[70135] in North American Network Operators' Group
Re: looking for Slammer infectee access link speeds
daemon@ATHENA.MIT.EDU (Deepak Jain)
Sun May 2 11:24:38 2004
Date: Sun, 02 May 2004 11:23:51 -0400
From: Deepak Jain <deepak@ai.net>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: vern@ee.lbl.gov, nanog@merit.edu
In-Reply-To: <F74348C2-9BCE-11D8-AC1F-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
>> With colleagues I'm working on Internet-scale modeling of Slammer's
>> behavior.
>> Its spreading dynamics significantly differed from those of most worms,
>> an effect we're pretty sure is related to the fact that unlike most
>> worms,
>> an infected host's scanning often clogged the host's access link.
>
>
> I think a more interesting aspect of this particular worm is that it
> only takes a single packet to infect a vulnerable host. As far as I know
> no other worm can do this. The effect is that even packets to broadcast
> or multicast address have the potential to infect.
>
I think this is really the most important point. Link speeds and such
are not as significant, maximum packet rates probably are. The
compromised servers didn't need to wait for confirmation of the packets
they spit out, and since a high percentage of the packets between
"normal" levels of traffic and "pipe speed" [until pipe speed was
reached] you get a very high infection rate in moments.
Every other virus had to do a long more talking, was a lot more
dependent on reciprocal communication.
It might be interesting to model how many pps infected machines would
have to spit out to infect 100% of the Internet in a certain about of time.
Deepak Jain
AiNET
