The top speed of flash worms
Source: Workshop on Rapid Malcode
Proceedings of the 2004 ACM workshop on Rapid malcode
Washington DC, USA
SESSION: Session 2
Pages: 33 - 42
Year of Publication: 2004
ISBN:1-58113-970-5
Authors
Stuart Staniford, Nevis Networks
David Moore, CAIDA
Vern Paxson, ICSI
Nicholas Weaver, ICSI
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 4,   Downloads (12 Months): 57,   Citation Count: 21
DOI: http://doi.acm.org/10.1145/1029618.1029624

ABSTRACT

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds [18]. We grossly over-estimated.

In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds.

The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
[1] CAIDA. Skitter Datasets. http://www.caida.org/tools/measurement/skitter/.
[2] Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In IEEE INFOCOM, 2003.
[3] C. Dovrolis, R. Prasad, N. Brownlee, and k. claffy. Bandwidth Estimation: Metrics, Measurement Techniques, and Tools. IEEE Network, 2004.
[4] Forescout. Wormscout. http://www.forescout.com/wormscout.html.
[5] N. Hindocha and E. Chien. Malicious Threats and Vulnerabilities in Instant Messaging. Technical report, Symantec, 2003.
[6] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In 2004 IEEE Symposium on Security and Privacy, to appear, 2004.
[7] J. Jung and S. Schechter. Fast Detection of Scanning Worms Using Reverse Sequential Hypothesis Testing and Credit-Based Connection Rate Limiting. Submitted to Usenix Security 2004, 2004.
[8] H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 14th USENIX Security Symposium. USENIX, August 2004.
[9] Mirage Networks. http://www.miragenetworks.com/.
[10]
[11]
[12] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code, 2003.
[13] D. Nojiri, J. Rowe, and K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. In Proc. DARPA DISCEX III Conference, 2003.
[14]
[15] S. Singh, C. Estan, G. Varghese, and S. Savage. The EarlyBird System for Realtime Detection of Unknown Worms: UCSD Tech Report CS2003-0761.
[16] S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.
[17] S. Staniford and C. Kahn. Worm Containment in the Internal Network. Technical report, Silicon Defense, 2003.
[18]
[19] The Honeynet Project. http://www.honeynet.org/.
[20] J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
[21] S. Venkataraman, D. Song, P. Gibbons, and A. Blum. New Streaming Algorithms for Fast Detection of Superspreaders.
[22]
[23]
[24] N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. Submitted to Usenix Security 2004, 2004.
[25]
[26]
