SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic. It spread rapidly, infecting most of its 75,000 victims within ten minutes.
The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 patch had been released six months earlier, many organizations had not yet applied it.
The most infected regions were Europe, North America, and Asia (including East Asia and India).
Technical details
The worm was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited. It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of the Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free-of-charge removal utility, or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).
The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.
The worm began to be noticed early on 25 January 2003 as it slowed systems worldwide. The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (that is, "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it was able to get through when legitimate traffic was not.
Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the sessionless UDP protocol, and the entire worm (only 376 bytes) fits inside a single packet. As a result, each infected host could simply "fire and forget" packets as rapidly as possible.
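The propagation pattern described above (one ~376-byte UDP datagram to port 1434 per target, sprayed to many pseudo-random destinations with no session setup) is also what makes the worm easy to spot from the network side, which matters because a memory-only worm leaves nothing on disk to scan for. The following detector is an added example, not code from the article or from any of the analyses it links; it reads a constructed comma-separated flow log (field layout, thresholds and window length are assumptions, marked in the comments) and flags any source host whose UDP/1434 fan-out to distinct destinations within a short window exceeds what a legitimate SQL Server Resolution Service client would ever produce.

```python
"""
Heuristic detector for Slammer-style UDP/1434 spraying.

Facts taken from the article: the worm is 376 bytes, travels in a single UDP
datagram to port 1434, and each infected host sends to random addresses as
fast as it can.  Everything else here (log format, thresholds, window) is an
assumption chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address

SLAMMER_PORT = 1434        # SQL Server Resolution Service (from the article)
SLAMMER_PAYLOAD = 376      # worm size in bytes (from the article)
PAYLOAD_TOLERANCE = 16     # assumption: slack for how a sensor counts bytes
FANOUT_THRESHOLD = 20      # assumption: distinct targets per window that flags a host
WINDOW_SECONDS = 10        # assumption: sliding window length


def parse_flow(line):
    """Parse one assumed 'ts,src,dst,proto,dport,bytes' record; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        return {"ts": float(ts), "src": str(ip_address(src)), "dst": str(ip_address(dst)),
                "proto": proto.upper(), "dport": int(dport), "bytes": int(nbytes)}
    except ValueError:
        return None


def is_slammer_like(flow):
    """A single UDP datagram to 1434 whose size is close to the 376-byte worm."""
    return (flow["proto"] == "UDP" and flow["dport"] == SLAMMER_PORT
            and abs(flow["bytes"] - SLAMMER_PAYLOAD) <= PAYLOAD_TOLERANCE)


def find_spraying_hosts(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak distinct destinations} for hosts whose Slammer-like
    fan-out in any `window`-second span reaches `threshold` distinct targets.
    A normal client talks to a handful of servers; a random scanner never repeats."""
    per_src = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow and is_slammer_like(flow):
            per_src[flow["src"]].append((flow["ts"], flow["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)          # dst -> hits inside the current window
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def build_sample_log():
    """Constructed sample flow records (not a real capture)."""
    base = 1043456400.0      # arbitrary epoch seconds in January 2003
    lines = []
    # Infected host: one ~376-byte datagram to each of 30 distinct targets in 1.5 s.
    for i in range(30):
        target = f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 53) % 256}.{(i * 17) % 256}"
        lines.append(f"{base + i * 0.05},10.0.0.5,{target},UDP,1434,376")
    # Benign host: tiny resolution queries to one server, then a normal TCP/1433 session.
    lines += [f"{base + 1},10.0.0.7,10.0.0.20,UDP,1434,1",
              f"{base + 2},10.0.0.7,10.0.0.20,UDP,1434,1",
              f"{base + 3},10.0.0.7,10.0.0.20,TCP,1433,120"]
    lines.append("garbage line")               # malformed record the parser must tolerate
    return lines


if __name__ == "__main__":
    for host, fanout in find_spraying_hosts(build_sample_log()).items():
        print(f"ALERT {host}: {fanout} distinct UDP/1434 targets within {WINDOW_SECONDS}s")
```

Two design points: the size filter keeps legitimate Resolution Service lookups (a client request is a few bytes) out of the count, and the window is keyed on distinct destinations rather than packet rate, because a scanner that picks addresses at random almost never hits the same target twice while a busy but honest client hits the same few servers repeatedly.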
External links
News
- BBC NEWS Technology: Virus-like attack hits web traffic
- MS SQL Server Worm Wreaking Havoc
- A layman's explanation of the Slammer code
Announcement
- Microsoft Security Bulletin MS02-039 and Patch
Analysis
- Inside the Slammer Worm, IEEE Security and Privacy Magazine, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver
Technical details
- Carnegie-Mellon Software Engineering Institute