Stuart Staniford wrote: > Agreed - we're only talking about saturation of the hosts that can actually > be attacked from the Internet, are vulnerable to whatever exploit the worm > has, are currently connected to the Internet, and have publically routable > static Internet addresses. What we're arguing is that the worm can reach > all of those hosts that it's going to reach in O(30secs) if it's small and > uses the kind of strategies we discuss. Hello Stuart, Being vulnerable to a given exploit and having a public and routable IP address are of course 2 necessary conditions, but they are not sufficient: the infected host must be able, in his turn, to infect other machines, and this, as far as most services are concerned, can be prevented or at least limited by an efficient filtering policy: why, for example, would a web server be allowed to initiate an outbound connection (except in very special and rare cases) ? Ok, in the case of a mail server, this argument may be of a lesser importance, though, as most of them are inbound AND outbound. :-) Or maybe I simply misunderstood the term "vulnerable host", which may mean "host that can be infected and that can infect in his turn" ? Best regards, Bruno -- -- Service Hydrographique et Oceanographique de la Marine --- EPSHOM/INF -- 13, rue du Chatellier --- BP 30316 --- 29603 Brest Cedex, FRANCE -- Phone: +33 2 98 22 17 49 --- Email: Bruno.Treguierat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 10:05:47 PDT