Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:

 

Sapphire/Slammer worm shatters previous speed records for spreading through the Internet

05.02.2003


A team of network security experts in California has determined that the computer worm that attacked and hobbled the global Internet eleven days ago was the fastest computer worm ever recorded. In a technical paper released today, the experts report that the speed and nature of the Sapphire worm (also called Slammer) represent significant and worrisome milestones in the evolution of computer worms.

Computer scientists at the University of California, San Diego and its San Diego Supercomputer Center (SDSC), Eureka-based Silicon Defense, the University of California, Berkeley, and the nonprofit International Computer Science Institute in Berkeley, found that the Sapphire worm doubled its numbers every 8.5 seconds during the explosive first minute of its attack. Within 10 minutes of debuting at 5:30 a.m. (UTC) Jan. 25 (9:30 p.m. PST, Jan. 24) the worm was observed to have infected more than 75,000 vulnerable hosts. Thousands of other hosts may also have been infected worldwide. The infected hosts spewed billions of copies of the worm into cyberspace, significantly slowing Internet traffic, and interfering with many business services that rely on the Internet.

“The Sapphire/Slammer worm represents a major new threat in computer worm technology, demonstrating that lightning-fast computer worms are not just a theoretical threat, but a reality,” said Stuart Staniford, president and founder of Silicon Defense. “Although this particular computer worm did not carry a malicious payload, it did a lot of harm by spreading so aggressively and blocking networks.”



The Sapphire worm’s software instructions, at 376 bytes, are about the length of the text in this paragraph, or only one-tenth the size of the Code Red worm, which spread through the Internet in July 2001. Sapphire’s tiny size enabled it to reproduce rapidly and also fit into a type of network “packet” that was sent one-way to potential victims, an aggressive approach designed to infect all vulnerable machines rapidly and saturate the Internet’s bandwidth, the experts said. In comparison, the Code Red worm spread much more slowly not only because it took longer to replicate, but also because infected machines sent a different type of message to potential victims that required them to wait for responses before subsequently attacking other vulnerable machines.

The Code Red worm ended up infecting 359,000 hosts, in contrast to the approximately 75,000 machines that Sapphire hit. However, Code Red took about 12 hours to do most of its dirty work, a snail’s pace compared with the speedy Sapphire. The Code Red worm sent six copies of itself from each infected machine every second, in effect “scanning” the Internet randomly for vulnerable machines. In contrast, the speed with which the diminutive Sapphire worm copied itself and scanned the Internet for additional vulnerable hosts was limited only by the capacity of individual network connections.

“For example, the Sapphire worm infecting a computer with a one-megabit-per-second connection is capable of sending out 300 copies of itself each second,” said Staniford. A single computer with a 100-megabit-per-second connection, found at many universities and large corporations, would allow the worm to scan 30,000 machines per second.

“The novel feature of this worm, compared to all the other worms we’ve studied, is its incredible speed: it flooded the Internet with copies of itself so aggressively that it basically clogged the available bandwidth and interfered with its own growth,” said David Moore, an Internet researcher at SDSC’s

Cooperative Association for Internet Data Analysis (CAIDA) and a Ph.D. candidate at UCSD under the direction of Stefan Savage, an assistant professor in the Department of Computer Science and Engineering. “Although our colleagues at Silicon Defense and UC Berkeley had predicted the possibility of such high-speed worms on theoretical grounds, Sapphire is the first such incredibly fast worm to be released by computer hackers into the wild,” said Moore.

Sapphire exploited a known vulnerability in Microsoft SQL servers used for database management, and MSDE 2000, a mini version of SQL for desktop use. Although Microsoft had made a patch available, many machines did not have the patch installed when Sapphire struck. Fortunately, even the successfully attacked machines were only temporarily out of service.

“Sapphire’s greatest harm was caused by collateral damage—a denial of legitimate service by taking database servers out of operation and overloading networks,” said Colleen Shannon, a CAIDA researcher. “At Sapphire’s peak, it was scanning 55 million hosts per second, causing a computer version of freeway gridlock when all the available lanes are bumper-to-bumper.” Many operators of infected computers shut down their machines, disconnected them from the Internet, installed the Microsoft patch, and turned them back on with few, if any, ill effects.

The team in California investigating the attack relied on data gathered by an array of Internet “telescopes” strategically placed at network junctions around the globe. These devices sampled billions of information-containing “packets” analogous to the way telescopes gather photons.

With the Internet telescopes, the team found that nearly 43 percent of the machines that became infected are located in the United States, almost 12 percent are in South Korea, and more than 6 percent are in China.

Despite the worm’s success in wreaking temporary havoc, the technical report analyzing Sapphire states that the worm’s designers made several "mistakes” that significantly reduced the worm’s distribution capability.

For example, the worm combined high-speed replication with a commonly used random number generator to send messages to every vulnerable server connected to the Internet. This so-called scanning behavior is much like a burglar randomly rattling doorknobs, looking for one that isn’t locked. However, the authors made several mistakes in adapting the random number generator. Had not there been enough correct instructions to compensate for the mistakes, the errors would have prevented Sapphire from reaching large portions of the Internet.

