[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <DF79BE12AF8DD344B107D0D03621E5750ED9A6@kermit.corp.hansenet.com>
From: vogt at hansenet.com (vogt@...senet.com)
Subject: short Blaster propagation algorithm analysis
As I have been working on analysing worm propagation
algorithms for a while now (paper forthcoming), I did
a short analysis and simulation/extrapolation of what
we know about Blaster.
The core points seem to be:
* It should have a fairly high exploitable
population
* It uses a "choose random IP, then scan sequentially
from there" algorithm
* The infection should be fairly slow compared to
others, as it needs to first infect, then fetch
more stuff via tftp.
At first, I thought that these last two factors
explain why it is so slow. However, I have written a
simple simulation system for worm propagation, and it
shows that while random-IP+sequential-scanning is
slower than pure random scanning, the difference is
not very large, at most 50%.
Also, Blaster only needs to fetch its main body if the
infection was successful. On the other hand, I can show
that it does spread faster this way then if it would
fire its whole code at a prospective victim.
The main part that I am still puzzling over is the
question of just how many systems are vulnerable? Where
"vulnerable" means that they can actually be infected.
If they're firewalled, they aren't vulnerable as far
as I am concerned, for example.
Also, if anyone has hard data on how long Blaster takes
to infect a machine, and how much overhead it occurs
through handshakes, tftp communication, etc. I would be
much oblieged for that data as it would help me refine
my simulation.
The most important result I have so far is that the
shape of the propagation curve looks the same as any
other worm, and while it is slower than even the very
first Code Red, the difference is less than a factor
of two. Depending on the vulnerable population, things
may be worse - the vulnerable population has a
considerable impact on propagation speed.
All this is based on what data I have, but I feel
confident that the order-of-magnitude is correct.
Tom Vogt
Powered by blists - more mailing lists