Slapper aftermath: the P2P precedent

A week into Slapper. The peer-to-peer architecture has produced a more durable compromised population than centralised worms produce.

What is happening

The Slapper mesh has reached approximately 20,000 hosts. Cleanup is harder than for previous worms because:

  • Identifying the controlling node is impossible (there is no controlling node).
  • Disrupting one host's connectivity does not affect the others.
  • The mesh continues to coordinate attacks even as compromised hosts are slowly cleaned up.

The cleanup is happening, but at the per-operator scale rather than through any infrastructure-level effort. Each affected operator individually patches and cleans; the mesh shrinks slowly.

What this teaches

Worms are evolving toward resilience. The earlier worms (Code Red, Nimda) were vulnerable to coordinated takedown if the master could be identified. P2P architectures eliminate that vulnerability.

Future worms will probably use P2P by default. The architectural innovation, once demonstrated, will be reused. Defenders should expect P2P command-and-control to become standard.

The economic incentive favours persistence. A compromised mesh is a strategic asset. Operators of these meshes will optimise for retention; the meshes will become harder to dislodge.

What this implies for defenders

At the individual-host level, the defences are unchanged: patch promptly, defence in depth, off-host monitoring.

At the network level, detection of P2P-mesh traffic is the new requirement. The traffic patterns are distinctive (UDP traffic to and from random hosts, not matching any normal application protocol). Detecting them at the firewall level is feasible.
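As an added illustration of that fan-out pattern (this is example code, not part of the original post), the script below parses constructed firewall-style flow lines and flags hosts that send UDP to many distinct peers on ports with no known service. The log format, the list of known UDP service ports and the peer-count threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not real traffic): one line per
# outbound flow, "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2002-09-20T10:00:01 UDP 10.0.0.5:33012 -> 198.51.100.7:4156
2002-09-20T10:00:02 UDP 10.0.0.5:33012 -> 203.0.113.41:61020
2002-09-20T10:00:02 UDP 10.0.0.5:33012 -> 192.0.2.88:9110
2002-09-20T10:00:03 UDP 10.0.0.5:33012 -> 198.51.100.200:27511
2002-09-20T10:00:04 UDP 10.0.0.5:33012 -> 203.0.113.9:3301
2002-09-20T10:00:05 UDP 10.0.0.5:33012 -> 192.0.2.17:50233
2002-09-20T10:00:05 UDP 10.0.0.6:51000 -> 192.0.2.53:53
2002-09-20T10:00:06 UDP 10.0.0.6:51001 -> 192.0.2.53:53
2002-09-20T10:00:06 UDP 10.0.0.6:51002 -> 192.0.2.123:123
2002-09-20T10:00:07 TCP 10.0.0.7:40001 -> 198.51.100.7:80
2002-09-20T10:00:07 TCP 10.0.0.7:40002 -> 203.0.113.41:80
"""

LINE_RE = re.compile(
    r"^\S+ (?P<proto>UDP|TCP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: UDP to a well-known service port (DNS, NTP, SNMP, syslog)
# is ordinary application traffic and is not counted as mesh-like.
KNOWN_UDP_PORTS = {53, 123, 161, 162, 514}

def parse_flows(log_text):
    """Yield (proto, src, dst, dport) tuples, skipping unparseable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def udp_fanout(log_text, known_ports=KNOWN_UDP_PORTS):
    """Count distinct UDP peers per source host, ignoring known-service ports."""
    peers = defaultdict(set)
    for proto, src, dst, dport in parse_flows(log_text):
        if proto == "UDP" and dport not in known_ports:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def suspected_mesh_members(log_text, threshold=5):
    """Hosts whose UDP fan-out to unknown ports reaches the (assumed) threshold."""
    return sorted(src for src, n in udp_fanout(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(suspected_mesh_members(SAMPLE_LOG))  # prints ['10.0.0.5']
```

In practice the threshold should be tuned per network and the count taken over a time window, since legitimate UDP applications can also show some fan-out.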

At the infrastructure level, the takedown problem is unsolved. Coordinated cleanup across many operators, on the scale of compromised meshes, is operationally difficult.

More as the situation develops.
