SQL Slammer[a] is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic and crashing routers all around the world. It spread rapidly, infecting most of its 75,000 victims within 10 minutes.
The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 patch had been released six months earlier, many organizations had not yet applied it.
The most infected regions were Europe, North America, and Asia (including East Asia and southern Asia (India) etc. ).[2]
The worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited.[3] It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free of charge removal utility, or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).
The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.[4]
The worm began to be noticed early on 25 January 2003[b] as it slowed systems worldwide. The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it was able to get through when legitimate traffic was not.
Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the sessionlessUDP protocol, and the entire worm (only 376 bytes) fits inside a single packet.[9][10] As a result, each infected host could simply "fire and forget" packets as rapidly as possible.
NotesEdit
^Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, W32/SQLSlammer and Helkern.[1]
^Public disclosure began with Michael Bacarella posting a message to the Bugtraq security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!"[5] at 07:11:41 UTC on 25 January 2003. Similar reports were posted by Robert Boyle at 08:35 UTC[6] and Ben Koshy at 10:28 UTC[7] An early analysis released by Symantec is timestamped 07:45 GMT.[8]
^Bacarella, Michael (25 January 2003). "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!". Bugtraq. Retrieved 29 November 2012.
^Boyle, Robert (25 January 2003). . Neohapsis Archives. Archived from the original on 19 February 2009. Retrieved 29 November 2008.
^Koshy, Ben (25 January 2003). . Neohapsis Archives. Archived from the original on 19 February 2009. Retrieved 29 November 2008.
^"SQLExp SQL Server Worm Analysis" (PDF). DeepSight™ Threat Management System Threat Analysis. 28 January 2003.
^Moore, David et al. "The Spread of the Sapphire/Slammer Worm". CAIDA (Cooperative Association for Internet Data Analysis).{{cite web}}: CS1 maint: uses authors parameter (link)
^Serazzi, Giuseppe; Zanero, Stefano (2004). "Computer Virus Propagation Models" (PDF). In Calzarossa, Maria Carla; Gelenbe, Erol (eds.). Performance Tools and Applications to Networked Systems. Lecture Notes in Computer Science. Vol. 2965. pp. 26–50.
External linksEdit
News
BBC NEWS Technology Virus-like attack hits web traffic
MS SQL Server Worm Wreaking Havoc
Wired 11.07: Slammed! A layman's explanation of the Slammer code.
Announcement
Microsoft Security Bulletin MS02-039 and Patch
. Carnegie Mellon University Software Engineering Institute. Archived from the original on 1 February 2003. Retrieved 22 September 2019.{{cite web}}: CS1 maint: unfit URL (link)
Analysis
Inside the Slammer Worm IEEE Security and Privacy Magazine, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver
Multiple Vulnerabilities in Microsoft SQL Server - Carnegie-Mellon Software Engineering Institute
August 30, 2023
slammer, 2003, computer, worm, that, caused, denial, service, some, internet, hosts, dramatically, slowed, general, internet, traffic, crashing, routers, around, world, spread, rapidly, infecting, most, victims, within, minutes, program, exploited, buffer, ove. SQL Slammer a is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic and crashing routers all around the world It spread rapidly infecting most of its 75 000 victims within 10 minutes The program exploited a buffer overflow bug in Microsoft s SQL Server and Desktop Engine database products Although the MS02 039 patch had been released six months earlier many organizations had not yet applied it The most infected regions were Europe North America and Asia including East Asia and southern Asia India etc 2 Contents 1 Technical details 2 Notes 3 References 4 External linksTechnical details EditThe worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield who had initially discovered the buffer overflow vulnerability that the worm exploited 3 It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service listening on UDP port 1434 the host immediately becomes infected and begins spraying the Internet with more copies of the worm program Home PCs are generally not vulnerable to this worm unless they have MSDE installed The worm is so small that it does not contain