On Thu, 13 Nov 2003 sgorman1@gmu.edu wrote:

I was hoping to get some estimates from folks on the costs of defending networks from various worm attacks. It is a pretty wide open question, but if anyone has some rough estimates of what it costs per edge, manpower vs. equipment costs, or any combination thereof it would be of great assistance. We are doing some simulations of attack and defense strategies and looking for some good metrics to plug into a cost benefit model. We'd be happy to share the results if anyone is interested as well.

I don't know of any existing worms that attack Cisco or Juniper or other network backbone equipment. For a NSP or ISP, worms are primarly an issue of capacity planning. According to bankruptcy filings, companies such as Worldcom spent billions increasing their backbone capacity throughout the 1990's. So the backbones still have a massive capacity glut. But I don't know if they increased their network capacity due to worms or for other reasons. If the worms don't cause problems for the network provider, what should they do? On the other hand, would it make the problem worse? The US Forest Service used to have a policy of aggressively fighting all forest fires. This resulted in a build-up of fuel load throughout the forest lands, and then massive forest fires. The regular smaller fires served an important purpose in the eco-system, and limited the fuel load. If NSPs aggressively blocked worms, would this result in end-users doing even less than they currently do to keep their systems up to date and protected? Then instead of the occasional 1% to 5% infection rate for worms, would we be faced with a user population with even worse defenses than they have now? You often see this effect in enterprise networks with massive firewalls on the perimeter, and no protection on the inside. When a worm gets past the perimeter firewall, it wrecks havoc on the out-of-date systems in the enterprise.