Worms like Code Red and Nimda continue to generate billions of data packets every day, illegitimate traffic that creates denial-of-service conditions degrading the availability not only of Web servers but of the Internet as a whole, according to research done by network availability vendor Arbor Networks.
Arbor's initial research on global Internet worm activity revealed massive amounts of infection attempts, an important quantification, according to an IDC analyst.
Arbor, best known for its anti-denial-of-service software Peakflow DoS, set up what it called a "blackhole monitor" to record traffic sent to unused Internet space. The unused space, a Class A network, represented 1/256 of the Internet.
"Any traffic to (the network), we believe to be random scans or direct worm infection attempts," said Dug Song, Arbor security architect.
Arbor's analysis of that traffic, examined over a seven-week period between Sept. 19 and Nov. 3, processed more than 2.5 billion TCP SYN packets probing the unused space for Web servers that did not exist. Extrapolating from that 1/256 sample to the whole Internet, there were an estimated 640 billion infection attempts during these seven weeks, generating 23 terabytes of TCP SYN traffic.
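The blackhole-monitor method described above, as an added illustration that is not Arbor's code: packets destined for an unused /8 are classified as scan or infection attempts when they are pure SYNs to port 80 (SYN/ACKs are backscatter from spoofed-source attacks, not scans), counted per source, and scaled by 256 to estimate Internet-wide activity. The prefix, the packet records and the flag encoding are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed: the unused prefix the monitor advertises. A /8 is 1/256 of
# IPv4 space, which is the page's scaling factor. 10.0.0.0/8 is a stand-in;
# the page does not name the prefix Arbor used.
BLACKHOLE = ipaddress.ip_network("10.0.0.0/8")
SCALE = 256  # number of /8 blocks in the IPv4 address space

# Constructed packet records: (src, dst, dst_port, tcp_flags). "S" is SYN,
# "A" is ACK. This is sample input, not a captured trace.
PACKETS = [
    ("192.0.2.10", "10.4.4.4", 80, "S"),     # SYN into unused space: scan/worm
    ("192.0.2.10", "10.9.1.2", 80, "S"),
    ("192.0.2.77", "10.200.3.3", 80, "S"),
    ("192.0.2.77", "10.200.3.3", 80, "S"),
    ("198.51.100.5", "10.1.1.1", 80, "SA"),  # SYN/ACK: backscatter, not a scan
    ("203.0.113.9", "172.16.0.1", 80, "S"),  # destination outside the blackhole
    ("203.0.113.9", "10.1.1.1", 22, "S"),    # SYN, but not aimed at a Web server
]


def is_web_infection_attempt(pkt):
    """True for a pure SYN to port 80 whose destination lies in the blackhole.

    No legitimate traffic should be addressed to unused space, so such a SYN
    is either a random scan or a direct infection attempt against a Web
    server that does not exist."""
    src, dst, dport, flags = pkt
    if ipaddress.ip_address(dst) not in BLACKHOLE:
        return False
    if "S" not in flags or "A" in flags:   # SYN/ACK or ACK-bearing segments are backscatter
        return False
    return dport == 80


def summarise(packets):
    """Count qualifying SYNs, attribute them per source, and scale to the Internet."""
    hits = [p for p in packets if is_web_infection_attempt(p)]
    per_source = Counter(p[0] for p in hits)
    return {
        "observed_syns": len(hits),
        "per_source": dict(per_source),
        "estimated_internet_wide": len(hits) * SCALE,
    }


if __name__ == "__main__":
    print(summarise(PACKETS))
```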
Though Arbor representatives did not venture a comparison of the percentage of worm traffic against legitimate Internet traffic, an IDC analyst said that Arbor's work does help illustrate the Internet's worm problem.
"(Arbor is) confirming in a strong way that these attacks are threatening the environment in an aggressive, unpleasant way," said Chris Christiansen, vice president, Internet Infrastructure and Security Software at IDC. "It's important to note that these are not just script kiddies probing and pinging. There are people out there running sophisticated packets with widely available tools. And that's scary, very scary. Is this research revolutionary? No. But, it's interesting because they drew broad separate ideals into one concrete, conclusive thought."
Traffic jams here to stay
What the research further highlights, according to Song, is that traffic levels do not dissipate with self-propagating worms. Vulnerable servers may get patched, but infected machines continue to ping for victims, and that impacts Internet availability.
"Many of these worms, people believe, are isolated incidents that come and go, but that's not the case. Code Red is periodic. Time-to-time, it shows up (it is active between the 1st and 19th of every month) and this points to a persistent problem: As new worms are introduced, traffic remains consistent," Song said. "Nimda, for example, added 5 billion scans across the Internet and it's only going to get worse. Traffic levels are going to get worse with new worms, and real instability is possible."
Arbor also identified .net and Korean hosts as the biggest generators of bad traffic. Korea has the densest cable modem and DSL penetration in .net, and the country has been singled out by recent Nielsen NetRatings figures as having the most active Internet surfers.
Arbor also delved into an examination of the partitioning of the Internet, called dark address space. The research concludes that about 5% of the Internet is unreachable by service providers, shattering the illusion that the Net is a connected community.
"This research focuses deeper in the plumbing in the routing infrastructure, not the traffic," said Craig Labovitz, Arbor's director of network architecture. "We did a three-year study, listening to routing signaling and determining if all the service providers reach the same places on the Web. There are a lot of failures, a lot of misconfigurations on backbone routing calls.
"We wanted to study how the Internet is connected," Labovitz said. "Is it one Net? Are all providers connected? The answer is no. To the surprise of the engineering community, the Internet is partitioned. There are islands of connectivity. Five percent of the islands (tens of millions of end hosts) cannot reach each other and that figure is larger than we expected."
CERT recently warned that attackers are more frequently attacking routers in denial-of-service attacks and Arbor's research backs up that premise, concluding that some of these "islands" are caused by misconfigured routers, but others could be intentional misuse, like Web attacks or even spamming.
"There is very little security on the routing infrastructure," Labovitz said. "All you need to do is compromise one router, inject the routing information for whatever Web site, and you're able to redirect its traffic to a blackhole or a password-sniffing Web site, for example."
A year ago, denial-of-service attacks were a fresh idea. The maturation of router attacks is at a similar point.
"Getting a packet into a router used to be too high tech for the script kiddies to do any damage," said Arbor chief technology officer Rob Malan. "The learning curve has been sped up. We're on that threshold. We're where we were at a year ago with DoS attacks."