We observe a significant increase in the number of BGP update announcements during the Slammer worm attack, which is most evident on a logarithmic scale in Fig. 1. This increase has been reported many times and is assumed to be related to the doubling of the number of infected machines approximately every 9 seconds [8; 15]. At the same time, it should be noted that it is still not known who launched the Slammer attack or exactly when. It is only supposed that the worm began to infect hosts “slightly before” 05:30 UTC on Saturday, 25 January 2003 [9]. In any case, we see in Fig. 1 that the actual visible changes in the BGP updates time series occurred after 25 January 2003, and that on a logarithmic scale these changes look very similar for all of the BGP updates time series used, from 8 different locations.
As already mentioned, in the present work we focus on the analysis of possible dynamical changes caused by Slammer in the BGP updates process after the worm attack (supposing that, according to the accepted view, the attack started on 25.01.2003, 05.30). At the same time, we will briefly discuss the behavior of BGP updates in the period when the spreading of the Slammer worm obviously took place, i.e. slightly before 25 January. Separately, we will also touch on the dynamics of BGP updates relatively long before and long after the Slammer attack.
As we see in Figs. 2 and 3, in general, the regularity of the process of BGP updates evolution is of a variable nature and looks different for each rrc location. At the same time, according to the results of the LZC and Lv analysis, we observed qualitatively similar changes in the updates time series at all locations following the start of the attack.
These changes show that the extent of regularity of BGP updates variation strongly increased. This increase in the extent of regularity occurred after the Slammer worm attack, which began about 05:30 UTC on Saturday, 25 January 2003 and lasted 15–19 hours [9; 10]. Indeed, for these 15–19 hours we observe the strongest decrease in LZC and Lv values for each of the analyzed BGP data sets from all 8 selected locations.
Since we use sliding windows of 1440 data points (24 h), shifted by 1 data point (1 minute), it is difficult to discern fine details in the process of BGP updates evolution. Thus, in Figs. 2 and 3 we add insets of shorter observation periods. The presented results confirm that immediately after 05.30 (23.01.2003), the changes in the BGP updates process occurred simultaneously in all considered data sets.
These changes, in spite of small quantitative differences, are obviously qualitatively similar and are apparently related to the Slammer worm attack (see middle inset in Fig. 2 and inset in Fig. 3). Moreover, we do not see such similarity either prior to or after the Slammer attack (Figs. 2 and 3). On the other hand, we should note some similarity in the LZC analysis results of BGP updates variation, which took place for some collectors in the period when the worm presumably started to spread in the network, i.e. prior to the declared Slammer attack (see left inset in Fig. 2).
We also note that the weak decrease in the calculated LZC values that we observed relatively long after the Slammer attack (right inset in Fig. 2) involved the time series from only one collector and is seemingly caused by local factors not related to the worm. Meanwhile, the results of the Lv analysis do not indicate an increase in the extent of regularity other than in the period after the Slammer worm attack (see Fig. 3).
Thus the results of the LZC and Lv analysis indicate a noticeable increase in the extent of regularity in BGP updates variation that was evident at all 8 considered collectors in the period after the Slammer attack. We regard this as a clear indication that the Slammer worm caused similar changes (at least qualitatively) at all considered locations in the period of the attack. The other data analysis methods used for each of the 8 considered time series led to the same conclusions (not shown here).
Taking into account the qualitative similarity of the changes observed in BGP updates variability from the considered collectors, we proceeded to analyze the BGP time series averaged over all 8 observation sites (see Fig. 4). The analysis of these averaged data sets allowed us to focus on the features of BGP updates variation that are most important and common to all considered collectors that underwent the Slammer worm attack.
The results of the LZC and Lv calculations obtained for the averaged BGP updates time series are presented in Figs. 5 and 6. It is clear that after the Slammer worm attack both characteristics decreased substantially, indicating an increase in the extent of regularity in the process of BGP updates variation, as was shown for the original time series from each location (see Figs. 2 and 3).
The next method we used is Tsallis entropy calculation. The analysis was carried out for both the original and the averaged BGP updates time series. Following the logic adopted for the LZC and Lv calculations, we do not show here the results of the Tsallis entropy calculation for each original time series and present only the results obtained for the averaged time series. It is generally known that the results of the Sq calculation depend on the entropic index q. In our case we did indeed see some differences in the Sq values obtained for different q indexes; however, what is most important for our analysis, the Tsallis entropy values for the windows after the Slammer worm commencement were always minimal. Thus, for demonstrative purposes, we present results only for q = 0.5, in Fig. 7.
As mentioned, the results indicate a drastic decrease in the value of Sq for the sliding windows located after the declared start of the Slammer worm attack (25.01.2003). This confirms that the extent of order in the process of BGP updates variability increased after the attack. We note here that in Fig. 7, as in Fig. 5, we see an indication that the extent of order in the averaged data set of BGP updates also increased (though not as strongly as after the attack) prior to the Slammer worm attack (about 19–22 January). At this time, we cannot connect this to the influence of the worm attack. At the same time, we cannot conclude for sure that this was not caused by the spreading of the worm, which apparently started prior to 25.01.2003, 05.30 [9].
Such a proposition may be logical, assuming that during the worm spreading changes occurred gradually and did not happen at once at all rrc locations. In any case, for the purpose of the present research it is most important that the increase in the extent of regularity in BGP updates variation is clearly stronger after the Slammer worm attack and that this is evident for all considered locations.
We next carried out the composite multiscale entropy, RCMSE, calculation for the averaged BGP data sets. Here we point out that, in order to avoid biases related to the variance of the estimated entropy values calculated at different scales for different windows, we averaged the calculated entropy values over all scales used. Such averaging obviously prevents us from seeing the process on each of the 10 scales used, but it is useful for obtaining an additional, averaged, entropic measure of complexity in each of the windows. The results further confirm the increase in the extent of order in the BGP updates process that took place following the Slammer worm attack at all analysed collectors. Indeed, in Fig. 8, we see that, for the averaged BGP updates time series calculated for 1440 min long sliding windows, the values of the multiscale entropies are minimal in the windows after the Slammer worm attack (see the dip below the horizontal dotted line).
We then performed recurrence quantification analysis on the averaged BGP data sets. According to the results of the RQA analysis, presented in Fig. 9, it can be concluded that the extent of regularity of the process of BGP updates variation is higher (the %DET characteristic increased to its maximal value, above the grey dotted line) in the windows that followed the start of the Slammer worm attack. Thus, in general, the results of testing the recurrence features in the structure of the reconstructed phase space also confirm the above conclusion about the increased extent of regularity in the process of BGP updates variability following the attack.
Afterwards, we come back to the changes observed prior to the start of the Slammer worm attack. These changes are visible for almost all metrics (see Figs. 4, 5, 7, 8 and 9). Essentially, analyzing both the original and the averaged BGP data sets shows that regularity in the update process slightly increased prior to the start of the Slammer worm attack (please note the changes that occurred between 19 and 22 January 2003). This period of the beginning of the worm’s spreading is very interesting because there were few human counter-actions to worm propagation. This period involved exponential propagation with a constant and positive infection rate [11]. Therefore, the impact on BGP could have been weaker and not observable at all locations. Here we can propose the possibility of preventive countermeasures when simultaneous dynamical changes appear in groups of rrc collectors, especially when these changes point to an increase of order in the process of BGP updates evolution. Such preventive countermeasures, even for small and hardly detectable changes, are of utmost importance because, as is thought, there are still Internet anomalies that may be “not reported” or remain “even unnoticed” (Karimi et al. [7]).
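The sliding-window LZC analysis described above, together with the proposal to react when a group of collectors shows a simultaneous increase of order, can be sketched as follows. This is an added example, not the authors' code: it assumes binarization around the window median and the common c·log2(n)/n normalization, uses constructed per-minute counts with hypothetical collector labels, and takes the baseline length and the 0.6 ratio as illustrative thresholds. The window and step are shortened from the 1440/1 used in the text so that it runs quickly.

```python
import math
import random
import statistics

def lz76(bits):
    """Number of phrases in the Lempel-Ziv (1976) parsing of a binary string."""
    i, phrases, n = 0, 0, len(bits)
    while i < n:
        length = 1
        # Grow the phrase while it can still be copied from earlier text.
        while i + length <= n and bits[i:i + length] in bits[:i + length - 1]:
            length += 1
        phrases += 1
        i += length
    return phrases

def lzc_windows(counts, win, step):
    """(window start, normalized LZC) for each sliding window of update counts."""
    out = []
    for s in range(0, len(counts) - win + 1, step):
        w = counts[s:s + win]
        med = statistics.median(w)  # assumption: binarize around the window median
        bits = "".join("1" if v > med else "0" for v in w)
        out.append((s, lz76(bits) * math.log2(win) / win))
    return out

def simultaneous_drops(series, win, step, n_base, ratio):
    """Window starts where EVERY collector falls below ratio * its own baseline LZC."""
    common = None
    for counts in series.values():
        lzc = lzc_windows(counts, win, step)
        base = statistics.median(v for _, v in lzc[:n_base])  # early windows = baseline
        low = {s for s, v in lzc if v < ratio * base}
        common = low if common is None else common & low
    return sorted(common or [])

def constructed_series(seed, n=600, regular=(360, 540)):
    """Constructed per-minute counts: noisy baseline, then a repeating high-volume pattern."""
    rng = random.Random(seed)
    pattern = [400, 900, 1500, 900]
    return [pattern[t % 4] if regular[0] <= t < regular[1] else rng.randint(20, 80)
            for t in range(n)]

# Hypothetical collector labels; thresholds below are illustrative, not from the paper.
COLLECTORS = {f"collector-{k}": constructed_series(seed=k) for k in range(3)}
ALERTS = simultaneous_drops(COLLECTORS, win=120, step=10, n_base=10, ratio=0.6)

if __name__ == "__main__":
    print("window starts with a simultaneous LZC drop:", ALERTS)
```

Requiring the drop at every collector is what separates a network-wide change from a decrease at a single collector caused by local factors.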
In this respect, we recall the results of our former analysis of BGP updates data sets from the four largest Internet Service and/or Transit Providers: AT&T, NTT, IIJ, and Tinet. On these data sets, recorded in 2011, we showed a simultaneous increase in the order of BGP updates variability when no worm or malware attack was reported [6]. In the light of our current results, it can be proposed that the mentioned simultaneous increase in BGP variations may have been caused by the influence of a Slammer-like worm that may have remained unnoticed at that time. Such a proposition definitely deserves attention because in 2014 and 2016 a comeback of the Slammer worm was reported. In the frame of our ongoing research, we investigated the changes in BGP updates that accompanied this recent attack, and as a preliminary result we can state that the results seem not to contradict the findings of the present report.
Finally, in an attempt to shed more light on the question of differences in the dynamics of BGP updates variation in the periods before, during and after the Slammer worm attack, we carried out an additional analysis. Namely, as described in the methods section, in addition to the BGP time series collected from 16.01.03 to 02.02.03 at the 8 main considered collectors, we also analysed BGP data sets from other periods from several collectors with data sets of acceptably good quality. As stated above, we used BGP time series recorded long before the Slammer worm commencement, from 06.01.2003 to 09.01.2003 and from 12.01.2003 to 15.01.2003.
In addition, BGP time series from long after the Slammer worm attack, 12.02.2003 to 15.02.2003, were analysed. For this part of the analysis we focused on the LZC and Lv calculations. The results of the LZC and Lv analysis for these periods (as well as for the period of our main analysis, from 16.01.03 to 02.02.03) are presented in Figs. 10 and 11. As we see in the two figures, BGP updates variation in the periods long before and after the Slammer worm attack may also be characterized by some dynamical changes, which for some collectors may even slightly resemble the changes caused by the Slammer worm attack described above. At the same time, these results provide clear evidence that changes in the dynamics of BGP updates evolution that are strong, similar to each other and noticeable for all considered collectors occurred only in the period of the Slammer attack (indicated by black frames in Figs. 10 and 11).
Thus we conclude that in the period of the Slammer worm attack (approximately 15–16 hours after 25.01.2003) the process of BGP updates variation became much more regular than it was prior to or after the computer worm commencement. We note again that this is true for all considered collectors, whether located close to or distant from each other. Such widespread changes in the dynamics of BGP updates variability, caused by the Slammer worm attack in the Internet, are quite logical because the propagation of worm codes is usually global and large-scale [11].