The city didn't fall all at once. It fell the way cities always fall — one neighborhood at a time, so fast that by the time anyone with authority understood what was happening, the map had already gone dark.
The first sign was the slowness. Not a crash. Not an outage. Just... drag. Applications that used to snap now paused. Email took a beat too long to arrive. Web pages loaded like they were being pushed through wet concrete. If you'd asked anybody on the floor that Tuesday afternoon, they'd have said the network was being "sluggish," the way you say the weather is "muggy" — a complaint, not a diagnosis. Nobody calls it an emergency when the lights are still on. They just squint harder and keep working.
But underneath the sluggishness, something was flooding. Every router in the enterprise was drowning in ICMP traffic — ping requests, millions of them, hitting every host on every subnet on every site across three continents. Not from outside. From inside. From machines that had already been compromised, scanning for more machines to compromise, each new infection adding its own flood of pings to a rising tide that was eating the network's capacity from the inside out.
Tens of thousands of employees spread across every time zone the company touched. And every single one of their machines was either already infected or being scanned by something that wanted to infect it.
Every machine except mine.
I ran a satellite operation. Not IT. Not engineering. Not security. A client-facing facility on the wrong side of the org chart — the kind of place the infrastructure team forgot existed until they needed a favor. We hosted outside visitors constantly. Vendors, clients, contractors, partners — a revolving door of people who weren't employees, plugging devices into our network that had never seen a corporate policy document, bringing whatever was living on their laptops into our airspace like tourists carrying seeds through customs.
That last part is why I was paranoid. Not theoretically paranoid. Not policy-document paranoid. Paranoid paranoid. The kind where you build your own security protocols because the people whose actual job it is are thinking about the perimeter and you're thinking about the contractor who just plugged his unpatched laptop into your guest port because he had a presentation to give in ten minutes.
My subnet was mine. I controlled what came in and what went out. I patched aggressively, scanned constantly, and treated every external device like a loaded weapon being carried into a nursery. The enterprise team had their standards and their policies and their approved configurations, and I'm sure it all looked great in the audit. But standards are a treaty, and treaties work until someone shows up who didn't sign one.
I didn't know it at the time, but I'd built the only clean room in the building.
It wasn't one worm. It was three: Sobig in the mailboxes, Blaster in the wound, and Nachi flooding the streets trying to play doctor.
Sobig hit first. Email-borne. Forged headers, spoofed senders, attachments with names designed to make polite people click. The return address was always a lie, which meant every mail server with an auto-responder or a helpful antivirus notification would dutifully send a warning back to the forged sender — who was somebody's grandmother, or a small business in Mexico, or nobody at all — telling them they'd sent a virus they'd never heard of. The worm generated less damage than the infrastructure trying to be helpful about it.
The enterprise mail servers caught it eventually. Updated signatures. Stripped attachments. But by then, the inboxes were already flooded. One of my users was sitting in Outlook staring at hundreds of Sobig-generated messages that had sailed right past the filters before the signatures were in place. I told him to close Outlook and not touch anything. Then I called it in.
Then came Nachi, and Nachi was the one that burned the city down.
Here's the thing about Nachi that nobody appreciates until it's too late: Nachi wasn't malicious. Nachi was a vigilante. A few weeks earlier, a worm called Blaster had torn through Windows networks worldwide, exploiting a vulnerability in the RPC DCOM service — a hole that let an attacker execute code on any unpatched machine just by reaching it on the network. No email. No attachment. No user interaction. Blaster was a brute, and it left a mess. So someone — to this day nobody's sure who — built a worm that used the same exploit to get into machines, but instead of doing damage, it tried to download the Microsoft patch, install it, and remove Blaster. Malware with a conscience.
The problem was the method. To find vulnerable machines, Nachi pinged them. It didn't ping politely. It didn't ping a few at a time and wait for answers like a census worker going door to door. It flooded. Every infected machine blasted ICMP echo requests at every address in its subnet, then the next subnet, then the next, scanning for hosts that would answer, looking for the vulnerability it was trying to fix. And every machine it successfully infected started doing the same thing. Exponential. Geometric. A cascade of good intentions drowning the network in traffic that was, technically, trying to help.
The cure was worse than the disease. The vigilante burned the city down trying to save it.
The network team started blocking ICMP at the routers, site by site, like cops throwing up roadblocks neighborhood by neighborhood trying to contain a riot. It helped. But it also meant nobody could ping anything, which meant the diagnostic tools everyone relied on were now useless. The doctors couldn't take the patient's pulse because the virus had made the stethoscope toxic.
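One way the morning hunt could have separated a Nachi-style sweeper from a technician running ping, and named the right site for it, without the blanket ICMP block that took the stethoscope away. This is an added example, not code from the original post; it assumes flow records exported as (timestamp, src, dst, proto, icmp_type) tuples and uses constructed, hypothetical subnets and addresses.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed site map (hypothetical subnets): which segment belongs to which facility.
SITES = {
    ip_network("10.10.0.0/24"): "satellite-office",  # the clean segment
    ip_network("10.20.0.0/24"): "tenant-lan",        # unsegmented tenant gear
    ip_network("10.30.0.0/24"): "hq-floor-3",
}

def site_for(ip):
    """Attribute an address to the site whose subnet contains it."""
    addr = ip_address(ip)
    return next((name for net, name in SITES.items() if addr in net), "unknown")

def find_sweepers(flows, window_s=60, min_targets=64):
    """Return {src: distinct echo-request targets} for sources that hit at
    least min_targets distinct hosts inside any window_s-second span.
    A sweep touches hundreds of distinct hosts; troubleshooting with ping
    touches a handful, so distinct-destination count tells them apart."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, itype in flows:
        if proto == "icmp" and itype == 8:        # ICMP type 8 = echo request
            per_src[src].append((ts, dst))
    sweepers = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_s:  # slide the window
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                sweepers[src] = max(sweepers.get(src, 0), len(targets))
    return sweepers

def attribute_sweepers(flows):
    """Map each flagged source to (site, distinct targets) for the report."""
    return {src: (site_for(src), n) for src, n in find_sweepers(flows).items()}

def build_sample_flows():
    """Constructed traffic: an infected tenant host sweeping 10.30.0.0/24 in
    20 seconds, plus an admin on the clean subnet pinging three servers."""
    flows = [(i * 0.1, "10.20.0.77", f"10.30.0.{i}", "icmp", 8)
             for i in range(1, 201)]
    flows += [(5.0 + i, "10.10.0.4", f"10.30.0.{5 + i}", "icmp", 8)
              for i in range(3)]
    flows.append((3.0, "10.10.0.4", "10.30.0.5", "tcp", None))  # not ICMP
    return flows
```

Run on real flow exports, the same window-and-threshold logic leaves ordinary diagnostics alone and attributes each sweeper to the segment it actually sits on rather than the one someone guessed.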
Every job has a Jimmy. The mistake is thinking that tells you what kind.
This Jimmy wasn't a supervisor per se — they weren't in my operation, they worked in the official IT chain. The one with the badge, the title, the enterprise infrastructure under their name. Jimmy was the kind of competent that looks like confidence when things are normal and looks like procedure when things are on fire. They followed the playbook because the playbook had always been enough, and to be fair, the playbook had always been enough. Until it wasn't.
I'd emailed Jimmy when the Sobig messages started landing in my user's inbox. Told them the mail server scanning wasn't catching them. The response came back the same day: run a cleanup utility off a network share. A UNC path to an executable on a file server somewhere in the building. One machine at a time. Log in, run the tool, check the result, report back. Standard procedure. Textbook response.
It was exactly the right thing to do for one infected workstation.
It was not the right thing to do for a network that was on fire across three continents.
Jimmy wasn't wrong. That's the thing about Jimmys. They're almost never wrong. They identified the tool. They pointed to the share. They asked for a status report. Every step was correct. Every step was also completely inadequate for the scale of what was happening, because the playbook was written for incidents and this was a war, and the difference between an incident and a war is that in an incident you follow the procedure and in a war you throw the procedure out and improvise with whatever's still standing.
What was still standing was my subnet.
They came to me. Not because they wanted to. Because they had to. The entire enterprise infrastructure was compromised — every segment, every site, every machine that had been reachable when Nachi started scanning was either infected or clogged with the traffic of infected machines trying to reach it. You can't do forensics in a contaminated lab. You can't autopsy a body while the plague is still in the air. You need a clean room.
I was the clean room. The satellite office. The shadow IT operation that nobody on the org chart thought about twice. The segment that survived because the guy running it was worried about outside visitors and had locked the doors that the enterprise left open.
Jimmy stood in my doorway. Not with the easy confidence of a supervisor checking in on a subordinate. With the look of someone who needed something they couldn't get anywhere else and knew exactly what that meant about the thing they'd been responsible for.
"We need to use your network."
I didn't make them ask twice.
I set up a clean machine — one of mine, freshly imaged, verified clean, and deliberately left missing the RPC patch Nachi was hunting for — and moved it off my subnet onto theirs. Like lowering a sealed container into contaminated water to see what swims in through the vents. A honeypot. An undercover cop sent into the infected precinct with instructions to get mugged and take notes.
We watched. The file drops came exactly the way the advisories said they would — Nachi exploiting the RPC vulnerability, transferring itself to the target, executing, beginning its ping sweep. But now we were watching it happen on a machine we controlled, in real time, without the noise of an already-compromised environment confusing the picture. We could see the sequence. The exploit. The payload. The files it touched, the order it touched them in, the traffic it generated. The autopsy, performed on a fresh victim, in a clean room, by the one team that hadn't been infected.
From there, they could build the remediation plan. Understand the infection chain. Develop the removal sequence. Not from vendor advisories and best guesses, but from direct observation of the worm doing its work on a machine they'd sacrificed on purpose.
The network came back. It always comes back. They cleared the infections site by site, restored ICMP when the scanning traffic died down, patched every machine they could reach, and rebuilt the ones they couldn't. The enterprise team wrote their after-action report. I don't know what it said. I was never on the distribution for that document. I wasn't supposed to be part of the war, and once the war was over, the org chart reasserted itself the way org charts always do — the emergency authority flows back to the people with the titles, and the people who held the line go back to their regular desks and their regular jobs and their regular place in the hierarchy.
But something shifted. Not on the org chart. Nothing that clean. Just... the hallway conversations changed. The people three levels above me who used to walk past my office without looking in now stopped sometimes. Nodded. Asked how things were going. Not because they suddenly understood what I did. Because they remembered standing in my doorway asking to use my network, and that's not the kind of thing you forget about the guy who said yes.
Jimmy went back to their office. Back to their procedures. Back to their enterprise infrastructure, rebuilt and patched and properly segmented this time, the playbook updated with a chapter it didn't have before. Jimmy wasn't a villain. Jimmy wasn't a fool. They were a professional who'd built their career on the assumption that the playbook would be sufficient, and they'd had the particular misfortune of being in charge the one week it wasn't. That's not a character flaw. That's a Tuesday in August.
Months later — long after the triage, long after the honeypot, long after the org chart had reasserted itself and the emergency was just a line item in someone's after-action report — the network infrastructure team was still hunting infected machines. Every morning, a new list. IP addresses, MAC addresses, NetBIOS names, each one another node still scanning the network from the inside. They'd been at it for weeks. And one morning, someone on that team tagged a batch of scanning traffic to my site. My subnet. The one clean segment on the entire network, CC'd to a distribution list of fifteen people as a possible source of infection.
I was already on the phone getting it corrected before the follow-up email landed. Wrong site. Different facility. The scanning machines belonged to another location that had never locked its doors the way I'd locked mine — tenant equipment sitting on the corporate LAN with no segmentation, open for three years, and nobody had thought to ask whether that was a problem until the worm made it one.
The correction went out. Quietly. No reply-all apology. No acknowledgment that the guy who'd spotted the first Sobig emails, who'd provided the clean room for the forensic work, who'd built the honeypot that mapped the infection chain, had just been named as a suspect by people who weren't in the room when any of it happened. The canary who called the fire, blamed for the smoke two months after the building stopped burning.
The worm that burned the network down was trying to save it. That's the part that keeps me up at night, years later. Nachi wasn't written by a criminal. It was written by someone who saw Blaster tearing through the world and thought, I can fix this. And they built a tool that used the same exploit to deliver the cure — the actual Microsoft patch, applied automatically, Blaster removed, vulnerability closed. If it had worked the way its author intended, it would have been the single greatest act of unsanctioned network hygiene in the history of the internet.
But the scanning. The ICMP flood. The exponential cascade of pings that turned the cure into a denial-of-service attack on every network it touched. The author didn't think about the traffic. Didn't think about what happens when ten thousand machines simultaneously start pinging every address they can reach. Didn't think about the difference between a tool that fixes one machine and a tool that tries to fix every machine it can find, all at once, as fast as possible, with no throttle and no grace period and no concept of what a network can absorb before it chokes.
Good intentions. Bad implementation. The vigilante who sets fire to the tenement trying to smoke out the rats.
I keep a clean subnet to this day. Patch cycles. Access control. Threat models based on what actually walks through the door, not what the policy says is allowed. It's not paranoia when the city's burned down once already and you were the one neighborhood that didn't catch fire. It's just maintenance. It's just the job.
Some lessons you only have to learn by watching other people learn them the hard way.
Case closed.