[Dshield] Zobot spread timeline?

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Thu Aug 18 19:58:17 GMT 2005


On Thu, 18 Aug 2005 12:12:08 PDT, Wayne Beckham said:
> Can anyone point me to any source on the net that tracks the spread of the
> zobot/MS-05-039 attacks?  

For any given worm, after the first 15 minutes to 2 hours (depending on burn
rate of the worm), your best bet is to simply get a world map, and a can of
red spray paint, and color in all the land masses.

For a slightly more technically accurate version, get an Internet map
from http://research.lumeta.com/ches/map/ and a can of spray paint.. ;)

http://research.lumeta.com/ches/map/gallery/wired.gif is the image that
appeared in Wired - which is why trying to track the "spread" is pointless
after it's gotten into more than a few networks.

It will probably be some time before we see any good summary information
regarding aggregate number of infected hosts and so on - calculating a
number isn't that easy.  You can't ask for end sites to provide numbers,
because the ones that answer will almost certainly give a bad estimate.

I have a fairly good idea exactly how many Zobot machines are in AS1312
(well, OK - how many were as of about 90 minutes ago, and I can guesstimate
how many new ones since then).  On the other hand, I can only do that because
we have infrastructure for it - and that infrastructure is being used to get
the problem mitigated.  Sites with less security clue will probably have a
much higher incidence rate, and less ability to get a good estimate.

It also isn't easy to set up sensors at Tier-1 sites and count the flows, because
you have to be careful that Tier-1 A and Tier-1 B don't report the same flow
twice - which means you have to either do sort/merges on fairly big datasets
at a central site, or look at BGP routing tables at the sensor and exclude
stuff you know will be counted by another sensor...

Anybody from CAIDA lurking on the list?  :)
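
The central sort/merge described above for avoiding double-counted flows, as an added example that is not part of the original post. The record layout, function names, 5-second match window and the sample flows (documentation addresses, 445/tcp) are assumptions constructed for illustration.

```python
import heapq
from collections import namedtuple

# Hypothetical flow record; field names are assumptions for this example.
Flow = namedtuple("Flow", "ts src dst sport dport proto sensor")

def flow_key(f):
    # Sort by 5-tuple first, then time, so copies of one flow end up adjacent.
    return (f.src, f.dst, f.sport, f.dport, f.proto, f.ts)

def merge_dedup(sensor_feeds, window=5.0):
    """Merge per-sensor feeds and yield each flow once.

    Records with the same 5-tuple first seen within `window` seconds are
    treated as one flow observed by more than one sensor.
    """
    streams = [sorted(feed, key=flow_key) for feed in sensor_feeds]
    last_tuple, first_ts = None, None
    for f in heapq.merge(*streams, key=flow_key):
        five_tuple = flow_key(f)[:5]
        if five_tuple == last_tuple and f.ts - first_ts <= window:
            continue  # same flow, already counted
        last_tuple, first_ts = five_tuple, f.ts
        yield f

def scanning_sources(flows, dport):
    """Distinct source addresses seen contacting `dport`."""
    return {f.src for f in flows if f.dport == dport}

# Constructed sample data (documentation address ranges), not real captures.
SENSOR_A = [
    Flow(100.0, "192.0.2.10", "198.51.100.5", 40001, 445, "tcp", "A"),
    Flow(101.2, "192.0.2.10", "198.51.100.6", 40002, 445, "tcp", "A"),
    Flow(103.0, "192.0.2.77", "203.0.113.9", 51000, 445, "tcp", "A"),
]
SENSOR_B = [
    Flow(100.4, "192.0.2.10", "198.51.100.5", 40001, 445, "tcp", "B"),  # also seen by A
    Flow(103.3, "192.0.2.77", "203.0.113.9", 51000, 445, "tcp", "B"),   # also seen by A
    Flow(110.0, "192.0.2.200", "203.0.113.9", 52000, 445, "tcp", "B"),
    Flow(400.0, "192.0.2.10", "198.51.100.5", 40001, 445, "tcp", "B"),  # later reuse, new flow
]

if __name__ == "__main__":
    feeds = [SENSOR_A, SENSOR_B]
    unique = list(merge_dedup(feeds))
    print("records reported:", sum(len(x) for x in feeds))
    print("unique flows:", len(unique))
    print("distinct sources on 445/tcp:", len(scanning_sources(unique, 445)))
```

The BGP-based alternative mentioned in the same paragraph, excluding at the sensor what another sensor is known to count, is not shown here.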