Slammer worm and the face of things to come...

by Kalyan Varma

On 24th January 2003, at 5:30 am, the Slammer worm broke out. It was the fastest-spreading computer worm in history: it spread throughout the Internet and infected most of the vulnerable hosts it could find within ten minutes.

The worm, which targets SQL Server computers, is self-propagating malicious code that exploits a vulnerability in Microsoft SQL Server. The vulnerability is a stack buffer overflow that allows arbitrary code to be executed on the SQL Server computer.
Once the worm compromises a machine, it tries to propagate itself. It crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/udp. If a packet reaches a vulnerable machine, that victim becomes infected and also begins to propagate. Beyond scanning for new hosts, the current variant of this worm carries no other payload.

The worm's activity is readily identifiable on a network by the presence of 376-byte UDP packets. These packets appear to originate from seemingly random IP addresses and are destined for port 1434/udp.

What makes this worm special?

UDP was chosen as the protocol for the Slammer worm. This was pretty much the first time UDP was chosen over TCP.

Well... let's see... what does UDP have to offer?

  • UDP, not requiring acknowledgement, has much better throughput.
  • UDP does not include the overhead needed to provide reliability and maintain connection-oriented semantics.
  • UDP packets require considerably less processing at the transmitting and receiving hosts.
  • UDP is less heavy on the OS.
  • And most of all, one does not need root access to spoof a UDP packet.

So UDP becomes a perfect candidate for a DoS or a worm. A machine on the Internet can pump 10 times as many UDP packets as TCP packets. The worm no longer needs root privileges on the machine to flood the network: just construct a packet with a random source IP and dump it into the network.

What makes a UDP-based flood even more interesting is this..

When a packet is sent to a UDP port on a machine and no service is running on that port, the destination machine sends back an ICMP Host/Port Unreachable message. This basically amplifies the whole attack. So it's a win-win situation for the worm. If the port is open, go ahead and run the exploit and spread. If the port is closed, then that machine will flood the source.
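As an added example (not code from the original post), here is a small detector that covers both the signature given at the start of the post (376-byte UDP datagrams to port 1434/udp) and the ICMP Port Unreachable replies described in the paragraph above. It runs over a constructed one-line-per-flow log; the record layout, the addresses and the per-source counters are assumptions made for this example, and each closed port is modelled as answering one probe with one ICMP type 3 / code 3 reply.

```python
"""
Added example, not from the original post: a Slammer-style traffic detector
run over constructed flow records.

It flags 376-byte UDP datagrams to port 1434 and counts the ICMP
port-unreachable replies (type 3, code 3) that closed ports send back,
so an analyst sees both the probes and the backscatter they generate.
The record format and sample values are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SLAMMER_PORT = 1434      # MS SQL resolution service, UDP
SLAMMER_LEN = 376        # datagram size named in the post


@dataclass(frozen=True)
class Flow:
    proto: str            # "udp" or "icmp"
    src: str
    dst: str
    dport: int            # 0 for ICMP
    length: int           # datagram length as recorded by the sensor; 0 for ICMP
    icmp: tuple = (0, 0)  # (type, code); (3, 3) is port unreachable


def is_slammer_probe(f: Flow) -> bool:
    """The signature from the post: 376-byte UDP to 1434/udp."""
    return f.proto == "udp" and f.dport == SLAMMER_PORT and f.length == SLAMMER_LEN


def is_port_unreachable(f: Flow) -> bool:
    """ICMP Destination Unreachable / Port Unreachable (type 3, code 3)."""
    return f.proto == "icmp" and f.icmp == (3, 3)


def analyze(flows):
    """Count probes per source, distinct targets per source, and backscatter per destination."""
    probes_by_src = Counter()
    targets_by_src = defaultdict(set)
    backscatter_to = Counter()   # ICMP port-unreachable replies arriving at each host
    for f in flows:
        if is_slammer_probe(f):
            probes_by_src[f.src] += 1
            targets_by_src[f.src].add(f.dst)
        elif is_port_unreachable(f):
            backscatter_to[f.dst] += 1
    return {
        "probes_by_src": dict(probes_by_src),
        "distinct_targets": {s: len(t) for s, t in targets_by_src.items()},
        "backscatter_to": dict(backscatter_to),
    }


def parse_line(line: str) -> Flow:
    """Constructed format: proto src dst dport length [icmp_type icmp_code]."""
    parts = line.split()
    proto, src, dst = parts[0], parts[1], parts[2]
    dport, length = int(parts[3]), int(parts[4])
    icmp = (int(parts[5]), int(parts[6])) if len(parts) > 6 else (0, 0)
    return Flow(proto, src, dst, dport, length, icmp)


# Constructed sample: one infected host probing three targets, two of which
# have 1434/udp closed and answer with ICMP port unreachable; the last two
# lines are benign traffic that matches only part of the signature.
SAMPLE_LOG = """\
udp 192.0.2.10 198.51.100.5 1434 376
udp 192.0.2.10 198.51.100.6 1434 376
udp 192.0.2.10 198.51.100.7 1434 376
udp 192.0.2.10 198.51.100.7 1434 376
icmp 198.51.100.6 192.0.2.10 0 0 3 3
icmp 198.51.100.7 192.0.2.10 0 0 3 3
icmp 198.51.100.7 192.0.2.10 0 0 3 3
udp 192.0.2.20 198.51.100.5 1434 120
udp 192.0.2.30 198.51.100.5 53 376
"""


def analyze_log(text: str):
    return analyze(parse_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for src, n in report["probes_by_src"].items():
        print(f"{src}: {n} Slammer-sized probes to {report['distinct_targets'][src]} hosts")
    for dst, n in report["backscatter_to"].items():
        print(f"{dst}: {n} ICMP port-unreachable replies received")
```

The two counters complement each other: the probe counter identifies an infected source by the size/port signature alone, while the backscatter counter shows which hosts are receiving the ICMP replies that the paragraph above describes, which is useful when the sensor only sees the reply direction.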

When you are dumping 10,000 packets per second into the network... and after that gets amplified... well, that's a lot of traffic.

So this raises the obvious question.. what next?

Only time will tell ....

Copyright ©1980-2003 Kalyan Varma. All Rights Reserved