code to write itself to disk so it only stays in memory and it is easy to remove For example Symantec provides a free of charge removal utility or it can even be removed by restarting SQL Server although the machine would likely be reinfected immediately The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002 A patch had been available from Microsoft for six months prior to the worm s launch but many installations had not been patched including many at Microsoft 4 The worm began to be noticed early on 25 January 2003 b as it slowed systems worldwide The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers Normally when traffic is too high for routers to handle the routers are supposed to delay or temporarily stop network traffic Instead some routers crashed became unusable and the neighbour routers would notice that these routers had stopped and should not be contacted aka removed from the routing table Routers started sending notices to this effect to other routers they knew about The flood of routing table update notices caused some additional routers to fail compounding the problem Eventually the crashed routers maintainers restarted them causing them to announce their status leading to another wave of routing table updates Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables and ordinary data traffic slowed or in some cases stopped altogether Because the SQL Slammer worm was so small in size sometimes it was able to get through when legitimate traffic was not Two key aspects contributed to SQL Slammer s rapid propagation The worm infected new hosts over the sessionless UDP protocol and the entire worm only 376 bytes fits inside a single packet 9 10 As a result each infected host could simply fire and forget packets as rapidly as possible Notes Edit Other names include W32 SQLExp Worm DDOS SQLP1434 A the Sapphire Worm SQL HEL W32 SQLSlammer and Helkern 1 Public disclosure began with Michael Bacarella posting a message to the Bugtraq security mailing list entitled MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434 5 at 07 11 41 UTC on 25 January 2003 Similar reports were posted by Robert Boyle at 08 35 UTC 6 and Ben Koshy at 10 28 UTC 7 An early analysis released by Symantec is timestamped 07 45 GMT 8 References Edit Symantec W32 SQLExp Worm Mezquita Ty 12 February 2020 SQL Slammer Virus Harbinger of things to come CyberHoot Leyden John 6 February 2003 Slammer Why security benefits from proof of concept code Register Retrieved 29 November 2008 Microsoft Attacked By Worm Too Wired Bacarella Michael 25 January 2003 MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434 Bugtraq Retrieved 29 November 2012 Boyle Robert 25 January 2003 Peace of Mind Through Integrity and Insight Neohapsis Archives Archived from the original on 19 February 2009 Retrieved 29 November 2008 Koshy Ben 25 January 2003 Peace of Mind Through Integrity and Insight Neohapsis Archives Archived from the original on 19 February 2009 Retrieved 29 November 2008 SQLExp SQL Server Worm Analysis PDF DeepSight Threat Management System Threat Analysis 28 January 2003 Moore David et al The Spread of the Sapphire Slammer Worm CAIDA Cooperative Association for Internet Data Analysis a href Template Cite web html title Template Cite web cite web a CS1 maint uses authors parameter link Serazzi Giuseppe Zanero Stefano 2004 Computer Virus Propagation Models PDF In Calzarossa Maria Carla Gelenbe Erol eds Performance Tools and Applications to Networked Systems Lecture Notes in Computer Science Vol 2965 pp 26 50 External links EditNewsBBC NEWS Technology Virus like attack hits web traffic MS SQL Server Worm Wreaking Havoc Wired 11 07 Slammed A layman s explanation of the Slammer code AnnouncementMicrosoft Security Bulletin MS02 039 and Patch CERT Advisory CA 2003 04 MS SQL Server Worm Carnegie Mellon University Software Engineering Institute Archived from the original on 1 February 2003 Retrieved 22 September 2019 a href Template Cite web html title Template Cite web cite web a CS1 maint unfit URL link Symantec Security Response W32 SQLExp WormAnalysisInside the Slammer Worm IEEE Security and Privacy Magazine David Moore Vern Paxson Stefan Savage Colleen Shannon Stuart Staniford and Nicholas WeaverTechnical detailsWorm code disassembled at the Wayback Machine archived 22 July 2011 Multiple Vulnerabilities in Microsoft SQL Server Carnegie Mellon Software Engineering Institute Retrieved from https en wikipedia org w index php title SQL Slammer amp oldid 1146402163, wikipedia, wiki, book, books, library,
