George Kesidis, Ihab Hamadeh, Youngmi Jin, Soranun Jiwasurat, and Milan Vojnovic
We present a simple, deterministic mathematical model for the spread of randomly scanning and bandwidth-saturating Internet worms. Such worms include Slammer and Witty, both of which spread extremely rapidly. Our model, consisting of coupled Kermack-McKendrick (a.k.a. stratified susceptibles-infectives (SI)) equations, captures both the measured scanning activity of the worm and the network limitation of its spread, that is, the effective scan-rate per worm/infective. The Internet is modeled as an ideal core network to which each peripheral (e.g., enterprise) network is connected via a single access link. It is further assumed in this note that as soon as a single end-system in the peripheral network is infected by the worm, the subsequent scanning of the rest of the Internet saturates the access link, that is, there is “instant” saturation. We fit our model to available data for the Slammer worm and demonstrate the model's ability to accurately represent Slammer's total scan-rate to the core.
In ACM Transactions on Modeling and Computer Simulation (TOMACS)