The Spread of the Sapphire/Slammer Worm
1
The Spread of the Sapphire/Slammer Worm
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver
Presented by Stefan Birrer
2
Sapphire Worm
● Fastest computer worm in history
● Doubled in size every 8.5 seconds
● Infected 90% of vulnerable hosts within 10 minutes
● aka Slammer
● January 25, 2003
● Microsoft's SQL Server
– Flaw was discovered in July 2002
– Patch was released before the flaw was announced
● 75,000 hosts
3
Why?
● Patch was released half a year before the outbreak
● Service is generally not publicly used (port 1434)
● If users had not been so ignorant, this worm would never have existed
– Firewalls were known before
– Also their benefit
– Vulnerability was known
– None of the affected systems had applied the patch
4
Sapphire: A Random Scanning Worm
● Exponentially rapid growth
● Random constant spread (RCS) model
● Spread initially conformed to the RCS model, before it began to saturate
● Bandwidth-limited (only one-way communication)
– Send and never care
● Latency-limited
– Send and wait for a response (RTT)
● 30,000 scans/second
5
Pseudo Random Number Generator (PRNG)
● X' = (X * a + b) mod m
– Very efficient
– Reasonably good distributional properties
● Implementation flaws
– One worm instance didn't scan the full network
– However, all worm instances together still reached the full network
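The PRNG point on this slide, as an added Python example that is not part of the paper or the presentation: a generator of the slide's form X' = (X * a + b) mod m, run over a constructed 256-address toy space with illustrative constants (assumptions, not the worm's real values), to show how a flawed increment leaves one instance covering only part of the space while differently seeded instances together still cover all of it, together with the Hull-Dobell full-period check a defender can use to tell the two cases apart.

```python
import math
from typing import Iterable, Set

# Constructed toy setting: a 256-address "network" (m = 2**8) stands in for
# the worm's 32-bit address space. The constants used below are illustrative,
# not the worm's own; the generator is the slide's X' = (X * a + b) mod m.
M = 2 ** 8

def lcg_orbit(seed: int, a: int, b: int, m: int = M) -> Set[int]:
    """Addresses one instance scans: every X' = (X*a + b) mod m reached
    from `seed` until the sequence repeats."""
    seen: Set[int] = set()
    x = seed % m
    while x not in seen:
        seen.add(x)
        x = (x * a + b) % m
    return seen

def coverage(seeds: Iterable[int], a: int, b: int, m: int = M) -> float:
    """Fraction of the address space reached by independently seeded instances."""
    covered: Set[int] = set()
    for s in seeds:
        covered |= lcg_orbit(s, a, b, m)
    return len(covered) / m

def prime_factors(n: int) -> Set[int]:
    """Distinct prime factors of n (trial division; fine for small m)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def hull_dobell_full_period(a: int, b: int, m: int) -> bool:
    """Hull-Dobell test: the LCG visits every residue mod m iff gcd(b, m) = 1,
    a - 1 is divisible by every prime factor of m, and by 4 when 4 divides m."""
    if math.gcd(b, m) != 1:
        return False
    if any((a - 1) % p for p in prime_factors(m)):
        return False
    return not (m % 4 == 0 and (a - 1) % 4)

if __name__ == "__main__":
    # a=5, b=3 passes Hull-Dobell; a=5, b=2 (even increment) preserves the
    # parity of X, so a single instance only ever reaches half the addresses.
    print(coverage([0], 5, 3), coverage([0], 5, 2), coverage([0, 1], 5, 2))
```

With the even increment, seeds 0 and 2 land on the same cycle and add nothing to each other, while seeds 0 and 1 split the space between them; this is the "one instance misses part of the network, all instances together reach it" effect in miniature.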
6
Spread and Operator Response
● 55 million scans per second across the Internet in under 3 minutes
● Destination port was fixed (UDP port 1434)
– Not widely used
– Easy to block
● Constant scan rate
– Easy to identify
7
Conclusions
● Speed is not dependent on the protocol
● Even a smaller target population is a threat
– 20,000 nodes in under one hour
● What would happen if it stopped scanning after 10 minutes?
– Hard to identify the attack
– Hard to identify infected machines
● The world became aware of the threat (at least for some time)
– One could think it was a lesson, but history proves us wrong (how many email worms do you get per day?)
8
?