
The Spread of the Sapphire/Slammer Worm

D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver. Presented by Stefan Birrer.


Presentation Transcript


  1. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver. Presented by Stefan Birrer. The Spread of the Sapphire/Slammer Worm

  2. Sapphire Worm
     • Fastest computer worm in history
     • Doubled in size every 8.5 seconds
     • Infected 90% of vulnerable hosts within 10 minutes
     • aka Slammer
     • January 25, 2003
     • Microsoft's SQL Server
     • Flaw was discovered in July 2002
     • Patch was released before it was announced
     • 75,000 hosts

  3. Why?
     • Patch was released half a year before the outbreak
     • Service is generally not publicly used (port 1434)
     • If users were not so ignorant, this worm would never have existed
     • Firewalls were known before
     • Also their benefit
     • Vulnerability was known
     • All affected systems had not applied the patch

  4. Sapphire: A Random Scanning Worm
     • Rapid exponential spread
     • Random constant spread (RCS) model
     • Spread initially conformed to the RCS model, before it began to saturate
     • Bandwidth-limited (only one-way communication)
     • Send and never care
     • Latency-limited
     • Send and wait for response (RTT)
     • 30,000 scans/second

  5. Pseudo Random Number Generator (PRNG)
     • X' = (X * a + b) mod m
     • Very efficient
     • Reasonably good distributional properties
     • Implementation flaws
     • One worm didn't scan the full network
     • However, all worms together still reached the full network

  6. Spread and Operator Response
     • 55 million scans per second across the Internet in under 3 minutes
     • Destination port was fixed (UDP port 1434)
     • Not widely used
     • Easy to block
     • Constant scan rate
     • Easy to identify

  7. Conclusions
     • Speed is not dependent on protocol
     • Smaller population as a target and therefore threat
     • 20,000 nodes in under one hour
     • What would happen if it stopped scanning after 10 minutes?
     • Hard to identify attack
     • Hard to identify infected machines
     • World became aware of the threat (at least for some time)
     • One could think it was a lesson, but history proves us wrong (How many email worms do you get per day?)

  8. ?
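
The effect described on slide 5, as an added example that is not part of the presentation: a toy generator of the form X' = (X * a + b) mod m over a 16-bit space, showing how a badly chosen increment splits the state space into disjoint cycles, so that one instance reaches only part of it while instances with different seeds together reach all of it. The modulus, constants, seeds and function names are assumptions constructed for illustration; they are not the worm's values.

```python
# Added illustration: cycle structure of X' = (X * a + b) mod m.
# All constants below are constructed for the example, not taken from the worm.

M = 2 ** 16          # toy state space standing in for the address space
A = 5                # multiplier with A % 4 == 1
B_GOOD = 1           # odd increment: one cycle through all M states
B_FLAWED = 2         # even increment: the parity of X never changes


def lcg_orbit(seed, a, b, m=M):
    """Return the set of states a single generator instance ever visits."""
    seen = set()
    x = seed % m
    # a is odd, so the map is a bijection and the walk closes into a cycle.
    while x not in seen:
        seen.add(x)
        x = (x * a + b) % m
    return seen


def coverage(seeds, a, b, m=M):
    """Fraction of the space reached by the union of several instances."""
    reached = set()
    for s in seeds:
        reached |= lcg_orbit(s, a, b, m)
    return len(reached) / m


if __name__ == "__main__":
    # One correctly parameterised instance walks the whole space.
    print("good, one seed:     ", coverage([12345], A, B_GOOD))
    # With the flawed increment an odd seed only ever produces odd states.
    print("flawed, one seed:   ", coverage([12345], A, B_FLAWED))
    # Seeds of both parities between them still reach every state.
    print("flawed, mixed seeds:", coverage([12345, 777, 4096], A, B_FLAWED))
```

For anyone reading sensor or telescope data, this is why the addresses probed by a single source can show systematic gaps even though the population as a whole covers the space.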
