Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slammer Worm By : Varsha Gupta.P 08QR1A1216.

Published byHerbert Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "Slammer Worm By : Varsha Gupta.P 08QR1A1216."— Presentation transcript:

1 Slammer Worm By : Varsha Gupta.P 08QR1A1216

2 What is slammer worm? The slammer worm is a computer virus that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic.

3 Why Slammer Was So Fast? Bandwidth constraint vs. delay constraint
Slammer 404 bytes (376 payload) UDP based-- bandwidth constraint Code Red 4K bytes TCP based – delay constraint UDP vs. TCP

4 How the Slammer Worm Spreads?
Slammer targets computers running Microsoft SQL Server 2000, and computers running Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.

5 Overview Slammer worm is also known as :
-SQLSlammer,Saphire, W32.SQLExp.Worm, Worm.SQL.Helkern, DDOS_SQLP1434.A. Released: -January25,2003,at about 5:30 a.m (GMT).

6 Overview How ? -Exploit Buffer-overflow with MS SQL/MS SQL Server Desktop Engine (known vulnerability, July 2002). Fastest worm in history. Spread world-wide in under 10 minutes. Doubled infections every 8.5 seconds. 376 bytes long.

7 Overview Platform : Microsoft SQL Server 2000
Vulnerability: Buffer overflow. Propagation : Single UDP packet. Features: Memory resident , handcoded in assembly.

8 Worm History What is worm? Self-propagating malicious code. History
Morris worm was one of the first worms distributed over Internet. Timeline of notable worms. Two examples , Code Red – 2001, MS IIS. Slammer – 2003, MS SQL.

9 Worm Composition 376 bytes long Less than 300 bytes of executable code
404 byte UDP packets,including headers Composed of 4 functional sections

10 Worm Functions Reconstruction session from buffer overflow.
Obtains(and verifies!) windows API functions addresses. Initializes pseudo-random number generator and socket structures. Continuously generates random IP addresses and sends UDP data-grams of itself.

11 Affected Operating System:
Since SQL server 2000 and MSDE can be installed on top of almost all the Microsoft Windows operating system, almost all Windows system,from windows 95 to Windows 2000 DataCenter, are affected.

12 Direct Damage Infected between 75,000 and 1,60,000 systems.
Disabled SQl server databases on infected machines. Saturated world networks with traffic. Disrupted internet connectivity worldwide.

13 Effective damage South korea was off-line
Disrupted financial institutions Airline delays and cancellations Affedted many U.S. government and commercial websites

14 Specific damage 13,000 bank of America ATMs stopped working
Continental airlines flights were cancelled and delayed ; ticketing system was inundated with traffic .Airport self-check- in kiosks stopped working

15 Propagation technique
Single UDP packet. Target port 1434(Microsoft-SQL- Monitor). Causes buffer overflow. Continuously sends itself via UDP packets to pseudo-random IP addresses , including broadcast and multicast addresses. Does not check weather target machines exist.

16 Propagation Analysis Rapid spread made timely defense impossible.
Rapid spread caused worm copies to compete. Bandwidth limited ,not latency limited(doesn’t wait to establish connection). Easy to stop at firewall.

17 Propagation speed infected more than 90 percent of vulnerable hosts within 10 minutes Achieved more than 55 million scans per second Doubled infections every 8.5 seconds Teo orders of magnitude faster than code Red

18 Propagation speed

19 Propagation Model Probes of Slammer worm from Dshield data set
Random Scanning Initially spread exponentially, slows as the worms retry infected or immune addresses Probes of Slammer worm from Dshield data set Initially matched random scanning worm Soon slowed down due to bw saturation and network failures Probe rate of Code red worm (a typical random-scanning worm)

20 Infections 30 minutes after release

21 Possible Variations Could have attacked HTTP or DNS servers.
Could have gone dormant. Could have forged source port to DNS resolution.

22 RECOVERY Disconnection from network.
Reboot the machine,or restart SQL server. Block port 1434 at external firewall Install patch.

23 Patching and Protecting Your Systems
MS has released the patch before the worm attack happens Protecting : To protect your computers run SQL Server 2000 with the SQL Server 2000 Security Tools. The SQL Server 2000 Security Tools are used to scan instances of SQL Server 2000 and detect security vulnerabilities, and then apply updates to the affected files.

24 What ISA Server Can Do To Help Stop Slammer?
We can take the following steps to configure ISA Server to help you protect your network against further infiltration by Slammer. Note that the steps detailed below assume the following: ISA Server is installed in Firewall or Integrated mode ISA Server is the only route between the Internet and the internal network IP Packet Filtering is enabled No Server Publishing rule allows UDP-1434 to the internal network

25 To help prevent outbound attacks:
Create a protocol definition Create a protocol rule

26 Create a protocol definition with the following parameters:
Set Name to SQL Enumeration Set Protocol to UDP. Set Direction to Send. Set Local Port to Any. Set Remote port to 1434

27 Create a protocol rule with the following parameters:
Set Action = Deny Set Protocol to SQL Enumeration. Set Schedule to Always. Set Applies to to All requests.

28 Reference Worm Slammer Worm A Taxonomy of Computer Worms
en.wikipedia.org/wiki/Computer _ worm Slammer Worm usversions/letter.mspx 04.html Inside the Slammer Worm, IEEE S&P 2003

29 Thank you!!

Download ppt "Slammer Worm By : Varsha Gupta.P 08QR1A1216."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Packets and Protocols Chapter Seven Real World Packet Captures.

Packets and Protocols Chapter Seven Real World Packet Captures.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
The MS Blaster worm Presented by: Zhi-Wen Ouyang.

The MS Blaster worm Presented by: Zhi-Wen Ouyang.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Lesson 1: Configuring Network Load Balancing

Lesson 1: Configuring Network Load Balancing
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google