8/3/2019 Slammer Worm Ppt1
Slammer Worm
By: Varsha Gupta P
08QR1A1216
Why Slammer Was So Fast?
- Bandwidth constraint vs. delay constraint
- Slammer: 404 bytes (376-byte payload), UDP based -- bandwidth constraint
- Code Red: 4K bytes, TCP based -- delay constraint
- UDP vs. TCP
How the Slammer Worm Spreads?
- Slammer targets computers running Microsoft SQL Server 2000 and computers running Microsoft Desktop Engine (MSDE) 2000.
- The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port.
Overview
Slammer worm is also known as:
- SQLSlammer, Sapphire, W32.SQLExp.Worm, Worm.SQL.Helkern, DDOS_SQLP1434.A.
Released:
- January 25, 2003, at about 5:30 a.m. (GMT).
Overview
How?
- Exploits a buffer overflow in MS SQL Server / MS SQL Server Desktop Engine (known vulnerability, July 2002).
- Fastest worm in history.
- Spread world-wide in under 10 minutes.
- Doubled infections every 8.5 seconds.
- 376 bytes long.
Worm History
- What is a worm?
  Self-propagating malicious code.
- History
  The Morris worm was one of the first worms distributed over the Internet.
  Timeline of notable worms:
  http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
- Two examples: Code Red (2001, MS IIS) and Slammer (2003, MS SQL).
Worm Composition
- 376 bytes long
- Less than 300 bytes of executable code
- 404-byte UDP packets, including headers
- Composed of 4 functional sections
Worm Functions
- Reconstructs the session from the buffer overflow.
- Obtains (and verifies!) Windows API function addresses.
- Initializes the pseudo-random number generator and socket structures.
- Continuously generates random IP addresses and sends UDP datagrams of itself.
Affected Operating Systems:
Since SQL Server 2000 and MSDE 2000 can be installed on top of almost all Microsoft Windows operating systems, almost all Windows systems, from Windows 95 to Windows 2000 Datacenter, are affected.
Direct Damage
- Infected between 75,000 and 160,000 systems.
- Disabled SQL Server databases on infected machines.
- Saturated networks world-wide with traffic.
- Disrupted Internet connectivity worldwide.
Effective Damage
- South Korea was off-line
- Disrupted financial institutions
- Airline delays and cancellations
- Affected many U.S. government and commercial websites
Propagation Analysis
- Rapid spread made timely defense impossible.
- Rapid spread caused worm copies to compete.
- Bandwidth limited, not latency limited (does not wait to establish a connection).
- Easy to stop at a firewall.
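The behaviour the deck describes (single UDP datagrams to port 1434, 404 bytes on the wire, sprayed at random addresses with no connection set-up) is also what a defender can key on. The following is an added example, not code from the slides: a small Python detector run over constructed flow records; the thresholds, window length and sample addresses are assumptions.

```python
# Added example (not from the slides): flag Slammer-style traffic in flow records,
# using only what the deck states: UDP/1434, 404 bytes on the wire, random targets.
from collections import defaultdict, namedtuple
Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

SQL_RESOLUTION_PORT = 1434   # UDP port the worm targets (from the slides)
SLAMMER_PACKET_BYTES = 404   # 376-byte payload plus IP/UDP headers (from the slides)
FANOUT_THRESHOLD = 10        # assumed tuning value: distinct UDP/1434 targets per window
WINDOW_SECONDS = 5.0         # assumed detection window

def parse_flow(line):
    """Parse one constructed record: '<epoch> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(nbytes))

def is_slammer_datagram(f):
    """Single-packet check: UDP to 1434 whose size matches the worm's 404 bytes."""
    return f.proto == "udp" and f.dport == SQL_RESOLUTION_PORT and f.nbytes == SLAMMER_PACKET_BYTES

def find_sprayers(flows):
    """Behavioural check: one source hitting many distinct hosts on UDP/1434 in a window."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp" and f.dport == SQL_RESOLUTION_PORT:
            per_src[f.src].append(f)
    sprayers = set()
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end].ts - hits[start].ts > WINDOW_SECONDS:
                start += 1                     # slide the window forward
            if len({h.dst for h in hits[start:end + 1]}) >= FANOUT_THRESHOLD:
                sprayers.add(src)
                break
    return sorted(sprayers)

def analyze(text):
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return {"datagram_hits": sum(map(is_slammer_datagram, flows)),
            "sprayers": find_sprayers(flows)}

def build_sample():
    """Constructed records (not real captures): one sprayer plus benign traffic."""
    lines = [f"{1000 + i * 0.01:.2f} 10.1.2.3 203.0.113.{i + 1} udp 1434 404"
             for i in range(12)]
    lines += ["1000.50 10.1.2.4 10.1.2.10 udp 1434 56",  # small legitimate SQL Browser query
              "1000.60 10.1.2.5 10.1.2.1 udp 53 73",     # DNS lookup
              "1000.70 10.1.2.3 10.1.2.1 tcp 443 1500"]  # unrelated TCP
    return "\n".join(lines)
```

Running analyze(build_sample()) reports 12 matching datagrams and 10.1.2.3 as the only spraying source; the small SQL Browser query and the DNS and TCP records are ignored.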
Propagation Speed
- Infected more than 90 percent of vulnerable hosts within 10 minutes
- Achieved more than 55 million scans per second
- Doubled infections every 8.5 seconds
- Two orders of magnitude faster than Code Red
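To see how the deck's figures fit together, here is an added example (not from the slides) that puts the 8.5-second doubling time and the 404-byte packet size into the logistic random-constant-spread model of worm growth; the 75,000 and 160,000 host counts are the deck's damage figures, while the link speeds are assumptions.

```python
# Added example (not part of the slides): random-constant-spread (logistic) model
# fed with the deck's Slammer numbers. A random scan hits a vulnerable host with
# probability vulnerable / 2^32, so the early growth rate is K = rate * vulnerable / 2^32.
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses the worm picks from at random
PACKET_BYTES = 404               # one worm datagram including headers (from the slides)

def growth_rate(doubling_seconds):
    """Exponential rate K (per second) from a doubling time: a(t) ~ e^(K t) early on."""
    return math.log(2) / doubling_seconds

def time_to_fraction(fraction, vulnerable, k):
    """Seconds until `fraction` of `vulnerable` hosts are infected, starting from one
    infected host, under a(t) = e^(K(t-T)) / (1 + e^(K(t-T))) with a(0) = 1/vulnerable."""
    return math.log((vulnerable - 1) * fraction / (1 - fraction)) / k

def scans_per_host(k, vulnerable):
    """Per-host random-scan rate implied by K and the vulnerable population."""
    return k * ADDRESS_SPACE / vulnerable

def link_scan_capacity(bits_per_second, packet_bytes=PACKET_BYTES):
    """Most datagrams per second a link can carry: this, not round-trip delay, caps a
    UDP worm (the bandwidth constraint the deck contrasts with TCP's delay constraint)."""
    return bits_per_second / (8 * packet_bytes)

def summarize(vulnerable=75_000, doubling_seconds=8.5, link_bps=10e6):
    """Worked numbers; link_bps is an assumed uplink, the other defaults are slide values."""
    k = growth_rate(doubling_seconds)
    rate = scans_per_host(k, vulnerable)
    return {
        "t90_seconds": time_to_fraction(0.9, vulnerable, k),
        "scans_per_host": rate,
        "uplink_bps_needed": rate * PACKET_BYTES * 8,
        "link_capacity_scans": link_scan_capacity(link_bps),
    }

if __name__ == "__main__":
    for n in (75_000, 160_000):
        s = summarize(vulnerable=n)
        print(f"{n} hosts: 90% infected in {s['t90_seconds']:.0f} s; "
              f"{s['scans_per_host']:.0f} scans/s/host needs {s['uplink_bps_needed'] / 1e6:.1f} Mbit/s")
```

With the deck's doubling time the model reaches 90% of 75,000 hosts in roughly 165 seconds, consistent with the "under 10 minutes" claim, and the implied per-host scan rate exceeds what a 10 Mbit/s uplink can carry, which is why the spread was bandwidth limited.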
Propagation Speed [figure slide; graphic not recoverable]
Infections 30 Minutes After Release [figure slide; graphic not recoverable]
Possible Variations
- Could have attacked HTTP or DNS servers.
- Could have gone dormant.
- Could have forged the source port to that of DNS resolution.
Recovery
- Disconnect from the network.
- Reboot the machine, or restart SQL Server.
- Block port 1434 at the external firewall.
- Install the patch.
Patching and Protecting Your Systems
Patch:
- MS had released the patch before the worm attack happened.
Protecting:
- To protect your computers, run SQL Server 2000 with the SQL Server 2000 Security Tools. The SQL Server 2000 Security Tools are used to scan instances of SQL Server 2000 and detect security vulnerabilities, and then apply updates to the affected files.
What ISA Server Can Do To Help Stop Slammer?
We can take the following steps to configure ISA Server to help you protect your network against further infiltration by Slammer.
Note that the steps detailed below assume the following:
- ISA Server is installed in Firewall or Integrated mode
- ISA Server is the only route between the Internet and the internal network
- IP Packet Filtering is enabled
- No Server Publishing rule allows UDP 1434 to the internal network
To help prevent outbound attacks:
- Create a protocol definition
- Create a protocol rule
Create a protocol definition with the following parameters:
- Set Name to SQL Enumeration.
- Set Protocol to UDP.
- Set Direction to Send.
- Set Local Port to Any.
- Set Remote Port to 1434.
Create a protocol rule with the following parameters:
- Set Action to Deny.
- Set Protocol to SQL Enumeration.
- Set Schedule to Always.
- Set Applies To to All requests.
Thank you!!