[comp.virus] Internet worm impact

David.M..Chess.CHESS@YKTVMV (11/20/89)

Alan Roberts, commenting on Pam Kane's book, writes:

>                            We know that 50% of the connections were
> down for 24 hours and some (including ARPANET) were down for up to 4
> days.

Do we really know that?  That sounds somewhat more severe than numbers
I've heard elsewhere.  ARPANET being down for 4 days is *certainly*
new news to me.  The most recent estimate on the number of systems the
worm actually ran on (and I'm afraid I've forgotten the source for the
moment!) was 2500; seems unlikely that that (or even the earlier 6000
figure) would have killed 50% of the links for 24 hours.  Are the
numbers you quote from any published source I could get and read?  The
(very early) reports in the Seeley, Spafford and Eichin/Rochlis
papers didn't give me the impression that the impact on connectivity
was that severe, and one chronology says (attributing it to Stoll)
that the virus was "pretty much eliminated" by 1800 on 11/4, which is
only 48 hours after it was first noticed.

I'm not trying to argue that Alan is wrong, of course.  I'm only
surprised and curiosified by his numbers, and would like to read
whatever it was they came from.

DC

spaf@cs.purdue.edu (Gene Spafford) (11/22/89)

We'll never have exact figures, of course.  Here are some ballpark
figures that represent my estimates based on site accounts from over
100 sites, plus some additional information I've gathered elsewhere.

I believe that between 3000 and 6000 machines were infected by the
virus, at perhaps 500 sites maximum.

Many more 1000s of machines were affected by network disruption or
preventative action, however, but those machines were not
directly infected.


Many of these machines were "down" for only 6 to 12 hours.  Few of the
infected machines are used 24 hours per day, so most were not
discovered to be infected until Thursday morning. Within 24 hours of
the infection starting, folks at Berkeley had distributed source code
patches to stop its spread, and folks at Purdue had developed and
publicized an inoculation that would prevent infection.  Thus, most
machines were affected for less than a single business day.

Most admins discovered early on that rebooting all their machines at
once cleared them of the Worm.  Once this occurred, reinfection from
outside often failed to happen -- other machines were also being
cleared, and bugs (probably) in the Worm code caused it to spread more
slowly than many people think it did.  The massive infection that
occurred happened only because it had overnight on lightly-loaded
machines to probe across the net.  Once sites started to go down and
disconnect, the rate of infection dropped significantly.

A very large percentage of the infected machines were single-use Sun
workstations, or small Vaxen.  Thus, the number of users prevented
access was much less than the 20 people per machine quoted in one of
the preceding articles.  3-5 per machine might be better averages.

Many of the affected users were students.  Their time can hardly be
valued at $27 per hour.  On the other hand, many machines belonged to
faculty or research engineers.  Their time is usually valued a bit
more than $27 per hour.

Lost time is very difficult to value.  I'd guess that based on
everything I've heard and the information I've gathered, I'd estimate
the "loss" as between $30 million and $50 million.  McAfee's estimate of
$96 million was, at best, badly estimated, and at worst self-serving
and irresponsible.  Numbers greater than $75 million cannot be
supported in the face of critical analysis.

5% of the machines on a known-to-be-insecure network of loosely
administered machines were infected.  This is noteworthy, but it
was not the crisis some people have claimed it to be.
--
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf