The Top Speed of Flash Worms
Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds. We grossly over-estimated.
In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds.
The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.