Slammer - doesn't take much to push 2 gigabits ....

I talked to a friend who works over at Georgia State.  He was called into work about 3:00am Saturday morning, and stayed there until 4pm that afternoon, trying to get control of the network.

He says the Slammer worm was pumping out about 2 gigabits a second out to the Internet.  The real surprise to me - that traffic was from only 30-40 infected hosts.  It actually makes some sense, if you break it down:

• Once a host is infected, it starts sending 376 byte UDP packets as fast as possible
• 2e9 bits/sec = 250 mbytes/sec, or ~ 665,000 376 byte packets/second
• Over 40 hosts, that's 16,000 packets/second, or about 50 mbits/second per host. 

So each host is using about half of a 100mbits/sec ethernet connection.

The scary part of that number: assuming the worm probes the net randomly, Georgia State alone sending out almost 2.4 billion probes per hour.  No wonder this thing took down the net so quickly.