Is BGP Update Storm a Sign of Trouble: Observing the Internet Control and Data Planes During Internet Worms
I recall doing some analysis when SQLSlammer hit, and looking over the routing data I had available to me. It was a pretty disruptive 36 hours or so, honestly, and looking over the changes in the network, I saw an average of three BGP messages for every network that was affected. This apparently mapped to a BGP withdraw message, an announcement, and then a path update message. What's interesting in this work is that they line up such BGP data with reachability measurements, which I did not have access to at the time.

There are considerable reasons to wish to understand the relationship between the Internet’s control and data planes in times of stress. For example, the much publicized Internet worms—Code Red, Nimda and SQL Slammer—caused BGP storms, but there has been comparatively little study of whether the storms impacted network performance. In this paper, we study these worm events and see whether the BGP storms observed during the worms actually corresponded to problems in the Internet’s data plane. By processing and analyzing two datasets from RIPE, we have found that while BGP update storms occurred in all three worms, the performance of the data plane degraded during the Slammer worm but did not during the Code Red and the Nimda. No direct correlation should be drawn between the degradation of the Internet data plane and the occurrence of a BGP update storm—it may not be a sign of trouble but a sign of the Internet control plane doing its job.

Source: Is BGP Update Storm a Sign of Trouble: Observing the Internet Control and Data Planes During Internet Worms, by Matthew Roughan, Jun Li, Randy Bush, Zhuoqing Mao and Timothy Griffin, Proceedings of SPECTS 2006.
September 15, 2006 in Nimda, papers, routing, SQLSlammer | Permalink