Sapphire/Slammer worm impact on Internet routing

Page 1: Sapphire/Slammer worm impact on Internet routing

ETRI meeting (Feb 16, 2005) -- Dongkee LEE ([email protected])

Sapphire/Slammer worm impact on Internet routing

Dongkee LEE

Page 2: Sapphire/Slammer worm impact on Internet routing

Overview

Introduction to Sapphire/Slammer worm
Analysis methods
Results
Discussion

Page 3: Sapphire/Slammer worm impact on Internet routing

Sapphire worm

Also called Slammer, SQLSlammer, W32.Slammer. Began at 5:30 AM (UTC) on Saturday Jan 25th.

Systems affected: Microsoft SQL Server 2000, Microsoft Desktop Engine (MSDE) 2000.

Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp.

- CERT Advisory CA-2003-04

reference [1], [2]

Page 4: Sapphire/Slammer worm impact on Internet routing

Sapphire worm

[Figure: Sat Jan 05:29:00 2003 (UTC), infected with Sapphire: 0]

Most vulnerable machines were infected within 10 minutes of the worm's release.

[Figure: Sat Jan 06:30:00 2003 (UTC), infected with Sapphire: 74855]

reference [1], [2]

Page 5: Sapphire/Slammer worm impact on Internet routing

Sapphire worm

Caused considerable harm simply by overloading networks and taking database servers out of operation.

Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm.

Outbound traffic to external addresses on UDP port 1434.
Large amount of ICMP Unreachable messages aimed at server systems.
SQL resolution service failure.
Performance degradation.
Scanning.
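The symptoms listed on this slide are what a network operator can look for in flow records. As an added example, not part of the original slides or of the author's scripts, the following Python code scans constructed NetFlow-style records for hosts that send same-size UDP datagrams to port 1434 at many distinct destinations, and for hosts that attract bursts of ICMP destination-unreachable replies. The record layout, the field names, the sample addresses and the thresholds are all assumptions.

```python
from collections import defaultdict, namedtuple

# One record per datagram, in the shape a NetFlow-style exporter might give.
# For UDP the fifth field is the destination port; for ICMP it is the ICMP type.
Flow = namedtuple("Flow", "ts src dst proto dport length")

# Constructed sample traffic, not taken from the slides.
# 10.0.5.17 behaves like an infected host: one 376-byte UDP/1434 datagram to
# many different addresses. 10.0.5.20 talks repeatedly to a single SQL server
# and 10.0.5.21 sends small probes; neither of those should be flagged.
SAMPLE_FLOWS = [
    Flow("05:31:00", "10.0.5.17", "203.0.113.4",   "udp", 1434, 376),
    Flow("05:31:00", "10.0.5.17", "198.51.100.9",  "udp", 1434, 376),
    Flow("05:31:01", "10.0.5.17", "192.0.2.77",    "udp", 1434, 376),
    Flow("05:31:01", "10.0.5.17", "203.0.113.250", "udp", 1434, 376),
    Flow("05:31:01", "10.0.5.17", "198.51.100.30", "udp", 1434, 376),
    Flow("05:31:02", "10.0.5.17", "192.0.2.5",     "udp", 1434, 376),
    Flow("05:31:02", "10.0.5.17", "192.0.2.5",     "udp", 1434, 376),  # same dst again, counted once
    Flow("05:31:02", "10.0.5.20", "10.0.9.8",      "udp", 1434, 376),
    Flow("05:31:03", "10.0.5.20", "10.0.9.8",      "udp", 1434, 376),
    Flow("05:31:03", "10.0.5.21", "192.0.2.10",    "udp", 1434, 60),
    Flow("05:31:03", "10.0.5.21", "192.0.2.11",    "udp", 1434, 60),
    # ICMP type 3 (destination unreachable) coming back at the scanning host
    Flow("05:31:02", "203.0.113.1",  "10.0.5.17", "icmp", 3, 56),
    Flow("05:31:02", "198.51.100.1", "10.0.5.17", "icmp", 3, 56),
    Flow("05:31:03", "192.0.2.1",    "10.0.5.17", "icmp", 3, 56),
    Flow("05:31:03", "192.0.2.1",    "10.0.5.20", "icmp", 3, 56),
]


def find_slammer_like_sources(flows, min_distinct_dsts=5, length=376, port=1434):
    """Return {src: distinct destination count} for hosts that sent UDP
    datagrams of exactly `length` bytes to `port` at `min_distinct_dsts`
    or more different addresses. Counting distinct destinations rather
    than packets separates random-address scanning from a busy but
    legitimate client of a single SQL server."""
    dsts = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == port and f.length == length:
            dsts[f.src].add(f.dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def icmp_unreachable_targets(flows, min_count=3):
    """Return {dst: count} for hosts receiving at least `min_count` ICMP
    destination-unreachable messages; a spray at random addresses draws
    these replies from every router whose address space is unpopulated."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.dport == 3:
            counts[f.dst] += 1
    return {dst: n for dst, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("scanning sources:", find_slammer_like_sources(SAMPLE_FLOWS))
    print("unreachable targets:", icmp_unreachable_targets(SAMPLE_FLOWS))
```

The two signals corroborate each other: a host that both sprays fixed-size UDP/1434 datagrams at distinct addresses and collects the resulting unreachable replies is the local copy of the worm that saturates the site's access bandwidth.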

Page 6: Sapphire/Slammer worm impact on Internet routing

Previous works

[Figure: traffic volume (Mbps) by hour of day (0 to 22 h); series: domestic -> international (24th), international -> domestic (24th), domestic -> international (25th), international -> domestic (25th). Source: Joint Investigation Team on Information and Communication Network Intrusion Incidents, "Investigation Results on Information and Communication Network Intrusion Incidents" [5]]

But, how about Sapphire impact on 'Internet Routing'?

Page 7: Sapphire/Slammer worm impact on Internet routing

Routeviews - 1

University of Oregon – Route Views project. Routing information repository for …
Analysis of BGP routing table dynamics.
Work on routing table growth.
Analysis of geographic scope of routing announcements.

Routeviews routers:
route-views.eqix.routeviews.org
route-views.isc.routeviews.org
route-views.linx.routeviews.org
route-views.oregon-ix.net
route-views.wide.routeviews.org
route-views2.oregon-ix.net
route-views3.routeviews.org

reference http://routeviews.org

Page 8: Sapphire/Slammer worm impact on Internet routing

Routeviews - 2

[Figure: the route-views2.oregon-ix.net collector receiving BGP updates from its peers, among them (partial list) Accretive AS11608, AOL AS1668, APAN/tppr-tokyo AS7660, ATT AS7018, CENIC AS2152, DCS.net AS21202, Sprint AS1239, UUNET AS2905, Telstra AS1221, Verio AS2914]

Archive: ftp://archive.routeviews.org/bgpdata
BGP UPDATES dump every 15 min.
BGP RIB (Routing Information Base) snapshot every 2 hours.

peer list – http://routeviews.org/peers/route-views2.oregon-ix has no Korean peers.

reference http://routeviews.org

Page 9: Sapphire/Slammer worm impact on Internet routing

Korean ASes

http://www.cidr-report.org/autnums.html : 362 Korean ASes

8 Major Korean ASes:
AS4766 KORNET
AS3786 DACOM
AS9457 DREAMX
AS9277 THRUNET
AS9318 HANANET
AS7563, 9768 PUBNET
AS4670, 4664 SHINBIRO
AS9848 ENTERPRISENET

16 Other Korean ASes:
AS17832 6KANET
AS4663 ELIMNET
AS10038 FWINet
AS17864 HANVITINB
AS9695 KITINET
AS5051 KOLNET
AS9488 KREN
AS1237, 7623, 17579 KREONET
AS9701 KRLINE
AS7557 KTNET
AS9316 PUBNETPLUS
AS9689 QRIXNET
AS10171 SKTelink
AS10049 SKNETWORKS
AS9644 SKSpeedNet
AS6619 SAMSUNGNETWORKS

reference NIDA and ISIS

Page 10: Sapphire/Slammer worm impact on Internet routing

Scripts

http://an.kaist.ac.kr/~dklee/research/iram/

Do any Korean ASes appear in the AS-PATH? Yes: matched.
Is a Korean AS the origin AS of this entry? Yes: origin-matched.

List RIB/Update dump files. Process binary to machine-readable ASCII transformation.

Sample records (the slide points out the announced prefix, AS-PATH and origin-AS fields):
BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
BGP4MP|1044083314|A|217.75.96.60|16150|63.73.10.0/24|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|
BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23
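As an added example, not the author's scripts from the URL above, here is a Python version of the two tests this slide describes, run over the records shown plus two constructed announcements. It assumes the MRT dumps have already been converted to the pipe-separated BGP4MP text form shown on the slide (the field positions follow that form) and uses the eight major Korean ASes from the previous slide as the match set; the two extra records, their timestamps and their prefixes are constructed.

```python
# Match set: the eight major Korean ASes listed on the "Korean ASes" slide.
KOREAN_ASES = frozenset({4766, 3786, 9457, 9277, 9318, 7563, 9768, 4670, 4664, 9848})

# Sample records: the first six are the ones shown on the slide; the last two are
# constructed to exercise the match rules (one Korean origin, one Korean transit only).
SAMPLE_LINES = [
    "BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||",
    "BGP4MP|1044083314|A|217.75.96.60|16150|63.73.10.0/24|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|",
    "BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23",
    "BGP4MP|1044083320|A|129.250.0.6|2914|203.0.113.0/24|2914 4766 9318|IGP|129.250.0.6|0|0||NAG||",     # constructed
    "BGP4MP|1044083321|A|129.250.0.6|2914|198.51.100.0/24|2914 4766 7473|IGP|129.250.0.6|0|0||NAG||",   # constructed
]


def parse_as_path(text):
    """Turn '16150 8434 {3549,3550}' into a list of ints; an AS_SET is flattened
    so that every member can be checked against the match set."""
    cleaned = text.replace("{", " ").replace("}", " ").replace(",", " ")
    return [int(token) for token in cleaned.split()]


def parse_bgp4mp(line):
    """Parse one pipe-separated BGP4MP record. Announcements (type A) carry an
    AS-PATH in field 6; withdrawals (type W) stop after the prefix in field 5."""
    f = line.split("|")
    rec = {"time": int(f[1]), "type": f[2], "peer_ip": f[3], "peer_as": int(f[4]), "prefix": f[5]}
    if rec["type"] == "A":
        rec["as_path"] = parse_as_path(f[6])
        rec["origin_as"] = rec["as_path"][-1]   # the origin AS is the last AS in the path
    return rec


def classify(rec, korean=KOREAN_ASES):
    """The slide's two questions, for an announcement record:
    matched = some Korean AS is anywhere in the AS-PATH,
    origin_matched = the origin AS itself is Korean."""
    matched = any(asn in korean for asn in rec["as_path"])
    origin_matched = rec["origin_as"] in korean
    return matched, origin_matched


def summarize(lines, korean=KOREAN_ASES):
    """Count announcements, withdrawals, matched and origin-matched announcements
    over a sequence of BGP4MP text records (one update file's worth)."""
    counts = {"announce": 0, "withdraw": 0, "matched": 0, "origin_matched": 0}
    for line in lines:
        rec = parse_bgp4mp(line)
        if rec["type"] == "W":
            counts["withdraw"] += 1
            continue
        counts["announce"] += 1
        matched, origin_matched = classify(rec, korean)
        counts["matched"] += int(matched)
        counts["origin_matched"] += int(origin_matched)
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run per 15-minute update file (or per 2-hour RIB snapshot, where every record is an announcement), the four counters give exactly the time series plotted on the following slides. Note that withdrawals can only be counted, not classified, because the record carries no AS-PATH.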

Page 11: Sapphire/Slammer worm impact on Internet routing

Results

BGP Updates (Announcements and Withdrawals)

reference [6]

Page 12: Sapphire/Slammer worm impact on Internet routing

Results

BGP (origin) matched Announcements

BGP Announcements and Withdrawals increased during the Sapphire impact.

reference [6]

Page 13: Sapphire/Slammer worm impact on Internet routing

Results

BGP RIB Entries

About 15000 prefixes are transited by Korean ASes.

Number of prefixes that can be reached through Korea from abroad.

Page 14: Sapphire/Slammer worm impact on Internet routing

Results

BGP RIB Origin matched entries - 1

[Figure: origin-matched RIB entry count over time, annotated with points S, E, dips D1, D2, D3 and recoveries R1, R2; marked intervals: S to E 50 hours, S to D1 4 hours, D1 to R1 12 hours, R1 to D2 4 hours, D2 to R2 2 hours, R2 to D3 12 hours; also marked: 16 hours, 14 hours]

Page 15: Sapphire/Slammer worm impact on Internet routing

Results

BGP RIB Origin matched entries - 2

Page 16: Sapphire/Slammer worm impact on Internet routing

Results

BGP RIB Origin matched entries - 3

Page 17: Sapphire/Slammer worm impact on Internet routing

Results

Korean Top 8 ASes

Page 18: Sapphire/Slammer worm impact on Internet routing

Results

Other Korean ASes

Page 19: Sapphire/Slammer worm impact on Internet routing

Results

Totally Blacked-out Korean ASes

About 15 of 213 ASes were totally blacked out during the Sapphire/Slammer impact.

[Figure: a stub AS, AS P1, and the peering session between them marked X]

Page 20: Sapphire/Slammer worm impact on Internet routing

Results

Other Non-Korean ASes

A similar phenomenon is also observed for other non-Korean ASes.

[Figure: RIB entry count over time with dips D1, D2, D3 marked]

Page 21: Sapphire/Slammer worm impact on Internet routing

Discussions

During the Sapphire/Slammer worm impact, a massive increase in the number of BGP updates and a decrease in BGP RIB entries is observed.

There are 3 unexplained dips in the RIB snapshots. 'D1' isn't surprising. But why 'D2' and 'D3'?

Page 22: Sapphire/Slammer worm impact on Internet routing

Discussions

BGP doesn't provide sufficient statistics: BGP withdrawals do not contain an AS-PATH, so the mapping between BGP withdrawals and RIB counts is ambiguous.

Routing data of Korea isn't accessible. A well-organized monitoring infrastructure is needed.
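The ambiguity described here comes from withdrawals carrying only the prefix. As an added example, not from the original slides, the Python function below replays a constructed update stream while keeping a per-(peer, prefix) table of the last announced AS-PATH, so that each withdrawal can be charged to the origin AS it removes; it also records the moment an origin's entry count reaches zero, which is the "total blackout" condition of the earlier slide on Korean stub ASes, so one block serves both slides. The tuple layout, the peer names, the prefixes and the timestamps are assumptions (the two origin ASes are taken from the Korean AS list); in practice the table would be seeded from a RIB snapshot taken before the event, and withdrawals for (peer, prefix) pairs never seen in an announcement stay unattributable, which is exactly the gap the slide points at.

```python
from collections import defaultdict

# Constructed update stream (not data from the slides).
# Each tuple: (timestamp, 'A' or 'W', peer, prefix, as_path or None).
# Origins 9318 (HANANET) and 3786 (DACOM) come from the Korean AS list.
SAMPLE_UPDATES = [
    ("05:00", "A", "peer1", "203.0.113.0/24",  [2914, 4766, 9318]),
    ("05:00", "A", "peer1", "198.51.100.0/24", [2914, 4766, 9318]),
    ("05:00", "A", "peer1", "192.0.2.0/24",    [1239, 3786]),
    ("05:00", "A", "peer2", "192.0.2.0/24",    [2914, 3786]),
    ("05:35", "W", "peer1", "203.0.113.0/24",  None),   # 9318: 2 -> 1
    ("05:36", "W", "peer1", "198.51.100.0/24", None),   # 9318: 1 -> 0, total blackout
    ("05:36", "W", "peer1", "192.0.2.0/24",    None),   # 3786: 2 -> 1
    ("05:37", "W", "peer2", "10.9.0.0/16",     None),   # never announced: cannot be attributed
    ("06:10", "A", "peer1", "203.0.113.0/24",  [2914, 4766, 9318]),   # 9318 recovers: 0 -> 1
    ("06:12", "A", "peer2", "192.0.2.0/24",    [1239, 3786]),         # path change, same origin: no count change
]


def replay(updates):
    """Walk the update stream in order and return
    (per_origin_counts, unattributed_withdrawals, blackouts).

    per_origin_counts: origin AS -> number of (peer, prefix) entries currently held.
    unattributed_withdrawals: withdrawals with no stored announcement to charge.
    blackouts: (timestamp, origin AS) each time an origin's count drops to zero."""
    rib = {}                      # (peer, prefix) -> AS-PATH of the entry currently held
    per_origin = defaultdict(int)
    unattributed = 0
    blackouts = []

    def remove(path, ts):
        # An entry leaves the RIB: its stored path tells us which origin loses it.
        origin = path[-1]
        per_origin[origin] -= 1
        if per_origin[origin] == 0:
            blackouts.append((ts, origin))

    for ts, kind, peer, prefix, path in updates:
        key = (peer, prefix)
        if kind == "A":
            old = rib.get(key)
            rib[key] = list(path)
            if old is None:
                per_origin[path[-1]] += 1
            elif old[-1] != path[-1]:           # implicit withdrawal that also moves the origin
                remove(old, ts)
                per_origin[path[-1]] += 1
        elif kind == "W":
            old = rib.pop(key, None)
            if old is None:
                unattributed += 1               # no state for this (peer, prefix): the slide's ambiguity
            else:
                remove(old, ts)
    return dict(per_origin), unattributed, blackouts


if __name__ == "__main__":
    counts, lost, outages = replay(SAMPLE_UPDATES)
    print("entries per origin:", counts)
    print("unattributable withdrawals:", lost)
    print("blackouts:", outages)
```

Keeping the table per peer matters: the same prefix is normally held once per Route Views peer, and a withdrawal from one peer removes only that peer's entry, so counting per (peer, prefix) reproduces what the 2-hour RIB snapshots count while still following every 15-minute update.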

Page 23: Sapphire/Slammer worm impact on Internet routing

References

[1] Analysis of the Sapphire Worm – A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UCSD CSE – http://www.caida.org/analysis/security/sapphire/
[2] CERT Advisory CA-2003-04 MS-SQL Server Worm.
[3] Sapphire worm code disassembled – http://www.eeye.com/html/Research/Flash/sapphire.txt
[4] University of Oregon – Route Views Project page – http://routeviews.org
[5] Joint Investigation Team on Information and Communication Network Intrusion Incidents, "Investigation Results on Information and Communication Network Intrusion Incidents" (정보통신망 침해사고 합동조사단, 정보통신망 침해사고 조사결과).
[6] RIPE NCC RIS, Sapphire/Slammer Worm Impact on Internet Performance – http://www.ripe.net/ttm/Documents/worm/index.html

Page 24: Sapphire/Slammer worm impact on Internet routing


The END

