
ETRI meeting (Feb 16, 2005) -- Dongkee LEE 1 Sapphire/Slammer worm impact on Internet routing Dongkee LEE.


1 ETRI meeting (Feb 16, 2005) -- Dongkee LEE (dklee@an.kaist.ac.kr)
Sapphire/Slammer worm impact on Internet routing
Dongkee LEE

2 Overview
- Introduction to the Sapphire/Slammer worm
- Analysis methods
- Results
- Discussion

3 Sapphire worm
- Also called Slammer, SQLSlammer, W32.Slammer.
- Began at 5:30 AM (UTC) on Saturday, Jan 25th.
- Systems affected: Microsoft SQL Server 2000; Microsoft Desktop Engine (MSDE) 2000.
- "Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp." - CERT Advisory CA-2003-04
Reference: [1], [2]

4 Sapphire worm
[Figure: infection maps. Sat Jan 25 05:29:00 2003 (UTC): infected with Sapphire: 0. Sat Jan 25 06:30:00 2003 (UTC): infected with Sapphire: 74855.]
Most vulnerable machines were infected within 10 minutes of the worm's release.
Reference: [1], [2]

5 Sapphire worm
- Caused considerable harm simply by overloading networks and taking database servers out of operation.
- Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm.
- Observed symptoms:
  - Outbound traffic to external addresses on UDP port 1434.
  - Large numbers of ICMP Unreachable messages aimed at server systems.
  - SQL resolution service failure.
  - Performance degradation.
  - Scanning.
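As an added illustration of how the symptoms listed above show up in flow records, here is a small detector that flags sources sending many 376-byte UDP datagrams to port 1434 across many distinct destinations. This is example code written for this transcript, not something from the slides or from CERT/CAIDA; the flow-log format, the IP addresses, the timestamps and the fan-out threshold are all constructed for the example.

```python
"""Added example: flag hosts whose outbound flows match the Sapphire/Slammer
profile from the slides (UDP/1434, 376-byte packets, fanned out to many
destinations).  The flow-log format 'ts src dst proto dport bytes' is
constructed for this example; adapt parse_flow() to your collector's output."""
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_PORT = 1434      # MS-SQL resolution service (UDP), per CERT CA-2003-04
SLAMMER_PAYLOAD = 376    # packet size cited on the slides
FANOUT_THRESHOLD = 20    # distinct destinations per window; assumed tuning value


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    size: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst proto dport bytes' record (constructed format)."""
    ts, src, dst, proto, dport, size = line.split()
    return Flow(int(ts), src, dst, proto.lower(), int(dport), int(size))


def is_slammer_like(f: Flow) -> bool:
    """True for a single datagram matching the worm's wire profile."""
    return f.proto == "udp" and f.dport == SLAMMER_PORT and f.size == SLAMMER_PAYLOAD


def find_scanners(lines, window=60, fanout=FANOUT_THRESHOLD):
    """Return {src: max distinct destinations in one window} for sources that
    reached `fanout` or more distinct hosts with Slammer-like packets inside
    any `window`-second bucket.  Fan-out, not volume, is the signal: a single
    legitimate SQL browser query also hits UDP/1434."""
    buckets = defaultdict(set)            # (src, bucket) -> destinations seen
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if is_slammer_like(f):
            buckets[(f.src, f.ts // window)].add(f.dst)
    hits = {}
    for (src, _bucket), dsts in buckets.items():
        if len(dsts) >= fanout:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


# Constructed sample: timestamps are around 05:30 UTC on 25 Jan 2003
# (1043472600), the onset time given on the slides.  10.0.0.5 plays an
# infected host; 10.0.0.7 sends one ordinary SQL resolution query.
SAMPLE_LOG = ["# ts src dst proto dport bytes (constructed)"]
SAMPLE_LOG += [f"1043472600 10.0.0.5 192.0.2.{i} udp 1434 376" for i in range(1, 31)]
SAMPLE_LOG += [
    "1043472601 10.0.0.7 198.51.100.10 udp 1434 376",
    "1043472602 10.0.0.7 198.51.100.11 tcp 1433 1200",
    "1043472603 10.0.0.9 203.0.113.4 udp 53 80",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct UDP/1434 targets with 376-byte payloads in one minute")
```

The fan-out criterion is what separates a worm-driven host from a legitimate client: both emit the same datagram shape, but only the former sprays it at dozens of unrelated addresses per minute.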

6 Previous works
- Joint Investigation Team for Information and Communication Network Intrusion Incidents (정보통신망 침해사고 합동조사단) - 'Investigation Results of the Information and Communication Network Intrusion Incident' (정보통신망 침해사고 조사결과)
But what about the Sapphire impact on 'Internet routing'?

7 Routeviews - 1
- University of Oregon - Route Views project. Routing information repository for:
  - Analysis of BGP routing table dynamics.
  - Work on routing table growth.
  - Analysis of geographic scope of routing announcements.
- Routeviews routers:
  - route-views.eqix.routeviews.org
  - route-views.isc.routeviews.org
  - route-views.linx.routeviews.org
  - route-views.oregon-ix.net
  - route-views.wide.routeviews.org
  - route-views2.oregon-ix.net
  - route-views3.routeviews.org
Reference: http://routeviews.org

8 Routeviews - 2
- Peer list: http://routeviews.org/peers/
- route-views2.oregon-ix.net has no Korean peers.
Reference: http://routeviews.org

9 Korean ASes
- http://www.cidr-report.org/autnums.html: 362 Korean ASes
- 8 major Korean ASes:
  - AS4766 KORNET
  - AS3786 DACOM
  - AS9457 DREAMX
  - AS9277 THRUNET
  - AS9318 HANANET
  - AS7563, 9768 PUBNET
  - AS4670, 4664 SHINBIRO
  - AS9848 ENTERPRISENET
- 16 other Korean ASes:
  - AS17832 6KANET
  - AS4663 ELIMNET
  - AS10038 FWINet
  - AS17864 HANVITINB
  - AS9695 KITINET
  - AS5051 KOLNET
  - AS9488 KREN
  - AS1237, 7623, 17579 KREONET
  - AS9701 KRLINE
  - AS7557 KTNET
  - AS9316 PUBNETPLUS
  - AS9689 QRIXNET
  - AS10171 SKTelink
  - AS10049 SKNETWORKS
  - AS9644 SKSpeedNet
  - AS6619 SAMSUNGNETWORKS
Reference: NIDA and ISIS

10 Scripts
http://an.kaist.ac.kr/~dklee/research/iram/
Sample BGP update records (MRT BGP4MP text dump):
BGP4MP|1044083314|A|217.75.96.60|16150 |208.254.200.0/22|16150 8434 3549 14745 16791 |IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
BGP4MP|1044083314|A|217.75.96.60|16150 |63.73.10.0/24|16150 8434 3549 14745 16791 |IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|
BGP4MP|1044083315|A|66.185.128.1|1668 |202.3.156.0/24|1668 1239 4637 9225 7473 17557 |IGP|66.185.128.1|0|25||NAG||
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23
Fields highlighted on the slide: announced prefix, AS-PATH, origin AS (the last AS in the path).

11 Results: BGP Updates (Announcements and Withdrawals)
[Figure: BGP update counts over time.]
Reference: [6]

12 Results: BGP (origin) matched Announcements
[Figure: origin-matched announcement counts over time.]
BGP announcements and withdrawals increase during the Sapphire impact.
Reference: [6]

13 Results: BGP RIB Entries
About 15000 prefixes are transited by Korean ASes, i.e. the number of prefixes that can be reached through Korea from abroad.
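The analysis on slides 10 to 13 reduces to three counts over BGP4MP records: announcements and withdrawals per time interval, announcements whose origin AS is Korean ("origin matched"), and prefixes whose AS-PATH passes through a Korean AS without originating there ("transited"). The following parser and counters are an added example written for this transcript, not the author's scripts from the URL above. It reuses the six records quoted on slide 10 and the eight major Korean ASNs from slide 9; the three extra records (documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, documentation ASN 64496) are constructed so that each counter has something to find.

```python
"""Added example: parse BGP4MP update records in the text-dump format shown on
slide 10 (announcement: BGP4MP|ts|A|peer_ip|peer_as|prefix|as_path|origin|...;
withdrawal: BGP4MP|ts|W|peer_ip|peer_as|prefix) and compute the counts used
on the results slides."""
from collections import Counter, defaultdict

# The 8 major Korean ASes listed on slide 9.
KOREAN_MAJOR_ASES = {4766, 3786, 9457, 9277, 9318, 7563, 9768, 4670, 4664, 9848}

# Constructed sample: the six records from slide 10, then two announcements and
# one withdrawal written for this example (not real routing data).
SAMPLE_UPDATES = """\
BGP4MP|1044083314|A|217.75.96.60|16150 |208.254.200.0/22|16150 8434 3549 14745 16791 |IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
BGP4MP|1044083314|A|217.75.96.60|16150 |63.73.10.0/24|16150 8434 3549 14745 16791 |IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|
BGP4MP|1044083315|A|66.185.128.1|1668 |202.3.156.0/24|1668 1239 4637 9225 7473 17557 |IGP|66.185.128.1|0|25||NAG||
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23
BGP4MP|1044083376|A|66.185.128.1|1668 |192.0.2.0/24|1668 1239 4766 |IGP|66.185.128.1|0|0||NAG||
BGP4MP|1044083376|A|66.185.128.1|1668 |198.51.100.0/24|1668 1239 4766 64496 |IGP|66.185.128.1|0|0||NAG||
BGP4MP|1044083377|W|66.185.128.1|1668|192.0.2.0/24
"""


def parse_update(line):
    """Return a dict for one BGP4MP record, or None if the line is not one.
    Withdrawals carry no AS-PATH (the point made on slide 22), so their
    as_path is empty and origin_as is None."""
    f = [x.strip() for x in line.rstrip("\n").split("|")]
    if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
        return None
    rec = {"ts": int(f[1]), "type": f[2], "peer_ip": f[3], "peer_as": int(f[4]),
           "prefix": f[5], "as_path": (), "origin_as": None}
    if f[2] == "A" and len(f) > 6:
        # AS_SET members appear as '{a,b}' in this format; they are skipped here.
        rec["as_path"] = tuple(int(a) for a in f[6].split() if a.isdigit())
        rec["origin_as"] = rec["as_path"][-1] if rec["as_path"] else None
    return rec


def parse_all(lines):
    return [r for r in (parse_update(ln) for ln in lines) if r]


def count_updates(lines, bucket_seconds=60):
    """{bucket_start_ts: Counter({'A': n, 'W': m})}: the per-interval update
    volume plotted on slide 11."""
    out = defaultdict(Counter)
    for r in parse_all(lines):
        out[r["ts"] - r["ts"] % bucket_seconds][r["type"]] += 1
    return dict(out)


def origin_matched(lines, asns):
    """Announcements whose origin AS is in `asns` (slide 12's 'origin matched')."""
    return [r for r in parse_all(lines) if r["type"] == "A" and r["origin_as"] in asns]


def transited_prefixes(lines, asns):
    """Prefixes announced with some AS from `asns` in the path but originated
    elsewhere: reachable *through* those ASes, the quantity on slide 13."""
    return {r["prefix"] for r in parse_all(lines)
            if r["type"] == "A" and r["origin_as"] not in asns
            and asns.intersection(r["as_path"])}


if __name__ == "__main__":
    lines = SAMPLE_UPDATES.splitlines()
    for ts, c in sorted(count_updates(lines).items()):
        print(ts, "announcements:", c["A"], "withdrawals:", c["W"])
    print("origin-matched:", [r["prefix"] for r in origin_matched(lines, KOREAN_MAJOR_ASES)])
    print("transited:", sorted(transited_prefixes(lines, KOREAN_MAJOR_ASES)))
```

On a full RouteViews update archive the same three functions give the time series on slides 11 and 12 directly; for the RIB-entry count on slide 13 one would run them over a RIB snapshot instead of an update stream, which has the same per-record layout.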

14 Results: BGP RIB Origin matched entries - 1
[Figure: timeline of RIB dips (D1, D2, D3) and recoveries (R1, R2) from start S to end E, 50 hours in total: S to D1 04 hours; D1 to R1 12 hours; R1 to D2 04 hours; D2 to R2 02 hours; R2 to D3 12 hours; further intervals of 16 hours and 14 hours marked.]

15 Results: BGP RIB Origin matched entries - 2

16 Results: BGP RIB Origin matched entries - 3

17 Results: Korean Top 8 ASes

18 Results: Other Korean ASes

19 Results: Totally blacked-out Korean ASes
About 15/213 ASes were totally blacked out during the Sapphire/Slammer impact.
[Figure: a stub AS whose only peering session to AS P1 is lost.]

20 Results: Other Non-Korean ASes
A similar phenomenon is also observed for other non-Korean ASes.
[Figure: RIB entries over time with dips D1, D2, D3 marked.]

21 Discussions
- During the Sapphire/Slammer worm impact, a massive increase in the number of BGP updates and a decrease in BGP RIB entries are observed.
- There are 3 unexplained dipping points in the RIB snapshots. 'D1' isn't surprising. But why 'D2' and 'D3'?

22 Discussions
- BGP doesn't provide sufficient statistics: BGP withdrawals do not contain an 'AS-PATH', so the mapping between BGP withdrawals and RIB counts is ambiguous.
- Routing data from within Korea isn't accessible.
- A well-organized monitoring infrastructure is needed.

23 References
[1] Analysis of the Sapphire Worm - A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UCSD CSE - http://www.caida.org/analysis/security/sapphire/
[2] CERT Advisory CA-2003-04 MS-SQL Server Worm.
[3] Sapphire worm code disassembled - http://www.eeye.com/html/Research/Flash/sapphire.txt
[4] University of Oregon - Route Views Project page - http://routeviews.org
[5] Joint Investigation Team for Information and Communication Network Intrusion Incidents (정보통신망 침해사고 합동조사단), Investigation Results of the Information and Communication Network Intrusion Incident (정보통신망 침해사고 조사결과).
[6] RIPE NCC RIS, Sapphire/Slammer Worm Impact on Internet Performance - http://www.ripe.net/ttm/Documents/worm/index.html

24 The END

