North American Network Operators Group

Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Scott A Crosby
  • Date: Mon Feb 09 18:18:52 2004

On Sun, 8 Feb 2004 18:12:46 +0100, Iljitsch van Beijnum <[email protected]> writes:

> But how are you going to infect a million boxes if you can
> only scan one address per second?

With a random scanning worm, the expected time could be as low as
about a day.

Assuming the random scanning model from the paper[1], I get:
    0 time: 1 infected host.
   11 hours to infect 1000 hosts.
   25 hours to infect 800k hosts.
   31 hours to infect 996k hosts.

This model assumes one scan per second per infected host. It is
because if a million boxes are vulnerable, then one in 4096 IP
addresses should be vulnerable. A random scan would find one such
every 4096 seconds, implying a doubling time of about 70 minutes.
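
The following is an added example, not part of the original message or of the cited paper: a small model that turns the message's parameters (one scan per second per host, one address in 4096 vulnerable, a million vulnerable hosts) into time-to-infection estimates that come out close to the figures quoted above. The logistic growth law, the use of the 4096-second find interval as the doubling time, and all function names are assumptions made for this illustration.

```python
import math

def doubling_time(scan_rate, vuln_fraction):
    """Seconds for one infected host to hit one vulnerable address by random scanning."""
    return 1.0 / (scan_rate * vuln_fraction)

def infected_at(t, vulnerable=1_000_000, scan_rate=1.0, vuln_fraction=1 / 4096, seed=1):
    """Infected hosts after t seconds on a logistic curve (assumed growth law)."""
    td = doubling_time(scan_rate, vuln_fraction)
    return vulnerable / (1 + (vulnerable - seed) / seed * 2 ** (-t / td))

def hours_to_reach(target, vulnerable=1_000_000, scan_rate=1.0, vuln_fraction=1 / 4096, seed=1):
    """Invert the logistic curve: hours until `target` hosts are infected."""
    td = doubling_time(scan_rate, vuln_fraction)
    odds = target / (vulnerable - target) * (vulnerable - seed) / seed
    return td * math.log2(odds) / 3600

def simulate_hours(target, vulnerable=1_000_000, scan_rate=1.0, vuln_fraction=1 / 4096,
                   seed=1, dt=60.0):
    """Cross-check by stepping the same model forward dt seconds at a time."""
    rate = math.log(2) / doubling_time(scan_rate, vuln_fraction)
    infected, t = float(seed), 0.0
    while infected < target:
        # New infections shrink as fewer vulnerable hosts remain uninfected.
        infected += infected * rate * dt * (1 - infected / vulnerable)
        t += dt
    return t / 3600

if __name__ == "__main__":
    # Response window at the message's milestones for several per-host scan rates.
    for rate in (1, 10, 100):
        row = [hours_to_reach(n, scan_rate=rate) for n in (1_000, 800_000, 996_000)]
        print(f"{rate:>3} scans/s: " + "  ".join(f"{h:6.2f} h" for h in row))
```

Because every time scales inversely with the per-host scan rate, the printed table shows how quickly the window for detection and filtering shrinks as scanning gets faster.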