
Code Red and SQL Slammer

Two worms a year and a half apart proved a single UDP packet could saturate the global internet in under fifteen minutes.

Cyber Chronicle · 2 min read

In July 2001, a worm called Code Red began exploiting a buffer overflow in Microsoft's IIS web server. It defaced pages with the text "Hacked By Chinese!", carried a payload that would launch a denial-of-service attack against a White House IP address, and infected on the order of 359,000 hosts within about fourteen hours. It was a preview.

Fifteen minutes to saturation

The full demonstration came in January 2003 with SQL Slammer, also called Sapphire. Slammer exploited a vulnerability in Microsoft SQL Server. Its entire body fit in a single 376-byte UDP packet — no need to establish a connection, no waiting for a response. It simply spat copies of itself at random addresses as fast as the infected host's network link allowed.

The result was the fastest-spreading worm ever measured. Analysis by CAIDA showed Slammer doubling its infected population roughly every 8.5 seconds and infecting the vast majority of vulnerable hosts on the entire internet within about ten minutes. The traffic it generated, not its payload — it had no malicious payload at all — knocked out ATM networks, airline booking systems, and emergency call centers as collateral congestion.

What the chronicle remembers

Code Red and Slammer together established the worst-case propagation curve. Slammer in particular proved that a connectionless, payload-free worm could take a meaningful fraction of the internet offline faster than any human response could be organized. Every later argument for automated patching, network rate-limiting, and ingress filtering traces back to the ten minutes of January 25, 2003.
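
The 8.5-second doubling time and the case for rate-limiting can be put side by side with a simple logistic epidemic model of a random-scanning worm. This is an added example, not part of the original article: the vulnerable population of 75,000 hosts and the single seed host are assumptions, and the model ignores the link congestion that slows a real outbreak.

```python
import math

DOUBLING_TIME_S = 8.5      # early doubling time quoted in the article
VULNERABLE_HOSTS = 75_000  # assumption: population size is not given in the article

def growth_rate(doubling_time_s):
    """Exponential rate r (per second) for a given early doubling time."""
    return math.log(2) / doubling_time_s

def infected_fraction(t, rate, n_hosts=VULNERABLE_HOSTS, seeds=1):
    """Logistic solution of da/dt = r*a*(1-a): random scanning slows as
    more probes land on hosts that are already infected."""
    a0 = seeds / n_hosts
    return 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-rate * t))

def time_to_fraction(target, rate, n_hosts=VULNERABLE_HOSTS, seeds=1):
    """Seconds until `target` (0..1 exclusive) of vulnerable hosts are infected."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    a0 = seeds / n_hosts
    return math.log((target / (1.0 - target)) * ((1.0 - a0) / a0)) / rate

def response_window(scan_slowdown, target=0.9):
    """Time to `target` when each host's scan rate is cut by `scan_slowdown`
    (for example by egress rate limiting); r scales with the scan rate."""
    if scan_slowdown < 1:
        raise ValueError("scan_slowdown must be >= 1")
    return time_to_fraction(target, growth_rate(DOUBLING_TIME_S) / scan_slowdown)

if __name__ == "__main__":
    # Compare the unthrottled outbreak with 10x and 100x slower scanning.
    for k in (1, 10, 100):
        t = response_window(k)
        print(f"scan rate / {k:>3}: 90% infected after {t / 60:6.1f} min")
```

Under these assumptions the unthrottled model reaches 90% of vulnerable hosts in under three minutes, and a tenfold cut in per-host scan rate stretches that to roughly 27 minutes.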