tion protocol. Given HTTP's support for variable-sized headers, it would not be surprising to find that a buffer overflow exploit of KaZaA exists. Given such an exploit, it is apparent that if an attacker started out having infected all of the university's KaZaA hosts, then after a month they would have control of about 9 million hosts, assuming that the KaZaA clients are sufficiently homogeneous that a single exploit could infect them all.[9]

How plausible is it that the attacker could begin with control over all of the university's KaZaA hosts? Quite: while the goal of the contagion worm is to evade detection, the attacker can likely risk a more blatant attack on a single university. If they can find a university lacking in diligent security monitoring (surely there must be a few of these!), they can then compromise a single host at the university, engage in "noisy" brute-force scanning of the internal hosts to find all of the KaZaA clients, and infect them. They then switch into contagion spreading.[10]

[9] It is actually worse than this. It turns out [Bd02, We02] that KaZaA already has a remote access backdoor installed! But for the purposes of our discussion here, we put aside this fact.

[10] We note that some P2P networks are also amenable to constructing flash worms, because they include mechanisms by which an attacker can monitor portions of the global query stream in order to compile a hit-list of clients.

While the above argues that the attacker could gain the 9 million hosts within a month, the actual spread is likely much faster, because once a remote host is infected, it too contributes to spreading the contagion. Not only does this accelerate the epidemic, but it also likely turns it into a pandemic, because the remote hosts can connect with other remote hosts that wouldn't happen to visit the university. Furthermore, depending on the protocol, a single infected node could pretend to have information it doesn't have, in order to appear highly attractive and increase the number of connections received, although that would somewhat disrupt the normal patterns of communication.

We would like therefore to better understand the rate at which a KaZaA contagion worm could spread, and to what breadth. To estimate this from just the university trace is difficult, because we don't know the total size of the KaZaA population. Doubtless it is larger than 9,000,000—but is it as high as 30,000,000, as indicated in [Ka01]? How many of those copies were redundant (same user fetching the software multiple times), or are no longer in use? On the other hand, could the population be higher, due to users getting copies of the clients from other sources than [Ka01]?

Another problem is that we do not know the degree to which the university's hosts are "typical." We also lack any traces of their internal peer-to-peer traffic, which, if frequent, would have major implications for the rate at which the worm could infect an entire remote site.

We are pursuing further work in this area. First, we are attempting with colleagues to develop graph-based models with which we can then extrapolate properties of the spread of the contagion based on different sets of assumptions about the hosts in our trace. Second, we have obtained traces of KaZaA traffic from another university (in another country), and will be analyzing these to determine the degree of overlap and cross-talk between the two universities, with which to then better estimate the total KaZaA population and its communication patterns. Finally, we are building a simulator for both active and contagion worms within various peer-to-peer topologies.

[Figure 9: Complementary distribution of number of distinct local university hosts to which different remote KaZaA hosts connected. Both axes are log-scaled (x-axis: Degree of Remote KaZaA Host, 1 to 100; y-axis: P[X >= x], 0.00001 to 0.1); the linear fit shown in the plot corresponds to a Pareto distribution with shape parameter α = 2.1.]

As a last comment, we have evidence that the KaZaA network may behave like a "scale-free" topology in terms of its interconnection. Figure 9 shows the distribution of the degree of the remote hosts in the trace, i.e., the number of distinct local hosts to which each remote host connected during November, 2001. The plot is shown as a log-log complementary distribution function: the x-axis shows log10 of the remote host's degree, and the y-axis shows log10 of the probability of observing a remote host with that outdegree or higher. (Due to the immense size of the dataset, we plot a subset rather than the entire dataset, randomly sampled with p = 0.01.) A straight line on such a plot corresponds to a Pareto distribution. While the majority of the remote hosts con-
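The complementary-distribution analysis behind Figure 9, as an added example that is not code from the paper: it builds a constructed degree sample with the reported shape α = 2.1 (x_min = 1 is an assumption, since every remote host in the trace connects to at least one local host), applies the p = 0.01 thinning the authors use for plotting, computes the log-log CCDF points, measures the slope of the straight-line fit, and cross-checks α with a Hill (maximum-likelihood) estimate; all function names are mine.

```python
"""Empirical complementary CDF and Pareto tail fit for a host-degree sample (added example)."""
import math
import random

ALPHA = 2.1   # shape parameter reported for Figure 9's linear fit
X_MIN = 1.0   # assumption: a remote host in the trace touches at least one local host


def pareto_sample(n, alpha=ALPHA, x_min=X_MIN, seed=2001):
    """Constructed degree sample: inverse-transform draws from Pareto(alpha, x_min)."""
    rng = random.Random(seed)
    # 1 - U lies in (0, 1], so the power is finite and every draw is >= x_min.
    return [x_min * (1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]


def subsample(values, p=0.01, seed=7):
    """Keep each value independently with probability p (the paper plots with p = 0.01)."""
    rng = random.Random(seed)
    return [v for v in values if rng.random() < p]


def ccdf_points(values):
    """(x, P[X >= x]) pairs: the i-th largest value is matched or exceeded by i/n of the data."""
    xs = sorted(values, reverse=True)
    n = len(xs)
    return [(x, (i + 1) / n) for i, x in enumerate(xs)]


def loglog_slope(points):
    """Least-squares slope of log10 P against log10 x; a Pareto tail gives slope -alpha."""
    lx = [math.log10(x) for x, _ in points]
    ly = [math.log10(p) for _, p in points]
    mx, my = sum(lx) / len(lx), sum(ly) / len(ly)
    sxy = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    sxx = sum((a - mx) ** 2 for a in lx)
    return sxy / sxx


def hill_estimate(values, x_min=X_MIN):
    """Maximum-likelihood (Hill) estimate of alpha: n / sum(ln(x_i / x_min)) over the tail."""
    tail = [v for v in values if v >= x_min]
    return len(tail) / sum(math.log(v / x_min) for v in tail)


if __name__ == "__main__":
    degrees = pareto_sample(20000)
    plotted = ccdf_points(subsample(degrees))          # what Figure 9 would draw
    print("points plotted:", len(plotted))
    print("log-log slope (expect about -2.1):", round(loglog_slope(ccdf_points(degrees)), 3))
    print("Hill estimate of alpha:", round(hill_estimate(degrees), 3))
```

The slope recovered from the full sample and the Hill estimate should both land near the α the sample was built with; on a real trace, disagreement between the two is the usual sign that the tail is not a clean power law.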