Re: Flash Worms

[Michal Zalewski <lcamtuf () gis net>]

On Fri, 17 Aug 2001, Stuart Staniford wrote:

> Agreed - we're only talking about saturation of the hosts that can
> actually be attacked from the Internet, are vulnerable to whatever
> exploit the worm has, are currently connected to the Internet, and
> have publically routable static Internet addresses.  What we're
> arguing is that the worm can reach all of those hosts that it's going
> to reach in O(30secs) if it's small and uses the kind of strategies we
> discuss.

There's a huge network in Poland, called Polpak, connected to the
Internet. It makes a part of it. It connects dozens, if not hundreds, of
thousands of computers. It has very centralized structure, built around
the capital of this country. It has very poor international uplinks,
heavily overloaded, with packet loss ratio around 50-60% in peak hours.

You can't ignore networks like that around the globe, they make a
significant percent of overall host count. The Internet is not made only
of US hosts in metropolitan areas, that can interact and exchange
information in fast and reliable way.

I doubt if you can actually inject your code to single host in this
network in 30 seconds, in most cases, and even if so, overloaded hub in
Warsaw would not stand the explosion, and certainly you would not reach
saturation point in seconds. Not in minutes - in long hours, maybe...

So?:)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com