[67416] in North American Network Operators' Group
Re: Monumentous task of making a list of all DDoS Zombies.
daemon@ATHENA.MIT.EDU (Scott A Crosby)
Mon Feb 9 18:16:15 2004
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: Suresh Ramasubramanian <suresh@outblaze.com>, nanog@merit.edu
From: Scott A Crosby <scrosby@cs.rice.edu>
Date: 09 Feb 2004 16:32:46 -0600
In-Reply-To: <0399DAD6-5A5A-11D8-9F25-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 8 Feb 2004 18:12:46 +0100, Iljitsch van Beijnum <iljitsch@muada.com> writes:

> But how are you going to infect a million boxes if you can
> only scan one address per second?

With a random scanning worm, the expected time could be as low as
about a day.

Assuming the random scanning model from the paper[1], I get:

  0 time: 1 infected host.
  11 hours to infect 1000 hosts.
  25 hours to infect 800k hosts.
  31 hours to infect 996k hosts.

This model assumes one scan per second per infected host. It is
because if a million boxes are vulnerable, then one in 4096 IP
addresses should be vulnerable. A random scan would find one such
every 4096 seconds, implying a doubling time of about 70 minutes.

Scott

[1] http://www.icir.org/vern/papers/cdc-usenix-sec02/
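
Added example, not part of the original message or of the cited paper: a logistic growth calculation that takes the message's figures as inputs (1,000,000 vulnerable hosts, one hit per 4096 scans, doubling every 4096 seconds at one scan per second) and returns the hours needed to reach a given infected count. The function names, the closed form and the slower scan rates are assumptions of this example; the slower rates show how much time per-host scan-rate limiting buys responders.

```python
import math

# Figures taken from the message; everything else is an assumption of
# this added example.
VULNERABLE = 1_000_000      # vulnerable hosts
HIT_INTERVAL_SCANS = 4096   # "one in 4096 IP addresses should be vulnerable"


def doubling_seconds(scans_per_sec=1.0):
    """Early doubling time, using the message's figure: each infected
    host finds one new vulnerable host every 4096 scans."""
    if scans_per_sec <= 0:
        raise ValueError("scan rate must be positive")
    return HIT_INTERVAL_SCANS / scans_per_sec


def hours_to_reach(target, scans_per_sec=1.0, vulnerable=VULNERABLE, initial=1):
    """Hours until `target` hosts are infected under logistic growth.

    The odds n / (vulnerable - n) double once per doubling_seconds(), so
    growth is exponential early and flattens as targets run out.
    """
    if not (initial <= target < vulnerable):
        raise ValueError("need initial <= target < vulnerable")

    def odds(n):
        return n / (vulnerable - n)

    doublings = math.log2(odds(target) / odds(initial))
    return doublings * doubling_seconds(scans_per_sec) / 3600


def timeline(scans_per_sec=1.0, targets=(1_000, 800_000, 996_000)):
    """(target, hours) pairs for the infected counts the message lists."""
    return [(t, hours_to_reach(t, scans_per_sec)) for t in targets]


if __name__ == "__main__":
    for rate in (1.0, 0.1, 0.01):   # constructed scan rates for comparison
        print(f"{rate} scans/s, doubling every {doubling_seconds(rate) / 60:.0f} min")
        for target, hours in timeline(rate):
            print(f"  {target:>9,} hosts after {hours:8.1f} h")
```

At one scan per second this gives roughly 11.3, 25.0 and 31.7 hours for the three counts; every timeline scales inversely with the per-host scan rate.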