The 'Sobering' truth: Why a single T1 line is no longer enough

As e-mail worms like the resilient Sober variants spread, they consume a lot of bandwidth and computing resources. However, it really doesn't take much worm traffic to disable e-mail services for an entire company, especially if that organization is using a single T1 line. Find out why Jonathan Yarden says the days of relying on a corporate T1 connection are over.

Whether it's due to multiple e-mail deliveries, insufficient storage, forged bounces, or just exhaustion of TCP sockets, e-mail worms wreak plenty of damage. Forged bounces can be particularly troublesome, as they're likely to get the attention of the various relay block lists (RBLs) or another Internet provider. When that occurs, your IP address can lose its ability to send e-mail.

In fact, thanks to the Sober worm, this happened to the Internet service provider (ISP) I work for last month. It took me several phone calls and a few tense hours to convince America Online and EarthLink that forged bounced e-mail wasn't due to my company's efforts to propagate junk e-mail. The Sober variants have once again set the bar by which we'll judge other e-mail worms (for the moment, at least), and this worm hasn't finished its destructive path.

By this point, you would think that e-mail worms would be a thing of the past, but they only seem to be getting worse. One reason for this is because more and more users are forgetting the first rule of using the Internet: Keep yourself protected and secure—because you really have no other choice. And that includes not opening suspicious e-mail attachments or running programs from e-mail.

It never ceases to amaze me how quickly an Internet worm can go from being a minor nuisance to becoming capable of disabling entire e-mail servers, and the latest variant of the resilient Sober e-mail worm only emphasized this point. But when it comes down to it, it really doesn't take much worm traffic to disable e-mail services for an entire company—or to seriously degrade the ability of an ISP to service them.

As e-mail worms spread, they consume a lot of bandwidth and computing resources. Add up all of that bandwidth, and it's capable of causing widespread problems on the Internet backbone itself, which means it can easily interfere with corporate Internet access. Even if an organization's Internet access appears to be working, the fallout due to this high consumption of resources can bring many an e-mail server to a standstill.

At the core of the issue is bandwidth. It doesn't take too many broadband connections to flood a typical company's Internet pipe. Many companies connect to the Internet using a single T1 line, which is capable of a raw bandwidth of about 1.544 Mbps—and that simply isn't enough anymore.

Believe it or not, a typical T1 line is no match for a few broadband pipes. Here's why: A corporate network uses quite a bit of that T1 bandwidth in other layers of network signaling, leaving roughly 1.29 Mbps for actual Internet data.

Now, consider that this bandwidth applies only to "point-to-point" connections—in other words, from where the T1 connects your data center to your ISP. So, in theory, you could transmit Internet traffic to and from your ISP at approximately 1.29 Mbps. (Of course, actual speed to and from the Internet also depends on other factors, which are far outside the scope of this article. Keep in mind that once data leaves your router, you have very little control over how it gets to and from anywhere else on the Internet.)

But there's more to why a T1 is no longer sufficient bandwidth for corporate use. You also lose some speed for TCP/IP overhead. For TCP data—the typical traffic used for Internet activity—a T1 can handle approximately 193 KBps. A typical DSL or cable modem Internet pipe can upload roughly 256 Kbps, or about 32 KBps, of TCP data. So by doing some rough math, you can see that it takes approximately six DSL or cable modem connections to completely saturate the inbound bandwidth of a T1.

In my experience, it doesn't take more than three broadband connections to disrupt a T1 connection to the point that TCP becomes unusable, and you can accomplish this just by pinging the router. According to one of my company's customers, it only took two Sober-infected broadband connections to flood a corporate e-mail server, which was behind a firewall and adequately secured. The sheer bandwidth of Sober caused several days of intermittent e-mail downtime, loss of Internet access, and loss of business.

So, if your organization thinks that a T1 line still provides adequate bandwidth, consider this "Sobering" thought about Internet access: Today's single T1 connection has become the equivalent to what a dial-up Internet connection was a few years ago. These days, organizations need more bandwidth, and it needs to be redundant whenever possible. One option is to split Internet access between inbound and outbound e-mail, perhaps using a different connection for outbound e-mail and Web surfing.

As broadband deployments increase, the risk of bandwidth exhaustion due to an Internet security issue also grows. And the only way to overcome bandwidth exhaustion is by adding more bandwidth. It only takes a few broadband connections to cause Internet access problems for a T1 connection, and that's why the days of a single corporate T1 as a viable connection to the Internet are long gone.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.