Upload
dionne
View
79
Download
5
Tags:
Embed Size (px)
DESCRIPTION
Slammer Worm. By : Varsha Gupta.P 08QR1A1216. What is slammer worm?. The slammer worm is a computer virus that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. Why Slammer Was So Fast?. Bandwidth constraint vs. delay constraint - PowerPoint PPT Presentation
Citation preview
Slammer Worm
By :
Varsha Gupta.P
08QR1A1216
• The slammer worm is a computer
virus that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic.
What is slammer worm?
Why Slammer Was So Fast?Bandwidth constraint vs. delay constraint
◦ Slammer 404 bytes (376 payload) UDP based-- bandwidth constraint
◦ Code Red 4K bytes TCP based – delay constraint
◦ UDP vs. TCP
How the Slammer Worm Spreads?
Slammer targets computers running Microsoft SQL Server 2000, and computers running Microsoft Desktop Engine (MSDE) 2000.
The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
Overview Slammer worm is also known as : -SQLSlammer,Saphire,
W32.SQLExp.Worm, Worm.SQL.Helkern, DDOS_SQLP1434.A.
Released: -January25,2003,at about
5:30 a.m (GMT).
Overview How ? -Exploit Buffer-overflow with MS SQL/MS SQL Server Desktop Engine (known vulnerability, July 2002). Fastest worm in history. Spread world-wide in under 10
minutes. Doubled infections every 8.5 seconds. 376 bytes long.
OverviewPlatform : Microsoft SQL Server
2000Vulnerability: Buffer overflow.Propagation : Single UDP packet.Features: Memory resident ,
handcoded in assembly.
Worm HistoryWhat is worm?
◦ Self-propagating malicious code.History
◦ Morris worm was one of the first worms distributed over Internet.
◦ Timeline of notable worms. http://en.wikipedia.org/wiki/Timeline_of_n
otable_computer_viruses_and_wormsTwo examples ,
◦ Code Red – 2001, MS IIS.◦ Slammer – 2003, MS SQL.
Worm Composition376 bytes longLess than 300 bytes of
executable code404 byte UDP packets,including
headersComposed of 4 functional
sections
Worm FunctionsReconstruction session from
buffer overflow.Obtains(and verifies!) windows
API functions addresses.Initializes pseudo-random
number generator and socket structures.
Continuously generates random IP addresses and sends UDP data-grams of itself.
Affected Operating System:
Since SQL server 2000 and MSDE 2000 can be installed on top of almost all the Microsoft Windows operating system, almost all Windows system,from windows 95 to Windows 2000 DataCenter, are affected.
Direct Damage Infected between 75,000 and
1,60,000 systems. Disabled SQl server databases on
infected machines. Saturated world networks with
traffic. Disrupted internet connectivity
worldwide.
Effective damageSouth korea was off-lineDisrupted financial institutionsAirline delays and cancellationsAffedted many U.S. government
and commercial websites
Specific damage13,000 bank of America ATMs
stopped workingContinental airlines flights were
cancelled and delayed ; ticketing system was inundated with traffic .Airport self-check-in kiosks stopped working
Propagation techniqueSingle UDP packet.Target port 1434(Microsoft-SQL-
Monitor).Causes buffer overflow.Continuously sends itself via UDP
packets to pseudo-random IP addresses , including broadcast and multicast addresses.
Does not check weather target machines exist.
Propagation AnalysisRapid spread made timely
defense impossible.Rapid spread caused worm
copies to compete.Bandwidth limited ,not latency
limited(doesn’t wait to establish connection).
Easy to stop at firewall.
Propagation speedinfected more than 90 percent of
vulnerable hosts within 10 minutes
Achieved more than 55 million scans per second
Doubled infections every 8.5 seconds
Teo orders of magnitude faster than code Red
Propagation speed
Propagation Model• Random Scanning
– Initially spread exponentially, slows as the worms retry infected or immune addresses
Probe rate of Code red worm(a typical random-scanning worm)
Probes of Slammer worm from Dshield data set• Initially matched random scanning worm• Soon slowed down due to bw saturation and network failures
Infections 30 minutes after release
Possible VariationsCould have attacked HTTP or
DNS servers.Could have gone dormant.Could have forged source port to
DNS resolution.
Disconnection from network.Reboot the machine,or restart
SQL server.Block port 1434 at external
firewallInstall patch.
RECOVERY
Patching and Protecting Your Systems
Patch: MS has released the patch before the
worm attack happens
Protecting : To protect your computers run SQL Server 2000 with the SQL Server 2000 Security Tools.
•The SQL Server 2000 Security Tools are used to scan instances of SQL Server 2000 and detect security vulnerabilities, and then apply updates to the affected files.
What ISA Server Can Do To Help Stop Slammer?We can take the following steps to configure ISA Server to help you protect your network against further infiltration by Slammer.
Note that the steps detailed below assume the following:
•ISA Server is installed in Firewall or Integrated mode•ISA Server is the only route between the Internet and the internal network•IP Packet Filtering is enabled•No Server Publishing rule allows UDP-1434 to the internal network
To help prevent outbound attacks:
Create a protocol definitionCreate a protocol rule
Create a protocol definition with the following parameters:
•Set Name to SQL Enumeration•Set Protocol to UDP.•Set Direction to Send.•Set Local Port to Any.•Set Remote port to 1434
Create a protocol rule with the following parameters:
•Set Action = Deny•Set Protocol to SQL Enumeration.•Set Schedule to Always.•Set Applies to to All requests.
ReferenceWorm
◦A Taxonomy of Computer Worms ◦en.wikipedia.org/wiki/Computer _ worm
Slammer Worm◦http://www.microsoft.com/sql/prodinf
o/previousversions/letter.mspx◦http://www.cert.org/advisories/CA-20
03-04.html◦Inside the Slammer Worm, IEEE S&P
2003
Thank you!!