???
The "network traffic per IP" is a fixed number here. It's the figure
that's in question. Network load to cover 255 IP addresses every second
would certainly be less than network load to cover 65000 a second,
wouldn't you say?
That's not what I talked about. The "black" noise I mentioned can be
seen as a +/-constant chance for any given IP to get hit by an attack
issued by one of the worm infected hosts out there. (As we're talking
about worms at the moment.) Depending on the current infection state,
this number can be diminishing small or stem from (hundred-)thousands
(or more) infected hosts at a given moment (e.g. Sasser).
Supposed, the worm attacks are not restricted to specific IP ranges,
then if you're a provider with a small IP range you see only a seemingly
small amount of bandwidth used up - compared to a class A net. But both
providers see the same per-IP traffic. Because both have to ensure their
services per IP, the stress induced by (on a statistic measure) hitting
any IP per second/minute/hour is not larger for a big than for a small
net. With one exception: A small net usually has to stock a higher
bandwidth reserve per IP than a large one. - To buffer usage peeks.
If we take Sasser again as an example - it used different kinds of
target IP-creation: totally randomized and different degrees of
network neighborhood (deduced from the infected hosts IP). So there
was a per IP chance and an increased chance for networks with a huge
amount of already infected hosts. If it had created a comparable amount
of traffic per infected host as Witty, the consequences might have been
worse than those actually observed...
BeAr
