Full Disclosure mailing list archives
AW: short Blaster propagation algorithm analysi s
From: vogt () hansenet com
Date: Thu, 14 Aug 2003 15:50:55 +0200
It is not always a random IP that is chosen. Each time a host is infected, there is a 40% chance that it will begin at the first address of its "Class C"-size subnet (x.x.x.0), and a 60% chance that it will start at a completely random IP address with the last octet set to 0 ([1-254].[0-253].[0-253].0).
I've added these parameters to my worm propagation simulation and it is very obvious that this hurts propagation speed considerably. In fact, a simple random algorithm (pick IP completely at random) would have been faster by a factor of almost two. Whoever wrote this thing either had no grasp on worm propagation whatsoever, or he had and wanted it to spread badly. If you write something that is half as fast as even the most obvious and trivial propagation algorithm, you're either very dumb or very smart. Tom Vogt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- AW: short Blaster propagation algorithm analysi s vogt (Aug 14)