
Sapphire worm impact on Internet routing

This article discusses the impact of the Sapphire Worm on Internet routing, including analysis methods, results, and future works. It also provides information on Korean ASes and their involvement in the worm's propagation.



  1. Sapphire worm impact on Internet routing
  Dongkee Lee
  Retreat (late Winter, 2005) -- Dongkee LEE (dklee@an.kaist.ac.kr)

  2. Overview
  • Introduction to Sapphire worm
  • Analysis methods
  • Results
  • Discussion
  • Future works

  3. Sapphire worm (reference [1], [2])
  Also called Slammer, SQLSlammer, W32.Slammer
  • Began at 5:30 AM (UTC) on Saturday Jan 25th.
  • Systems affected: Microsoft SQL Server 2000, Microsoft Desktop Engine (MSDE) 2000
  "Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp." - CERT Advisory CA-2003-04

  4. Sapphire worm (reference [1], [2])
  Sat Jan 05:29:00 2003 (UTC) - Infected with Sapphire: 0
  Sat Jan 06:30:00 2003 (UTC) - Infected with Sapphire: 74855
  Most vulnerable machines were infected within 10 minutes of the worm's release.

  5. Sapphire worm
  Caused considerable harm simply by overloading networks and taking database servers out of operation. Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm.
  • Outbound traffic to external addresses on UDP port 1434.
  • Large amount of ICMP Unreachable messages aimed at server systems.
  • SQL resolution service failure.
  • Performance degradation.
  • Scanning.

  6. Routeviews - 1 (reference http://routeviews.org)
  • University of Oregon - Routeviews project. Routing information repository for:
    Analysis of BGP routing table dynamics.
    Work on routing table growth.
    Analysis of geographic scope of routing announcements.
  • Routeviews routers:
    route-views.eqix.routeviews.org
    route-views.isc.routeviews.org
    route-views.linx.routeviews.org
    route-views.oregon-ix.net
    route-views.wide.routeviews.org
    route-views2.oregon-ix.net
    route-views3.routeviews.org

  7. Routeviews - 2 (reference http://routeviews.org)
  • Peer list - http://routeviews.org/peers/
  • route-views2.oregon-ix has no Korean peers.

  8. Korean ASes (reference NIDA and ISIS)
  • http://www.cidr-report.org/autnums.html , 362 Korean ASes
  • 8 Major Korean ASes
    AS4766 KORNET
    AS3786 DACOM
    AS9457 DREAMX
    AS9277 THRUNET
    AS9318 HANANET
    AS7563, 9768 PUBNET
    AS4670, 4664 SHINBIRO
    AS9848 ENTERPRISENET
  • 16 Other Korean ASes
    AS17832 6KANET
    AS4663 ELIMNET
    AS10038 FWINet
    AS17864 HANVITINB
    AS9695 KITINET
    AS5051 KOLNET
    AS9488 KREN
    AS1237, 7623, 17579 KREONET
    AS9701 KRLINE
    AS7557 KTNET
    AS9316 PUBNETPLUS
    AS9689 QRIXNET
    AS10171 SKTelink
    AS10049 SKNETWORKS
    AS9644 SKSpeedNet
    AS6619 SAMSUNGNETWORKS

  9. Scripts
  http://an.kaist.ac.kr/~dklee/research/iram/
  Sample BGP4MP update records (fields of interest: announced prefix, AS-PATH, origin-AS):
  BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
  BGP4MP|1044083314|A|217.75.96.60|16150|63.73.10.0/24|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|
  BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||
  BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
  BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24
  BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23
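The slide shows the pipe-delimited BGP4MP dump format the analysis scripts consume but not the counting itself; the following added example (not the presenter's script) parses such records, counts announcements and withdrawals per time bin, and flags announcements whose origin AS is one of the Korean ASes from slide 8. The fourth sample record is constructed so that one route has a Korean origin; the first three are copied from the slide.

```python
"""Parse libbgpdump-style BGP4MP lines (slide 9 format) and count A/W records
and origin-AS-matched announcements; added example, not the deck's script."""
from collections import Counter

# The 8 major Korean ASes listed on slide 8.
KOREAN_ASES = {4766, 3786, 9457, 9277, 9318, 7563, 9768, 4670, 4664, 9848}

# Lines 1-3 copied from slide 9 (stray spaces before '|' removed); line 4 is
# CONSTRUCTED for this example so that one route originates in AS4766 (KORNET).
SAMPLE_UPDATES = """\
BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
BGP4MP|1044083316|A|66.185.128.1|1668|203.0.113.0/24|1668 1239 4766|IGP|66.185.128.1|0|25||NAG||
"""

def parse_update(line):
    """Return a dict for one BGP4MP 'A' or 'W' record, or None if malformed."""
    f = line.strip().split("|")
    if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
        return None
    rec = {"time": int(f[1]), "type": f[2], "peer_ip": f[3], "peer_as": int(f[4]),
           "prefix": f[5], "as_path": None, "origin_as": None}
    if f[2] == "A":
        if len(f) < 7 or not f[6]:
            return None  # an announcement must carry an AS-PATH
        path = f[6].split()
        # Origin AS is the last element; a trailing AS-SET looks like "{1,2}"
        last = path[-1].strip("{}").split(",")[-1]
        rec["as_path"], rec["origin_as"] = path, (int(last) if last.isdigit() else None)
    # Withdrawals carry no AS-PATH (slide 21), so origin_as stays None for them.
    return rec

def summarize(lines, ases):
    """Count A, W and origin-matched A records, as on slides 10 and 11."""
    counts = Counter()
    for rec in filter(None, map(parse_update, lines)):
        counts[rec["type"]] += 1
        if rec["type"] == "A" and rec["origin_as"] in ases:
            counts["A_origin_matched"] += 1
    return counts

def updates_per_bin(lines, bin_seconds=3600):
    """Bucket update counts by (bin start, type) for a time-series plot."""
    bins = Counter()
    for rec in filter(None, map(parse_update, lines)):
        bins[(rec["time"] - rec["time"] % bin_seconds, rec["type"])] += 1
    return bins
```

Because withdrawals carry only the prefix, origin matching is only possible for announcements, which is exactly the ambiguity slide 21 points out.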

  10. Results (reference [6])
  BGP Updates (Announcements and Withdrawals)

  11. Results (reference [6])
  BGP (origin) matched Announcements
  BGP Announcements and Withdrawals increased during the Sapphire impact.

  12. Results
  BGP RIB Entries: number of prefixes that can be reached via Korea from abroad.
  About 15000 prefixes are transited by Korean ASes.

  13. Results
  BGP RIB Origin matched entries - 1
  [Figure: RIB entry count over time, annotated with start S, dips D1, D2, D3, recoveries R1, R2 and end E; marked intervals: S-D1 04 hours, D1-R1 12 hours, R1-D2 04 hours, D2-R2 02 hours, R2-D3 12 hours, S-E 50 hours; further labels of 14 hours and 16 hours]

  14. Results
  BGP RIB Origin matched entries - 2

  15. Results
  BGP RIB Origin matched entries - 3

  16. Results
  Korean Top 8 ASes

  17. Results
  Other Korean ASes

  18. Results
  Totally blacked-out Korean ASes
  About 15/213 ASes were totally blacked out during the Sapphire/Slammer impact.
  [Diagram: a stub AS whose peering session to AS P1 is marked X]

  19. Results
  Other Non-Korean ASes
  A similar phenomenon is also observed for other non-Korean ASes.
  [Figure: RIB entries over time with dips D1, D2, D3 marked]

  20. Discussions
  • During the Sapphire/Slammer worm impact, a massive increase in the number of BGP updates and a decrease in BGP RIB entries is observed.
  • There are 3 unexplained dips in the RIB snapshots. 'D1' isn't surprising. But why 'D2' and 'D3'?

  21. Discussions
  • BGP doesn't provide sufficient statistics: BGP Withdrawals do not contain an 'AS-PATH', so the mapping between BGP withdrawals and RIB counts is ambiguous.
  • Routing data from Korea isn't accessible.
  • A well-organized monitoring infrastructure is needed.

  22. References
  [1] Analysis of the Sapphire Worm - A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UCSD CSE - http://www.caida.org/analysis/security/sapphire/
  [2] CERT Advisory CA-2003-04 MS-SQL Server Worm.
  [3] Sapphire worm code disassembled - http://www.eeye.com/html/Research/Flash/sapphire.txt
  [4] University of Oregon - Route Views Project page - http://routeviews.org
  [5] 정보통신망 침해사고 합동조사단 (Joint Investigation Team on Information and Communications Network Intrusion Incidents), Investigation Results of the Information and Communications Network Intrusion Incident.
  [6] RIPE NCC RIS, Sapphire/Slammer Worm Impact on Internet Performance - http://www.ripe.net/ttm/Documents/worm/index.html

  23. The END
