AW: short Blaster propagation algorithm analysi s

[vogt () hansenet com]

> > It is not always a random IP that is chosen. Each time a host 
> > is infected,
> > there is a 40% chance that it will begin at the first address 
> > of its "Class
> > C"-size subnet (x.x.x.0), and a 60% chance that it will start at a
> > completely random IP address with the last octet set to 0
> > ([1-254].[0-253].[0-253].0).


I've added these parameters to my worm propagation simulation and it
is very obvious that this hurts propagation speed considerably. In
fact, a simple random algorithm (pick IP completely at random) would
have been faster by a factor of almost two.

Whoever wrote this thing either had no grasp on worm propagation
whatsoever, or he had and wanted it to spread badly. If you write
something that is half as fast as even the most obvious and trivial
propagation algorithm, you're either very dumb or very smart.


Tom Vogt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html