
How to 0wn the Internet in Your Spare Time

by Stuart Staniford, Vern Paxson, Nicholas Weaver
Micro (2002)

How to 0wn the Internet in Your Spare Time

Stuart Staniford∗ (Silicon Defense, stuart@silicondefense.com), Vern Paxson† (ICSI Center for Internet Research, vern@icir.org), Nicholas Weaver‡ (UC Berkeley, nweaver@cs.berkeley.edu)

Abstract

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.

We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).

We then turn to the threat of surreptitious worms that spread more slowly but in a much harder to detect “contagion” fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.

In conclusion, we argue for the pressing need to develop a “Center for Disease Control” analog for virus- and worm-based threats to national cybersecurity, and sketch some of the components that would go into such a Center.

∗ Research supported by DARPA via contract N66001-00-C-8045.
† Also with the Lawrence Berkeley National Laboratory, University of California, Berkeley.
‡ Additional support from Xilinx, ST Microsystems, and the California MICRO program.
1 Introduction

If you can control a million hosts on the Internet, you can do enormous damage. First, you can launch distributed denial of service (DDOS) attacks so immensely diffuse that mitigating them is well beyond the state-of-the-art for DDOS traceback and protection technologies. Such attacks could readily bring down e-commerce sites, news outlets, command and coordination infrastructure, specific routers, or the root name servers.

Second, you can access any sensitive information present on any of those million machines—passwords, credit card numbers, address books, archived email, patterns of user activity, illicit content—even blindly searching for a “needle in a haystack,” i.e., information that might be on a computer somewhere in the Internet, for which you trawl using a set of content keywords.

Third, not only can you access this information, but you can sow confusion and disruption by corrupting the information, or sending out false or confidential information directly from a user’s desktop.

In short, if you could control a million Internet hosts, the potential damage is truly immense: on a scale where such an attack could play a significant role in warfare between nations or in the service of terrorism.
Unfortunately it is reasonable for an attacker to gain control of a million Internet hosts, or perhaps even ten million. The highway to such control lies in the exploitation of worms: programs that self-propagate across the Internet by exploiting security flaws in widely-used services.¹ Internet-scale worms are not a new phenomenon [Sp89, ER89], but the severity of their threat has rapidly grown with (i) the increasing degree to which the Internet has become part of a nation’s critical infrastructure, and (ii) the recent, widely publicized introduction of very large, very rapidly spreading Internet worms, such that this technique is likely to be particularly current in the minds of attackers.

¹ We distinguish between the worms discussed in this paper—active worms—and viruses (or email worms) in that the latter require some sort of user action to abet their propagation. As such, they tend to propagate more slowly. From an attacker’s perspective, they also suffer from the presence of a large anti-virus industry that actively seeks to identify and control their spread.

[Figure 1: plot of distinct remote hosts attacking LBNL (y-axis, 0 to 20,000) against days since July 18, 2001 (x-axis, 0 to 80, with Jul 19, Aug 1, Sep 1, Sep 19 and Oct 1 marked), with one curve each for Code Red I v2, Code Red II, and Nimda.]

Figure 1: Onset of Code Red I v2, Code Red II, and Nimda: Number of remote hosts launching confirmed attacks corresponding to different worms, as seen at the Lawrence Berkeley National Laboratory. Hosts are detected by the distinct URLs they attempt to retrieve, corresponding to the IIS exploits and attack strings. Since Nimda spreads by multiple vectors, the counts shown for it may be an underestimate.
We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I v2 in July and August, 2001 (Section 2). We then discuss techniques employed for achieving greater effectiveness and virulence by the subsequent Code Red II and Nimda worms (Section 3). Figures 1 and 2 show the onset and progress of the Code Red and Nimda worms as seen “in the wild.”

In this context, we develop the threat of three new techniques for highly virulent worms: hit-list scanning, permutation scanning, and Internet-scale hit-lists (Section 4). Hit-list scanning is a technique for accelerating the initial spread of a worm. Permutation scanning is a mechanism for distributed coordination of a worm. Combining these two techniques creates the possibility of a Warhol worm,² seemingly capable of infecting most or all vulnerable targets in a few minutes to perhaps an hour. An extension of the hit-list technique creates a flash worm, which appears capable of infecting the vulnerable population in tens of seconds: so fast that no human-mediated counter-response is possible.
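To see from a defender's side how much of a response window the hit-list and flash-worm claims above leave, here is an added Python model that is not from the paper: it steps the standard logistic (susceptible/infected) approximation of random address scanning forward and compares the time to 90% infection when the worm starts from a single host, from a pre-built hit-list, and from a hit-list that already covers the whole vulnerable population. The vulnerable population, scan rate, hit-list size and uniform-random probing over the IPv4 space are all assumptions constructed for the example, not measurements from the paper.

```python
"""Logistic model of random-scanning worm spread, with and without a hit-list
of initial victims.  Added illustration: the model is the standard
susceptible/infected approximation, and every parameter below is an
assumption chosen for the example, not a measurement from the paper."""

ADDRESS_SPACE = 2 ** 32  # IPv4; probes are assumed to land uniformly at random


def simulate_spread(vulnerable, scan_rate, initial_infected, dt=1.0, max_time=86400.0):
    """Step the expected infection count forward; return (time, infected) samples.

    Each infected host emits scan_rate probes per second at random addresses, so a
    probe reaches a still-vulnerable host with probability susceptible/ADDRESS_SPACE.
    Stops once 99.9% of the vulnerable hosts are infected or max_time elapses."""
    infected = float(min(initial_infected, vulnerable))
    t = 0.0
    samples = [(t, infected)]
    while infected < 0.999 * vulnerable and t < max_time:
        susceptible = vulnerable - infected
        new_infections = infected * scan_rate * dt * susceptible / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        t += dt
        samples.append((t, infected))
    return samples


def time_to_fraction(samples, vulnerable, fraction):
    """First sampled time at which at least `fraction` of the population is infected, else None."""
    for t, infected in samples:
        if infected >= fraction * vulnerable:
            return t
    return None


def compare_strategies(vulnerable=300_000, scan_rate=100.0, hitlist_size=10_000, fraction=0.9):
    """Seconds until `fraction` of the hosts are infected for three starting points:
    one random-scanning host, a hit-list of hitlist_size pre-infected hosts, and a
    flash worm whose hit-list already covers the whole vulnerable population.
    All defaults are constructed example values."""
    results = {}
    for label, seeds in (("random", 1), ("hitlist", hitlist_size), ("flash", vulnerable)):
        samples = simulate_spread(vulnerable, scan_rate, seeds)
        results[label] = time_to_fraction(samples, vulnerable, fraction)
    return results


if __name__ == "__main__":
    for label, seconds in compare_strategies().items():
        print(f"{label:8s} {seconds / 60:6.1f} minutes to 90% infection")
```

With the default assumptions the single-host start needs on the order of half an hour to reach 90% of the population, the hit-list start cuts that to well under half, and the flash case is already saturated at time zero; the point for a defender is that the exponential phase, where a response still matters, is exactly what the hit-list removes.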
We then turn in Section 5 to the threat of a new class of surreptitious worms. These spread more slowly, but in a much harder to detect “contagion” fashion, masquerading as normal traffic. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts.

² So named for the quotation “In the future, everyone will have 15 minutes of fame.”

[Figure 2: plot of distinct remote hosts attacking LBNL (y-axis, 0 to 2,000) against days since Sept. 20, 2001 (x-axis, 0 to 150, with Oct 1, Oct 15, Nov 1, Nov 15, Dec 1, Dec 15, Jan 1 and Jan 15 marked), with one curve each for Nimda, Code Red I v2, and Code Red II.]

Figure 2: The endemic nature of Internet worms: Number of remote hosts launching confirmed attacks corresponding to different worms, as seen at the Lawrence Berkeley National Laboratory, over several months since their onset. Since July, 139,000 different remote Code Red I hosts have been confirmed attacking LBNL; 125,000 different Code Red II hosts; and 63,000 Nimda hosts. Of these, 20,000 were observed to be infected with two different worms, and 1,000 with all three worms. (Again, Nimda is potentially an underestimate because we are only counting those launching Web attacks.)
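Figures 1 and 2 are built by identifying attacking hosts from the distinct URLs they request and then counting distinct hosts per worm, per day and across worms. The following Python script is an added example, not the paper's or LBNL's tooling: it runs that bookkeeping over constructed Apache-style log lines, classifies requests with a placeholder signature table, counts distinct attacking hosts per worm (repeat probes from one host count once), produces the per-day onset series of Figure 1, and tallies hosts seen carrying two or three different worms as in the Figure 2 caption. The signature substrings and log lines are constructed placeholders, not real probe strings or real data.

```python
"""Count distinct attacking hosts per worm from web-server logs, in the spirit of
Figures 1 and 2.  Added example: SIGNATURES and SAMPLE_LOG are constructed
placeholders, not the paper's data and not real worm probe strings."""
import re
from collections import defaultdict
from datetime import datetime

# Placeholder signature table: worm name -> request-path substrings that identify
# its probes.  A deployment would load the actual exploit URLs it wants to track.
SIGNATURES = {
    "Code Red I v2": ("/probe-cr1",),
    "Code Red II": ("/probe-cr2",),
    "Nimda": ("/probe-nimda-a", "/probe-nimda-b"),
}

# Apache common log format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: host 10.0.0.1 ends up attacking with all three worms,
# one line is benign traffic and one line is unparseable noise.
SAMPLE_LOG = [
    '10.0.0.1 - - [19/Jul/2001:13:01:02 -0700] "GET /probe-cr1 HTTP/1.0" 400 325',
    '10.0.0.1 - - [19/Jul/2001:13:05:09 -0700] "GET /probe-cr1 HTTP/1.0" 400 325',
    '10.0.0.2 - - [19/Jul/2001:14:11:40 -0700] "GET /probe-cr1 HTTP/1.0" 400 325',
    '10.0.0.3 - - [04/Aug/2001:09:00:00 -0700] "GET /probe-cr2 HTTP/1.0" 400 325',
    '10.0.0.1 - - [05/Aug/2001:10:30:00 -0700] "GET /probe-cr2 HTTP/1.0" 400 325',
    '10.0.0.1 - - [20/Sep/2001:08:00:00 -0700] "GET /probe-nimda-a HTTP/1.0" 404 210',
    '10.0.0.4 - - [20/Sep/2001:08:00:05 -0700] "GET /probe-nimda-b HTTP/1.0" 404 210',
    '10.0.0.5 - - [20/Sep/2001:08:01:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return {host, ts, path} for a well-formed log line, or None for noise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "ts": ts, "path": m.group("path")}


def classify(path):
    """Name of the worm whose signature the request path matches, or None."""
    for worm, needles in SIGNATURES.items():
        if any(needle in path for needle in needles):
            return worm
    return None


def attackers_by_worm(lines):
    """Map worm -> {attacking host -> time of its first matching request}."""
    first_seen = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["path"])
        if worm is None:
            continue
        prev = first_seen[worm].get(rec["host"])
        if prev is None or rec["ts"] < prev:
            first_seen[worm][rec["host"]] = rec["ts"]
    return first_seen


def distinct_host_counts(lines):
    """Distinct attacking hosts per worm; repeat probes from one host count once."""
    return {worm: len(hosts) for worm, hosts in attackers_by_worm(lines).items()}


def daily_onset(lines, worm):
    """Hosts first seen attacking with `worm` on each date (the Figure 1 onset curve)."""
    counts = defaultdict(int)
    for ts in attackers_by_worm(lines).get(worm, {}).values():
        counts[ts.date().isoformat()] += 1
    return dict(sorted(counts.items()))


def coinfection_histogram(lines):
    """Number of hosts seen carrying exactly k different worms, for each k."""
    worms_per_host = defaultdict(set)
    for worm, hosts in attackers_by_worm(lines).items():
        for host in hosts:
            worms_per_host[host].add(worm)
    hist = defaultdict(int)
    for worms in worms_per_host.values():
        hist[len(worms)] += 1
    return dict(hist)


if __name__ == "__main__":
    print(distinct_host_counts(SAMPLE_LOG))
    print(daily_onset(SAMPLE_LOG, "Code Red I v2"))
    print(coinfection_histogram(SAMPLE_LOG))
```

Keying the counts on the earliest timestamp per host is what lets the same data feed both an onset curve (new hosts per day) and a cumulative distinct-host total; note that, as the caption says for Nimda, a worm that also spreads by vectors the web log never sees is undercounted by this method.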
Then in Section 6, we discuss some possibilities by which an attacker could control the worm using cryptographically-secured updates, enabling it to remain a threat for a considerable period of time. Even when most traces of the worm have been removed from the network, such an “updatable” worm still remains a significant threat.

Having demonstrated the very serious nature of the threat, we then in Section 7 discuss an ambitious but we believe highly necessary strategy for addressing it: the establishment at a national or international level of a “Center for Disease Control” analog for virus- and worm-based threats to cybersecurity. We discuss the roles we envision such a Center serving, and offer thoughts on the sort of resources and structure the Center would require in order to do so. Our aim is not to comprehensively examine each role, but to spur further discussion of the issues within the community.
