Slammer Worm

Slammer Worm, by Varsha Gupta.P (08QR1A1216)


Transcript of Slammer Worm

Page 1: Slammer Worm

Slammer Worm

By: Varsha Gupta.P

08QR1A1216

Page 2: Slammer Worm

What is the Slammer worm?

• The Slammer worm is a self-propagating computer worm (not a virus: it needs no host file and no user action) that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic.

Page 3: Slammer Worm

Why was Slammer so fast? Bandwidth constraint vs. delay constraint

◦ Slammer: 404 bytes on the wire (376-byte payload), UDP based, so each infected host is limited only by how fast its link can push packets: bandwidth constrained.

◦ Code Red: about 4 KB, TCP based, so each infection attempt waits for a three-way handshake before it can send anything: delay (latency) constrained.

◦ UDP vs. TCP: a single fire-and-forget datagram needs no round trip, so one host can probe thousands of targets per second, and unreachable or non-existent targets cost nothing but bandwidth.

Page 4: Slammer Worm

How does the Slammer worm spread?

Slammer targets computers running Microsoft SQL Server 2000 and computers running Microsoft SQL Server Desktop Engine (MSDE) 2000.

The worm sends a single 376-byte datagram to UDP port 1434, the SQL Server Resolution Service port. A host with a vulnerable service listening there is infected by that one datagram; no reply or follow-up traffic is needed.

Page 5: Slammer Worm

Overview

Slammer worm is also known as: SQLSlammer, Sapphire, W32.SQLExp.Worm, Worm.SQL.Helkern, DDOS_SQLP1434.A.

Released: January 25, 2003, at about 05:30 GMT.

Page 6: Slammer Worm

Overview

How? Exploits a buffer overflow in MS SQL Server 2000 / MS SQL Server Desktop Engine 2000 (a known vulnerability, patched by Microsoft in July 2002 in Security Bulletin MS02-039). Fastest worm in history. Spread world-wide in under 10 minutes. Doubled infections every 8.5 seconds. 376 bytes long.

Page 7: Slammer Worm

Overview

Platform: Microsoft SQL Server 2000.
Vulnerability: buffer overflow.
Propagation: single UDP packet.
Features: memory resident, hand-coded in assembly.

Page 8: Slammer Worm

Worm History

What is a worm?

◦ Self-propagating malicious code.

History

◦ The Morris worm (1988) was one of the first worms distributed over the Internet.

◦ Timeline of notable worms: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

Two examples:

◦ Code Red: 2001, MS IIS.
◦ Slammer: 2003, MS SQL.

Page 9: Slammer Worm

Worm Composition

◦ 376 bytes long.
◦ Less than 300 bytes of executable code.
◦ 404-byte UDP packets, including headers (20-byte IPv4 header + 8-byte UDP header + 376-byte body).
◦ Composed of 4 functional sections.

Page 10: Slammer Worm

Worm Functions

◦ Reconstructs a working execution state after the buffer overflow.
◦ Obtains (and verifies!) Windows API function addresses.
◦ Initializes the pseudo-random number generator and socket structures.
◦ Continuously generates random IP addresses and sends UDP datagrams containing itself to them.

Page 11: Slammer Worm

Affected Operating Systems

Since SQL Server 2000 and MSDE 2000 can be installed on almost any Microsoft Windows operating system, almost all Windows systems, from Windows 95 to Windows 2000 Datacenter, are affected. Exposure is decided by the vulnerable service, not by the OS version: MSDE 2000 also shipped bundled inside many third-party products, so hosts nobody thought of as database servers were listening on UDP 1434 as well.

Page 12: Slammer Worm

Direct Damage

◦ Infected between 75,000 and 160,000 systems.
◦ Disabled SQL Server databases on infected machines.
◦ Saturated networks worldwide with traffic.
◦ Disrupted Internet connectivity worldwide.

Page 13: Slammer Worm

Effective damage

◦ South Korea was off-line.
◦ Disrupted financial institutions.
◦ Airline delays and cancellations.
◦ Affected many U.S. government and commercial websites.

Page 14: Slammer Worm

Specific damage

◦ 13,000 Bank of America ATMs stopped working.
◦ Continental Airlines flights were cancelled and delayed; the ticketing system was inundated with traffic.
◦ Airport self-check-in kiosks stopped working.

Page 15: Slammer Worm

Propagation technique

◦ Single UDP packet.
◦ Target port 1434 (Microsoft-SQL-Monitor).
◦ Causes a buffer overflow.
◦ Continuously sends itself in UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses.
◦ Does not check whether target machines exist.

Page 16: Slammer Worm

Propagation Analysis

◦ Rapid spread made timely defense impossible.
◦ Rapid spread caused worm copies to compete for bandwidth.
◦ Bandwidth limited, not latency limited (doesn't wait to establish a connection).
◦ Easy to stop at a firewall: block UDP port 1434 at the perimeter in both directions, so outside hosts cannot reach the SQL Server Resolution Service and an infected internal host cannot scan outward.
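The propagation technique and the firewall remark above boil down to one rule: a 376-byte UDP datagram to port 1434 is the worm, and UDP 1434 has no business crossing the perimeter at all. The following is an added example (not from the slides) that parses raw IPv4/UDP datagrams and applies both checks. Everything it keys on comes from the slides except one documented detail of the SQL Server Resolution Service protocol, the leading request-type byte 0x04 whose handler had the overflow; the addresses, the 10.0.0.0/8 "trusted" network and the sample packets are constructed for the example, and the 376-byte body is filler, not the worm.

```python
"""Classify IPv4/UDP datagrams for Slammer-shaped traffic (added example)."""
import ipaddress
import struct

SSRS_PORT = 1434             # SQL Server Resolution Service (Microsoft-SQL-Monitor), UDP
SLAMMER_PAYLOAD_LEN = 376    # worm body; 404 bytes on the wire with IPv4 + UDP headers
SSRS_REQ_INSTANCE = 0x04     # SSRS request type whose handler overflowed (MS02-039);
                             # this byte is documented protocol detail, not from the slides


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP datagram. Checksums are left zero; fine for offline parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse_ipv4_udp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17 or len(frame) < ihl + 8 or total > len(frame):
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > total:
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    return src, dst, sport, dport, frame[ihl + 8:ihl + ulen]


def classify(frame: bytes, trusted: ipaddress.IPv4Network) -> str:
    """
    Verdicts, most specific first:
      'slammer'    signature: UDP/1434, exactly 376-byte payload, leading 0x04
      'drop-1434'  policy: UDP/1434 crossing the trust boundary in either direction
      'allow'      everything else (including frames that are not IPv4/UDP)
    The signature catches an infected host in either direction; the policy rule
    is what actually stops the worm, because it needs no knowledge of the payload.
    """
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return "allow"
    src, dst, _, dport, payload = parsed
    if dport != SSRS_PORT:
        return "allow"
    if len(payload) == SLAMMER_PAYLOAD_LEN and payload[0] == SSRS_REQ_INSTANCE:
        return "slammer"
    src_in = ipaddress.IPv4Address(src) in trusted
    dst_in = ipaddress.IPv4Address(dst) in trusted
    if src_in != dst_in:        # inbound from, or outbound to, the untrusted side
        return "drop-1434"
    return "allow"              # SSRS enumeration inside the trusted network is legitimate


INTERNAL = ipaddress.IPv4Network("10.0.0.0/8")   # hypothetical trusted network

# Constructed samples with documentation-range addresses; the 376-byte body is filler.
SAMPLES = {
    "worm-shaped":   build_ipv4_udp("198.51.100.7", "10.1.2.3", 40000, 1434,
                                    bytes([SSRS_REQ_INSTANCE]) + b"A" * 375),
    "inbound-enum":  build_ipv4_udp("198.51.100.7", "10.1.2.3", 40001, 1434, b"\x02"),
    "internal-enum": build_ipv4_udp("10.9.9.9", "10.1.2.3", 40002, 1434, b"\x02"),
    "outbound-scan": build_ipv4_udp("10.1.2.3", "203.0.113.5", 1434, 1434,
                                    bytes([SSRS_REQ_INSTANCE]) + b"A" * 375),
    "dns":           build_ipv4_udp("198.51.100.7", "10.1.2.3", 5353, 53, b"\x00" * 40),
}


def scan_samples() -> dict:
    """Run the classifier over the constructed samples; name -> verdict."""
    return {name: classify(frame, INTERNAL) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The "outbound-scan" sample is the case the ISA Server rules later in the deck address: an already-infected internal host spraying UDP 1434 outward. Note that the size-plus-first-byte signature is brittle by design (a variant padded to 377 bytes slips past it), which is why the port-based policy verdict matters more than the signature.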

Page 17: Slammer Worm

Propagation speed

◦ Infected more than 90 percent of vulnerable hosts within 10 minutes.
◦ Achieved more than 55 million scans per second (aggregate, at its peak).
◦ Doubled infections every 8.5 seconds.
◦ Two orders of magnitude faster than Code Red.

Page 18: Slammer Worm

Propagation speed

Page 19: Slammer Worm

Propagation Model

• Random scanning
  – Initially spreads exponentially, then slows as the worm copies retry already-infected or immune addresses.

Figure: probe rate of the Code Red worm (a typical random-scanning worm).

Figure: probes of the Slammer worm from the DShield data set.
• Initially matched the random-scanning model.
• Soon slowed down due to bandwidth saturation and network failures.
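The random-scanning behaviour described on this slide and the speed figures two slides earlier (8.5-second doubling, 90 percent of roughly 75,000 vulnerable hosts in under 10 minutes) are tied together by the standard random constant spread model used in the Slammer literature: if N vulnerable hosts sit in an address space of size S and each infected host probes r random addresses per second, the infected fraction a(t) obeys da/dt = K a (1 - a) with K = r N / S. What follows is an added example, not code from the slides or from the cited paper. It solves that model for the slides' numbers (the per-host scan rate it prints is derived from them, not measured) and then runs a small simulation on a scaled-down address space to show the exponential start, the slowdown from repeated hits on infected addresses, and the extra slowdown when an aggregate bandwidth cap (a stand-in for the saturated links mentioned above) is imposed. The 100,000-address space, 1,000 vulnerable hosts and 2,000 probes/s cap are made-up simulation parameters.

```python
"""Random-scanning worm growth: logistic model plus a small simulation (added example)."""
import math
import random

ADDRESS_SPACE = 2 ** 32      # IPv4 addresses a random scanner draws from
SLIDE_VULNERABLE = 75_000    # lower infection estimate from the slides
SLIDE_DOUBLING = 8.5         # seconds, from the slides


def growth_constant(scan_rate, vulnerable, space=ADDRESS_SPACE):
    """K in da/dt = K a (1 - a): probes per second per host that land on a vulnerable host."""
    return scan_rate * vulnerable / space


def doubling_time(k):
    """Early-phase doubling time, while nearly every hit is a fresh target."""
    return math.log(2) / k


def scan_rate_for_doubling(doubling, vulnerable, space=ADDRESS_SPACE):
    """Per-host probes/s implied by an observed doubling time (inverse of growth_constant)."""
    return math.log(2) / doubling * space / vulnerable


def infected_fraction(t, k, a0):
    """Closed-form logistic solution of da/dt = K a (1 - a) with a(0) = a0."""
    x = a0 / (1.0 - a0) * math.exp(k * t)
    return x / (1.0 + x)


def time_to_fraction(target, k, a0):
    """Seconds until the infected fraction reaches `target` (inverse of infected_fraction)."""
    return math.log(target / (1.0 - target) * (1.0 - a0) / a0) / k


def slammer_model(vulnerable=SLIDE_VULNERABLE, doubling=SLIDE_DOUBLING):
    """What the model implies for the slides' figures (derived values, not measurements)."""
    rate = scan_rate_for_doubling(doubling, vulnerable)
    k = growth_constant(rate, vulnerable)
    a0 = 1.0 / vulnerable                      # one infected host at t = 0
    return {
        "per_host_scans_per_sec": rate,
        "k": k,
        "seconds_to_90_percent": time_to_fraction(0.9, k, a0),
    }


def simulate(vulnerable, space, scan_rate, seconds, seed=1, link_cap=None):
    """
    Discrete-time random-scanning simulation on a scaled-down address space.
    Addresses are 0..space-1; the first `vulnerable` of them are vulnerable.
    Every infected host fires `scan_rate` probes/s at uniformly random addresses,
    so as infection grows more probes land on already-infected or invulnerable
    addresses and growth flattens. `link_cap` is an optional aggregate probes/s
    budget standing in for saturated links: once demand exceeds it, every host's
    effective rate is scaled down. Returns the infected count after each second.
    """
    rng = random.Random(seed)
    infected = {0}
    history = [1]
    for _ in range(seconds):
        demand = len(infected) * scan_rate
        rate = scan_rate if link_cap is None or demand <= link_cap else link_cap / len(infected)
        new = set()
        for _ in range(int(len(infected) * rate)):
            target = int(rng.random() * space)
            if target < vulnerable and target not in infected:
                new.add(target)
        infected |= new
        history.append(len(infected))
    return history


if __name__ == "__main__":
    m = slammer_model()
    print(f"implied scan rate per host: {m['per_host_scans_per_sec']:.0f}/s, "
          f"K = {m['k']:.4f}/s, 90% infected after {m['seconds_to_90_percent']:.0f} s")
    free = simulate(1000, 100_000, 8, 300)
    capped = simulate(1000, 100_000, 8, 300, link_cap=2000)
    for t in (30, 60, 90, 120, 180, 300):
        print(f"t={t:3d}s  unconstrained={free[t]:4d}  bandwidth-capped={capped[t]:4d}")
```

Two things the numbers show that the slide does not: a doubling time of 8.5 s over 75,000 hosts needs only about 4,700 probes per second per host, which is why a single UDP packet on an ordinary link was enough, and the pure model reaches 90 percent in under three minutes, so the observed "under 10 minutes" already includes the bandwidth-saturation slowdown the simulation's `link_cap` reproduces.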

Page 20: Slammer Worm

Infections 30 minutes after release

Page 21: Slammer Worm

Possible Variations

◦ Could have attacked HTTP or DNS servers instead.
◦ Could have gone dormant.
◦ Could have forged its UDP source port to look like DNS resolution traffic, which many firewalls pass.

Page 22: Slammer Worm

RECOVERY

◦ Disconnect from the network.
◦ Reboot the machine, or restart SQL Server: the worm is memory resident only, so this removes it, but an unpatched host on an unfiltered network is simply reinfected.
◦ Block UDP port 1434 at the external firewall.
◦ Install the patch.

Page 23: Slammer Worm

Patching and Protecting Your Systems

Patch: Microsoft had released the patch (MS02-039, July 2002) about six months before the worm appeared.

Protecting: To protect your computers, run SQL Server 2000 with the SQL Server 2000 Security Tools.

• The SQL Server 2000 Security Tools scan instances of SQL Server 2000 and MSDE 2000, detect security vulnerabilities, and then apply the updates to the affected files.

Page 24: Slammer Worm

What can ISA Server do to help stop Slammer?

We can take the following steps to configure ISA Server to help protect your network against further infiltration by Slammer.

Note that the steps detailed below assume the following:

• ISA Server is installed in Firewall or Integrated mode.
• ISA Server is the only route between the Internet and the internal network.
• IP packet filtering is enabled.
• No Server Publishing rule allows UDP 1434 to the internal network (so inbound worm packets are already dropped; the rules below stop an already-infected internal host from scanning outward).

Page 25: Slammer Worm

To help prevent outbound attacks:

• Create a protocol definition.
• Create a protocol rule.

Page 26: Slammer Worm

Create a protocol definition with the following parameters:

• Set Name to SQL Enumeration.
• Set Protocol to UDP.
• Set Direction to Send.
• Set Local Port to Any.
• Set Remote Port to 1434.

Page 27: Slammer Worm

Create a protocol rule with the following parameters:

• Set Action to Deny.
• Set Protocol to SQL Enumeration.
• Set Schedule to Always.
• Set Applies To to All requests.

Page 28: Slammer Worm

References

Worm
◦ A Taxonomy of Computer Worms
◦ http://en.wikipedia.org/wiki/Computer_worm

Slammer Worm
◦ http://www.microsoft.com/sql/prodinfo/previousversions/letter.mspx
◦ http://www.cert.org/advisories/CA-2003-04.html
◦ Inside the Slammer Worm, IEEE Security & Privacy, 2003

Page 29: Slammer Worm

Thank you!!