Ten days into Slammer's aftermath. The lessons are clearer now.
What the aftermath shows
The vulnerable population was concentrated. Many of the compromised SQL Servers were desktop installations: the SQL Server 2000 engine (MSDE) installed silently by another product, often a Microsoft Office or developer tool, and then forgotten. The operators did not know they were running SQL Server, so they had no reason to look for a SQL Server patch.
The patch deployment was slow. Six months passed between patch availability (MS02-039, July 2002) and the worm. Most affected operators had simply not applied it.
The bandwidth impact was uneven. Areas with denser SQL Server deployment experienced more disruption. Several countries' connectivity degraded significantly; others were largely unaffected.
The cleanup was easy because the worm was simple. Slammer is memory-resident only (no persistence): a reboot removes it and patching prevents reinfection. The order matters, though. An unpatched host rebooted onto a network still carrying worm traffic is reinfected within minutes, so patch (or filter the port) first, then reboot. Once that was done the cleanup was a one-time exercise.
What this teaches
Forgotten infrastructure is the largest attack surface. I wrote about this in 2001; Slammer is the largest-scale demonstration. The vulnerable SQL Servers were vulnerable because nobody knew they existed.
Inventory discipline matters. An operator who knows what is running on their network can patch it. An operator who does not cannot, and an inventory built from purchase records misses exactly the embedded installs that Slammer found.
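As an added example (not the author's code), a small Python inventory check for exactly this problem. The SQL Server Resolution Service that Slammer hit is also SQL Server's discovery service: a one-byte UDP request to port 1434 makes every SQL Server 2000 or MSDE instance on a host announce its name, build number and listening ports, which is how to find the installs nobody knew about. The packet layout follows Microsoft's MC-SQLR specification (0x03 CLNT_UCAST_EX request, 0x05 SVR_RESP reply with a little-endian length). The sample reply, the host name DEVBOX and the instance names are constructed. The triage threshold 8.00.760 (SQL Server 2000 SP3, the first service pack that includes the MS02-039 fix) is my assumption: a lower build is worth a look, not proof of exposure, because pre-SP3 hotfix builds report intermediate numbers.

```python
from __future__ import annotations

import socket
import struct

SSRP_PORT = 1434            # UDP port of the SQL Server Resolution Service
CLNT_UCAST_EX = b"\x03"     # MC-SQLR: "list every instance on this host"
SVR_RESP = 0x05             # first byte of a resolution-service reply

# Assumed triage threshold: SQL Server 2000 SP3 build (first SP with the fix).
MIN_SAFE_BUILD = (8, 0, 760)


def parse_svr_resp(payload: bytes) -> list[dict[str, str]]:
    """Parse one SVR_RESP packet into a dict of attributes per instance.

    Layout: 0x05, 2-byte little-endian length, then ASCII records of
    'Key;Value;Key;Value;...' with each instance terminated by ';;'.
    """
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (length,) = struct.unpack_from("<H", payload, 1)
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue                      # trailing empty record
        attrs = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" in attrs:
            instances.append(attrs)
    return instances


def version_tuple(version: str) -> tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194) so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def needs_attention(instance: dict[str, str],
                    minimum: tuple[int, ...] = MIN_SAFE_BUILD) -> bool:
    """True if the reported build is below the threshold or unparseable."""
    version = instance.get("Version")
    if not version:
        return True
    try:
        return version_tuple(version) < minimum
    except ValueError:
        return True


def triage(instances: list[dict[str, str]]) -> list[tuple[str, str, bool]]:
    """(instance name, build, flagged) for each instance in a reply."""
    return [(i.get("InstanceName", "?"), i.get("Version", "?"),
             needs_attention(i)) for i in instances]


def probe_host(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send the discovery request to one host; [] if nothing answers.

    This is the benign discovery ping, not the overflow payload. A silent
    host may still run SQL Server behind a filter; absence of a reply is
    not absence of an install.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_svr_resp(data)


# Constructed sample reply: a default instance still at the RTM build and a
# named instance (the kind a developer tool installs) already at SP3.
_SAMPLE_BODY = (
    "ServerName;DEVBOX;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DEVBOX\\pipe\\sql\\query;;"
    "ServerName;DEVBOX;InstanceName;VSDOTNET;IsClustered;No;"
    "Version;8.00.760;np;\\\\DEVBOX\\pipe\\MSSQL$VSDOTNET\\sql\\query;;"
).encode("ascii")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; swap in
    # probe_host("10.0.0.5") to query a real host.
    for name, build, flagged in triage(parse_svr_resp(SAMPLE_RESPONSE)):
        print(f"{name:12} build {build:9} {'CHECK' if flagged else 'ok'}")
```

Run it across every address on a subnet and the result is the list the operator lacked: each box that answers is running the vulnerable service whether or not anyone remembers installing it. The named instance in the sample is the case the post describes, a database engine that arrived with a development product.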
Bandwidth is the limit when worms are this fast. Slammer's spread was capped by the outbound bandwidth of the hosts it infected, not by how fast each host could scan. Future worm authors will optimise for bandwidth efficiency rather than per-host scan rate, because bandwidth is the constraint.
More as the year develops.