From comp.risks, the Warhol Worm (Worst-case scenario)
Fri, 10 Aug 2001 21:48:12 -0400 (EDT)
"Appendix 1: Justification of assumptions ...
100 scans/second: Scanning a single machine to see if it is running the
vulnerable service requires only about a kilobit of data to be sent and
received, this only requires about a 100kbps link for each active worm."
These might be good enough assumptions (roughly) for phase I, where you're
targeting 50,000 predetermined, high-speed addresses known to be running
the given server program. But in phase II, where the worms
pseudo-randomly try new IP addresses, it seems like well over half will
either be invalid, a shared cable line, many hops away, or have other
problems that would cause delays or even timeouts. The author doesn't seem
to have very different assumptions for the two phases.
On Fri, 10 Aug 2001, Jesse wrote:
> Finally, someone's run the numbers and designed the algorithm for a
> worst-case maximum-virulence worm. This thing makes code-red look benign.
> jesse reed vincent -- email@example.com -- firstname.lastname@example.org
> 70EBAC90: 2A07 FC22 7DB4 42C1 9D71 0108 41A3 3FB3 70EB AC90
> autoconf is your friend until it mysteriously stops working, at which
> point it is a snarling wolverine attached to your genitals by its teeth
> (that said, it's better than most of the alternatives) -- Nathan Mehl