CSE 525 (Winter 2004)
Topic #5: Code Red
Jason Bittel

D. Moore, C. Shannon, K. Claffy, "Code-Red: A Case Study on the Spread and Victims of an Internet Worm", IMW 2002, Paper
L. Wang, X. Zhao, D. Pei, R. Bush, D. Massey, A. Mankin, S. Wu, L. Zhang, "Observation and Analysis of BGP Behavior under Stress", IMW 2002, Paper


Summary: The primary paper in the group analyzed the origin, spread, and impact of the Code-Red worm. It began by outlining the three separate variations of the worm that surfaced; the paper referred to these as Code-RedI v1, Code-RedI v2, and Code-RedII. All three worms worked by exploiting a buffer-overflow bug in the Microsoft IIS web server. The Code-RedI v1 worm had a fatal bug: it used a static seed for the random number generator that produced the IP addresses to infect, so every copy of the worm scanned the same sequence of addresses, which limited the worm's growth to a linear rate. The second variation of the worm, Code-RedI v2, fixed this bug and was therefore able to achieve an exponential growth rate. The third version of the worm, Code-RedII, spread to a similar host population as Code-RedI v2. For the purposes of this paper, Code-RedI v2 was the focus and will be subsequently referred to simply as Code-Red.
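To show why a static seed caps spread at a linear rate, here is an added epidemic-style simulation over an abstract address space (constructed numbers, not real IPs, and not code from either paper): every infected host scans addresses drawn from its own PRNG, and the only difference between the two runs is whether all hosts share one fixed seed or each host seeds independently.

```python
import random

ADDRESS_SPACE = 20_000   # abstract address space (constructed, not real IPs)
VULNERABLE = 2_000       # number of vulnerable hosts in that space
PROBES_PER_STEP = 10     # addresses each infected host scans per time step
STATIC_SEED = 12345      # the fixed seed every copy of a v1-style worm shares


def simulate(steps, static_seed):
    """Return the infected-host count after each time step.

    static_seed=True models Code-RedI v1: every infected host draws from an
    identically seeded PRNG, so all copies walk the same address sequence and
    only the oldest copy ever reaches addresses nobody has probed yet.
    static_seed=False models the v2 fix: each host seeds from its own address.
    """
    layout = random.Random(0)
    vulnerable = layout.sample(range(ADDRESS_SPACE), VULNERABLE)
    vulnerable_set = set(vulnerable)
    patient_zero = vulnerable[0]

    def new_rng(host):
        return random.Random(STATIC_SEED if static_seed else host)

    infected = {patient_zero: new_rng(patient_zero)}   # host -> its PRNG state
    history = []
    for _ in range(steps):
        newly = {}
        for rng in list(infected.values()):
            for _ in range(PROBES_PER_STEP):
                target = rng.randrange(ADDRESS_SPACE)
                if target in vulnerable_set and target not in infected and target not in newly:
                    newly[target] = new_rng(target)
        infected.update(newly)
        history.append(len(infected))
    return history


if __name__ == "__main__":
    static = simulate(30, static_seed=True)
    independent = simulate(30, static_seed=False)
    print("static seed :", static)        # roughly +1 host per step
    print("per-host seed:", independent)  # saturates within a dozen steps
```

With a shared seed, at step t only patient zero draws sequence positions no copy has drawn before, so new infections per step can never exceed PROBES_PER_STEP, giving the linear bound the summary describes.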

Within 14 hours of its release into the wild, Code-Red spread to over 359,000 distinct IP addresses. A breakdown of the domains that these IP addresses belonged to--coupled with a distinct diurnal cycle in the infected hosts--indicates that approximately 1/3 to 1/2 of the infected web servers were located on end users' computers, as opposed to dedicated web servers. Possibly because of the high percentage of end user machines that were infected, the patching response rate was extremely sluggish. Not until Code-Red reawakened on August 1 did the patching begin in earnest.

The secondary paper of the group looked at the effect that the Code-Red/Nimda worms had on the BGP routing tables. Because of a huge increase in the BGP updates being recorded, it was assumed that BGP was beginning to destabilize under the massive influx of traffic. However, on further study it was discovered that the majority of these BGP updates were not path changes at all, and that only a limited subset of unstable networks were changing their paths with any frequency. In fact, much of the data that was collected merely reflected monitoring artifacts in the data collection process.

The class discussion was able to clarify several issues in the presentation. There was some discussion on the technical aspects of how the Code-Red and Nimda worms spread, a topic that I had opted not to cover because of time. In addition, some of the BGP issues were clarified to a greater degree. Specifically, it was brought up how the monitoring artifacts observed in BGP were a side-effect of the multi-hop peering. In addition to this, there were some comments regarding worms in general as well as other people's personal experiences that helped to give some context and additional information.

Presentation: Slides