North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Bumps on the Net (was Re: Symantec detected Slammer worm "hours")

  • From: Sean Donelan
  • Date: Fri Feb 14 02:38:37 2003

On Thu, 13 Feb 2003, Mike Lloyd wrote:
> You added comment on a fiber cut in that time period - can you offer
> more detail?  Barry mentioned another roughly simultaneous attack in
> Korea.  One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack.  I've seen no direct
> evidence that this happened, though.

There are bumps all the time on the net.  Most of the time they are
ignored.  Tracking down their cause or their effect is an inexact
science.  For example, on July 19 2001 we had both the Code Red worm and
the Baltimore train tunnel fire.  The Internet had problems, but which
caused what problems?  Eventually, after staring at a lot of data sources
and squinting really, really hard, the tunnel fire was probably
responsible for most of the slowdown on July 19.

On January 24 2003, Friday afternoon there was a cable cut affecting
several providers.  Friday night/Saturday morning, the slammer worm was
spreading across the Net around 12:30am EST.  This time I think the worm
was probably responsible for most of the slowdowns.

Several folks with data sets saw a bump around 6-6:30pm EST Friday
night. Was it a worm test/slow worm propagation, manual patching around
the earlier fiber cut, or something completely different?  I don't know.

Any network engineers willing to admit futzing with the Net earlier that
night?