Internet Worms and BGP Storms

i surfed the web today, and reached jose’s blog. he covered a paper called:
“is bgp update storm a sign of trouble: observing the internet control and data planes during internet worms”
by:
matthew roughan, jun li, randy bush, zhuoqing mao and timothy griffin.

you can find it here: http://www.eecs.umich.edu/~zmao/papers/spects06-camera.pdf

the paper’s abstract:

there are considerable reasons to wish to understand the relationship between the internet’s control and data planes in times of stress. for example, the much publicized internet worms—code red, nimda and sql slammer—caused bgp storms, but there has been comparatively little study of whether the storms impacted network performance. in this paper, we study these worm events and see whether the bgp storms observed during the worms actually corresponded to problems in the internet’s data plane. by processing and analyzing two datasets from ripe, we have found that while bgp update storms occurred in all three worms, the performance of the data plane degraded during the slammer worm but did not during the code red and the nimda. no direct correlation should be drawn between the degradation of the internet data plane and the occurrence of a bgp update storm—it may not be a sign of trouble but a sign of the internet control plane doing its job.

in essence, they say:

“in this paper, we studied bgp update storms during three well-known internet worms—code red, nimda, and slammer—and found that while bgp update storms occurred in all three worms, the performance of the data plane degraded during the slammer worm but did not during the code red and nimda worms. while it is certainly important to pay attention to the occurrence of bgp update storms, our results show that a bgp update storm does not necessarily map to data plane disruption.”

gadi evron,
ge@beyondsecurity.com.
