July 2001

Seeing Code Red: Denial-of-Service Attack Demonstrates Importance of Constant Cyber-Vigilance
 

On Thursday, July 19, a major Internet cyberattack, which came to be known as Code Red, infected an estimated 300,000 to 500,000 servers, requiring them to be temporarily taken out of service. Berkeley Lab, like all Internet sites, was heavily attacked - 18 LBNL Web servers were infected, but were taken offline quickly as they began attacking other sites. The attack, which began spreading as a virulent "computer worm," was programmed to turn into a denial-of-service attack on the White House Web site at midnight GMT, but the worm was so persistent and ubiquitous that it served as a denial-of-service attack on the entire Internet.

According to the Associated Press, the Code Red worm spread more quickly than any worm in recent history. Most Web users, however, were unaware of the drama going on behind the scenes.

Although the apparent objective was to bring down www.whitehouse.gov, the worm caused infected machines to begin scanning random IP addresses. When the worm found a Windows 2000 or NT-based Web server, it attempted to load itself into the machine's memory. It succeeded in infecting those Web servers that did not have the latest vulnerability patches installed, and the process continued as the infected machines began scanning other random IP addresses. The target was supposed to switch from random addresses to whitehouse.gov, but the rest of the Internet suffered from the heavy traffic associated with the scanning, which increased with the number of infected machines. The system people who run www.whitehouse.gov changed their IP address, which foiled the worm's objective.

Fortunately, the Lab's Cybersecurity Team led by Jim Rothfuss had distributed information about this vulnerability prior to the attack, and that helped minimize the effect here at Berkeley Lab.

At the Berkeley Lab perimeter, BRO (the Lab's intrusion-detection system) detected worm probes (looking for Web servers) from 296,000 different remote machines, and attempted infections (after they found a Web server) from 20,000 remote machines. The Lab's normal hostile scan rate is about 40 per day. According to Vern Paxson, who developed BRO, the number of new infected hosts scanning the Lab reached a high of 1,600 per minute at 10 a.m. Thursday, July 19 (see figure based on BRO logs below).

[Figure: new infected hosts scanning the Lab per minute on Thursday, July 19, based on BRO logs]

The plot of Code Red's growth corresponds to epidemic disease models, in which the entire susceptible population is rapidly infected. The peak occurred around 10 am PDT when the worm started running out of uninfected targets, not because of Internet security countermeasures. The overall growth rate was likely higher than the plot shows, since the data is limited to what was observable at the Lab.
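The epidemic behaviour described above can be reproduced with a small simulation. The following is an added example written for this article, not code from the original page or from Bro: a discrete-time susceptible-infected (SI) model in which every infected host makes a fixed number of scans per step, each landing on a uniformly random member of the population. The population size, initial infection count and scan rate are constructed values. The run shows the paragraph's point: new infections per step peak when roughly half the population is already infected and the worm starts running out of fresh targets, although the model contains no countermeasure at all.

```python
def si_epidemic(population, initial_infected, scan_rate, steps):
    """Discrete-time SI (susceptible-infected) worm model.

    Each step every infected host makes `scan_rate` scans, each landing on an
    address drawn uniformly from the whole population; a scan that lands on a
    still-susceptible host infects it.  Random draws are replaced by their
    expected value, so the run is deterministic.
    Returns two lists indexed by step: total infected after the step, and the
    number of new infections made during that step.
    """
    infected = float(initial_infected)
    totals, new = [], []
    for _ in range(steps):
        susceptible = population - infected
        # Expected new victims this step: scans from all infected hosts times the
        # fraction of addresses that still belong to uninfected hosts.  Capped at
        # the remaining susceptible count so the model never over-infects.
        hits = min(infected * scan_rate * susceptible / population, susceptible)
        infected += hits
        totals.append(infected)
        new.append(hits)
    return totals, new


def peak_step(new_infections):
    """Index of the step with the most new infections (the top of the growth curve)."""
    return max(range(len(new_infections)), key=new_infections.__getitem__)


def infected_fraction_at_peak(population, initial_infected, scan_rate, steps):
    """Fraction of the population already infected at the step where new infections peak.

    For the logistic curve this lands near one half: growth slows because the
    susceptible pool is exhausted, not because anything stopped the worm.
    """
    totals, new = si_epidemic(population, initial_infected, scan_rate, steps)
    return totals[peak_step(new)] / population


if __name__ == "__main__":
    # Constructed parameters (not from the article): 10,000 vulnerable servers, one
    # initial infection, each infected host making one scan every two steps on average.
    totals, new = si_epidemic(10_000, 1, 0.5, 40)
    for step, (total, fresh) in enumerate(zip(totals, new)):
        print(f"step {step:2d}  infected {total:8.0f}  new this step {fresh:7.0f}")
    print("new infections peak at step", peak_step(new),
          "with", f"{infected_fraction_at_peak(10_000, 1, 0.5, 40):.0%}",
          "of the population already infected")
```

Because the data the Lab saw is only the slice of the worm's scans that happened to reach its own address space, a site-level curve like the one in the figure is a scaled-down sample of the global one; the shape, and the timing of the peak, is what carries over.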

The worm only infects the memory of susceptible computers and is removed by rebooting, so it does not do any permanent damage. However, the worm could result in institutional issues if Lab computers are infected and used to attack other sites. A security patch must be installed to prevent reinfection. All infected machines (BRO identifies the infected systems and notifies cybersecurity staff) were blocked at their local LBLnet connection point and will remain blocked until security patches are installed.
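The measures reported above (distinct remote hosts probing for Web servers, distinct remote hosts attempting infection, and new infected hosts per minute) and the blocking of local machines that begin attacking other sites can all be derived from connection records. The following is an added example written for this article, not Bro code and not Bro's log format: it runs over a handful of constructed records with constructed addresses and a constructed local network, and computes the same three measures plus the list of local hosts to block until they are patched.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Lab's address space (not a real LBNL range).
LOCAL_NET = ip_network("192.0.2.0/24")

# Constructed sample connection records, not real intrusion-detection output:
# (timestamp, source IP, destination IP, event kind)
#   "probe"  = connection attempt to a Web server port, i.e. a scanner looking for a server
#   "infect" = request matching the worm's infection attempt against a server it found
SAMPLE_RECORDS = [
    ("2001-07-19 09:58:10", "198.51.100.7",  "192.0.2.10",    "probe"),
    ("2001-07-19 09:58:12", "198.51.100.7",  "192.0.2.10",    "infect"),
    ("2001-07-19 09:58:40", "198.51.100.9",  "192.0.2.11",    "probe"),
    ("2001-07-19 09:59:05", "203.0.113.4",   "192.0.2.12",    "probe"),
    ("2001-07-19 09:59:06", "203.0.113.4",   "192.0.2.12",    "infect"),
    ("2001-07-19 09:59:30", "198.51.100.7",  "192.0.2.13",    "infect"),  # repeat attacker, not "new"
    ("2001-07-19 10:00:02", "203.0.113.20",  "192.0.2.10",    "probe"),
    ("2001-07-19 10:00:03", "203.0.113.20",  "192.0.2.10",    "infect"),
    ("2001-07-19 10:00:45", "203.0.113.21",  "192.0.2.11",    "infect"),
    ("2001-07-19 10:01:15", "192.0.2.10",    "198.51.100.50", "infect"),  # local host now attacking outward
    ("2001-07-19 10:01:20", "192.0.2.10",    "203.0.113.77",  "probe"),
]


def parse(records):
    """Turn raw tuples into (datetime, src, dst, kind) with parsed addresses."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip_address(s), ip_address(d), k)
            for ts, s, d, k in records]


def is_local(addr):
    return addr in LOCAL_NET


def remote_source_counts(events):
    """Distinct remote hosts that probed us, and distinct remote hosts that tried to infect us."""
    probers = {s for _, s, d, k in events if k == "probe" and not is_local(s) and is_local(d)}
    attackers = {s for _, s, d, k in events if k == "infect" and not is_local(s) and is_local(d)}
    return len(probers), len(attackers)


def new_infected_per_minute(events):
    """Per minute, the number of remote hosts seen attempting infection for the first time.

    A host that starts attacking is itself newly infected, so the first-seen time of
    each attacker approximates the worm's growth curve as observed from one site.
    """
    first_seen = {}
    for ts, s, _d, k in sorted(events, key=lambda e: e[0]):
        if k == "infect" and not is_local(s) and s not in first_seen:
            first_seen[s] = ts.strftime("%H:%M")
    counts = defaultdict(int)
    for minute in first_seen.values():
        counts[minute] += 1
    return dict(counts)


def local_hosts_to_block(events):
    """Local hosts seen attempting to infect others are themselves infected.

    Returns them as strings so they can be blocked at their network connection
    point until the security patch is installed.
    """
    return sorted({str(s) for _, s, _d, k in events if k == "infect" and is_local(s)})


if __name__ == "__main__":
    events = parse(SAMPLE_RECORDS)
    probers, attackers = remote_source_counts(events)
    print(f"remote hosts probing: {probers}, remote hosts attempting infection: {attackers}")
    print("new infected hosts per minute:", new_infected_per_minute(events))
    print("local hosts to block:", local_hosts_to_block(events))
```

The distinction between probes and infection attempts matters for the numbers: a scanner only becomes an attempted infection once it has found a listening Web server, so the attempted-infection count is always the smaller of the two and is the better estimate of how many infected machines actually reached a target.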

Although the Code Red program was designed with a built-in July 28 expiration date, the source code has been released publicly, so a derivative version could quickly emerge, Rothfuss warned. "I've heard that the designers seemed to have taken great pains to ensure that it would not cause permanent damage," Rothfuss said. "Had this been more malicious, we could have had significant lost data on 18 computers at LBNL. Had the virus attacked Windows in general, rather than just Windows Web servers, we could have had significantly more computers infected."

Code Red illustrates the necessity of fixing all the vulnerabilities in Microsoft's Internet Information Server (IIS), the Web server that has historically been most susceptible to attack, as well as in the Windows operating system. Guidelines for securing IIS and Windows are available at http://www.lbl.gov/ITSD/Security/guidelines/websecure.html and http://www.lbl.gov/ITSD/Security/systems/.

"This kind of incident is a strong reminder of the benefit of having a very competent cybersecurity staff and an approach that fosters agility, not just compliance," said Sandy Merola, the Lab's Chief Information Officer and director of the Information Technologies and Services Division.

