I think I'm jinxed. When I put my anti-DoS article up on this site the root name servers were attacked. Then O'Reilly put the article on ONLAMP and the next day there was the MS SQL worm...

A worm in a single 404 byte UDP packet: the net certainly wasn't prepared for that. This worm didn't really harm infected systems all that much: it's the incredible amount of traffic generated by each infected system that caused so much trouble. Obviously dozens of megabits worth of traffic for each affected host will lead to congestion in many places, but it was worse than that: Cisco routers that were doing fast switching rather than Cisco Express Forwarding (CEF) ran out of memory and CPU. It also seems Riverstone routers, which are supposed to be able to do this in hardware, fell flat on their faces. (But I haven't seend this myself.)

Have a look at an article I wrote for the O'Reilly Network about the impact of this worm: Network Impact of the MS SQL Worm. (Note: the link doesn't work anymore, but I saved the article here.) And CAIDA has an in-depth analysis.

Permalink

April fools day RFCs

▼ April fools day is coming up again! Don't let it catch you by surprise. Over the years, a number of RFCs have been published on April first, such as:

0894 Standard for the transmission of IP datagrams over Ethernet
networks. C. Hornig. Apr-01-1984. (Format: TXT=5697 bytes) (Also
STD0041) (Status: STANDARD)

But not all RFCs stubbornly ignore their publishing day. The first "fools day compatible" RFC dates back to 1978:

0748 Telnet randomly-lose option. M.R. Crispin. Apr-01-1978. (Format:
TXT=2741 bytes) (Status: UNKNOWN)

Probably the most famous of all is RFC 1149, which was updated in RFC 2549:

1149 Standard for the transmission of IP datagrams on avian carriers.
�� D. Waitzman. Apr-01-1990. (Format: TXT=3329 bytes) (Updated by
�� RFC2549) (Status: EXPERIMENTAL)

2549 IP over Avian Carriers with Quality of Service. D. Waitzman.
�� Apr-01-1999. (Format: TXT=9519 bytes) (Updates RFC1149) (Status:
�� INFORMATIONAL)

It took some time, but in 2001 the Bergen Linux User Group implemented RFC 1149 and carried out some tests.

Can't get enough? Here are more April first RFCs:

RFC 1097, RFC 1217, RFC 1313, RFC 1437, RFC 1438, RFC 1605, RFC 1606, RFC 1607, RFC 1776, RFC 1924, RFC 1925, RFC 1926, RFC 1927, RFC 2100, RFC 2321, RFC 2323, RFC 2324, RFC 2550, RFC 2551, RFC 2795.

Permalink - posted 2002-04-01

Analysis of 9/11 impact on the net

Jaap Akkerhuis from the .nl TLD registry made an analysis of the impact of the events of September 11th on the net which he presented at the ICANN general meeting mid-November.

Permalink

Impact of Code Red and Nimda

The Renesys Corporation has published a preliminary report indicating that the Code Red II and Nimda worms caused a somewhat alarming instability in global routing. Remarkably, this instability lasted much longer than those caused by (even quite large) outages. When important links go down, BGP converges within minutes and remains stable after that. The worms on the other hand made the interdomain routing system less stable for many hours.

Permalink

MS SQL "slammer" or "sapphire" worm

Network Impact of the MS SQL Worm

First copies of my BGP book have arrived!

April fools day RFCs

April fools day RFCs

Analysis of 9/11 impact on the net

Impact of Code Red and Nimda