The Spread of the Sapphire/Slammer Worm

D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver

Presented by Stefan Birrer


Post on 02-Jan-2016



Sapphire Worm

● Fastest computer worm in history
● Doubled in size every 8.5 seconds
● 90% of vulnerable hosts within 10 minutes
● aka Slammer
● January 25 2003
● Microsoft's SQL Server
  – Flaw was discovered in July 2002
  – Patch was released before it was announced
● 75000 hosts


Why?

● Patch was released half a year before outbreak
● Service is generally not publicly used (port 1434)
● If users were not so ignorant, this worm would never have existed
  – Firewalls were already known
  – So was their benefit
  – Vulnerability was known
  – All affected systems had not applied the patch


Sapphire: A Random Scanning Worm

● Rapid exponential spread
● Random constant spread (RCS) model
● Spread initially conformed to the RCS, before it began to saturate
● Bandwidth-limited (only one-way communication)
  – Send and never care
  – Latency-limited
● Send and wait for response (RTT)
● 30,000 scans/second
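The RCS model named on this slide, worked through with the deck's own figures (8.5-second doubling, 75000 hosts); this is an added example, not part of the presentation. The logistic form da/dt = K·a·(1−a), a single initial host and a 2^32 address space are assumptions.

```python
import math

ADDRESS_SPACE = 2 ** 32  # assumption: scanner picks uniformly from all IPv4 addresses

def growth_rate(doubling_time_s):
    """Early-phase exponential rate K implied by a doubling time."""
    return math.log(2) / doubling_time_s

def infected_fraction(t, k, n_vulnerable, initial=1):
    """Closed-form RCS (logistic) solution of da/dt = K*a*(1-a)."""
    a0 = initial / n_vulnerable
    odds = a0 / (1 - a0) * math.exp(k * t)
    return odds / (1 + odds)

def time_to_fraction(target, k, n_vulnerable, initial=1):
    """Seconds until `target` fraction of vulnerable hosts is infected."""
    a0 = initial / n_vulnerable
    return (math.log(target / (1 - target)) - math.log(a0 / (1 - a0))) / k

def implied_scan_rate(k, n_vulnerable):
    """Per-host scans/second that yields K, since K = rate * N / address space."""
    return k * ADDRESS_SPACE / n_vulnerable

def simulate(k, n_vulnerable, target, dt=0.1, initial=1):
    """Step the scan process directly: each infected host probes random
    addresses; a probe succeeds when it lands on a not-yet-infected host."""
    rate = implied_scan_rate(k, n_vulnerable)
    infected, t = float(initial), 0.0
    while infected < target * n_vulnerable:
        hit_probability = (n_vulnerable - infected) / ADDRESS_SPACE
        infected += infected * rate * hit_probability * dt
        t += dt
    return t

if __name__ == "__main__":
    K = growth_rate(8.5)   # slide: doubled every 8.5 seconds
    N = 75000              # slide: 75000 hosts
    print(f"K = {K:.4f}/s, implied scan rate = {implied_scan_rate(K, N):.0f}/s per host")
    for frac in (0.01, 0.5, 0.9):
        print(f"{frac:>4.0%} infected after {time_to_fraction(frac, K, N):6.1f} s")
    print(f"step simulation reaches 90% at {simulate(K, N, 0.9):.1f} s")
```

Under these assumptions the pure model reaches 90% in under three minutes, sooner than the 10 minutes the slides report, which fits the slide's remark that the spread followed RCS only until it began to saturate.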


Pseudo Random Number Generator (PRNG)

● X' = (X * a + b) mod m
  – Very efficient
  – Reasonably good distributional properties
● Implementation flaws
  – One worm didn't scan the full network
  – However, all worms together still reached the full network


Spread and Operator Response

● 55 million scans per second across the Internet in under 3 minutes

● Destination port was fixed (UDP port 1434)
  – Not widely used
  – Easy to block
● Constant scan rate
  – Easy to identify


Conclusions

● Speed is not dependent on protocol
● Smaller population as a target and therefore threat
  – 20,000 nodes in under one hour
● What would happen if it stopped scanning after 10 minutes?
  – Hard to identify attack
  – Hard to identify infected machines
● World became aware of the threat (at least for some time)
  – One could think it was a lesson, but history proves us wrong (How many email worms do you get per day?)


?