mailing list archives
Bumps on the Net (was Re: Symantec detected Slammer worm "hours")
From: Sean Donelan <sean () donelan com>
Date: Fri, 14 Feb 2003 02:36:17 -0500 (EST)
On Thu, 13 Feb 2003, Mike Lloyd wrote:
You added comment on a fiber cut in that time period - can you offer
more detail? Barry mentioned another roughly simultaneous attack in
Korea. One other theory, of course, would be trial runs of the worm,
perhaps with restricted PRNG to localize attack. I've seen no direct
evidence that this happened, though.
There are bumps all the time on the net. Most of the time they are
ignored. Tracking down their cause or their effect is an inexact
science. For example, on July 19 2001 we had both the Code Red worm and
the Baltimore train tunnel fire. The Internet had problems, but which
caused what problems? Eventually, after staring at a lot of data sources
and squinting really, really hard, the tunnel fire was probably
responsible for most of the slowdown on July 19.
On January 24 2003, Friday afternoon there was a cable cut affecting
several providers. Friday night/Saturday morning, the slammer worm was
spreading across the Net around 12:30am EST. This time I think the worm
was probably responsible for most of the slowdowns.
Several folks with data sets saw a bump around 6-6:30pm EST Friday
night. Was it a worm test/slow worm propagation, manual patching around
the earlier fiber cut, or something completely different? I don't know.
Any network engineers willing to admit futzing with the Net earlier that