North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: looking for Slammer infectee access link speeds

  • From: Deepak Jain
  • Date: Sun May 02 11:26:14 2004

With colleagues I'm working on Internet-scale modeling of Slammer's behavior.
Its spreading dynamics significantly differed from those of most worms,
an effect we're pretty sure is related to the fact that unlike most worms,
an infected host's scanning often clogged the host's access link.

I think a more interesting aspect of this particular worm is that it only takes a single packet to infect a vulnerable host. As far as I know no other worm can do this. The effect is that even packets to broadcast or multicast address have the potential to infect.

I think this is really the most important point. Link speeds and such are not as significant, maximum packet rates probably are. The compromised servers didn't need to wait for confirmation of the packets they spit out, and since a high percentage of the packets between "normal" levels of traffic and "pipe speed" [until pipe speed was reached] you get a very high infection rate in moments.

Every other virus had to do a long more talking, was a lot more dependent on reciprocal communication.

It might be interesting to model how many pps infected machines would have to spit out to infect 100% of the Internet in a certain about of time.

Deepak Jain