From comp.risks, the Warhol Worm (Worstcase scenario)

Matt Jensen mattj@newsblip.com
Fri, 10 Aug 2001 21:48:12 -0400 (EDT)


"Appendix 1: Justification of assumptions ...
100 scans/second: Scanning a single machine to see if it is running the
vulnerable service requires only about a kilobit of data to be sent and
received, this only requires about a 100kbps link for each active worm. "
---

These might be good enough assumptions (roughly) for phase I, where you're
targeting 50,000 predetermined, high-speed addresses known to be running
the given server program.  But in phase II, where the worms
pseudo-randomly try new IP addresses, it seems like well over half will
either be invalid, a shared cable line, many hops away, or have other
problems that would cause delays or even timeouts. The author doesn't seem
to have very different assumptions for the two phases.

-Matt Jensen
 http://mattjensen.com
 http://NewsBlip.com
 Seattle

 
On Fri, 10 Aug 2001, Jesse wrote:

> 
> Finally, someone's run the numbers and designed the algorithm for a 
> worst-case maximum-virulence worm.  This thing make code-red look benign.
> 
> http://www.cs.berkeley.edu/~nweaver/warhol.html  
> 
> 
> 
> 
> -- 
> jesse reed vincent -- root@eruditorum.org -- jesse@fsck.com 
> 70EBAC90: 2A07 FC22 7DB4 42C1 9D71 0108 41A3 3FB3 70EB AC90
> 
> autoconf is your friend until it mysteriously stops working, at which 
> point it is a snarling wolverine attached to your genitals by its teeth
>  (that said, it's better than most of the alternatives)  -- Nathan Mehl
> 
> 
> http://xent.com/mailman/listinfo/fork
>