Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

[Stuart Staniford <stuart () silicondefense com>]

[Sorry for responding to old mail, but I'm catching up]

On Sunday, November 16, 2003, at 02:12 PM, Sean Donelan wrote:
> I've often tried to explain that ISPs generally view worms as a 
> "capacity
> planning" issue.  Worms change the "eco-system" of the Internet and 
> ISPs
> have to adapt.  But ISPs generally can't "fix" the end-users or their
> computers.

I'm curious to know if doing this is at all well understood?

Those of us doing research on worm spread, I don't think have a 
completely clear understanding of the interaction of Internet bandwidth 
and worm spread.  Slammer, we are pretty clear became bandwidth limited 
(the rate of spread slowed down dramatically about 40 seconds into the 
spread).  But we don't really know where those chokepoints live (at the 
edge, or in the middle).

It would seem for the Internet to reliably resist bandwidth attacks 
from future worms, it has to be, roughly "bigger in the middle than at 
the edges".  If this is the case, then the worm can choke edges at the 
sites it infects, but the rest of the net can still function.  If it's 
bigger at the edges than in the middle, you'd expect a big enough worm 
would be able to choke the core.  For a given ISP, you'd want capacity 
to the upstream to be bigger than the capacity to downstream customers. 
 (It would seem like this would be the reverse of what economics would 
tend to suggest).

Do we really know much about the capacity of the Internet to carry worm 
traffic?  (We believe Slammer used a peak bandwidth of roughly 200 
Gbps).

Stuart.

Stuart Staniford, President                             Tel: 707-840-9611 x 15
Silicon Defense - Worm Containment - http://www.silicondefense.com/
The Worm/Worm Containment FAQ: http://www.networm.org/faq/