
The Spread of the Sapphire/Slammer Worm


Sapphire Worm



Fastest computer worm in history
Doubled in size every 8.5 seconds
Infected 90% of vulnerable hosts within 10 minutes
Also known as Slammer
January 25, 2003
Microsoft's SQL Server
Flaw was discovered in July 2002
Patch was released before the flaw was announced
75,000 hosts


Why?


Patch was released half a year before the outbreak
Service is generally not publicly used (port 1434)
If users were not so ignorant, this worm would never have existed
Firewalls were already known
As was their benefit
Vulnerability was known
None of the affected systems had applied the patch


Sapphire: A Random Scanning Worm


Spread exponentially, and rapidly
Random constant spread (RCS) model
Spread initially conformed to the RCS model, before it began to saturate
Bandwidth-limited (one-way communication only)
Send and never care
Latency-limited
Send and wait for response (RTT)
30,000 scans/second


Pseudo Random Number Generator (PRNG)

X' = (X * a + b) mod m
Very efficient
Reasonably good distributional properties
Implementation flaws
One worm didn't scan the full network
However, all worms together still reached the full network
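
The effect described in the last two points can be reproduced on a toy scale. The following is an added example, not part of the original slides and not the worm's code: the modulus, multiplier and increments are constructed values chosen so that one increment gives a full-period generator and the other splits the state space into separate cycles.

```python
# Added example: cycle structure of X' = (X * a + b) mod m on a toy 16-bit space.
# M, A, GOOD_B and FLAWED_B are constructed values, not the worm's constants.
M = 2 ** 16
A = 25173
GOOD_B = 13849      # odd increment: one cycle through all M states
FLAWED_B = 13848    # even increment: the state space splits into many cycles


def step(x, a, b, m=M):
    """One iteration of the generator from the slide."""
    return (x * a + b) % m


def coverage(seed, a, b, m=M):
    """Fraction of the space a single instance visits when started from seed."""
    seen = bytearray(m)
    x, n = seed % m, 0
    while not seen[x]:
        seen[x] = 1
        x = step(x, a, b, m)
        n += 1
    return n / m


def cycle_lengths(a, b, m=M):
    """Length of every cycle, longest first (m a power of two, a odd)."""
    if a % 2 == 0:
        raise ValueError("a must be odd so the map is a permutation")
    visited = bytearray(m)
    lengths = []
    for start in range(m):
        x, n = start, 0
        while not visited[x]:   # walk the cycle containing start
            visited[x] = 1
            x = step(x, a, b, m)
            n += 1
        if n:
            lengths.append(n)
    return sorted(lengths, reverse=True)


if __name__ == "__main__":
    for name, b in (("good", GOOD_B), ("flawed", FLAWED_B)):
        cycles = cycle_lengths(A, b)
        print(f"{name}: {len(cycles)} cycles, longest covers {cycles[0] / M:.0%}, "
              f"all cycles together cover {sum(cycles) / M:.0%}")
```

With the flawed increment no single seed reaches more than a quarter of the toy space, yet the cycles are disjoint and together cover all of it, which is the pattern the two points above describe.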


Spread and Operator Response


55 million scans per second across the Internet in under 3 minutes
Destination port was fixed (UDP port 1434)
Not widely used
Easy to block
Constant scan rate
Easy to identify


Conclusions


Speed is not dependent on protocol
Smaller populations are also a target, and therefore a threat
20,000 nodes in under one hour
What would happen if it stopped scanning after 10 minutes?
Hard to identify attack
Hard to identify infected machines
The world became aware of the threat (at least for some time)
One could think it was a lesson, but history proves us wrong (How many email worms do you get per day?)