David.M..Chess.CHESS@YKTVMV (11/20/89)
Alan Roberts, commenting on Pam Kane's book, writes:

> We know that 50% of the connections were
> down for 24 hours and some (including ARPANET) were down for up to 4
> days.

Do we really know that? That sounds somewhat more severe than numbers I've heard elsewhere. ARPANET being down for 4 days is *certainly* new news to me. The most recent estimate on the number of systems the worm actually ran on (and I'm afraid I've forgotten the source for the moment!) was 2500; seems unlikely that that (or even the earlier 6000 figure) would have killed 50% of the links for 24 hours.

Are the numbers you quote from any published source I could get and read? The (very early) reports in the Seeley, Spafford and Eichin/Rochlis papers didn't give me the impression that the impact on connectivity was that severe, and one chronology says (attributing it to Stoll) that the virus was "pretty much eliminated" by 1800 on 11/4, which is only 48 hours after it was first noticed.

I'm not trying to argue that Alan is wrong, of course. I'm only surprised and curiosified by his numbers, and would like to read whatever it was they came from.

DC

spaf@cs.purdue.edu (Gene Spafford) (11/22/89)
We'll never have exact figures, of course. Here are some ballpark figures that represent my estimates based on site accounts from over 100 sites, plus some additional information I've gathered elsewhere.

I believe that between 3000 and 6000 machines were infected by the virus, at perhaps 500 sites maximum. Many more 1000s of machines were affected by network disruption or preventative action, however, but those machines were not directly infected.

Many of these machines were "down" for only 6 to 12 hours. Few of the infected machines are used 24 hours per day, so most were not discovered to be infected until Thursday morning. Within 24 hours of the infection starting, folks at Berkeley had distributed source code patches to stop its spread, and folks at Purdue had developed and publicized an inoculation that would prevent infection. Thus, most machines were affected for less than a single business day.

Most admins discovered early on that rebooting all their machines at once cleared them of the Worm. Once this occurred, reinfection from outside often failed to happen -- other machines were also being cleared, and bugs (probably) in the Worm code caused it to spread more slowly than many people think it did. The massive infection that occurred happened only because it had overnight on lightly-loaded machines to probe across the net. Once sites started to go down and disconnect, the rate of infection dropped significantly.

A very large percentage of the infected machines were single-use Sun workstations, or small Vaxen. Thus, the number of users prevented access was much less than the 20 people per machine quoted in one of the preceding articles. 3-5 per machine might be better averages.

Many of the affected users were students. Their time can hardly be valued at $27 per hour. On the other hand, many machines belonged to faculty or research engineers. Their time is usually valued a bit more than $27 per hour. Lost time is very difficult to value.

I'd guess that based on everything I've heard and the information I've gathered, I'd estimate the "loss" as between $30 million and $50 million. McAfee's estimate of $96 million was, at best, badly estimated, and at worst self-serving and irresponsible. Numbers greater than $75 million cannot be supported in the face of critical analysis.

5% of the machines on a known-to-be-insecure network of loosely administered machines were infected. This is noteworthy, but it was not the crisis some people have claimed it to be.

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf