The following text is copyright 2003 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Familiar welcome to the new year
By Scott Bradner
We did not get all that far into the new year before the inevitable happened. Yet another fast-spreading worm struck a Microsoft product and bogged down big chunks of the Internet and took a few tens of thousands of servers off the net. Like the last few times, this attack would have been prevented if the managers of the Microsoft systems had only kept their systems up to date by applying security fixes when they get released.
It only took 20 minutes after the attack started about 12:30am eastern time on Sat Jan 25 for the first message about it to show up on the North American Network Operators Group (nanog) mailing list. (http://www.nanog.org/mailinglist.html) Forty minutes later, at 1:28am, the fact that the attack abused UDP port 1434 was posted, which was enough information for most network operators to know what to do to block the impact. It was too late to have much of an impact on propagation since most of the world-wide spread seemed to happen within the first few minutes. The information about the attack and how to fight it did not propagate as fast as the attack but was available long before most network managers woke up and figured out that they were under attack.
The speed of propagation of this worm was a testament to Microsoft's success in the marketplace and a poster child for the basic reasons that there is no reason to be sanguine about the ability of the Internet, or more particularly, the systems on the Internet, to resist a concerted attack. The software monoculture of today's Internet and the unwillingness of system operators to do what is needed to keep their systems up to date security-wise mean that this is far from the last successful attack we will see. System operator unwillingness seems to be the result of a number of factors, the frequency of updates, the difficulty of knowing when an update is needed, an assumption that updates should not be done when they come out because they my introduce more bugs than they fix, and the disruption required when an update is done.
In the spectrum of attacks, this was quite a benign one. Installing the patch you should have already installed and rebooting did the trick, no rebuilding disks from scratch and hoping that the backups would work. So whoever did this was after disruption not destruction. Someone with a touch more malice in their heart would have made for a very bad weekend for a whole lot of people.
One real puzzle about the attack has not been resolved as I write this column. It seems that 13,000 or so of the Bank of America's ATM machines went down during the attack. The puzzle is why. If the BoA is putting their ATM machines directly on the Internet they are demonstrating a confidence in the Net that few other folks do. If it was because of a leak though a firewall that hit some Microsoft server that ran the ATM net then they need some better firewall folk. But we may never know, the answer might just be too embarrassing.
disclaimer: Causing embarrassment sometimes seems to be a Harvard mission but I did not ask the University about this case -- its all my own puzzlement.