It is easy enough to pontificate after the fact about what went wrong and who made which mistakes. So I shall pull out my soapbox without further ado.
There were several contributing factors to the general mayhem that reigned for a short while on the 25th January. The most worrying is that so many administrators (an estimated 75,000) didn't firewall the relevant ports as listed in the above writeup.
The first important thing anyone running a server on the Internet should know is this: only open the ports you need, and close everything else. For a single server running a website and mail, these ports are 80 for http, maybe 21 for ftp, 25 for smtp, 110 for pop3, and, if you need to allow secure surfing, port 443 for SSL/TLS. Windows 2000 has the capability for basic firewalling built in. Windows NT does not, but should always have a firewall between it and the Internet.
Next I'll fling some impressive statistics your way:
[Slammer] was the fastest spreading computer worm in history. It spread throughout the Internet and infected most of the vulnerable hosts that could be found within ten minutes.
During the first three minutes of the worm's spread, the number of infected machines doubled roughly every 8.5 seconds [...] the worm hit its full scanning rate of around 55 million scans per second at around three minutes after the attack began at roughly 05:30 GMT on Saturday.
In hitting this impressive rate of infection, out-pacing even the theoretical Warhol Worm, Slammer generated an enormous amount of traffic. According to anecdotal evidence, a handful of infected machines managed to saturate a 100 Mbps Ethernet link - something most servers should never have to deal with.
This level of traffic caused problems for some of the routers that make up the backbone of the Internet. Some became so bogged down that they couldn't keep up with their BGP duties, and became unreachable from the rest of the Internet. This second factor would be slightly ironic, if it hadn't knocked Korea off the net along with Bank of America's ATM network[1]. In a few cases, some heavily infected subnets cut themselves off from the rest of the Internet by overloading routers, hence slowing the infection rate.
The second and equally important thing that anyone running a server on the Internet should know is this: keep up to date on patches. This particular tale of woe comes straight out of RISKS digest, and is an illustration of how even little mistakes cause big problems.
Security vulnerabilities such as those used by Slammer work by exploiting problems in programs. Patches (or, as Microsoft calls them, "hotfixes") correct the problems in the files that make up these programs. Microsoft has made a command line tool available, "hfnetchk"[2], that is supposed to check a given system for the presence of all available patches, and thereby verify that the computer is as secure as possible. On running, hfnetchk parses a file downloaded from Microsoft's website called "mssecure.xml" that contains an up-to-date list of all security patches published by Microsoft[3].
As of Sat, 25 Jan 2003 09:45:38 -0600[4], Microsoft's version of mssecure.xml contained no mention of the patch that fixed the vulnerability exploited by Slammer. Administrators using hfnetchk to check their servers would see no mention of this missing patch, and hence remain vulnerable.
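To make that failure mode concrete, here is an added example (not hfnetchk's code, and using an invented, simplified schema in place of the real mssecure.xml format): a checker that reports bulletins whose hotfix is not installed, alongside the coverage check an administrator wants next to it, because a bulletin that is absent from the database can never be reported as missing.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for mssecure.xml. The element and attribute names here
# are invented for this example; the real file's schema is different.
SECURITY_DB = """<?xml version="1.0"?>
<SecurityDatabase>
  <Bulletin ID="EX-001" Product="SQL Server 2000">
    <Patch QNumber="Q000001"/>
  </Bulletin>
  <Bulletin ID="EX-002" Product="SQL Server 2000">
    <Patch QNumber="Q000002"/>
  </Bulletin>
</SecurityDatabase>
"""


def load_patch_db(xml_text):
    """Map each bulletin ID in the database to the set of hotfix Q-numbers that fix it."""
    root = ET.fromstring(xml_text)
    return {b.get("ID"): {p.get("QNumber") for p in b.iter("Patch")}
            for b in root.iter("Bulletin")}


def missing_patches(db, installed):
    """Bulletins with no corresponding hotfix installed: the only thing a
    database-driven checker can ever report."""
    return sorted(bid for bid, fixes in db.items() if not fixes & installed)


def database_coverage_gaps(db, required):
    """Bulletins the administrator is tracking that the database does not
    contain at all. A 'clean' scan says nothing about these."""
    return sorted(set(required) - set(db))


def audit(xml_text, installed, required):
    """Combine both views so a clean patch report cannot hide a stale database."""
    db = load_patch_db(xml_text)
    return {
        "missing": missing_patches(db, installed),
        "unchecked": database_coverage_gaps(db, required),
    }


if __name__ == "__main__":
    # Constructed host: both known hotfixes installed, but the admin also
    # tracks bulletin EX-003, which the downloaded database has never heard of.
    print(audit(SECURITY_DB, {"Q000001", "Q000002"}, ["EX-001", "EX-002", "EX-003"]))
```

The "required" list is whatever independent source the administrator keeps (vendor bulletins, mailing-list advisories); the point is that the scan result and the database's coverage are reported separately.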
It's this kind of thing that makes sysadmins grind their teeth in frustration: sometimes at the companies who supply them with software, but more often at the members of their own profession who couldn't tell a firewall from an iron curtain.
1: What I want to know is, WTF was an ATM network doing anywhere near the big bad Internet?!‽
2: hfnetchk: HotFixNETworkCHecKer.
3: You can download the current version (at 1.4 MB) from
4: The time was taken from this message posted to ntbugtraq by Eric Schultze of Shavlik Technologies, the external developers of hfnetchk:
Sources not mentioned elsewhere: