Hi, in this video, I want to talk about another worm in 2003 called Nachi. Now, this is a crazy one. Here's how this one worked, essentially. There had been infections, malware infections, that had been occurring through 2003. It was a big year for malware infections, for whatever reason. It seemed like people were not patching properly, and a lot of the offense noticed that they could break into systems through unpatched vulnerabilities. We saw a lot of issues, particularly with worms. Well, one of them that popped up is this worm called the Nachi worm. Now, this is an interesting one because basically it's a vigilante worm. Now, if you're familiar with that concept, [LAUGH] that means a good guy writing something, in this case a worm, presumably to go out and find problems and fix them. I know that seems like a noble goal, but it turned out to be a complete mess. And I want to tell you some of the building blocks involved in this Nachi worm. So, the first thing is that whoever wrote this worm, and by the way, a lot of these attacks are still completely non-attributable. One of the challenges we have in cybersecurity is [LAUGH] a lot of these unsolved crimes that go on for many, many years, or decades, or forever without knowing who actually did it. But the first aspect of this worm is that it used something you're very familiar with: a ping, this echo request/response protocol using ICMP, to actually find systems that ultimately it would be trying to clean up. So think about that, sending all this ping traffic out across the Internet, saying, hey, let's take inventory, and then we'll go in and we'll see what's going on, and blah, blah, blah. Well, as you might expect, the ping traffic went nuts and actually took out the Internet. Now, let's think about that. To take out the Internet [LAUGH], it's not an easy thing.
And even back in 2003, we had massive infrastructure. It's grown since then, but the idea that ping traffic would cascade speaks to the power of an Internet worm. Now, here's what it was sort of like if you were working in an Internet service provider, or in a research organization, or a university just collecting traffic. What you would see, if you were in an ops center, is that you probably are doing something called analytics. You've probably heard "big data analytics" as a term that's pretty frequently used. Or in the analytic sense, you're monitoring stuff, and, being a little cynical, sometimes you're just counting and graphing. So a typical sort of thing you might be counting and graphing would be the amount of ICMP traffic that you might be seeing through all the different monitoring points that are part of your analysis work. So let's say you're a big university and you have a big cooperative amongst other universities, and you're all collecting data and doing some sort of analytics. Then what you would've seen just before the Nachi worm is essentially very quiet pipes in terms of ICMP traffic, because that's not a big protocol. There are a lot of network management tools that use it, but it's not like HTTP or email or any of the things that really dominate the Internet. So you would see very quiet traffic. And let's say on each hour, you're refreshing and looking at the amount of traffic that comes in on the different pipes. So, at a particular time, and on the chart I sort of circle and show the gradual rise of the Nachi worm. This section that I kind of circled, that you see there in the chart where it's first evidenced, will give you an idea of what it was like. Imagine all these different pipes, and then in one hour's change, you might see one of the pipes increase just a little bit in terms of ping traffic. And here's the challenge that you have with something like that. The question is, what do you do? Do you call someone? Do you not call someone?
Do you mark it down? Do you keep track? Do you ignore it? What's the threshold, what's the driver that would actually make you take action? So it [INAUDIBLE] a little increase, and you go, [SOUND], we'll leave it alone, we'll keep an eye on it. And then an hour later, it increases some more. And the question now is, has that increased sufficiently to take action, and furthermore, what action? What are you going to do? Are you going to turn off ICMP, make it impossible to ping, either across your network or at least on that one gateway, or whatever it is you're looking at? You see the point? Very difficult, (a), to determine when you should take action, [LAUGH] and (b), difficult to figure out exactly what you do. Now, if you kept watching, what you would see is that in hour three, four, five, maybe in the first five or six hours, it went from nothing to this massive explosion of ICMP traffic. And in fact, when this thing reached full strength, I almost can't believe I'm going to say the following metric, but it blows my mind to this day. For the latter portion of 2003, the Nachi worm, the traffic involved in the Nachi worm, ping garbage bouncing all over the place, accounted for, get this, up to 40% of the sessions on the public Internet. A session is a source-destination pair. You think of it as a flow, so that's mind-boggling. If you go back and you watch the kinds of things people were talking about on television in 2003, it certainly wasn't this. And unfortunately, those of us in the network community probably didn't make a big enough fuss about this, because I think that's a policy issue. I think it's part of the issue of Internet governance, and how we determine what threshold would cause the international community to do something. Maybe decide collectively that we're going to turn off ICMP traffic. And again, what does that mean?
If you turn off ICMP traffic, that means that at gateways, you're looking for a ping, or for that basic echo handshake, and if you see it, you drop it. You just don't allow it through. And that would have the effect of essentially dampening the worm propagation, but what does it break? As I said, network management tools frequently use that protocol to find equipment that needs updating, to do network management, network monitoring. So the implications of taking action could be very consequential. So this Nachi worm was, I think, another learning point. We talked in a previous video about the Slammer worm and how it helped us understand that there are indicators. The Nachi worm, I thought, taught us a few things. Number one, vigilante worms are a terrible idea. Number two, the idea that, at what point do you actually do something? At what point, or where, do you set thresholds? Think about it in your personal life. If you're at home and someone is walking up your driveway, do you call the police? Now, depending on where you live, you might have different answers. But I'm guessing that the vast majority of you listening would not be calling the local police if somebody was walking up toward your home. Now, what if they're banging on the door, making a big commotion? Do you call the police at that point? Again, where is the threshold? Let's say they break a window and they climb in. Well, of course you would be calling the local police; the question is, have you waited too long? Is there a consequence that's required before we spring to action? And back in 2003, the whole Internet security community was grappling with these issues. So the good news is we were grappling. The bad news, here we are so many years later and I can't tell you that we've completely solved the issue. I think we still have these residual problems of, when there's indication and warning that an attack may be brewing, where's the threshold?
And what specifically, what sort of action, would make sense in terms of doing something? Now, to sort of test our understanding here, we've got a very brief quiz, as we do on many of our videos. Now, as you consider the three, let's go through them. So firewalls, yeah, there's certainly some risk reduction. Probably not the primary means, but certainly a contributing factor. And as we go through these quizzes, you know that there's generally not some absolute answer. Security's one of those things where there are a lot of different things; if I said, what would be the best way to be healthy, and I said one is jog, another one is eat better, well, they both make sense, one might be better than the other. But anyway, following this up, the second one, patching, it turns out, has a significant impact on reducing worms, only because most worms find their way into your system by exploiting some sort of unpatched vulnerability. So patching turns out to have a very strong effect. Well, firewalls certainly have an effect, but perhaps less so. And then third, encryption, there's probably not a significant risk reduction, because for the most part, traffic is going to just find its way across a network. Whether it's encrypted, plaintext, ciphertext sort of doesn't matter. So I would say probably the best answer would be to make sure that your systems are patched, and to complement it with things such as firewalls. So I hope that helps your learning. And I hope this Nachi worm and its impact on the Internet and on security, [LAUGH] it's helpful to you. So we'll see you in the next video.
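As an added example, not part of the lecture, here is the "counting and graphing" question from the video turned into code: a per-pipe baseline of hourly ICMP session counts taken from the quiet hours, a "watch" threshold that catches the small early rise on one pipe, and an "act" threshold on the share of all sessions that are ICMP (the lecture's 40% peak is well past it). Pipe names, the hour-by-hour counts and the threshold values are all constructed for illustration.

```python
"""Hourly ICMP surge triage across several monitoring pipes (constructed data)."""
from statistics import mean, pstdev

# Constructed sample: per pipe, one (icmp_sessions, total_sessions) tuple per hour.
# The first BASELINE_HOURS are quiet; the later hours mimic the gradual-then-explosive
# growth described in the lecture. A session is a source/destination pair (a flow).
BASELINE_HOURS = 4
SAMPLE = {
    "pipeA": [(1200, 900_000), (1250, 910_000), (1180, 905_000), (1230, 908_000),
              (1900, 905_000), (6_000, 910_000), (60_000, 960_000), (620_000, 1_500_000)],
    "pipeB": [(800, 600_000), (790, 602_000), (810, 598_000), (805, 601_000),
              (820, 600_000), (830, 603_000), (2_500, 605_000), (240_000, 840_000)],
}

def baseline(hours):
    """Mean and population std-dev of ICMP counts over the quiet training hours."""
    quiet = [icmp for icmp, _ in hours[:BASELINE_HOURS]]
    return mean(quiet), pstdev(quiet)

def classify(icmp, total, base_mean, base_sd, watch_sigma=5.0, watch_ratio=1.5, act_share=0.20):
    """One hour on one pipe -> 'act' (ICMP is >= act_share of all sessions),
    'watch' (count above baseline by watch_sigma std-devs AND by watch_ratio x;
    the ratio guard keeps a near-zero std-dev from flagging noise), else 'normal'."""
    share = icmp / total if total else 0.0
    if share >= act_share:
        return "act"
    threshold = max(base_mean + watch_sigma * base_sd, base_mean * watch_ratio)
    return "watch" if icmp > threshold else "normal"

def triage(sample):
    """Return ({pipe: [decision per hour]}, first hour any pipe reaches 'act')."""
    decisions, first_act = {}, None
    for pipe, hours in sample.items():
        m, sd = baseline(hours)
        decisions[pipe] = [classify(i, t, m, sd) for i, t in hours]
        for h, d in enumerate(decisions[pipe]):
            if d == "act" and (first_act is None or h < first_act):
                first_act = h
    return decisions, first_act

def aggregate_share(sample, hour):
    """Fraction of all sessions across every pipe that are ICMP in the given hour."""
    icmp = sum(hours[hour][0] for hours in sample.values())
    total = sum(hours[hour][1] for hours in sample.values())
    return icmp / total

if __name__ == "__main__":
    per_pipe, first = triage(SAMPLE)
    for pipe, decisions in per_pipe.items():
        print(pipe, " ".join(decisions))
    print(f"first 'act' hour: {first}; ICMP share then: {aggregate_share(SAMPLE, first):.1%}")
```

Note that pipeA trips "watch" in hour 4 while pipeB is still normal; the aggregate share, not any single pipe, is what says the whole network is being consumed by ping traffic.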