Propagation of computer worms

Jun 12, 2007 22:05


The field of epidemiology studies the health of populations with an eye to the detection and prevention of illness.

Disease is fascinating in any light, and as our world shrinks due to global travel we’re likely to see a lot more of it in new guises. Single cases of disease in exotic places are a potent threat to major population centres, because that single person can travel round the world in a single day.

Securing yourself against infection is a proper arms race: infectious agents and defences improving in lock-step, forever exploiting and then being beaten back.

Nothing about the above paragraphs is unique to biology. In the early hours of the 25 January 2003 the fastest-spreading global infection ever seen first began to take hold, on the internet.

The infection, known as the Slammer worm, was the first of a new kind of Warhol worm - one that would spread as fast as it could within its “15 minutes of fame”. This epidemiological analysis of the appearance, spread and weaknesses of the Slammer worm makes fascinating reading for the geeky. Let’s look at what happened.
Global epidemic in double-quick time

“The mathematics of uncontrolled growth are frightening. A single cell of the bacterium E. coli would, under ideal circumstances, divide every twenty minutes. That is not particularly disturbing until you think about it, but the fact is that bacteria multiply geometrically: one becomes two, two become four, four become eight, and so on. In this way it can be shown that in a single day, one cell of E. coli could produce a super-colony equal in size and weight to the entire planet Earth.”

- Michael Crichton, The Andromeda Strain

(Does anyone know if this is true? Or can you do the calculations to show it?)

The doubling time of E. coli is twenty minutes, given enough nutrients, space, warmth and so on. The ideal requirements for the Slammer worm are CPU time, bandwidth and machines to infect. If all three are in good supply then the growth will be ‘optimal’ (from the point of view of the infection).

Nobody is quite sure what the very fastest doubling time for the Slammer was. What we do know is that, before it reached that optimum, it was doubling in size every 8.5 seconds.

Only three minutes after its release into the wild there were 55 million malicious packets being created every second, in an effort to infect more machines. At this point the infected networks reached saturation point: the constraining factor was bandwidth. The infection continued for a while at this limited rate, causing vast amounts of damage on the way.

The next limiting factor to be hit was the number of suitable hosts. After only ten minutes, 90% of all vulnerable machines were infected. The infected computers had sent speculative packets to more than 150 million computers. The networks had been saturated for some time.
Collateral damage

The Slammer worm was not designed to do anything. Once it infected a computer it did not look for files to delete or attempt to sniff your passwords. It didn’t even bother to save itself to disk. Its only aim in life was self-propagation - a job it did extremely well.

It infected machines that were running a particular version of Microsoft’s database server software. The first casualties were obviously the database servers themselves. They did nothing but create and send infected packets back out onto the internet - the computer equivalent of sneezing over everyone.

After the database servers, the next casualties would be other computers on the network. All the bandwidth would be consumed by this worm sending its seed out into the world. The networks would grind slowly to a halt for all other uses.

Eventually the routers that shuffle packets from place to place were slowly overwhelmed. They had more requests than they could deal with, and neither the CPU capacity nor bandwidth to satisfy the demand. Many simply failed.

When a router fails, its neighbouring routers will notice that it’s not responding and will mark it in their routing tables as being unavailable. They will then send these routing tables to their own neighbours. Since this was happening almost simultaneously all over the world this meant even more traffic and even more failures.

As the study above states:

It is important to realize that if the worm had carried a malicious payload, had attacked a more widespread vulnerability, or had targeted a more popular service, the effects would likely have been far more severe.

As it is, the worm is blamed for “network outages and […] canceled airline flights, interference with elections, and ATM failures”.
Flawed Propagation

The Slammer worm sent out infected packets to randomly generated addresses on the internet. It didn’t know whether there was a vulnerable machine at the other end; it just sent one anyway.

Large amounts of data need to be split up before they’re sent across networks. The Slammer worm was small enough that it could fit into a single packet. Sending out infections was easy and cheap: there was no possibility that parts of the message would get separated from the others, like a half-present SMS message.

As small and devastating as it was, however, it was not perfect. I have already mentioned how it managed to quickly saturate its transport medium, so that each newly infected machine had to compete with all the existing machines. But there was also another flaw, built into the worm itself.

All software is buggy: even malicious software. The authors of the worm tried to create a worm that would pick a random internet address and fire off a packet. Fortunately for us they made a mistake in their random number generator. It was flawed in such a way that there were certain numbers it would never produce - so there would be certain computers that might have been vulnerable but would never be infected.

Think of it like making a die with the faces 1, 1, 3, 3, 5, 5. No matter how many times you roll, you’ll never get an even number. In the Slammer, the IP addresses generated would accidentally have some digits set to zero every time. This cut down on the potential harm for vulnerable machines, but as you can see from the dice example, everyone else gets hit twice as hard…
The internet changes everything

You’re just not hip if you don’t mention the long tail at some point, right? Well, this is it. Despite the vast amounts of damage caused, not many machines were actually infected - only 75,000 are known for sure. It could have been a lot worse.

And that’s the curious thing. For a while it was considered that something akin to herd immunity would protect small numbers of vulnerable machines:

Formerly, small populations (<20,000 machines or less on the Internet) were not viewed as particularly vulnerable to worms, as the probability of finding a susceptible machine in any given scan is quite low. However, a worm which can infect a population of 75,000 hosts in 10 minutes can similarly infect a population of 20,000 hosts in under an hour. Thus, exploits for less popular software present a viable breeding ground for new worms.

This is the long tail of computer infection. Using the power of the internet, even attacking the small populations is not only possible but viable.
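To put numbers on the growth curve, the bandwidth ceiling, the loaded-die flaw and the 20,000-host case from the quoted study, here is an added example (mine, not from the original post or the study it cites) that feeds the post's figures into the standard epidemic model of a random-scanning worm. Assumed: a 2**32 IPv4 address space, a constant per-host scan rate (derived so that early growth doubles every 8.5 s, as stated above), an aggregate ceiling of 55 million packets/s, and a `coverage` parameter standing in for the fraction of the address space the flawed generator could reach.

```python
"""Epidemic model of a random-scanning worm, fed with the post's figures.

Added example, not from the original post or the study it cites. Assumed:
the IPv4 space has 2**32 addresses; each infected host scans at a constant
per-host rate (constructed below so early growth doubles every 8.5 s, as
the post states); the network carries at most `cap` scan packets/s in total.
"""
import math

IPV4_SPACE = 2 ** 32


def doubling_time(vulnerable, scan_rate, coverage=1.0):
    """Early-phase doubling time (s), while nearly all hosts are susceptible.

    Each scan then infects with probability vulnerable/2**32, so infections
    grow as exp(K t), K = scan_rate * vulnerable / 2**32. A scanner that only
    reaches a fraction `coverage` of the address space (the post's loaded
    die) hits reachable addresses 1/coverage times as often, so K is unchanged.
    """
    k = scan_rate * (vulnerable * coverage) / (IPV4_SPACE * coverage)
    return math.log(2) / k


def scan_rate_for_doubling(vulnerable, doubling_s):
    """Per-host scan rate implied by an observed early doubling time."""
    return math.log(2) / doubling_s * IPV4_SPACE / vulnerable


def time_to_fraction(vulnerable, scan_rate, frac, cap=None, coverage=1.0,
                     dt=0.01, max_t=3600.0):
    """Seconds until `frac` of the reachable vulnerable hosts are infected.

    Forward-Euler steps of dI/dt = scans * P(hit): aggregate scans/s are
    capped by bandwidth, P(hit) is the share of still-susceptible reachable
    hosts in the reachable address space. math.inf if not reached by max_t.
    """
    reachable = vulnerable * coverage
    target = frac * reachable
    infected, t = 1.0, 0.0
    while infected < target:
        if t >= max_t:
            return math.inf
        scans = infected * scan_rate
        if cap is not None:
            scans = min(scans, cap)          # bandwidth saturation
        p_hit = (reachable - infected) / (IPV4_SPACE * coverage)
        infected += scans * p_hit * dt
        t += dt
    return t
```

With the 8.5 s doubling time the implied rate is roughly 4,700 scans/s per host; unconstrained, 90% of 75,000 hosts fall in under three minutes, the 55 million packets/s ceiling stretches that to a few more minutes, and 20,000 hosts at the same per-host rate take under ten minutes, well inside the study's "under an hour". Halving `coverage` leaves the doubling time untouched but halves the hosts that can ever be reached, which is the loaded-die effect in numbers.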

biology, buffer overflow, computer science, good science, security, guide, database, geek
