One of the issues I've been discussing as part of various critical infrastructure protection forums is the need for "all hazard" outage information. Treating Internet security as just a law-enforcement issue can warp your perception. Unless you have a good view into all the other things which can wreck Internet availability, it is difficult to gauge the impact of a malicious activity versus "normal" outages.

BoyHowdy! Bingo! I'll say. Also difficult to "sell" to managment--the notion of "normal" outages (I like the terms "risk assessment" and "business continuation preparation" here).

I don't completely understand the data. The impact of the Baltimore train wreck shows up very clearly. Traffic returns to nearly normal by 6am the next morning. But then degrades again the following the day (i.e. "Worm day"). I don't have access to the raw data, so I can't tell if there are differences between carriers with fiber in the Howard tunnel and other carriers. Did congestion increase the following day due to the reduced bandwith the following day, or was it consumed by the worms propagation.

I think you have left out the "rubberneck effect" (I may have just coined a new term). I often notice in our traffic graphs that certain events and certain rumored events, as well as (in the instant case) certain "predictions" Will cause dramatic increases in traffic in our network. I think a sociologist would be helpful in understanding that, but my very informal and anecdote-ridden "study" indicates to me that when we make a major upgrade in facilities, there is a jump in traffic as people ping stuff all over, try the MS web page (and its speedometer doodad), and so on. There was a jump last evening at about 1930 local and there was one the night before at about the same time--people checking to see if the 'net was dead? -- -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- . . - L. F. (Larry) Sheldon, Jr. - . Unix Systems and Network Administration . - Creighton University Computer Center-Old Gym - . 2500 California Plaza . - Omaha, Nebraska, U.S.A. 68178 Two identifying characteristics - . lsheldon@creighton.edu of System Administrators: . - 402 280-2254 (work) Infallibility, and the ability to - . 402 681-4726 (cellular) learn from their mistakes. . - 402 332-4622 (residence) - . http://www.creighton.edu/~lsheldon Adapted from Stephen Pinker . -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-