Slammer worm and the face of things to come... by Kalyan Varma
At about 05:30 UTC on 25 January 2003 (still the evening of the 24th in the US), the Slammer worm broke out. It was the fastest-spreading computer worm seen up to then: it raced across the Internet and had infected over 90% of the vulnerable hosts it could reach within ten minutes.
The worm targets SQL Server machines. It is self-propagating code that exploits a stack buffer overflow in the SQL Server Resolution Service of Microsoft SQL Server 2000 and MSDE 2000, a bug that lets the sender run arbitrary code on the server. Once the worm has compromised a machine it immediately starts propagating: it crafts 376-byte packets and fires them at randomly chosen IP addresses on port 1434/udp. If a packet lands on a vulnerable machine, that machine is infected and starts propagating as well. Beyond this scanning for new hosts, the current variant carries no other payload.

Activity of this worm is easy to spot on a network: 376-byte UDP payloads (404-byte IP datagrams) destined for port 1434/udp, arriving from a seemingly random set of source addresses. Those sources are not forged; they are the infected hosts themselves, each one scanning the whole address space at random.

What makes this worm special?

Slammer spreads over UDP. It was the first major worm to do that instead of riding on TCP, so let's see what UDP has to offer. UDP is connectionless: no handshake, no connection state, no retransmission. One datagram is at once the scan and the exploit, and that makes UDP a near-perfect transport for a worm or a flood. A host can push out an order of magnitude more UDP datagrams per second than it could open TCP connections, and it can do so through the ordinary socket API with no special privileges: the worm just builds a packet, picks a random destination and dumps it on the wire, as fast as the network card will take it. (Forging the source address, the way SYN flooders do, would need raw sockets; Slammer didn't bother, and didn't need to.)

What makes a UDP flood even more interesting is this: when a datagram arrives at a UDP port with no service listening, the destination host answers with an ICMP Destination Unreachable (Port Unreachable) message. So the worm wins either way. If the port is open, it runs the exploit and spreads. If the port is closed, the target sends a packet back at the source, which is an infected host already saturating its link. When a single host is dumping on the order of 10,000 packets per second into the network and a good share of them draw an unreachable back, that is a lot of traffic. (The bounce is one packet per probe and most stacks rate-limit outgoing ICMP, so it adds to the flood rather than multiplying it the way a reflection attack would.)

So this raises the obvious question: what next? Only time will tell...
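The traffic signature described above, and the port-unreachable bounce it draws, as an added example (my code, not Kalyan's and not the worm's): a small dissector that reads raw IPv4 datagrams, flags the 376-byte UDP/1434 probes, recognises the ICMP type 3 / code 3 replies by the probe they quote, and tallies both per infected source. Everything it runs on is constructed inline: the addresses are documentation ranges, the probe payload is a stand-in (the SSRS opcode byte 0x04 followed by filler to 376 bytes, no exploit), and the source port 1041 is arbitrary.

```python
import socket
import struct
from collections import Counter

SSRS_PORT = 1434            # SQL Server Resolution Service, udp
SLAMMER_UDP_PAYLOAD = 376   # UDP payload length of the worm datagram
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def inet_checksum(data):
    """RFC 1071 ones'-complement sum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """(proto, src, dst, payload) for a complete IPv4 datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return (pkt[9], socket.inet_ntoa(pkt[12:16]),
            socket.inet_ntoa(pkt[16:20]), pkt[ihl:total_len])

def is_slammer_probe(pkt):
    """CERT CA-2003-04 signature: UDP to 1434 carrying exactly 376 bytes.
    First payload byte 0x04 is the SSRS request opcode the overflow sits behind."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[0] != IPPROTO_UDP or len(parsed[3]) < 8:
        return False
    udp = parsed[3]
    dport, ulen = struct.unpack("!HH", udp[2:6])
    return (dport == SSRS_PORT and ulen == len(udp)
            and ulen - 8 == SLAMMER_UDP_PAYLOAD and udp[8] == 0x04)

def port_unreachable_for(pkt):
    """For an ICMP type 3 / code 3 message, return (probe_src, probe_dst, probe_dport)
    read from the quoted original IP header plus first 8 bytes of UDP; else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[0] != IPPROTO_ICMP:
        return None
    icmp = parsed[3]
    if len(icmp) < 36 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner[9] != IPPROTO_UDP or len(inner) < ihl + 8:
        return None
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), dport

def summarize(packets):
    """Probes per infected source, and unreachables bounced back to each source."""
    probes, bounces = Counter(), Counter()
    for pkt in packets:
        if is_slammer_probe(pkt):
            probes[parse_ipv4(pkt)[1]] += 1
        elif (hit := port_unreachable_for(pkt)) and hit[2] == SSRS_PORT:
            bounces[hit[0]] += 1
    return probes, bounces


# Constructed sample traffic (documentation address ranges, not a capture).
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_udp(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # cksum 0 = none
    return build_ipv4(src, dst, IPPROTO_UDP, udp)

def build_probe(src, dst):
    # Stand-in for the worm datagram: opcode 0x04 then filler to 376 bytes; no exploit.
    return build_udp(src, dst, 1041, SSRS_PORT, b"\x04" + b"\x01" * (SLAMMER_UDP_PAYLOAD - 1))

def build_port_unreachable(probe):
    """What a host with nothing on udp/1434 sends back: type 3, code 3, quoting the probe."""
    _, src, dst, _ = parse_ipv4(probe)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + probe[:(probe[0] & 0x0F) * 4 + 8]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(dst, src, IPPROTO_ICMP, body)

P1 = build_probe("198.51.100.7", "203.0.113.9")    # infected host -> closed port
P2 = build_probe("198.51.100.7", "203.0.113.20")   # same host -> listening host (no bounce)
P3 = build_probe("192.0.2.44", "203.0.113.9")      # second infected host -> closed port
SAMPLE = [
    P1, build_port_unreachable(P1), P2, P3, build_port_unreachable(P3),
    build_udp("10.0.0.5", "10.0.0.53", 40000, 53, b"\x12\x34\x01\x00"),  # unrelated DNS
    build_udp("10.0.0.5", "10.0.0.8", 40001, SSRS_PORT, b"\x02"),       # normal SSRS browse
]

if __name__ == "__main__":
    probes, bounces = summarize(SAMPLE)
    for src, n in probes.items():
        print(f"{src}: {n} probes out, {bounces[src]} port-unreachables back")
```

The dissector starts at the IP header, so to run it over a real capture you would strip the link-layer framing first. The length check is the whole signature here; an IDS rule would add content matches on the payload, but on a flooded link the 376-byte datagrams to 1434/udp alone are unmistakable. Note that the bounce count in real traffic comes out lower than one per missed probe, because hosts rate-limit the ICMP they send.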