Flash worms follow a precomputed spread tree using prior knowledge
of all systems vulnerable to the worm's exploit. In previous
work we suggested that a flash worm could saturate one million
vulnerable hosts on the Internet in under 30 seconds. We
grossly over-estimated.
In this paper, we revisit the problem in the context of single-packet
UDP worms (inspired by Slammer and Witty). Simulating
a flash version of Slammer, calibrated by current Internet latency
measurements and observed worm packet delivery rates, we show
that a worm could saturate 95% of one million vulnerable hosts on
the Internet in 510 milliseconds. A similar worm using a TCP-based
service could reach 95% saturation in 1.3 seconds.
The speeds above are achieved with flat infection trees and packets
sent at line rates. Such worms are vulnerable to recently proposed
worm containment techniques. To avoid this,
flash worms should slow down and use deeper, narrower trees. We
explore the resilience of such spread trees when the list of vulnerable
addresses is inaccurate. Finally, we explore the implications
of flash worms for containment defenses: such defenses must correlate
information from multiple sites in order to detect the worm,
but the speed of the worm will defeat this correlation unless a certain
fraction of traffic is artificially delayed in case it later proves to
be a worm.