Interesting paper by Steve Bellovin - Worm propagation in a v6 internet

Valdis.Kletnieks at Valdis.Kletnieks at
Tue Feb 14 15:45:13 UTC 2006

On Tue, 14 Feb 2006 18:42:33 +0530, Suresh Ramasubramanian said:

> After all when there's an unlimited number of hosts connected to the
> v6 network, all that needs to happen is a small botnet to develop, and
> then start to port scan.
> The potentially larger number of hosts that can get infected will
> probably help do an exhaustive search for you, so that v6 botnets
> start small and then grow exponentially in size over time.

OK.. let's say we have a /48 allocated to an end site, and their router
falls over at 1Mpps.  The exhaustive search will completely clog their pipe
for (2 ** (128 - 48))/1000000 seconds, or approximately 38,334,786,263 *years*.
(That 2**80 is *huge*, a lot bigger than people think...)

Even the most dim-witted site will notice after a day or two of this.

And that's why a worm would have to use techniques like Steve and fiends wrote about.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list