Jason Watkins’s Weblog

Blog.collect{ Thought.rand }

Should deployment be viral?


Reading about Storm recently, I had no idea how big it got before its decay. Estimates for how many hosts were in Storm at peak vary, but they’re all in the millions.

I was really struck by how sophisticated command and control for botnets has become, moving from simple IRC servers to peer-to-peer overlays. The authors are constantly deploying updated code: new attack approaches, email spam, blog comment spam, serving up HTTP exploits… I imagine the application protocols themselves have to be written in such a way that different versions can co-exist in the wild without triggering faults in each other. Thanks to the p2p approach, they can do this simply and rapidly, despite the scale. Their administration mechanisms are even robust against both failure and active attempts to sever control.

Think about how different that is from the typical IT experience. Would your deployment methods still work if you had 50 million hosts to deploy to? Could your administration mechanisms withstand the determined hacking efforts of some of the internet’s smartest security practitioners? Certainly a worm is very different from a production application, but I think there’s a lot to be learned from how these crackers are solving their problems. Why aren’t we using Name-Dropper protocols, co-existing versions and Epidemic code upgrade?

Written by jasonwatkinspdx

March 5, 2008 at 2:43 am
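To make the question above concrete for a legitimate fleet, here is an added sketch (not code from the post or from any tool it mentions) of an epidemic upgrade in which hosts running different versions gossip without faulting and only adopt a release that verifies and is strictly newer. Every name here is hypothetical, the hostile peer is constructed, and HMAC with a demo key stands in for a publisher's public-key signature.

```python
import hashlib
import hmac
import random

# Assumption: HMAC with a demo key stands in for a publisher's public-key
# signature (the stdlib has none); real nodes would hold only a verify key.
PUBLISHER_KEY = b"constructed-demo-key"

def make_release(version, payload):
    msg = str(version).encode() + b":" + payload
    return (version, payload, hmac.new(PUBLISHER_KEY, msg, hashlib.sha256).digest())

def is_authentic(release):
    version, payload, tag = release
    return hmac.compare_digest(tag, make_release(version, payload)[2])

class Node:
    def __init__(self, release):
        self.release = release

    @property
    def version(self):
        return self.release[0]

    def offer(self, release):
        """Adopt a peer's release only if it verifies and is strictly newer."""
        if is_authentic(release) and release[0] > self.version:
            self.release = release
            return True
        return False  # older, equal or forged: ignore it and keep running

def exchange(a, b):
    """Push-pull gossip: each side offers what it runs; mixed versions coexist."""
    a.offer(b.release)
    b.offer(a.release)

def simulate(n, seed=1):
    """Return (gossip rounds until no host runs v1, hosts on the forged v3)."""
    rng = random.Random(seed)
    v1, v2 = make_release(1, b"app v1"), make_release(2, b"app v2")
    nodes = [Node(v1) for _ in range(n)]
    nodes[0].offer(v2)                               # operator seeds one host
    nodes[1].release = (3, b"tampered", b"\0" * 32)  # constructed hostile peer
    rounds = 0
    while any(x.version == 1 for x in nodes):
        rounds += 1
        for a in nodes:
            exchange(a, rng.choice(nodes))
    return rounds, sum(x.version == 3 for x in nodes)

if __name__ == "__main__":
    for n in (100, 10_000):
        print(n, simulate(n))
```

The round count grows roughly with the logarithm of the fleet size, while the forged higher-numbered release never leaves the one host that advertises it.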

One Response to 'Should deployment be viral?'


  1. Good point. Didn’t you just love that one virus that patched a security hole in another virus?

    Oh, and hey. Nice webpage. ;)

    kidcorporeal

    5 Mar 08 at 1:33 pm
