The Spread of the Sapphire/Slammer Worm - PowerPoint PPT Presentation

Title: The Spread of the Sapphire/Slammer Worm
Slides: 9
Provided by: csNorth
Transcript and Presenter's Notes

Title: The Spread of the Sapphire/Slammer Worm


1
The Spread of the Sapphire/Slammer Worm
  • D. Moore, V. Paxson, S. Savage, C. Shannon, S.
    Staniford, N. Weaver
  • Presented by Stefan Birrer

2
Sapphire Worm
  • Fastest computer worm in history
  • Doubled size every 8.5 seconds
  • 90% of vulnerable hosts within 10 minutes
  • aka Slammer
  • January 25 2003
  • Microsoft's SQL Server
  • Flaw was discovered in July 2002
  • Patch was released before the flaw was announced
  • 75000 hosts

3
Why?
  • Patch was released half a year before outbreak
  • Service is generally not publicly used (port
    1434)
  • If users had not been so ignorant, this worm would
    never have existed
  • Firewalls were known before
  • Their benefits were known as well
  • Vulnerability was known
  • None of the affected systems had applied the patch

4
Sapphire: A Random Scanning Worm
  • Exponentially rapid growth
  • Random constant spread (RCS) model
  • Spread initially conformed to the RCS model, before it
    began to saturate
  • Bandwidth-limited (only one-way communication)
  • Send and never care
  • Latency-limited
  • Send and wait for response (RTT)
  • 30,000 scans/second
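The RCS model behind slide 4 is the logistic equation da/dt = K·a·(1 − a), where a is the fraction of vulnerable hosts infected and K is the rate at which one infected host compromises others. The following is an added worked example (not code from the slides or from the paper) that ties the model to the figures on slide 2: it derives K from the 8.5 s doubling time, solves the equation in closed form, and checks the closed form against a simple forward-Euler simulation. The 75,000-host population and a single initial infection are taken from slide 2; the step size and time horizon are assumptions.

```python
import math

# Random Constant Spread (RCS) model:
#   da/dt = K * a * (1 - a)
# a(t) : fraction of the vulnerable population infected at time t (seconds)
# K    : compromises per second per infected host
# Closed form with a(0) = a0:  a(t) = a0 * e^{Kt} / (1 - a0 + a0 * e^{Kt})


def compromise_rate_from_doubling(doubling_seconds: float) -> float:
    """Early in the outbreak a << 1, so da/dt ~ K*a and a grows like e^{Kt}.
    A doubling time T_d therefore corresponds to K = ln(2) / T_d."""
    return math.log(2) / doubling_seconds


def rcs_fraction(t: float, k: float, a0: float) -> float:
    """Closed-form solution of the logistic RCS equation at time t."""
    e = math.exp(k * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Invert the closed form: seconds until a(t) reaches `target`."""
    odds_now = a0 / (1.0 - a0)
    odds_target = target / (1.0 - target)
    return math.log(odds_target / odds_now) / k


def simulate_rcs(k: float, a0: float, dt: float, t_end: float):
    """Forward-Euler integration of da/dt = K a (1 - a).
    Returns a list of (t, a) samples; useful to sanity-check the closed form."""
    a, t, samples = a0, 0.0, []
    while t <= t_end:
        samples.append((t, a))
        a += k * a * (1.0 - a) * dt
        t += dt
    return samples


if __name__ == "__main__":
    K = compromise_rate_from_doubling(8.5)  # slide 2: size doubled every 8.5 s
    A0 = 1.0 / 75_000                        # slide 2: ~75,000 hosts, one seed (assumed)
    print(f"K = {K:.4f} compromises/s per infected host")
    for frac in (0.5, 0.9):
        print(f"{int(frac * 100)}% infected after {time_to_fraction(frac, K, A0):.0f} s")
```

Under the pure RCS model the 90% mark arrives in under three minutes; the slower observed figure on slide 2 is the saturation effect the next bullet on slide 4 refers to, which the model does not capture.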

5
Pseudo Random Number Generator (PRNG)
  • X' = (X × a + b) mod m
  • Very efficient
  • Reasonably good distributional properties
  • Implementation flaws
  • One worm didn't scan the full network
  • However, all worms together still reached the
    full network
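Slide 5 makes two points about the linear congruential generator X' = (X × a + b) mod m: with well-chosen constants it walks the whole address space, and with a flawed implementation a single instance only ever visits a subset, while several instances started from different seeds can still cover everything between them. The following added example (written for this page, not taken from the slides or the paper) demonstrates that general behaviour on a small modulus. The constants a = 5, b = 3 (full period) and a = 5, b = 2 (flawed) and the modulus 2^12 are constructed for illustration and are not the worm's actual parameters; the Hull–Dobell conditions used to predict full period are the standard ones for a power-of-two modulus.

```python
def lcg_orbit(a: int, b: int, m: int, seed: int) -> set:
    """Set of distinct values visited by x' = (a*x + b) mod m starting at `seed`,
    i.e. the generator's orbit before it repeats."""
    seen = set()
    x = seed % m
    while x not in seen:
        seen.add(x)
        x = (a * x + b) % m
    return seen


def coverage(a: int, b: int, m: int, seeds) -> float:
    """Fraction of the m-element space reached by the union of orbits from `seeds`
    (several independent instances of the same generator)."""
    union = set()
    for s in seeds:
        union |= lcg_orbit(a, b, m, s)
    return len(union) / m


def hull_dobell_power_of_two(a: int, b: int, m: int) -> bool:
    """Hull-Dobell full-period conditions specialised to m = 2^k, k >= 2:
    the increment b must be odd and the multiplier a must satisfy a % 4 == 1."""
    assert m >= 4 and m & (m - 1) == 0, "m must be a power of two >= 4"
    return b % 2 == 1 and a % 4 == 1


# Constructed illustration parameters (NOT the worm's constants).
M = 2 ** 12        # small address space so the orbits are cheap to enumerate
GOOD = (5, 3)      # satisfies Hull-Dobell: one instance visits every value
FLAWED = (5, 2)    # even increment: parity of x never changes, so an instance
                   # only ever visits half the space


if __name__ == "__main__":
    for name, (a, b) in (("good", GOOD), ("flawed", FLAWED)):
        print(f"{name}: full period predicted = {hull_dobell_power_of_two(a, b, M)}")
        print(f"  one instance (seed 0)   covers {coverage(a, b, M, [0]):.2f}")
        print(f"  two instances (seeds 0,1) cover {coverage(a, b, M, [0, 1]):.2f}")
```

The defensive reading of this is the one slide 5 draws: coverage statistics of one captured instance say little about the aggregate reach of an outbreak, because independently seeded instances fill in each other's gaps.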

6
Spread and Operator Response
  • 55 million scans per second across the Internet
    in under 3 minutes
  • Destination port was fixed (UDP port 1434)
  • Not widely used
  • Easy to block
  • Constant scan rate
  • Easy to identify
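Slide 6 says the worm was easy to identify because every probe went to the same, rarely used UDP port at a constant rate. The following added example (not from the slides or the paper) turns that observation into a small detector over flow records: it buckets UDP/1434 flows per source into one-second windows and flags any source that reaches many distinct destinations within a window. The flow tuples, the addresses, the window size and the threshold of 50 destinations are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, proto, dst_port)


def constructed_flows():
    flows = []
    # A scanning source: 200 probes to 200 distinct hosts within one second.
    for i in range(200):
        flows.append((i * 0.004, "192.0.2.10", f"10.{i // 256}.{i % 256}.7", "UDP", 1434))
    # A benign application server talking to a handful of database hosts.
    for i in range(5):
        flows.append((0.3 + i * 0.1, "192.0.2.20", f"10.0.9.{i}", "UDP", 1434))
    # Unrelated TCP traffic that must be ignored by a UDP/1434 rule.
    flows.append((0.5, "192.0.2.10", "10.0.0.1", "TCP", 1433))
    return flows


def detect_port_scanners(flows, port=1434, proto="UDP", window_s=1.0, min_dsts=50):
    """Return {src: [(window_start, distinct_destinations), ...]} for every source
    that contacted at least `min_dsts` distinct hosts on proto/port inside one window.
    Counting distinct destinations rather than packets singles out scanning."""
    buckets = defaultdict(set)  # (src, window_index) -> set of destinations
    for ts, src, dst, pr, dport in flows:
        if pr != proto or dport != port:
            continue
        buckets[(src, int(ts // window_s))].add(dst)

    alerts = defaultdict(list)
    for (src, w), dsts in sorted(buckets.items()):
        if len(dsts) >= min_dsts:
            alerts[src].append((w * window_s, len(dsts)))
    return dict(alerts)


if __name__ == "__main__":
    for src, windows in detect_port_scanners(constructed_flows()).items():
        for start, n in windows:
            print(f"{src}: {n} distinct UDP/1434 destinations in window starting {start:.0f}s")
```

Because the scan rate is constant, a source that trips this rule keeps tripping it in every successive window, which is also why the port could simply be blocked at the perimeter as the slide suggests.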

7
Conclusions
  • Speed is not dependent on protocol
  • Smaller population as a target, and therefore a smaller
    threat
  • 20,000 nodes in under one hour
  • What would happen if it stopped scanning after 10
    minutes?
  • Hard to identify attack
  • Hard to identify infected machines
  • World became aware of the threat (at least for some
    time)
  • One could think it was a lesson, but history
    proves us wrong (How many email worms do you get
    per day?)

8
  • ?