Slammer - doesn't take much to push 2 gigabits ....


I talked to a friend who works over at Georgia State.  He was called into work about 3:00am Saturday morning, and stayed there until 4pm that afternoon, trying to get control of the network.

He says the Slammer worm was pumping about 2 gigabits a second out to the Internet.  The real surprise to me - that traffic was from only 30-40 infected hosts.  It actually makes some sense, if you break it down:

  • Once a host is infected, it starts sending 376-byte UDP packets as fast as possible
  • 2e9 bits/sec = 250 Mbytes/sec, or ~665,000 376-byte packets/second
  • Over 40 hosts, that's 16,000 packets/second, or about 50 Mbits/second per host.

So each host is using about half of a 100 Mbits/sec Ethernet connection.

The scary part of that number: assuming the worm probes the net randomly, Georgia State alone was sending out almost 2.4 billion probes per hour.  No wonder this thing took down the net so quickly.
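
The breakdown above can be turned around into a check for finding the flooding hosts. This is an added example, not part of the original post: it flags sources by their rate of 376-byte UDP packets and destination fan-out, then estimates how much of the IPv4 space the campus-wide probe rate covers in an hour under the same random-probing assumption. The flow record layout, thresholds, and host addresses are constructed for illustration.

```python
import math
from collections import defaultdict

PKT_BYTES = 376        # worm packet size, from the post
IPV4_SPACE = 2 ** 32

def per_host_rates(flows, window_s):
    """flows: (src, dst, proto, pkt_bytes, packets) records seen in window_s seconds.
    Returns {src: (packets_per_sec, distinct_dsts)}, counting 376-byte UDP only."""
    pkts, dsts = defaultdict(int), defaultdict(set)
    for src, dst, proto, size, count in flows:
        if proto == "udp" and size == PKT_BYTES:
            pkts[src] += count
            dsts[src].add(dst)
    return {s: (pkts[s] / window_s, len(dsts[s])) for s in pkts}

def flag_hosts(rates, min_pps=1000, min_dsts=50):
    """Assumed thresholds: high sustained rate AND wide destination fan-out."""
    return sorted(s for s, (pps, n) in rates.items() if pps >= min_pps and n >= min_dsts)

def mbits_per_sec(pps):
    return pps * PKT_BYTES * 8 / 1e6

def expected_coverage(probes):
    """Fraction of IPv4 space hit at least once by uniformly random probes."""
    return 1 - math.exp(-probes / IPV4_SPACE)

def sample_flows():
    """Constructed one-second capture: one flooding host, one ordinary client."""
    flood = [("10.0.0.5", dst, "udp", 376, 1) for dst in range(16000)]  # dst as int
    normal = [("10.0.0.9", 42, "udp", 376, 20), ("10.0.0.9", 43, "tcp", 1500, 900)]
    return flood + normal

if __name__ == "__main__":
    rates = per_host_rates(sample_flows(), window_s=1)
    for host in flag_hosts(rates):
        pps = rates[host][0]
        print(f"{host}: {pps:.0f} pps, {mbits_per_sec(pps):.1f} Mbit/s")
    campus_probes_per_hour = 665_000 * 3600      # the post's aggregate rate
    print(f"IPv4 coverage per hour: {expected_coverage(campus_probes_per_hour):.0%}")
```

With uniformly random targets, the post's aggregate rate works out to a little over 40% of all IPv4 addresses being probed at least once per hour from this one campus.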

About this Entry

This page contains a single entry by Paul Holbrook published on January 26, 2003 9:30 PM.
