[Figure 3 plot: x-axis "Hour of the day"; y-axis "Number seen in an hour"; series: # of scans, # of unique IPs, Predicted # of scans.]

Figure 3: Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service during the initial outbreak of Code Red I on July 19th, 2001. The x-axis is the hour of the day (CDT time zone), while the y-axis is probe rate, the number of different IP addresses seen, and a fit to the data discussed in the text.

compromise per unit time (K(1 − a)), times the increment of time (dt). (Note that machines can compromise K others per unit time to begin with, but only K·(1 − a) once a proportion of other machines are compromised already.) This gives us the differential equation:

$$\frac{da}{dt} = Ka(1 - a) \tag{2}$$

with solution:

$$a = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}, \tag{3}$$

where T is a constant of integration that fixes the time position of the incident. This equation has been well known for many years as the logistic equation, and governs the rate of growth of epidemics in finite systems when all entities are equally likely to infect any other entity (which is true for randomized spreading among Internet-connected servers, in the absence of firewall filtering rules that differentially affect infectability from or to different addresses).

This is an interesting equation. For early t (significantly before T), a grows exponentially. For large t (significantly after T), a goes to 1 (all vulnerable machines are compromised). The rate at which this happens depends only on K (the rate at which one machine can compromise others), and not at all on the number of machines. This is interesting because it tells us that a worm like this can compromise all vulnerable machines on the Internet fairly fast.
Figure 3 shows hourly probe rate data from Ken Eichmann of the Chemical Abstracts Service for the hourly probe rate inbound on port 80 at that site. Also shown is a fit to the data with K = 1.8, T = 11.9, and with the top of the fit scaled to a maximum probe rate of 510,000 scans/hour. (We fit it to fall slightly below the data curve, since it seems there is a fixed background rate of web probes that was going on before the rapid rise due to the worm spread.) This very simple theory can be seen to give a reasonable first approximation explanation of the worm behavior. See also Section 4.3 for validation of the theory via simulation.

Note that we fit the scan rate, rather than the number of distinct IPs seen at this site. The incoming scan rate seen at a site is directly proportional to the total number of infected IPs on the Internet, since there is a fixed probability for any worm copy to scan this particular site in the current time interval. However, the number of distinct IPs seen at a site is distorted relative to the overall infection curve. This is because a given worm copy, once it is infected, will take some amount of time before it gets around to scanning any particular site. For a small address space, this delay can be sizeable and causes the distinct IP graph at the given site to lag behind the overall Internet infection rate graph.

Two implications of this graph are interesting. One is that the worm came close to saturating before it turned itself off at midnight UTC (1900 CDT), as the number of copies ceased increasing a few hours before the worm’s automatic turnoff. Thus it had found the bulk of the servers it was going to find at this time. Secondly, the infection rate was about 1.8 per hour—in the early stages of the infection, each infected server was able to find about 1.8 other servers per hour.
Although Code Red I turned itself off at midnight UTC on July 19th, hosts with inaccurate clocks kept it alive and allowed it to spread again when the worm code allowed it to re-awaken on August 1st. Figure 4 shows similar data and fit for that incident. The K here is about 0.7. Since the worm code-base was the same, this lower spread rate indicates that the number of vulnerable systems was a little less than 40% as many as the first time around. That is, the data appears consistent with slightly more than half the systems having been fixed in the 11 days intervening.
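
The model and fits above, worked numerically as an added example (not code from the paper): it checks solution (3) against a direct integration of equation (2), evaluates the scan-rate curve with the quoted K = 1.8, T = 11.9 and 510,000 scans/hour peak, and recovers K and T from hourly counts. The function names and the sample counts are constructed for illustration, and the logit-line fit is one simple estimation method assumed here, not the authors' stated procedure.

```python
import math

# Fit parameters quoted in the text; everything else here is constructed.
K1, T1, PEAK = 1.8, 11.9, 510_000   # per hour, hour of day (CDT), scans/hour
K2 = 0.7                            # fit for the August 1st re-awakening

def logistic(t, K, T):
    """Equation (3): fraction a of vulnerable hosts compromised at time t."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))

def integrate(K, T, t0, t1, steps=2000):
    """RK4 integration of equation (2), da/dt = K*a*(1-a), from t0 to t1."""
    f = lambda a: K * a * (1.0 - a)
    a, h = logistic(t0, K, T), (t1 - t0) / steps
    for _ in range(steps):
        k1 = f(a)
        k2 = f(a + h * k1 / 2)
        k3 = f(a + h * k2 / 2)
        k4 = f(a + h * k3)
        a += h * (k1 + 2 * k2 + 2 * k3 + k4) / 6
    return a

def predicted_scans(hour, K=K1, T=T1, peak=PEAK):
    """Inbound scan rate at one site: proportional to a(t), scaled to the peak."""
    return peak * logistic(hour, K, T)

def logit(a):
    return math.log(a / (1.0 - a))

def fit_K_T(hours, scans, peak):
    """Least-squares line through logit(scans/peak) = K*(t - T)."""
    pts = [(t, logit(s / peak)) for t, s in zip(hours, scans) if 0 < s < peak]
    mt = sum(t for t, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    K = sum((t - mt) * (y - my) for t, y in pts) / sum((t - mt) ** 2 for t, _ in pts)
    return K, mt - my / K

def hours_between(K, a_from=0.01, a_to=0.99):
    """Time to go from a_from to a_to compromised; depends only on K."""
    return (logit(a_to) - logit(a_from)) / K

# Constructed hourly counts: the model rounded to whole scans (not the Figure 3 data).
HOURS = list(range(8, 15))
SCANS = [round(predicted_scans(h)) for h in HOURS]

if __name__ == "__main__":
    print("closed form vs RK4 at 16h:", logistic(16, K1, T1), integrate(K1, T1, 6, 16))
    print("recovered K, T:", fit_K_T(HOURS, SCANS, PEAK))
    print("1%->99% hours (July, August):", hours_between(K1), hours_between(K2), "K2/K1:", K2 / K1)
```

Real counts would first need the fixed background probe rate subtracted, as the text notes, and points near saturation dominate the logit, so the fit is best restricted to the rising part of the curve.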