Full Disclosure mailing list archives
interesting?
From: batz <batsy () vapour net>
Date: Fri, 31 Jan 2003 22:58:29 -0500 (EST)
According to the analysis posted to NANOG by a number of researchers (http://www.caida.org/analysis/security/sapphire/), it infected the majority of hosts within the first 10 minutes.

From the introduction:

"The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes."

The paper goes on a few paragraphs down to talk about how both Code Red and Sapphire used a strategy based upon "random scanning", a feature of which is that they spread exponentially rapidly. They call this the Random Constant Spread model (RCS). This is apparently also a "classic logistic form".

So let me get this straight. You release a piece of _randomly_ self propagating code into a networked system, and despite its randomness (or limited randomness in the case of Sapphire) it still manages to cover 90% of possible targets in its first 10 minutes of existence.

I can't be the only one who saw this and wondered whether it was a feature of networks, as logical entities, that allowed for something that randomly picked targets to cover so much ground so quickly.

This seems important because it shows that a high rate of saturation can be achieved among network nodes as effectively (if not more so) using random distribution, as by using a structured or hierarchical distribution strategy. An example of a structured strategy would be choosing aggregation points and going ISP by ISP, subnet by subnet, or contiguously host by host.

I think this is significant as it could offer some insight into whether it is more efficient or economical (fewer iterations?) to distribute mobile or replicating information into a network in a controlled vs. a random way.

To me, it's eerily similar to the question of how to distribute vulnerability information most effectively in a system of interconnected administrators. Randomly seems to have worked quite well this time around.

Cheers,

--
batz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
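The "classic logistic form" mentioned in the post can be checked numerically. The following is an added example, not part of the post or of the CAIDA analysis: it simulates uniform random probing over a small constructed address space and compares the time to 90% saturation with the closed-form logistic solution. All sizes and rates are assumed toy values, and the model ignores bandwidth limits.

```python
import math
import random

def time_to_fraction(target, beta, a0):
    """Invert the logistic solution a(t) = a0*e^(beta*t) / (1 - a0 + a0*e^(beta*t))."""
    return (math.log(target / (1 - target)) - math.log(a0 / (1 - a0))) / beta

def simulate_random_scanning(space, vulnerable, seeds, probes_per_tick, ticks, rng_seed=1):
    """Every infected host probes uniformly random addresses each tick.
    Returns the infected fraction of the vulnerable population after each tick."""
    rng = random.Random(rng_seed)
    vuln = set(rng.sample(range(space), vulnerable))
    infected = set(sorted(vuln)[:seeds])
    history = []
    for _ in range(ticks):
        newly = set()
        for _ in range(len(infected) * probes_per_tick):
            addr = rng.randrange(space)
            # Probes that hit non-vulnerable or already-infected addresses are
            # wasted; that waste is what bends exponential growth into an S-curve.
            if addr in vuln and addr not in infected:
                newly.add(addr)
        infected |= newly
        history.append(len(infected) / vulnerable)
    return history

def first_tick_reaching(history, target):
    for tick, frac in enumerate(history, start=1):
        if frac >= target:
            return tick
    return None

# Constructed toy parameters (assumptions, not measurements of any real worm).
SPACE, VULNERABLE, SEEDS, PROBES = 50_000, 500, 10, 10
BETA = PROBES * VULNERABLE / SPACE  # expected hits per infected host per tick at the start

def run_demo():
    history = simulate_random_scanning(SPACE, VULNERABLE, SEEDS, PROBES, ticks=200)
    return first_tick_reaching(history, 0.9), time_to_fraction(0.9, BETA, SEEDS / VULNERABLE)

def quoted_doubling_estimate(doubling_s=8.5, population=100_000):
    """Uses the quoted 8.5 s doubling time; the population size is an assumed figure."""
    return time_to_fraction(0.9, math.log(2) / doubling_s, 1 / population)

if __name__ == "__main__":
    sim, model = run_demo()
    print(f"90% of vulnerable hosts: simulated tick {sim}, logistic model {model:.1f}")
    print(f"8.5 s doubling, assumed 100k hosts: 90% after {quoted_doubling_estimate():.0f} s")
```

Under these assumptions the unconstrained model reaches 90% in a few minutes, which shows how little time a response process has once exponential growth starts.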