Security Incidents mailing list archives

Re: Flash Worms


From: Stuart Staniford <stuart () silicondefense com>
Date: Fri, 17 Aug 2001 13:55:24 -0700

Well, we're just waiting for a customer with enough money and a need for
one of these, and then we'd be glad to build one and demonstrate for sure
how fast it goes.

Just kidding, just kidding :-)  Saddam Hussein needn't call us.

Michal Zalewski wrote:

> My guess is that you'd actually need much more than 30 seconds to reach
> a significant percentage of vulnerable machines at all, due to network
> outages, overloaded links, and so on, and so on. Then, because both
> network structure (firewalling, routing) and system configuration are, heh,
> more than diverse, it significantly delimits the number of "vulnerable hosts"
> that can be automatically attacked and successfully exploited.

Agreed - we're only talking about saturation of the hosts that can actually
be attacked from the Internet, are vulnerable to whatever exploit the worm
has, are currently connected to the Internet, and have publicly routable
static Internet addresses.  What we're arguing is that the worm can reach
all of those hosts that it's going to reach in O(30secs) if it's small and
uses the kind of strategies we discuss.

> I would
> argue that it is not very likely for us to see a worm that reaches
> "saturation level" in less than 10-20 hours, and that attacks more than
> 1,000,000 hosts, even according to very enthusiastic guesses (which are
> probably at least 50% overestimated) in the next two years. Of course, I won't
> bet anything on that =)

I would bet against if you would :-)

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
