(unless a first generation child has less than 1/n of the initial copy’s bandwidth available to it). The exact time required to transmit the list will depend on the available bandwidth of the storage sites.
As an example, however, we point out that a 48 MB address list could be pushed down an OC-12 link in less than a second.⁶ Thus, starting the worm on a high-bandwidth link is desirable for the attacker, and bandwidth is probably a concern at the next layer or two. Compression of the list could make the list delivery much faster. Indeed, we took a sorted list of the 9 million server addresses discussed in Section 5 and found that gzip compression shrinks the list from 36 MB to 13 MB, and differencing the addresses prior to compression reduced it to 7.5 MB.

Another possible limitation is simply the latency required to infect each new layer in the tree. Given that probes can be issued in parallel, and substantially more threads can be spawned than n (the number of children), we do not have to add up the time required for a given copy to cycle through its list, but simply take the maximum infection latency. A single second is a reasonable latency, but with n = 10 and a large hit-list to transfer, it might take a little longer to get 10 copies of the worm through a given site’s link. However, not much longer—if a 5 KB worm can get 50% utilization through a 256 Kbps DSL uplink, it can transmit ten copies of itself in three seconds. That leads to a sub-thirty-second limit on the total infection time, given an infection tree seven layers deep and a design where the new worm children go to a server for their addresses. (An additional concern here is the possibility of elements of the worm interfering with one another, either directly, by inducing congestion, or indirectly, for example by overflowing ARP tables, as happened during the Code Red I outbreak [SA01]. These possibilities are difficult to analyze.)
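To make the figures in this section reproducible, here is an added Python model (not code from the paper) that delta-encodes a sorted IPv4 hit list before gzip compression, verifies the encoding is lossless, and computes the idealised serialisation times for the OC-12 and DSL cases; a defender would use the same arithmetic to size the reaction window that automated containment must meet. The clustered sample list, the varint gap encoding, the /24 clustering and the 622.08 Mbps OC-12 rate are assumptions of this example, not data from the paper.

```python
import random
import struct
import zlib

def pack_raw(addrs):
    """Sorted IPv4 list as 4-byte big-endian integers (9M addresses -> 36 MB)."""
    return b"".join(struct.pack(">I", a) for a in addrs)

def varint(n):
    """Base-128 varint, low bits first: small gaps cost a single byte."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def pack_deltas(addrs):
    """Difference consecutive sorted addresses, then varint-encode the gaps."""
    out, prev = bytearray(), 0
    for a in addrs:
        out += varint(a - prev)
        prev = a
    return bytes(out)

def unpack_deltas(data):
    """Inverse of pack_deltas; used to confirm the encoding is lossless."""
    addrs, prev, n, shift = [], 0, 0, 0
    for b in data:
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            prev += n
            addrs.append(prev)
            n, shift = 0, 0
    return addrs

def list_sizes(addrs):
    """Bytes for the raw list, gzip of the raw list, and gzip of the deltas."""
    raw, delta = pack_raw(addrs), pack_deltas(addrs)
    gz = lambda b: len(zlib.compress(b, 9))
    return {"raw": len(raw), "raw_gzip": gz(raw), "delta_gzip": gz(delta)}

def transfer_seconds(nbytes, link_bps, utilization=1.0):
    return nbytes * 8 / (link_bps * utilization)  # idealised; ignores TCP slow start

def constructed_hit_list(blocks=100, hosts=150, seed=1):
    """Constructed sample (assumption): servers clustered in random /24 blocks."""
    rng = random.Random(seed)
    prefixes = rng.sample(range(1 << 24), blocks)
    return sorted((p << 8) | h for p in prefixes for h in rng.sample(range(256), hosts))
```

Calling `list_sizes(constructed_hit_list())` reproduces the paper's ordering (delta-then-gzip smaller than gzip alone, which is smaller than raw), and `transfer_seconds(48e6, 622.08e6)` and `transfer_seconds(50_000, 256e3, 0.5)` give the sub-second OC-12 and roughly three-second DSL figures quoted above.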
In conclusion, we argue that a compact worm that begins with a list including all likely vulnerable addresses, and that has initial knowledge of some vulnerable sites with high-bandwidth links, appears able to infect almost all vulnerable servers on the Internet in less than thirty seconds.

⁶ Or, if we model TCP slow start, then assuming an RTT of 100 msec (high), 1500 byte segments, an initial window of 1 segment, and the use by the receiver of delayed acknowledgments, the transfer takes 2.3 seconds, using equation (10) of [CSA00]. Since we control the receiver, we could perhaps turn off delayed acknowledgments, which lowers this to 1.5 seconds. We could even skip congestion control entirely, but that runs the serious risk of lengthening the transfer time by inducing packet loss, requiring retransmission.

5 Stealth worms—contagion

The great speed with which the worms described in the previous sections can propagate presents a grave threat to the Internet’s security, because there is so little time available to react to their onset. Still, there might be a possibility of devising mechanisms that automatically detect the spread of such worms and shut them down in some fashion [MSVS02]. Such mechanisms would likely be triggered by the singular communication patterns the worms evince—hosts generating much more diverse and rapid Internet traffic than they usually do.

We now turn to a different paradigm of worm propagation, contagion, which, while likely spreading significantly slower than the rapidly-propagating worms, evinces almost no peculiar communication patterns. As such these worms could prove much more difficult to detect and counter, allowing a patient attacker to slowly but surreptitiously compromise a vast number of systems.

The core idea of the contagion model can be expressed with the following example.
Suppose an attacker has attained a pair of exploits: E_s, which subverts a popular type of Web server; and E_c, which subverts a popular type of Web client (browser). The attacker begins the worm on a convenient server or client (it doesn’t matter which, and they could start with many, if available by some other means), and then they simply wait. If the starting point is a server, then they wait for clients to visit (perhaps baiting them by putting up porn content and taking care that the large search engines index it). As each client visits, the subverted server detects whether the client is vulnerable to E_c. If so, the server infects it, sending along both E_c and E_s. As the client’s user now surfs other sites, the infected client inspects whether the servers on those sites are vulnerable to E_s, and, if so, again infects them, sending along E_c and E_s. In this fashion, the infection spreads from clients to servers and along to other clients, much as a contagious disease spreads based on the incidental traffic patterns of its hosts.

Clearly, with the contagion model there are no unusual communication patterns to observe, other than the larger volume of the connections due to the worm sending along a copy of itself as well as the normal contents of the connection—in the example, the URL request or the corresponding page contents. Depending on the type of data being transferred, this addition might be essentially negligible (for example, for MP3s). Thus, without an analyzer specific to the protocol(s) being exploited, and