
Taking Down the Internet

Taking Down the Internet. Dmitry O. Gryaznov, Sr. Research Architect. Date: Sat, 25 Jan 2003 05:34:07 GMT. South Korea “disappears”; troubles with U.S. ATMs and flight ticketing; general Internet slowdown: up to 20% of IP packets lost. W32/SQLSlammer: only 376 bytes long.


Presentation Transcript


  1. Taking Down the Internet Dmitry O. Gryaznov, Sr. Research Architect

  2. Date: Sat, 25 Jan 2003 05:34:07 GMT
     • South Korea “disappears”
     • Troubles with U.S. ATMs and flight ticketing
     • General Internet slowdown: up to 20% of IP packets lost

  3. W32/SQLSlammer
     • Only 376 bytes long
     • Exploits a buffer overflow in MS SQL Server
     • Spreads by sending itself to UDP port 1434 at random IP addresses

  4. Mass-mailing viruses
     • Send thousands of copies by e-mail
     • Can affect mail servers badly
     • Need to connect to a mail server and follow a mail protocol
     • Require a user

  5. Sample SMTP session

     Client                            Server
     (connects to TCP port 25)         220 SMTP ready
     HELO mydomain.net                 250 Welcome
     MAIL FROM:<me@mydomain.net>       250 Sender OK
     RCPT TO:<you@yourdomain.net>      250 Recipient OK
     DATA                              354 Send the data
     (message content)
     .                                 250 Accepted for delivery
     QUIT                              221 Bye

  6. Typical daily @mm chart

  7. CodeRed and the like
     • Exploit vulnerabilities in TCP servers (e.g. a buffer overflow in MS IIS)
     • Need to connect to a server and follow a protocol (e.g. HTTP)
     • Do NOT require a user
     • Do not affect the Internet noticeably

  8. Sample HTTP session

     Client                            Server
     (connects to TCP port 80)
     GET /us/index.asp HTTP/1.0
     Host: www.somewhere.net
                                       HTTP/1.1 200 OK
                                       Server: Microsoft-IIS/5.0
                                       Last-Modified: Tue, 23 Sep 2003 00:41:05 GMT
                                       Content-Length: 43585
                                       Content-Type: text/html
                                       Connection: close
                                       (43585 bytes of data)

  9. CodeRed.c (aka CodeRed II)

  10. Slammer
      • Connectionless UDP, “shoot and forget”
      • A single infected PC exhausts 100Mbps bandwidth – over 30,000 “shots” per second; could attack each and every computer on the Internet in less than a day
      • Much faster in reality – “chain reaction”; took 10-15 minutes to reach its saturation level at 100-200 thousand infected computers worldwide

  11. Slammer hits per hour

  12. Slammer hits per minute

  13. Slammer hits per 10 seconds

  14. Slammer: First 5 minutes

  15. Slammer: First 5 minutes

  16. Is it possible to take down the Internet?
      • 100-200 thousand Slammer-infected computers – 20% IP packets lost
      • 1,000,000 computers - ?
      • 580,000,000 Internet users worldwide
      • Over 14,000 different “backdoors” in Usenet in May-June 2003; millions of readers
      • IRC, P2P, etc.

  17. Slammer: First 5 minutes

  18. The WildList Asia Source: WildList Org.

  19. The WildList Israel Source: WildList Org.

  20. The WildList India Source: WildList Org.

  21. The WildList Japan - Seiji Murakami (IPA) Source: WildList Org.

  22. The WildList Korea Source: WildList Org.

  23. The WildList Australia Source: WildList Org.

  24. The WildList Asia Source: WildList Org.
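
The traffic pattern slides 3 and 10 describe (one source sending single 376-byte datagrams to UDP port 1434 at many different addresses, with no session to follow) is easy to recognise in flow data. The sketch below is an added example, not part of the original presentation; the flow-record layout, the threshold values and every address in it are constructed assumptions, and the 376 bytes are taken to be the UDP payload length.

```python
from collections import defaultdict

SLAMMER_PORT = 1434     # UDP port named on slide 3
SLAMMER_PAYLOAD = 376   # worm length from slide 3, assumed to be the UDP payload size


def sample_flows():
    """Constructed flow records: (ts_seconds, src, dst, proto, dst_port, payload_bytes)."""
    flows = []
    # Constructed scanning host: 200 datagrams to 200 distinct addresses in one second.
    for i in range(200):
        flows.append((100.0 + i / 200, "10.0.0.5", f"203.0.113.{i + 1}",
                      "udp", SLAMMER_PORT, SLAMMER_PAYLOAD))
    # Constructed legitimate client: repeated small queries to a single SQL server.
    for i in range(20):
        flows.append((100.0 + i, "10.0.0.9", "10.0.0.20", "udp", SLAMMER_PORT, 12))
    # Constructed unrelated web traffic.
    flows.append((100.2, "10.0.0.7", "192.0.2.10", "tcp", 80, 512))
    return flows


def find_scanners(flows, window_s=1.0, min_targets=50):
    """Return {src: peak distinct destinations per window} for sources that
    sent Slammer-sized datagrams to UDP/1434 at min_targets or more distinct
    addresses inside one time window."""
    targets = defaultdict(set)          # (src, window index) -> destinations
    for ts, src, dst, proto, dport, size in flows:
        if proto == "udp" and dport == SLAMMER_PORT and size == SLAMMER_PAYLOAD:
            targets[(src, int(ts // window_s))].add(dst)
    hits = {}
    for (src, _window), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


if __name__ == "__main__":
    for src, fanout in find_scanners(sample_flows()).items():
        print(f"{src}: {fanout} distinct UDP/{SLAMMER_PORT} targets in one window")
```

The legitimate client also talks to UDP port 1434, but it has one destination and a different payload size, so only the fan-out source is reported.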
