Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Will The Next Slammer Strike?

Posted by timothy on from the not-to-pick-on-anyone dept.

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

6 of 408 comments (clear)

  1. Re:Could someone explain... by Anonymous Coward · · Score: 5, Informative

    ATMs are not connected to the internet, but to the bank's private network, which, yes, runs over TCP/IP. So a computer that got infected and had access to the internal network would be enough to crash those reachable ATMs.

    Brett Glass : http://www.brettglass.com

  2. Re:Could someone explain... by MoTec · · Score: 5, Informative

    Many ATMs use a phone line to connect to the network to run the transaction so if the phone lines are down so is the ATM. Some use leased lines or other communication technologies but a POTS line does the job and is often cheapest.

  3. Re:Government Funding of Security/Virus Prevention by damiam · · Score: 5, Informative
    I think we ought to make virus-protection code public

    It is.

    who can't afford 50 bucks on a virus scanner or decent firewall software

    Then don't pay 50 bucks.

    I saw Nimda infections up until the end of last year

    Norton and McAfee both provided free available Nimda removal tools. Besides, if you can afford IIS, you can afford a virus scanner.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  4. Analysis of the Slammer/Sapphire worm by Istealmymusic · · Score: 5, Informative
    This was posted on BugTraq:
    From: "Nicholas Weaver"
    Date: Fri, 31 Jan 2003 6:09 PM
    To: bugtraq@securityfocus.com
    Subject: The Spread of the Sapphire/Slammer SQL Worm
    We have completed our preliminary analysis of the spread of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.

    This remarkable speed, nearly two orders of magnitude faster than Code Red, was the result of a bandwidth-limited scanner. Since Sapphire didn't need to wait for responses, each copy could scan at the maximum rate that the processor and network bandwidth could support.

    There were also two noteworthy bugs in the pseudo-random number generator which complicated our analysis and limited our ability to estimate the total infection but did not slow the spread of the worm.

    The full analysis is available at

    David Moore, CAIDA & UCSD CSE
    Vern Paxson, ICIR & LBNL
    Stefan Savage, UCSD CSE
    Colleen Shannon, CAIDA
    Stuart Staniford, Silicon Defense
    Nicholas Weaver, Silicon Defense and UC
    Berkeley EECS

    A must read for anyone who wants to know about this worm. Its impact was huge--90% infection of all vulnerable hosts in 10 minutes . Even some E911 systems were knocked out. The internet routers at large were saturated with 120ms latency. Twice the speed of Code Red. All this with a simple PRNG scanning algorithm.
    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  5. Re:Could someone explain... by JediTrainer · · Score: 5, Informative

    Yes. ATMs as in bank ATMs. Cash machines.

    I don't know about most people, but the outage affected customers of CIBC Bank in Canada, who couldn't withdraw their cash from many machines throughout Ontario (the news said Toronto only, but it affected some of my family and friends in other areas too).

    Being a customer of a different bank (TD Canada Trust), I was not affected.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  6. Re:MS's own DBs were affected by Bedouin+X · · Score: 5, Informative

    They (MS) know better than anyone that applying an SQL Server hotfix is a royal pain in the ass. They just modified the initial Slammer vulnerability patch so that it has an installer. Before that you had to stop the server, backup the files, copy the new files manually into their respective directories, and then run a couple of queries in the query analyzer.

    This and MS's reputation for having to patch patches (sometime 2 or 3 times) is why people don't jump at the chance to apply one of those damn things. It took this incident for them to make installing a simple SQL Server hotfix less than a 25 minute job.

    I also downloaded SP3 4 times and every time I tried to run setup, I got a "setupsql.exe can not be found" error. I STILL don't have SP3 on my SQL server, but it's firewalled anyway so I'm not totally naked.

    --
    Dissolve... Resolve... Evolve...