Re: Flash Worms

From: Michal Zalewski (lcamtufat_private)
Date: Fri Aug 17 2001 - 17:11:24 PDT

    On Fri, 17 Aug 2001, Stuart Staniford wrote:
    
    > Agreed - we're only talking about saturation of the hosts that can
    > actually be attacked from the Internet, are vulnerable to whatever
    > exploit the worm has, are currently connected to the Internet, and
    > have publicly routable static Internet addresses.  What we're
    > arguing is that the worm can reach all of those hosts that it's going
    > to reach in O(30secs) if it's small and uses the kind of strategies we
    > discuss.
    
    There's a huge network in Poland, called Polpak, connected to the
    Internet. It makes up a part of it. It connects dozens, if not hundreds, of
    thousands of computers. It has a very centralized structure, built around
    the capital of this country. It has very poor international uplinks,
    heavily overloaded, with a packet loss ratio around 50-60% in peak hours.
    
    You can't ignore networks like that around the globe; they make up a
    significant percent of the overall host count. The Internet is not made only
    of US hosts in metropolitan areas that can interact and exchange
    information in a fast and reliable way.
    
    I doubt if you can actually inject your code into a single host in this
    network in 30 seconds, in most cases, and even if so, the overloaded hub in
    Warsaw would not stand the explosion, and certainly you would not reach
    the saturation point in seconds. Not in minutes - in long hours, maybe...
    
    So?:)
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    