Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

[jmalcolm () uraeus com]

Stuart Staniford writes:
> It would seem for the Internet to reliably resist bandwidth attacks 
> from future worms, it has to be, roughly "bigger in the middle than at 
> the edges".  If this is the case, then the worm can choke edges at the 
> sites it infects, but the rest of the net can still function.  If it's 
> bigger at the edges than in the middle, you'd expect a big enough worm 
> would be able to choke the core.  For a given ISP, you'd want capacity 
> to the upstream to be bigger than the capacity to downstream customers. 
>  (It would seem like this would be the reverse of what economics would 
> tend to suggest).

So, essentially, you are saying that the edges (customers, presumably)
need to be bandwidth-limited to protect the core? This tends to happen
anyway due to statistical multiplexing, but is usually not what the
customers would want if they considered the question, and is not what
ISPs want if they bill by the bit.

> Do we really know much about the capacity of the Internet to carry worm 
> traffic?  (We believe Slammer used a peak bandwidth of roughly 200 
> Gbps).

I suspect that in the end the main backbone constaint will be peering
links, for larger ISPs.