Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2004 : topspeedworms
The Top Speed of Flash Worms
S. Staniford, D. Moore, V. Paxson, and N. Weaver, "The Top Speed of Flash Worms", in ACM Workshop on Rapid Malcode (WORM), Oct 2004, pp. 33--42.
|   View full paper:    PDF    |  Citation:    BibTeX   |

The Top Speed of Flash Worms

Stuart Staniford2
David Moore1
Vern Paxson3
Nicholas Weaver3

CAIDA, San Diego Supercomputer Center, University of California San Diego


Nevis Networks


The ICSI Center for Internet Research - ICIR

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds. We grossly over-estimated.

In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds.

The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.

Keywords: network telescope, security
  Last Modified: Tue Oct-13-2020 22:21:51 UTC
  Page URL: