[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [Full-Disclosure] short Blaster propagation algorithm analysi s

To: full-disclosure@lists.netsys.com
Subject: AW: [Full-Disclosure] short Blaster propagation algorithm analysi s
From: vogt@hansenet.com
Date: Thu, 14 Aug 2003 15:50:55 +0200

> > It is not always a random IP that is chosen. Each time a host 
> > is infected,
> > there is a 40% chance that it will begin at the first address 
> > of its "Class
> > C"-size subnet (x.x.x.0), and a 60% chance that it will start at a
> > completely random IP address with the last octet set to 0
> > ([1-254].[0-253].[0-253].0).


I've added these parameters to my worm propagation simulation and it
is very obvious that this hurts propagation speed considerably. In
fact, a simple random algorithm (pick IP completely at random) would
have been faster by a factor of almost two.

Whoever wrote this thing either had no grasp on worm propagation
whatsoever, or he had and wanted it to spread badly. If you write
something that is half as fast as even the most obvious and trivial
propagation algorithm, you're either very dumb or very smart.


Tom Vogt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] msblast.exe
Next by Date: Re: [Full-Disclosure] ISP's save the Inet from Blaster?
Prev by thread: AW: [Full-Disclosure] future happenings..
Next by thread: [Full-Disclosure] Re: new msblaster on the loose?
Index(es):
- Date
- Thread