Tough night for the internet. A massive worm exploiting a known (and patched) hole in Microsoft SQL Server (that's a database) is doing a pretty good job of grinding the net to a halt. Here's a disassembly of the 400 or so bytes being sent by infected systems. (No, I can't make anything out of that either, but it's kind of cool to look at.)

The worm isn't doing anything (it's not trying to destroy the infected databases,) it's just broadcasting information as it spreads creating a massive denial of service type situation. Basically a giant traffic jam. Theoretically this should be pretty easy to get under control, because all outbound traffic from infected machines is directed at the same port which can just be closed.

But I still can't get to my colo'd mail server with any regularity.
- jim 1-25-2003 7:21 pm

The tree is definitely slower this morning, especially pics. From the articles I read, sounds like the Bushies are using this as an opportunity to plug Information Awareness. Just as the House is about to vote to curb it. Hmmmm...
- tom moody 1-25-2003 8:21 pm


Here's an interesting paper looking at the rapid spread of the Slammer worm.

Propagation speed was Sapphire's novel feature: in the first minute, the infected population doubled in size every 8.5 (±1) seconds. The worm achieved its full scanning rate (over 55 million scans per second) after approximatly three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable machines were infected within 10-minutes of the worm's release. Although worms with this rapid propagation had been predicted on theoretical grounds [5], the spread of Sapphire provides the first real incident demonstrating the capabilities of a high-speed worm. By comparison, it was two orders magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19th, 2001 [3]. In comparison, the Code Red worm population had a leisurely doubling time of about 37 minutes.

- jim 2-04-2003 12:33 am





add a comment to this page:

Your post will be captioned "posted by anonymous,"
or you may enter a guest username below:


Line breaks work. HTML tags will be stripped.