Analysis of the W32.Slammer Worm
Mikhail Akhmeteli
Presentation transcript (slides uploaded November 20, 2007; license: All Rights Reserved)

W32.Slammer Overview
- Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
- Released: January 25, 2003, at about 5:30 a.m. (GMT)
- Fastest worm in history: spread world-wide in under 10 minutes
- Doubled the infected population every 8.5 seconds
- 376 bytes long

Overview (continued)
- Platform: Microsoft SQL Server 2000
- Vulnerability: buffer overflow
- A patch had been available for 6 months
- Propagation: a single UDP packet
- Features: memory resident, hand-coded in assembly

Direct Damage
- Infected between 75,000 and 160,000 systems
- Disabled SQL Server databases on infected machines
- Saturated networks worldwide with scan traffic
- Disrupted Internet connectivity world-wide

Effective Damage
- South Korea was taken off-line
- Disrupted financial institutions
- Airline delays and cancellations
- Affected many U.S. government and commercial websites

Specific Damage
- 13,000 Bank of America ATMs stopped working
- Continental Airlines flights were cancelled and delayed; the ticketing system was inundated with traffic
- Airport self-check-in kiosks stopped working
- Triggered Cisco router bugs at Internet backbones

Propagation Technique
- Single UDP packet
- Targets port 1434 (Microsoft-SQL-Monitor, the SQL Server Resolution Service)
- Causes a buffer overflow
- Continuously sends itself in UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
- Does not check whether target machines exist

Recovery
- Disconnect from the network
- Reboot the machine, or restart SQL Server (the worm is memory resident only, so it does not survive either)
- Block port 1434 at the external firewall
- Install the patch

Propagation Speed
- Infected 90% of vulnerable machines within 10 minutes
- Doubled infections every 8.5 seconds
- Achieved 55 million scans per second
- Two orders of magnitude faster than Code Red

Propagation Speed (figure)
[Growth curve; source: http://www.caida.org/analysis/security/sapphire/]

Infections 30 Minutes After Release (figure)
[Figure; source: http://www.caida.org/analysis/security/sapphire/]

Propagation Analysis
- Rapid spread made timely defense impossible
- Rapid spread caused worm copies to compete for bandwidth
- Bandwidth limited, not latency limited (UDP: it doesn't wait to establish a connection)
- Easy to stop at a firewall

Possible Variations
- Could have attacked HTTP or DNS servers
- Could have gone dormant
- Could have forged its source port to look like DNS resolution traffic

Worm Composition
- 376 bytes long
- Less than 300 bytes of executable code
- 404-byte UDP packets, including IP and UDP headers
- Composed of 4 functional sections

Worm Functions
- Reconstructs the session from the buffer overflow
- Obtains (and verifies!) Windows API function addresses
- Initializes the pseudo-random number generator and socket structures
- Continuously generates random IP addresses and sends UDP datagrams of itself

Packet Capture
[Annotated capture of the worm packet; labelled regions: Buffer Overflow, Reconstruct session, Get Windows API addresses, Initialize PRNG and socket, Send Packets]

References
eEye Digital Security. http://www.eeye.com/html/Research/Flash/sapphire.txt
Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
Internet Storm Center. http://isc.incidents.org/analysis.html?id=180
The Washington Post. http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
C|NET News.com. http://news.com.com/2100-1001-982135.html
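The Propagation Speed and Propagation Analysis slides give three numbers (doubling every 8.5 seconds, 55 million scans per second, 90% of hosts in under 10 minutes) and the claim that the copies were bandwidth limited and competed with each other. The model below, added here as an illustration and not part of the slides or of CAIDA's paper, ties those numbers together: it derives the per-host scan rate that an 8.5 second doubling time implies for a random scanner over the IPv4 space, then integrates a simple susceptible/infected model with and without an aggregate scan-rate cap. The 75,000 vulnerable hosts (low end of the slides' range) and the use of the 55 million scans/s figure as a hard bandwidth cap are assumptions made for the example.

```python
"""Random-scanning worm model parameterised with the Slammer slides' figures.

Added illustration (constructed; not the slides' or CAIDA's model).
"""
import math

ADDRESS_SPACE = 2 ** 32        # IPv4 addresses a random scan can land on
VULNERABLE = 75_000            # assumption: low end of the slides' 75,000-160,000
DOUBLING_TIME = 8.5            # seconds, from the slides
PEAK_SCAN_RATE = 55_000_000    # aggregate scans/s from the slides, used as a cap


def per_host_scan_rate(doubling_time=DOUBLING_TIME, vulnerable=VULNERABLE,
                       address_space=ADDRESS_SPACE):
    """Per-host scans/s implied by an observed early doubling time.

    While almost nobody is infected, each of I hosts sends r random scans/s
    and each scan hits a vulnerable host with probability N/A, so
    dI/dt = I * r * N / A, I(t) = I0 * exp(r*N/A * t), and the doubling
    time is ln(2) / (r*N/A).  Solving for r gives the value returned.
    """
    return math.log(2) * address_space / (doubling_time * vulnerable)


def simulate(duration=600.0, dt=0.05, rate=None, cap=PEAK_SCAN_RATE,
             vulnerable=VULNERABLE, address_space=ADDRESS_SPACE):
    """Euler-integrate the infected count; returns [(t, infected), ...].

    `cap` models the bandwidth limit: once the aggregate scan rate I*r would
    exceed it, every copy slows down (the copies compete).  cap=None gives
    an idealised worm with unlimited bandwidth.
    """
    if rate is None:
        rate = per_host_scan_rate(vulnerable=vulnerable,
                                  address_space=address_space)
    infected = 1.0                       # patient zero
    t = 0.0
    samples = [(t, infected)]
    while t < duration:
        aggregate = infected * rate
        if cap is not None:
            aggregate = min(aggregate, cap)
        susceptible = vulnerable - infected
        infected += aggregate * susceptible / address_space * dt
        t += dt
        samples.append((t, infected))
    return samples


def time_to_reach(samples, count):
    """First model time at which the infected count reaches `count`, or None."""
    for t, infected in samples:
        if infected >= count:
            return t
    return None


if __name__ == "__main__":
    capped = simulate()
    ideal = simulate(cap=None)
    target = 0.9 * VULNERABLE
    print(f"implied per-host scan rate:    {per_host_scan_rate():,.0f} scans/s")
    print(f"doubling time in model:        {time_to_reach(capped, 2):.2f} s")
    print(f"90% infected, bandwidth cap:   {time_to_reach(capped, target):.0f} s")
    print(f"90% infected, unlimited bw:    {time_to_reach(ideal, target):.0f} s")
```

The implied rate comes out in the low thousands of scans per second per host, which is why a single UDP datagram per scan with no handshake matters: a TCP worm would be limited by connection latency, whereas this one only runs out of link bandwidth. With the cap in place the model still reaches 90% of the vulnerable population well inside the 10 minutes the slides report, but noticeably later than the uncapped curve, which is the "copies compete" effect.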
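The Propagation Technique, Worm Composition and Packet Capture slides describe the worm as one 404-byte UDP datagram to port 1434 carrying 376 bytes of payload that overflows the SQL Server Resolution Service. The check below, added here as an example and not taken from the slides, shows what a signature-style detector for that datagram looks like: it parses a raw IPv4/UDP packet, confirms the destination port and payload length, and looks at the request type. The fact that the overflow was triggered by an oversized 0x04 (instance-name lookup) request padded with 0x01 bytes comes from the eEye analysis in the references, not from the slides; the 16-byte padding check, the 64-byte "sane request" threshold, and the sample packets (a worm-shaped payload whose code bytes are replaced by NOP filler, an SSRS ping, a normal lookup, an oversized lookup, and the worm payload sent to 1433) are all constructed for this example.

```python
"""Signature-style check for Slammer-shaped UDP datagrams to port 1434.

Added illustration; all packets below are constructed, not captured.
"""
import struct

SSRS_PORT = 1434            # Microsoft-SQL-Monitor / SQL Server Resolution Service
SLAMMER_PAYLOAD_LEN = 376   # worm length from the slides (404 bytes on the wire)
SSRS_INSTANCE_LOOKUP = 0x04 # request type the overflow rode on (eEye analysis)
PADDING_RUN = b"\x01" * 16  # assumption: prefix of the worm's 0x01 filler
MAX_SANE_LOOKUP_LEN = 64    # assumption: legit lookups carry a short name


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP packet builder (checksums left zero; offline use only)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def parse_udp(packet):
    """Return (dst_port, payload) for an IPv4/UDP packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17 or ihl < 20 or total_len > len(packet) or ihl + 8 > total_len:
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        return None
    return dport, packet[ihl + 8:ihl + udp_len]


def classify(packet):
    """'slammer' for the exact worm shape, 'suspicious' for any oversized
    instance lookup to 1434, 'benign' for everything else."""
    parsed = parse_udp(packet)
    if parsed is None:
        return "benign"
    dport, payload = parsed
    if dport != SSRS_PORT or not payload or payload[0] != SSRS_INSTANCE_LOOKUP:
        return "benign"
    if len(payload) == SLAMMER_PAYLOAD_LEN and payload[1:].startswith(PADDING_RUN):
        return "slammer"
    if len(payload) > MAX_SANE_LOOKUP_LEN:
        return "suspicious"   # too long for an instance name: overflow attempt
    return "benign"


# Constructed samples.  The worm-shaped payload keeps only the layout
# (0x04, 0x01 filler, then 278 bytes standing in for the code) with NOPs.
WORM_SHAPED_PAYLOAD = b"\x04" + b"\x01" * 97 + b"\x90" * (SLAMMER_PAYLOAD_LEN - 98)
SAMPLE_PACKETS = {
    "worm_shaped": build_ipv4_udp("10.0.0.5", "10.0.1.9", 1034, 1434, WORM_SHAPED_PAYLOAD),
    "ssrs_ping": build_ipv4_udp("10.0.0.5", "10.0.1.9", 1035, 1434, b"\x02"),
    "instance_lookup": build_ipv4_udp("10.0.0.5", "10.0.1.9", 1036, 1434, b"\x04SQLEXPRESS\x00"),
    "oversized_lookup": build_ipv4_udp("10.0.0.5", "10.0.1.9", 1037, 1434, b"\x04" + b"A" * 200),
    "wrong_port": build_ipv4_udp("10.0.0.5", "10.0.1.9", 1038, 1433, WORM_SHAPED_PAYLOAD),
}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:17s} {len(pkt):4d} bytes -> {classify(pkt)}")
```

The "suspicious" branch is the more durable check: the exact 376-byte, 0x01-padded shape catches this worm, but any 0x04 request far longer than an instance name could hold is the underlying overflow condition, which is also why the Recovery slide's advice to block 1434 at the border firewall works regardless of variant.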