thewayne: (Default)
Basically, it watches your network to see how many scans any given computer is performing. If it crosses a threshold, the network cuts it out. Worms perform lots of scans, looking for vulnerable computers, so by watching this behavior, infected computers can be identified, isolated, and cleaned.

I like the concept; it could be very useful. But the counter-stroke for worm authors is to slow down how fast they scan. The same concept applies to distributed denial-of-service attacks. If your company web site normally gets 200 hits a day and suddenly gets 10,000 a minute, you know you're getting DoS'd. But if that number goes up to 500 an hour, you might not notice it, yet it will still be eating up your bandwidth.

http://www.networkworld.com/community/node/28433

http://tech.slashdot.org/article.pl?sid=08/06/04/2213216
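An added example, not from the original post or the tool it describes: a minimal threshold detector run over constructed flow records, showing a short-window threshold missing a slowed-down scanner while a longer window over distinct destinations still flags it. The record format, addresses, window sizes, thresholds and the choice to count distinct destinations are all assumptions.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed sample data: (seconds since start, source IP, destination IP)."""
    flows = []
    # Fast scanner: probes 60 different hosts within one minute.
    flows += [(t, "10.0.0.5", f"192.0.2.{t + 1}") for t in range(60)]
    # Slowed-down scanner: one new host every 2 minutes, for 2 hours.
    flows += [(t * 120, "10.0.0.9", f"198.51.100.{t + 1}") for t in range(60)]
    # Normal workstation: keeps talking to the same 3 servers.
    flows += [(t * 30, "10.0.0.7", f"203.0.113.{t % 3 + 1}") for t in range(240)]
    return sorted(flows)


def flag_scanners(flows, window_s, max_distinct_dsts):
    """Return the sources that contact more than max_distinct_dsts distinct
    destinations inside any fixed (tumbling) window of window_s seconds."""
    seen = defaultdict(set)  # (source, window index) -> destinations contacted
    flagged = set()
    for ts, src, dst in flows:
        bucket = (src, ts // window_s)
        seen[bucket].add(dst)
        if len(seen[bucket]) > max_distinct_dsts:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    flows = build_sample_flows()
    # Short window: catches the burst, misses the host that slowed down.
    print("60 s window:  ", sorted(flag_scanners(flows, 60, 20)))
    # Long window: the slow host's destination fan-out still stands out,
    # while the workstation that reuses 3 servers stays below the threshold.
    print("2 hour window:", sorted(flag_scanners(flows, 7200, 20)))
```

Counting distinct destinations rather than raw connections is what keeps the busy but legitimate workstation from being flagged when the window is widened.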
