Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]
Stuart Staniford
stuart at silicondefense.com
Tue Nov 25 00:30:48 UTC 2003
[Sorry for responding to old mail, but I'm catching up]
On Sunday, November 16, 2003, at 02:12 PM, Sean Donelan wrote:
> I've often tried to explain that ISPs generally view worms as a
> "capacity
> planning" issue. Worms change the "eco-system" of the Internet and
> ISPs
> have to adapt. But ISPs generally can't "fix" the end-users or their
> computers.
I'm curious to know if doing this is at all well understood?
Those of us doing research on worm spread, I don't think have a
completely clear understanding of the interaction of Internet bandwidth
and worm spread. Slammer, we are pretty clear became bandwidth limited
(the rate of spread slowed down dramatically about 40 seconds into the
spread). But we don't really know where those chokepoints live (at the
edge, or in the middle).
It would seem for the Internet to reliably resist bandwidth attacks
from future worms, it has to be, roughly "bigger in the middle than at
the edges". If this is the case, then the worm can choke edges at the
sites it infects, but the rest of the net can still function. If it's
bigger at the edges than in the middle, you'd expect a big enough worm
would be able to choke the core. For a given ISP, you'd want capacity
to the upstream to be bigger than the capacity to downstream customers.
(It would seem like this would be the reverse of what economics would
tend to suggest).
Do we really know much about the capacity of the Internet to carry worm
traffic? (We believe Slammer used a peak bandwidth of roughly 200
Gbps).
Stuart.
Stuart Staniford, President Tel: 707-840-9611 x 15
Silicon Defense - Worm Containment - http://www.silicondefense.com/
The Worm/Worm Containment FAQ: http://www.networm.org/faq/
More information about the NANOG
mailing list