Analysis of the “SQL Slammer” worm and its effects on Indiana University and related institutions
This writeup is interesting because it shows how a large university detected and dealt with the SQLSlammer worm. There's a lot of information on how a distributed setup played a role in mitigating this problem.
On November 2nd 1988 Robert Morris, then a Cornell University computer science graduate student, released the first Internet worm. Morris’s Worm, as it was known, exploited known flaws in the finger and sendmail services as well as in common webs of trust inherent in the rlogin facility. The worm’s only activity was that of replicating itself to as many hosts as possible. Towards that end, the worm searched local files (such as /etc/hosts) to identify machines to infect as well as scanning likely addresses in the local network. The worm did not damage files or otherwise disrupt operation of the infected machines; however the traffic volume generated by its replication attempts severely disrupted the global Internet, local enterprise networks, and the processing ability of the infected machines themselves. The Morris worm infected roughly 10 percent of Internet computers and cost an estimated 100 million dollars (156 million in 2003 dollars) to clean up.
Like the Morris worm, Slammer’s only disruptive activity was the traffic associated with its replication. SQL Slammer infected less than one in a thousand Internet computers, but its effect was much more dramatic. Slammer targeted random hosts, which is relatively inefficient; however, a Slammer infected computer would try as many as 25,000 target addresses a second. The simplicity of the infection method, which required only a single packet to infect a vulnerable computer and, like Morris, exploited a known vulnerability, combined with the speed at which potential computers were probed, allowed Slammer to reach global proportions in less than eight minutes (it doubled in size every 8 seconds). Current estimates put the cost of Slammer at approximately one billion dollars – an order of magnitude more expensive than the Morris worm in constant dollars.
Source: Analysis of the “SQL Slammer” worm and its effects on Indiana University and related institutions, by Gregory Travis, Ed Balas, David Ripley, and Steven Wallace.
September 16, 2005 in papers, SQLSlammer | Permalink