Nicholas Bachmann wrote:

> Hi all-
>
> I think I have found a formula to approximate the number of infected
> hosts. My formula is
>
> ([(Number of Infected Hosts * Number CR Queries p/ Day) / Total IPs on
> the Internet ]^-1) / Average IP Requests p/ Host
>
> So what I would need to know to figure out the approximate number of
> infected hosts:
> *How many IPs CR can check in a day (Number CR Queries p/ Day)
> *Average Number of times people are checked during a set period,
> probably 5:00a-5:00p (Average IP Requests p/ Host)
>
> Does anyone see any big flaws in this (I know it isn't perfect) formula
> that would keep it from being within a reasonable margin of error?

I was thinking along the same lines myself. The tricky bit is CR-Queries/day; IMHO, this will mainly depend on the response time of the targeted host.

Having said that, I was observing the complete attack taking 5-10s. Bearing in mind that the worm spawns 99 scanning threads (right?), I reckon a single worm can scan a host in an effective time of 0.1s (assuming unlimited outbound bandwidth, which should be reasonable given how small (4K) these attacks are). This would give a scan rate of 10*60*60*24=864000 hosts/day.

I saw 3 or 4 attacks in a 2h 40m time period (i.e. 27-36 scans per IP address per day, scaled to 24 hours).

Howzat?

Best Regards,
Alex (not a statistician).
--
Alex Butcher                                 PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services     alex@s3 B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp     alex.butcher@ 885BA6CE
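The estimate discussed in this thread, carried through as an added example (not part of either poster's message): it assumes every infected host scans the whole IPv4 space uniformly at random at the 0.1 s/host rate given above, and it puts an exact Poisson interval around the 3 or 4 observed attacks to show the margin of error. All function names are hypothetical.

```python
import math

ADDRESS_SPACE = 2 ** 32  # assumption: targets drawn uniformly from all IPv4 addresses


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def poisson_interval(k, conf=0.95):
    """Exact (Garwood) confidence interval for a Poisson mean after k events."""
    alpha = 1.0 - conf

    def solve(events, target):
        # The CDF falls as mu grows, so bisect for cdf(events, mu) == target.
        lo, hi = 0.0, 10.0 * (k + 5)
        for _ in range(100):
            mid = (lo + hi) / 2
            if poisson_cdf(events, mid) > target:
                lo = mid
            else:
                hi = mid
        return (lo + hi) / 2

    lower = 0.0 if k == 0 else solve(k - 1, 1 - alpha / 2)
    upper = solve(k, alpha / 2)
    return lower, upper


def estimate_infected(hits, window_s, per_host_s):
    """(low, point, high) infected-host estimates from hits seen on one IP."""
    scans_per_worm_day = 86400 / per_host_s   # 0.1 s/host -> 864000 per day
    to_day = 86400 / window_s                 # scale the window to 24 h
    lo, hi = poisson_interval(hits)

    def hosts(h):
        # Expected hits/day on one IP = N * scans_per_worm_day / ADDRESS_SPACE
        return h * to_day * ADDRESS_SPACE / scans_per_worm_day

    return hosts(lo), hosts(hits), hosts(hi)


if __name__ == "__main__":
    window = 2 * 3600 + 40 * 60               # 2h 40m, as in the message
    for hits in (3, 4):
        low, point, high = estimate_infected(hits, window, 0.1)
        print(f"{hits} hits: ~{point:,.0f} infected (95% CI {low:,.0f} to {high:,.0f})")
```

With only 3 or 4 hits on a single address, the 95% interval spans roughly an order of magnitude, so the observation count dominates the margin of error.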