect the estimates of numbers infected at 2% is way too conservative. here in the US, I suspect initially, at the onset of the outbreak, 10% would have been a conservative estimate.
By my own observations with another American ISP, I suspect they had 10's of THOUSANDS of infected users. (MILLIONS nationwide...!)
I understand they have given up on notifiying infected users, and have been actively shutting down infected workstations for some time now. But with 10's of thousands of infected users, and only so many hours a day, and only so many bodies available to actively search for infected users.....and lets not forget, newly infected users come on line every day....well......it's an uphill battle.
It's a shame it had to come to that though....truly.
But your explanation of the IP Scanning algorythm, and the SCAN effect on local bandwidth clearly demonstrates how devastating just a COUPLE infected machines can be on a whole community.
Nachi EATS bandwidth....massively.
I am linking to this article from a couple other forums.
--
Join the NAVY, see the world....It's mostly water! | |
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| 2% is my very conservative estimate and I would agree with you in that its likely much more.
ISPs are not setup for doing user notifications of this magnitude and I doubt they ever could, as the cost would certainly be prohibitive, as their user base would certainly balk at the increased user fees. Most ISPs have been reducing staff and to track down and notify users of infected systems is a labour intensive process, especially if you try to help people fix their systems. I'm sure everyone here has tried to help someone over the phone with a computer problem and found it to be a frustrating experience at best. In short ISP are not going to be able to help much when it comes to mass infections and nor can they be expected to for the price they charge. Can they filter traffic, certainly, but can you really filter ICMP traffic, what about the next attack vector, and filtering for the most part is only a delaying tactic.
When MSBlast was released, it was likely the most anticipated worm ever, as everyone had lots of advanced notice as to what vulnerability it was going to attack and even scan tools were available to located systems vulnerable to the impending attack. I conducted an internet survey and posted my results in the Security Forum »Re: Defcon5? Impact if(when) Dcom worm released? two days before we captured our first instance of the MSBlast worm »New Capture on TCP port 135 and found that despite all the warnings little was being done to reduce the threat level.
Now we hear about new threats »Hackers crack latest Windows flaw for example would seem to be an impending mass attack and the question is did we learn anything from MSBlast in that preparations will be better this time? Certainly those who are aware of such things will make preparations (or more likely will check that their normal mode of operations has already installed the required patches etc), but once again the masses will not and we will all share in the results.
I see a foot race coming in that Black hats are going to try to release their worms before Microsoft gets XP SP2 out as enabling ICF by default is certainly going to dampen the success of worm authors (virus authors on the other hand are a different story as social engineering will always be their most effective weapon and can defeat even the best network security).
Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Comhttp://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel | |
|
