Network Computing is part of the Informa Tech Division of Informa PLC


Don't Panic. Plan: Page 3 of 8



Top 5 Port Scans for March 18, 2003

Fast-spreading worms are particularly vicious. The authors of an analysis published by CAIDA, "The Spread of the Sapphire/Slammer Worm," estimate that a single instance of a worm could infect seven hosts per minute, plus or minus one minute, with the resulting infected population doubling every 8.5 seconds, plus or minus one second. Sapphire, for example, peaked in about three minutes at 55 million scans per second, eventually exhausting the available bandwidth of various networks and leveling out its scan rate. "Top Five Security Events" (below) shows the startling effect of worm activity: the number of attack events for common protocols remains relatively stable, while the attacks on Port 1434, used by Sapphire/Slammer, show the impact. Worm writers are getting better at building propagation methods, and as a result worms are picking up many of the reconnaissance techniques used by targeted attackers.
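The contrast described above, stable counts for common protocols against a sudden jump on one port, is something a defender can test for automatically. The following Python sketch is an added example, not part of the original article: it scores each port's latest daily count against that port's own history. All counts are constructed sample data (not taken from the article's charts), ports 80, 21 and 25 stand in for "common protocols", and the threshold is an assumption to tune locally.

```python
from statistics import median

# Constructed sample data: daily event counts per destination port.
# The last value in each list is the day being evaluated.
DAILY_EVENTS = {
    80:   [5100, 4950, 5230, 5010, 5180, 4990, 5070, 5150],
    21:   [1210, 1185, 1240, 1199, 1225, 1190, 1230, 1205],
    25:   [640, 655, 630, 648, 661, 637, 652, 644],
    1434: [12, 9, 15, 11, 8, 14, 10, 48200],
}

def robust_score(history, today):
    """Modified z-score of today's count against the port's own history,
    built on the median and median absolute deviation (MAD) so that one
    earlier outlier does not inflate the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread so a perfectly flat history cannot divide by zero.
    spread = max(1.4826 * mad, 1.0)
    return (today - med) / spread

def flag_surges(daily_events, threshold=6.0, min_history=5):
    """Return [(port, score)] for ports whose latest count is a surge,
    highest score first. threshold is an assumed starting value."""
    flagged = []
    for port, counts in daily_events.items():
        history, today = counts[:-1], counts[-1]
        if len(history) < min_history:
            continue  # too little data to call anything a baseline
        score = robust_score(history, today)
        if score >= threshold:
            flagged.append((port, round(score, 1)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for port, score in flag_surges(DAILY_EVENTS):
        print(f"port {port}: surge score {score}")
```

Scoring each port against its own baseline, rather than ranking ports by raw volume, is what lets a normally quiet port such as 1434 stand out even when busier ports carry more total events.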

Writing a smart worm is a challenge, and we should consider ourselves lucky that common worms and viruses don't really do any serious harm. One of the surprising conclusions of the CAIDA report is that, even for applications with deployments of fewer than 20,000 nodes on the Internet, a worm still can spread very fast. It's not just widespread software that can be used to wreak havoc. If you develop software and want to perform in-depth security testing, check out our review of Cenzic's Hailstorm Protocol Modeler on page 103.

An Easy Mark?

Targeted attacks are much more dangerous than random scans because your organization has been singled out for a takeover. Whether the coup succeeds depends on a number of variables, but knowing you've been targeted is crucial. Finding out the goal of the attack is the next step.



Top 5 Security Events

The bad news: The more skilled the attacker, the less likely he or she will be noticed during the attack. The good news: Targeted attacks comprise a small portion of overall attacks, and successful targeted attacks are rarer still. For example, in 2002, ISS Managed Security Service noted 5,052 incidents, encompassing port scans to severe attacks, but only about 80 (1.6 percent) were severe enough that ISS' Emergency Response Service needed to deal with the attack.