Peter Cochrane's Uncommon Sense: Net Antibodies
Given the size, speed and interconnectivity of the net, viral and worm infections now spread far faster and wider than any other human infection generated from a single sneeze...

Over the past month I've watched the escalation of network attacks on my home computers that roughly track the global trend that has seen more than 170,000 individual network attacks on the US alone in the first six months of 2003.

In my case the average time between attacks has rapidly fallen from days, to hours, to minutes and now to around one every four seconds, and I think I have topped out. I may be wrong, but this seems to be the response time of my combined ISP server, connection, home network, and machines.

All attacks manifest themselves as warning flags on my screen from my firewalls and virus catchers. These inform me that threats have been repelled and I am still secure, or not.

A primary result has been a visible slowdown in network performance, and I estimate that the SoBig virus and Blaster worm consumed more than 50 per cent of the global network capacity at their peak. Ultimately I had to switch off my monitoring flags and only show violations, but at the end of each day I had logged thousands of individual attacks.

Upon analysis I found that the majority originated from customers connected to my ISP, and it is clear that thousands of local computers had been infected. ISP communities were thus acting as unwitting distribution centres.
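The kind of tally behind that observation, as an added example that is not the column's own code: it groups blocked events from firewall alert lines by source address and measures what share falls inside the home ISP's address block. The log format, the addresses (RFC 5737 test ranges) and the ISP block are all constructed assumptions.

```python
# Added example: tally blocked events by source address and measure the
# share that comes from the home ISP's own customer address block.
# Log format, addresses and the ISP block are constructed, not real.
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall alert lines (hypothetical format).
SAMPLE_LOG = """\
2003-08-12 09:14:02 BLOCK TCP 192.0.2.17:1034 -> 10.0.0.5:135
2003-08-12 09:14:05 BLOCK TCP 192.0.2.17:1035 -> 10.0.0.5:135
2003-08-12 09:14:09 BLOCK TCP 192.0.2.200:3921 -> 10.0.0.5:4444
2003-08-12 09:14:13 BLOCK ICMP 192.0.2.9 -> 10.0.0.5
2003-08-12 09:14:17 BLOCK TCP 203.0.113.44:2201 -> 10.0.0.5:135
2003-08-12 09:14:21 BLOCK TCP 192.0.2.17:1036 -> 10.0.0.5:135
2003-08-12 09:14:25 BLOCK TCP 198.51.100.7:1100 -> 10.0.0.5:445
"""

# Assumed address block of the writer's ISP (constructed, RFC 5737 range).
ISP_BLOCK = ipaddress.ip_network("192.0.2.0/24")

# Source address, with optional port, in the constructed line format.
LINE_RE = re.compile(r"BLOCK\s+\S+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")

def parse_sources(log_text):
    """Return one source IP address per blocked event in the log."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [ipaddress.ip_address(m.group(1)) for m in matches if m]

def analyse(log_text, isp_block=ISP_BLOCK):
    """Summarise where blocked events originate.

    Returns (total events, share from the ISP block, distinct hosts in
    the ISP block, top sources as (address string, count) pairs).
    """
    sources = parse_sources(log_text)
    total = len(sources)
    local = [s for s in sources if s in isp_block]
    share = len(local) / total if total else 0.0
    top = [(str(ip), n) for ip, n in Counter(sources).most_common(3)]
    return total, share, len(set(local)), top

if __name__ == "__main__":
    total, share, hosts, top = analyse(SAMPLE_LOG)
    print(f"{total} blocked events, {share:.0%} from {ISP_BLOCK} "
          f"({hosts} distinct hosts)")
    for ip, n in top:
        print(f"  {ip:>16} {n}")
```

A high share from a single block with many distinct hosts points at infected neighbours rather than one attacker, which is the pattern the column describes.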

Several variants of Slammer/Blaster, SoBig/Nachi/Welchia are still appearing on my screen in the guise of messages from people I know, or indeed don't know, with headers such as - help, your order is confirmed, sexy girls, that movie, returned email and more. Fortunately, I find it relatively easy to identify virus-carrying emails and, not being a user of the dominant operating system and office products, I'm a lot less prone to infection anyway.

To date I have resisted the temptation to install a dedicated hardwired firewall into my home network, preferring instead to leave it wide open to visitors who want to access via Wi-Fi. I ensure protection by installing firewalls on individual machines and while I am in some respects open to attack, I am willing (for now) to take this risk for the overwhelming benefits of flexibility in the working environment.

I have however experienced first-hand the devastating impact of this new style of attack of combined virus and worm on my son's PC. He does use the dominant operating system and office products, and despite the fact that this machine has a firewall and virus protection, somehow the worm got in and the machine was rendered useless. It took more than a full day and concerted effort to rebuild, fully protect and get it back onto the network. What a waste!

If you multiply up this level of effort we are talking billions of dollars in repair costs and even more in lost business revenues. Experts estimate that the Blaster and SoBig events alone cost global businesses more than $2bn. And be sure, this is only one incident - there are going to be thousands more of a gradually increasing seriousness. To date virus and worm attacks have been relatively benign. I think we are fast heading to an era when they are going to become really vicious and there is a very real risk of bringing down business and seriously disrupting society.

If the last attack could stop trains running, foul up traffic control systems, stop banks trading and cripple small businesses, watch out. The question is: what are we going to do?

After more than five years of concerted and growing virus/worm attacks it is paradoxical that our general ability, as a lawful society, to resist these attacks has not significantly improved. The perpetrators are not fun loving geeks thumbing their noses at us, they are cyber-terrorists and as individuals and groups they present a rapidly growing threat to business and society.

If they were planting high explosives, cutting power lines, wrecking property and killing people we would engage our police and security services to track them down, arrest and lock them up. With only a very small per cent of the estimated $500bn that will be lost this year alone due to these people we could set up security teams across the planet to do exactly the same on the internet. It is easy to track down these people on the net and if we can't physically get at them because they are behind an unfriendly country border, then we should set about electronically attacking them, and if need be blockading that country to exclude it from the internet community until they clean up their act.

No matter what you do as a network administrator or as a self-contained small business it is extremely difficult to ensure that all machines and all possible routes of attack are 100 per cent up to date all of the time. Sooner or later something will slip through and you will find yourself becoming part of the distribution network for an unwanted infection.

Given the size, speed and interconnectivity of the net, viral and worm infections now spread far faster and wider than any other human infection generated from a single sneeze. The difference is that we possess a natural immune system, which seeks to automatically learn about, assimilate and reject all forms of infection. It is obviously a roaring success as a systems concept otherwise most of us wouldn't be here.

It seems to me that we need to design and engineer electronic antibodies for all our computers and other technologies, and we need them to look out for, identify and learn about any invaders of the viral/worm variety. Instead of just sitting there and being attacked, our machines could then respond by broadcasting successful antidotes across the net which would rapidly outstrip and kill the infection before it gained a hold and caused major disruption. If a virus/worm such as SoBig can emanate from a single source and spread across the network in a matter of 10 hours, then so could antidotes.

It would be to the advantage of all commercial operations of any size to invest in antidote technologies so that the broadcasting of solutions to repel/destroy boarders would occur at a far greater rate and effectiveness than those malign individuals can perpetrate these attacks.

We are all watching the most revolutionary communications channel invented being taken down a step at a time by small groups of twisted individuals. At a modest estimate a combination of virus, worm and spam traffic is reducing the net to 20 per cent of its former self. If this was our oil, water, or food supply we would have to react real fast. Soon it will be. Take down our communications and all the rest will quickly follow.

So why haven't we done anything? My theory: because we haven't seen sufficient damage, inconvenience, pain, loss of business, or loss of human life to date. But I suspect we soon will. It is only a matter of time before a pharmacy, MD's surgery, hospital, or transport system has an induced event. I think we are rapidly approaching the point of no return where we really do have to decide to repel boarders in a far more serious and professional way. I really don't think we should wait for the lights to go out, the taps to run dry, and the shelves to empty.