On Sun, 8 Feb 2004 18:12:46 +0100, Iljitsch van Beijnum <iljitsch@muada.com> writes:
> But how are you going to infect a million boxes if you can only scan one address per second?

With a random scanning worm, the expected time could be as low as about a day. Assuming the random scanning model from the paper[1], I get:

0 time: 1 infected host.
11 hours to infect 1000 hosts.
25 hours to infect 800k hosts.
31 hours to infect 996k hosts.

This model assumes one scan per second per infected host. It is because if a million boxes are vulnerable, then one in 4096 IP addresses should be vulnerable. A random scan would find one such every 4096 seconds, implying a doubling time of about 70 minutes.

Scott

[1] http://www.icir.org/vern/papers/cdc-usenix-sec02/
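
The timeline in the message above can be roughly reproduced with a logistic growth curve, which is useful for estimating how long responders have before saturation. This is an added example, not part of the original message or the cited paper; it assumes the odds of the infected fraction double once per doubling period (4096 s is the message's figure), and the function names and the scan rates in the last loop are constructed for illustration.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses, probed uniformly at random

def hit_interval(vulnerable, scans_per_sec=1.0):
    """Mean seconds between one infected host's probes that land on a vulnerable address."""
    return ADDRESS_SPACE / (vulnerable * scans_per_sec)

def hours_to_reach(target, vulnerable, doubling_s, initial=1):
    """Hours until `target` hosts are infected under logistic growth.

    The odds a/(1-a) of the infected fraction a double every `doubling_s`
    seconds, so t = doubling_s * log2(odds(target) / odds(initial)).
    """
    if not 0 < initial <= target < vulnerable:
        raise ValueError("need 0 < initial <= target < vulnerable")
    def odds(n):
        a = n / vulnerable
        return a / (1 - a)
    return doubling_s * math.log2(odds(target) / odds(initial)) / 3600

def response_windows(vulnerable, scans_per_sec, milestones):
    """Hours available before each milestone, taking one hit interval as the doubling period."""
    d = hit_interval(vulnerable, scans_per_sec)
    return {m: hours_to_reach(m, vulnerable, d) for m in milestones}

if __name__ == "__main__":
    N = 1_000_000
    # 4096 s is the message's rounded figure (one vulnerable address in 4096).
    for m in (1_000, 800_000, 996_000):
        print(f"{m:>7} hosts: {hours_to_reach(m, N, 4096):5.1f} h")
    # Constructed scan rates, to show how the window shrinks.
    for rate in (1, 10, 100):
        w = response_windows(N, rate, (1_000, 800_000))
        print(rate, "scan/s:", {m: round(h, 2) for m, h in w.items()})
```

The response window scales inversely with the per-host scan rate, so a detection and containment process sized for a one-scan-per-second outbreak has a tenth of the time at ten scans per second.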