OSEC

From: Alex Butcher (alexs3.integralis.co.uk)
Date: Thu Aug 02 2001 - 04:35:24 CDT


    Nicholas Bachmann wrote:

    > Hi all-
    >
    > I think I have found a formula to approximate the number of infected
    > hosts. My formula is
    >
    > ([(Number of Infected Hosts * Number CR Queries p/ Day) / Total IPs on
    > the Internet ]^-1) / Average IP Requests p/ Host
    >
    > So what I would need to know to figure out the approximate number of
    > infected hosts:
    > *How many IPs CR can check in a day (Number CR Queries p/ Day)
    > *Average Number of times people are checked during a set period,
    > probably 5:00a-5:00p (Average IP Requests p/ Host)
    >
    > Does anyone see any big flaws in this (I know it isn't perfect) formula
    > that would keep it from being within a reasonable margin of error?

    I was thinking along the same lines myself. The tricky bit is
    CR-Queries/day; IMHO, this will mainly depend on the response time of the
    targeted host.

    Having said that, I was observing the complete attack taking 5-10s.

    Bearing in mind that the worm spawns 99 scanning threads (right?), I
    reckon a single worm can scan a host in an effective time of 0.1s
    (assuming unlimited outbound bandwidth, which should be reasonable given
    how small (4K) these attacks are). This would give a scan rate of
    10*60*60*24=864000 hosts/day.

    I saw 3 or 4 attacks in a 2h 40m time period (i.e. 27-36 scans per IP
    address per day, scaled to 24 hours).

    Howzat?

    Best Regards,
    Alex (not a statistician).

    -- 
    Alex Butcher                                      PGP/GnuPG Key IDs:
    Consultant, S3 Systems Security Services          alexs3       B7709088
    PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher 885BA6CE
    
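The two figures in the message above (a per-worm scan rate and the scans seen on one address per day) can be carried through the expected-scans relation that the quoted formula is built on and solved for the number of infected hosts. This is an added example, not code from the thread; it assumes an address space of 2**32 and scans spread uniformly over it, neither of which the thread states.

```python
"""Estimate a scanning worm's population from one vantage point.

Model (constructed for this example, not taken from the thread):

    hits per IP per day = infected * scans_per_worm_per_day / address_space

Each worm lands on a given IP scans_per_worm_per_day/address_space times a
day, so N worms produce N times that; observing the left-hand side lets us
solve for N.
"""

SECONDS_PER_DAY = 24 * 60 * 60
MINUTES_PER_DAY = 24 * 60
ADDRESS_SPACE = 2 ** 32  # assumption: full IPv4 space, uniform targeting


def scans_per_worm_per_day(threads: int, attack_seconds: float) -> float:
    """Hosts one worm probes per day with `threads` parallel scanners,
    each spending `attack_seconds` on a target (99 threads, 5-10 s above)."""
    return threads / attack_seconds * SECONDS_PER_DAY


def observed_scans_per_day(hits: int, window_minutes: float) -> float:
    """Scale attacks seen on one IP in a window up to a full day
    (3-4 hits in 2h40m above)."""
    return hits / window_minutes * MINUTES_PER_DAY


def estimate_infected(observed_per_ip_day: float, per_worm_day: float,
                      address_space: int = ADDRESS_SPACE) -> float:
    """Invert the expected-scans relation for the number of worms."""
    return observed_per_ip_day * address_space / per_worm_day


def population_band(hits_lo: int, hits_hi: int, window_minutes: float,
                    threads: int, attack_lo_s: float, attack_hi_s: float):
    """Low/high estimates: fewest hits with the fastest worms versus most
    hits with the slowest worms. Returns (low, high)."""
    fastest = scans_per_worm_per_day(threads, attack_lo_s)
    slowest = scans_per_worm_per_day(threads, attack_hi_s)
    low = estimate_infected(observed_scans_per_day(hits_lo, window_minutes), fastest)
    high = estimate_infected(observed_scans_per_day(hits_hi, window_minutes), slowest)
    return low, high


if __name__ == "__main__":
    # The thread's own rounding: 0.1 s effective per host -> 864000/day.
    rate = scans_per_worm_per_day(1, 0.1)
    for hits in (3, 4):
        seen = observed_scans_per_day(hits, 160)
        print(f"{hits} hits in 160 min -> {seen:.0f}/day -> "
              f"~{estimate_infected(seen, rate):,.0f} infected")
    print("band over 5-10 s attacks: %.0f to %.0f" % population_band(3, 4, 160, 99, 5, 10))
```

The band is wide because both inputs are coarse; a single vantage point only bounds the population, which is why multiple sensors are usually pooled before quoting a figure.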

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com