Taking Down the Internet

Dmitry O. Gryaznov, Sr. Research Architect


Date: Sat, 25 Jan 2003 05:34:07 GMT

  • South Korea “disappears”

  • Troubles with U.S. ATMs and flight ticketing

  • General Internet slowdown: up to 20% of IP packets lost


W32/SQLSlammer

  • Only 376 bytes long

  • Exploits a buffer overflow in MS SQL Server

  • Spreads by sending itself to UDP port 1434 at random IP addresses


Mass-mailing viruses

  • Send thousands of copies by E-mail

  • Can affect mailservers badly

  • Need to connect to a mailserver and follow a mail protocol

  • Require a user


Sample SMTP session

Client                          Server
(connects to TCP port 25)       220 SMTP ready
HELO mydomain.net               250 Welcome
MAIL FROM:<[email protected]>      250 Sender OK
RCPT TO:<[email protected]>        250 Recipient OK
DATA                            354 Send the data
(message content)
.                               250 Accepted for delivery
QUIT                            221 Bye


Typical daily @mm chart


CodeRed and the like

  • Exploit vulnerabilities in TCP servers (e.g. a buffer overflow in MS IIS)

  • Need to connect to a server and follow a protocol (e.g. HTTP)

  • Do NOT require a user

  • Do not affect the Internet noticeably


Sample HTTP session

Client                          Server
(connects to TCP port 80)
GET /us/index.asp HTTP/1.0
Host: www.somewhere.net
                                HTTP/1.1 200 OK
                                Server: Microsoft-IIS/5.0
                                Last-Modified: Tue, 23 Sep 2003 00:41:05 GMT
                                Content-Length: 43585
                                Content-Type: text/html
                                Connection: close
                                (43585 bytes of data)


CodeRed.c (aka CodeRed II)


Slammer

  • Connectionless UDP, “shoot and forget”

  • A single infected PC exhausts 100 Mbps bandwidth – over 30,000 “shots” per second; could attack each and every computer on the Internet in less than a day

  • Much faster in reality – “chain reaction”; took 10-15 minutes to reach its saturation level at 100-200 thousand infected computers worldwide
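
Added example (not part of the original slides): a detector a defender could run over flow records to spot the pattern the slides describe, one source sending 376-byte datagrams to UDP port 1434 at many different addresses within a short time. The flow-record layout, the one-second window and the fan-out threshold are assumptions, and the sample records are constructed.

```python
"""Flag sources whose UDP/1434 traffic fans out like a random-scanning worm."""
from collections import defaultdict, deque

SQL_PORT = 1434         # UDP port named on the slides
WORM_LEN = 376          # worm length in bytes named on the slides
WINDOW_S = 1.0          # assumed sliding window, in seconds
MIN_DISTINCT_DSTS = 20  # assumed fan-out threshold; tune per network


def find_scanners(flows, window=WINDOW_S, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: {"peak_fanout": int, "exact_len": bool}} for flagged sources.

    flows: (ts, src, dst, proto, dport, payload_len) tuples sorted by ts
    (an assumed record layout, not any particular collector's format).
    """
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, proto, dport, plen in flows:
        if proto != "udp" or dport != SQL_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        fanout = len({d for _, d in q})  # distinct destinations, not packet count
        if fanout >= min_dsts:
            hit = flagged.setdefault(src, {"peak_fanout": 0, "exact_len": False})
            hit["peak_fanout"] = max(hit["peak_fanout"], fanout)
            # a 376-byte payload while over threshold raises confidence
            hit["exact_len"] = hit["exact_len"] or plen == WORM_LEN
    return flagged


def sample_flows():
    """Constructed records: a scanning host, a normal SQL client, a DNS client."""
    flows = []
    for i in range(60):  # 10.0.0.5 reaches 60 different addresses in 0.6 s
        dst = f"198.18.{i}.{(i * 37) % 256}"
        flows.append((i * 0.01, "10.0.0.5", dst, "udp", SQL_PORT, WORM_LEN))
    for i in range(5):   # 10.0.0.9 keeps querying one known SQL server
        flows.append((i * 0.1, "10.0.0.9", "10.0.1.20", "udp", SQL_PORT, 1))
    for i in range(40):  # 10.0.0.7 is busy on UDP/53, which is out of scope
        flows.append((i * 0.01, "10.0.0.7", f"192.0.2.{i}", "udp", 53, 40))
    return sorted(flows)


if __name__ == "__main__":
    for src, info in find_scanners(sample_flows()).items():
        print(src, info)
```

Counting distinct destinations rather than packets is what separates this traffic from a busy but legitimate client that talks to one SQL server.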


Slammer hits per hour


Slammer hits per minute


Slammer hits per 10 seconds


Slammer: First 5 minutes


Slammer: First 5 minutes


Is it possible to take down the Internet?

  • 100-200 thousand Slammer-infected computers – 20% IP packets lost

  • 1,000,000 computers - ?

  • 580,000,000 Internet users worldwide

  • Over 14,000 different “backdoors” in Usenet in May-June 2003; millions of readers

  • IRC, P2P, etc.


Slammer: First 5 minutes


The WildList Asia

Source: WildList Org.


The WildList Israel

Source: WildList Org.


The WildList India

Source: WildList Org.


The WildList Japan - Seiji Murakami (IPA)

Source: WildList Org.


The WildList Korea

Source: WildList Org.


The WildList Australia

Source: WildList Org.


The WildList Asia

Source: WildList Org.

