The Spread of the Sapphire/Slammer Worm
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver
Presented by Stefan Birrer

Sapphire Worm
• Fastest computer worm in history
• Doubled in size every 8.5 seconds
• Reached 90% of vulnerable hosts within 10 minutes
• aka Slammer
• January 25, 2003
• Microsoft's SQL Server
• Flaw was discovered in July 2002
• Patch was released before it was announced
• 75,000 hosts

Why?
• Patch was released half a year before the outbreak
• Service is generally not publicly used (port 1434)
• If users were not so ignorant, this worm would never have existed
• Firewalls were known before
  • Also their benefit
• Vulnerability was known
  • None of the affected systems had applied the patch

Sapphire: A Random Scanning Worm
• Spreads exponentially rapidly
• Random constant spread (RCS) model
• Spread initially conformed to the RCS model, before it began to saturate
• Bandwidth-limited (only one-way communication)
  • Send and never care
• Latency-limited
  • Send and wait for response (RTT)
• 30,000 scans/second
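
The RCS model carried through with the slide's numbers (8.5-second doubling time, 75,000 vulnerable hosts). This is an added example, not part of the original slides: it assumes the standard logistic form of RCS, da/dt = K·a·(1−a), and a single infected host at t = 0. It shows that the idealized curve passes 90% after under three minutes, well inside the 10-minute figure above.

```python
import math

DOUBLING_TIME_S = 8.5       # from the slides
VULNERABLE_HOSTS = 75_000   # from the slides
A0 = 1 / VULNERABLE_HOSTS   # assumption: one infected host at t = 0

def growth_rate(doubling_time_s):
    """Early-phase rate K (1/s): a(t) ~ a0 * e^(K t) while a << 1."""
    return math.log(2) / doubling_time_s

def infected_fraction(t, k, a0=A0):
    """Closed-form solution of the RCS equation da/dt = K * a * (1 - a)."""
    e = math.exp(k * t)
    return a0 * e / (1 - a0 + a0 * e)

def time_to_fraction(target, k, a0=A0):
    """Seconds until `target` (0 < target < 1) of the population is infected."""
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k

def euler_fraction(t_end, k, a0=A0, dt=0.01):
    """Numerically integrate the same ODE as a check on the closed form."""
    a = a0
    for _ in range(round(t_end / dt)):
        a += k * a * (1 - a) * dt
    return a

if __name__ == "__main__":
    k = growth_rate(DOUBLING_TIME_S)
    for t in (0, 30, 60, 90, 120, 150, 180):
        hosts = infected_fraction(t, k) * VULNERABLE_HOSTS
        print(f"t={t:3d}s  infected ~ {hosts:8.0f}")
    print(f"90% reached after ~{time_to_fraction(0.9, k):.0f}s in the ideal model")
```

For defenders the takeaway is the response window: with this growth rate, any containment that depends on a human reacting arrives after the curve has already flattened.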

Pseudo Random Number Generator (PRNG)
• X' = (X * a + b) mod m
• Very efficient
• Reasonably good distributional properties
• Implementation flaws
  • One worm didn't scan the full network
  • However, all worms together still reached the full network

Spread and Operator Response
• 55 million scans per second across the Internet in under 3 minutes
• Destination port was fixed (UDP port 1434)
  • Not widely used
  • Easy to block
• Constant scan rate
  • Easy to identify

Conclusions
• Speed is not dependent on protocol
• Smaller populations as a target, and therefore a threat
• 20,000 nodes in under one hour
• What would happen if it stopped scanning after 10 minutes?
  • Hard to identify attack
  • Hard to identify infected machines
• The world became aware of the threat (at least for some time)
• One could think it was a lesson, but history proves us wrong (How many email worms do you get per day?)