The analysis of the worm revealed no intent to harm its infected hosts. “If the authors of Sapphire had desired, they could have made a slightly larger version that could have erased the hard drives of infected machines,” said Nicholas Weaver, a researcher in the Computer Science Department at UC Berkeley. “Thankfully, that didn’t occur.”

The authors of the report are:
David Moore, CAIDA and the Department of Computer Science and Engineering at the Jacobs School of Engineering at UCSD
Vern Paxson, the International Computer Science Institute and Lawrence Berkeley National Laboratory
Stefan Savage, Department of Computer Science and Engineering at UCSD
Colleen Shannon, CAIDA
Stuart Staniford, Silicon Defense
Nicholas Weaver, Silicon Defense and the Electrical Engineering and Computer Sciences Department at UC Berkeley

For more information about the institutions and organizations involved in the report, go to the San Diego Supercomputer Center (http://www.sdsc.edu), CAIDA (http://www.caida.org), the UCSD Computer Science and Engineering Department (http://www.cs.ucsd.edu/), Silicon Defense (http://www.silicondefense.com/), the International Computer Science Institute (http://www.icsi.berkeley.edu/), and the Electrical Engineering and Computer Sciences Department at UC Berkeley (http://www.eecs.berkeley.edu/)

Rex Graham | EurekAlert!
Further information:
http://www.ucsd.edu/
http://www.silicondefense.com/sapphire/

More articles from Information Technology:

nachricht No more traffic blues for information transfer: decongesting wireless channels
11.11.2019 | Tokyo University of Science

nachricht A new quantum data classification protocol brings us nearer to a future 'quantum internet'
11.11.2019 | Universitat Autonoma de Barcelona

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: New Pitt research finds carbon nanotubes show a love/hate relationship with water

Carbon nanotubes (CNTs) are valuable for a wide variety of applications. Made of graphene sheets rolled into tubes 10,000 times smaller than a human hair, CNTs have an exceptional strength-to-mass ratio and excellent thermal and electrical properties. These features make them ideal for a range of applications, including supercapacitors, interconnects, adhesives, particle trapping and structural color.

New research reveals even more potential for CNTs: as a coating, they can both repel and hold water in place, a useful property for applications like printing,...

Im Focus: Magnets for the second dimension

If you've ever tried to put several really strong, small cube magnets right next to each other on a magnetic board, you'll know that you just can't do it. What happens is that the magnets always arrange themselves in a column sticking out vertically from the magnetic board. Moreover, it's almost impossible to join several rows of these magnets together to form a flat surface. That's because magnets are dipolar. Equal poles repel each other, with the north pole of one magnet always attaching itself to the south pole of another and vice versa. This explains why they form a column with all the magnets aligned the same way.

Now, scientists at ETH Zurich have managed to create magnetic building blocks in the shape of cubes that - for the first time ever - can be joined together to...

Im Focus: A new quantum data classification protocol brings us nearer to a future 'quantum internet'

The algorithm represents a first step in the automated learning of quantum information networks

Quantum-based communication and computation technologies promise unprecedented applications, such as unconditionally secure communications, ultra-precise...

Im Focus: Distorted Atoms

In two experiments performed at the free-electron laser FLASH in Hamburg a cooperation led by physicists from the Heidelberg Max Planck Institute for Nuclear physics (MPIK) demonstrated strongly-driven nonlinear interaction of ultrashort extreme-ultraviolet (XUV) laser pulses with atoms and ions. The powerful excitation of an electron pair in helium was found to compete with the ultrafast decay, which temporarily may even lead to population inversion. Resonant transitions in doubly charged neon ions were shifted in energy, and observed by XUV-XUV pump-probe transient absorption spectroscopy.

An international team led by physicists from the MPIK reports on new results for efficient two-electron excitations in helium driven by strong and ultrashort...

Im Focus: A Memory Effect at Single-Atom Level

An international research group has observed new quantum properties on an artificial giant atom and has now published its results in the high-ranking journal Nature Physics. The quantum system under investigation apparently has a memory - a new finding that could be used to build a quantum computer.

The research group, consisting of German, Swedish and Indian scientists, has investigated an artificial quantum system and found new properties.

All Focus news of the innovation-report >>>

Anzeige

Anzeige

VideoLinks
Industry & Economy
Event News

High entropy alloys for hot turbines and tireless metal-forming presses

05.11.2019 | Event News

Smart lasers open up new applications and are the “tool of choice” in digitalization

30.10.2019 | Event News

International Symposium on Functional Materials for Electrolysis, Fuel Cells and Metal-Air Batteries

02.10.2019 | Event News

 
Latest News

Small RNAs link immune system and brain cells

13.11.2019 | Life Sciences

New Pitt research finds carbon nanotubes show a love/hate relationship with water

13.11.2019 | Materials Sciences

Magnets for the second dimension

12.11.2019 | Machine Engineering

VideoLinks
Science & Research
Overview of more VideoLinks >>>