Taking Down the Internet
Dmitry O. Gryaznov, Sr. Research Architect
04/22/23Page 2,
Date: Sat, 25 Jan 2003 05:34:07 GMT
• South Korea “disappears”
• Troubles with U.S. ATMs and flights ticketing
• General Internet slowdown: up to 20% of IP packets lost
W32/SQLSlammer
• Only 376 bytes long
• Exploits a buffer overflow in MS SQL Server
• Spreads by sending itself to UDP port 1434 at random IP addresses
Mass-mailing viruses
• Send thousands of copies by E-mail
• Can affect mailservers badly
• Need to connect to a mailserver and follow a mail protocol
• Require a user
Sample SMTP session
Client: (connects to TCP port 25)
Server: 220 SMTP ready
Client: HELO mydomain.net
Server: 250 Welcome
Client: MAIL FROM:<[email protected]>
Server: 250 Sender OK
Client: RCPT TO:<[email protected]>
Server: 250 Recipient OK
Client: DATA
Server: 354 Send the data
Client: (message content)
Client: .
Server: 250 Accepted for delivery
Client: QUIT
Server: 221 Bye
Typical daily @mm chart (x axis: hour of day, 0-23; figure not reproduced in the transcript)
CodeRed and the like
• Exploit vulnerabilities in TCP servers (e.g. a buffer overflow in MS IIS)
• Need to connect to a server and follow a protocol (e.g. HTTP)
• Do NOT require a user
• Do not affect the Internet noticeably
Sample HTTP session
Client (connects to TCP port 80):
GET /us/index.asp HTTP/1.0
Host: www.somewhere.net

Server:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Last-Modified: Tue, 23 Sep 2003 00:41:05 GMT
Content-Length: 43585
Content-Type: text/html
Connection: close

(43585 bytes of data)
CodeRed.c (aka CodeRed II) chart (x axis ticks 0-20; figure not reproduced in the transcript)
Slammer
• Connectionless UDP, “shoot and forget”
• A single infected PC exhausts 100Mbps bandwidth – over 30,000 “shots” per second; could attack each and every computer on the Internet in less than a day
• Much faster in reality – “chain reaction”; took 10-15 minutes to reach its saturation level at 100-200 thousand infected computers worldwide
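Two points from the slides above, worked through as an added Python example that is not part of the talk: the per-host “shots per second” estimate for a 376-byte datagram on a saturated 100Mbps link, and the flow-level pattern that lets a defender spot an infected host (one source spraying many distinct destinations on UDP/1434 with the worm's fixed payload size). It assumes a 20-byte IPv4 plus 8-byte UDP header per shot and uses constructed flow records in a hypothetical “timestamp proto src sport dst dport bytes” format.

```python
from collections import defaultdict

# Constructed sample flow records (not real telemetry), one per line:
# "timestamp proto src_ip src_port dst_ip dst_port payload_bytes".
# An infected host shows up as one source spraying many distinct destinations
# on UDP/1434 with the worm's fixed 376-byte payload.
SAMPLE_FLOWS = """\
1043472847 UDP 10.0.0.5 1167 192.0.2.17 1434 376
1043472847 UDP 10.0.0.5 1167 198.51.100.9 1434 376
1043472847 UDP 10.0.0.5 1167 203.0.113.44 1434 376
1043472848 UDP 10.0.0.5 1167 192.0.2.201 1434 376
1043472848 UDP 10.0.0.5 1167 203.0.113.8 1434 376
1043472848 TCP 10.0.0.9 3321 192.0.2.50 25 512
1043472849 UDP 10.0.0.12 2001 10.0.0.200 1434 120
"""

SLAMMER_PAYLOAD_LEN = 376   # worm length from the slides
SQL_RESOLUTION_PORT = 1434  # UDP port it is sprayed at
IP_UDP_HEADER_LEN = 28      # assumption: 20-byte IPv4 + 8-byte UDP header, no link framing

def shots_per_second(link_bps, payload_len=SLAMMER_PAYLOAD_LEN):
    """Datagrams per second a host can emit if it saturates `link_bps` with one-payload shots."""
    return link_bps // ((payload_len + IP_UDP_HEADER_LEN) * 8)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, _sport, dst, dport, length = line.split()
            flows.append((int(ts), proto, src, dst, int(dport), int(length)))
    return flows

def find_udp1434_sprayers(flows, window=2, threshold=5):
    """Map src_ip -> max distinct UDP/1434 targets (376-byte payload) seen in any
    `window`-second span, for sources reaching `threshold` or more."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, dport, length in flows:
        if proto == "UDP" and dport == SQL_RESOLUTION_PORT and length == SLAMMER_PAYLOAD_LEN:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the window forward
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= threshold:
            suspects[src] = best
    return suspects
```

With the 28-byte header assumption the 100Mbps figure comes out at 30,940 shots per second, matching the slide's “over 30,000”; the threshold and window are tuning knobs, since a legitimate SQL Server Resolution lookup touches a few known hosts rather than dozens of random ones.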
Slammer hits per hour (chart: y axis 0-3000 hits, x axis 0-6 hours; figure not reproduced in the transcript)
Slammer hits per minute (chart: y axis 0-300 hits, x axis 0-20 minutes; figure not reproduced in the transcript)
Slammer hits per 10 seconds (chart: y axis 0-60 hits; figure not reproduced in the transcript)
Slammer: First 5 minutes
Is it possible to take down the Internet?
• 100-200 thousand Slammer-infected computers – 20% IP packets lost
• 1,000,000 computers - ?
• 580,000,000 Internet users worldwide
• Over 14,000 different “backdoors” in Usenet in May-June 2003; millions of readers
• IRC, P2P, etc.
The WildList: Asia (source: WildList Org.; chart: y axis 0-240, series Worldwide, Japan, Israel, India, Korea; figure not reproduced in the transcript)
The WildList: Israel (source: WildList Org.; chart: y axis 0-80; figure not reproduced in the transcript)
The WildList: India (source: WildList Org.; chart: y axis 0-80, x axis quarterly from Jan-99 to Jul-03; figure not reproduced in the transcript)
The WildList: Japan, by Seiji Murakami (IPA) (source: WildList Org.; chart: y axis 0-100; figure not reproduced in the transcript)
The WildList: Korea (source: WildList Org.; chart: y axis 0-200; figure not reproduced in the transcript)
The WildList: Australia (source: WildList Org.; chart: y axis 0-60; figure not reproduced in the transcript)
The WildList: Asia (source: WildList Org.; chart: y axis 0-240, series Worldwide, Korea, Australia; figure not reproduced in the transcript)