Routing Information Service

Sapphire/Slammer Worm - Impact on Internet Performance

James Aldridge
7-February-2003

Announcement rate

All RIS route collectors (rrc02 excepted, which currently has no full BGP feeds) saw a similar increase in announcement activity starting at around 05:30 UTC. Taking the RIS as a whole, the announcement rate increased from about 100,000/hour to about 3,000,000/hour.

Data for the graphs in this presentation was extracted from the RIS database on Monday morning. However, the massive increase in the number of routing updates to be stored (from a normal value of just over 100,000/hour to a peak of around 4,000,000/hour) meant that there was a backlog in processing and data for rrc00 after about 15:00 had not yet made its way into the database.

Withdrawal rate

Similarly, the withdrawal rate also increased substantially at the same time. For the RIS as a whole, the rate increased from a normal of about 16,000/hour to around 1,000,000/hour.

State-change rate

Although a number of route collectors showed a peak in the rate of BGP state changes, this was short-lived (although rrc02 showed an overall increase in the number of state changes following this peak). Where we might have expected to see an overall increase in the number of state changes on rrc00, where all sessions are via multi-hop links, this did not happen (probably as a result of running most sessions without keepalives).

Announcements per peer (RRC00)

Looking now in more detail at a particular route collector (rrc00, which has 13 full BGP feeds) we see a similar, simultaneous increase in the number of announcements from around 250 per 5 minute period to around 10,000 per 5 minute period after 05:30.

The spikes to around 100,000 announcements/5 minute period on the graph for a couple of peers after the initial attack suggest that a full BGP table is being reannounced. As we see no corresponding increase in the number of state changes for BGP sessions on rrc00 itself, this would suggest BGP sessions resetting further away from the route collector.

Withdrawals per peer (RRC00)

Again, looking at the per-peer withdrawal rate on rrc00 we see an increase from around 100/5-minute period to around 4,000/5-minute period.

The spikes from one of our peers following the attack suggest the explicit withdrawal of a full BGP table, again suggesting a reset of a BGP session further from our route collector.
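
The inference made in the two per-peer sections above (a burst of roughly a full table's worth of announcements or withdrawals from one peer, with no state change on the collector's own session, points to a session reset further away) can be written as a check over 5-minute update counts. This is an added example, not RIS code: the record format, peer names, thresholds and the 100,000-prefix table size are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

BIN = 300  # seconds: the 5-minute period of the per-peer graphs

def bin_counts(updates):
    """Count records per (peer, 5-minute bin). Each record is (ts, peer, kind)
    with kind 'A' announcement, 'W' withdrawal, 'S' local session state change."""
    bins = defaultdict(Counter)
    for ts, peer, kind in updates:
        bins[(peer, ts - ts % BIN)][kind] += 1
    return bins

def classify(bins, baseline, table_size, surge_factor=10, table_fraction=0.8):
    """Label bins that stand out. Thresholds are assumptions, not RIS values."""
    labels = {}
    for (peer, start), c in sorted(bins.items()):
        for kind in ("A", "W"):
            if c[kind] >= table_fraction * table_size:
                # Roughly a whole table in one bin: some BGP session reset.
                # No state change on our own session means it was further away.
                where = "local" if c["S"] else "remote"
                labels[(peer, start, kind)] = f"full-table, {where} reset"
            elif c[kind] >= surge_factor * baseline[kind]:
                labels[(peer, start, kind)] = "surge"
    return labels

def sample_updates():
    """Constructed records (seconds since 00:00 UTC), sized after the page's figures."""
    plan = [  # (peer, bin start, announcements, withdrawals, state changes)
        ("peerA", 18000, 250, 100, 0),       # 05:00, normal level
        ("peerA", 19800, 10_000, 4_000, 0),  # 05:30, worm onset
        ("peerB", 21600, 100_000, 0, 0),     # table re-announced, session stayed up
        ("peerB", 21900, 0, 100_000, 1),     # table withdrawn, local session flapped
    ]
    for peer, start, a, w, s in plan:
        for kind, n in (("A", a), ("W", w), ("S", s)):
            for i in range(n):
                yield (start + i % BIN, peer, kind)

def run_sample():
    return classify(bin_counts(sample_updates()),
                    baseline={"A": 250, "W": 100}, table_size=100_000)

if __name__ == "__main__":
    for key, label in run_sample().items():
        print(key, label)
```

The last constructed bin is a contrast case: the same volume accompanied by a local state change would be attributed to the collector's own session rather than to one further away.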

Root name service prefix activity (announcements)

Having looked at the overall announcement and withdrawal rate, we now turn to particular prefixes, in this case those containing the DNS root name servers. From almost no activity prior to 05:00, we see a massive increase in the number of announcements leading to a peak of around 650/hour between 07:00 and 08:00 UTC. Activity related to the G root-server is particularly prominent.

Root name service prefix activity (withdrawals)

Again, if we look at the withdrawal rate for the root nameserver prefixes, we see an increase from nothing prior to the attack to around 150 withdrawals/hour between 07:00 and 08:00.

Aggregate root name service prefix activity

Looking at both announcement and withdrawal activity for all the root nameserver prefixes in slightly more detail, we see a similar increase in activity starting at about 05:30 UTC. (The first small bar on the graph at around this time is for the period 05:15 - 05:30, as we see on the final graph, which shows the same data but only for the period from 05:00 UTC to 16:00 UTC.)
