The Slammer worm, more commonly known as the SQL Slammer worm, is infamous for its DoS (denial-of-service) attack on various internet hosts. The attack occurred on January 25, 2003 at 5:30 pm, infecting more than 75,000 machines within ten minutes. Despite the name, the Slammer worm didn’t use the SQL language as its method of exploitation; instead, it exploited a buffer overflow condition in Microsoft’s SQL Server and other database products.
Internet Storm Center and other sites monitoring internet traffic reported significant performance issues across the globe, similar to the impact of the Code Red worm that struck in 2001. Yonhap, a news agency in South Korea, reported that several internet services worldwide were shut down for some time on January 25, 2003. The Slammer worm was also detected throughout most of North America, Asia and Europe. The overall impact was somewhat mitigated by the fact that the worm struck over the weekend.
The exploitation of MSDE (Microsoft SQL Server Desktop Engine) tremendously increased the number of infected systems. Many home PC users were unaware that MSDE was present on their machines, which worsened the impact.
How the Slammer Worm Propagated
According to several analyses of the worm, its propagation followed an exponential path with a doubling time of 8.5 seconds in the earlier stages of the attack. This rate slowed only when several networks failed under the DoS condition caused by all of Slammer’s traffic. A router is designed to delay or temporarily halt traffic when it becomes too much to handle. The Slammer worm caused these routers to crash instead, forcing neighboring routers to remove them from their routing tables. This process spread from router to router, flooding multiple routing tables with updates, which eventually caused other routers to fail. The routers were soon restarted and announced their status, sparking another wave of updates in various routing tables. Shortly thereafter, large portions of internet bandwidth were consumed as the routers were in constant communication with one another trying to update their tables. Because the Slammer worm was small in size, it was still able to get through the network, bringing the internet to a standstill.
Attack on Networks
The Slammer worm was more of a network scare than a threat to personal users. Home computers typically were not vulnerable to infection unless they had MSDE installed. The Slammer worm is so small that it contains no code that allows it to be written to a hard disk, meaning that it has to stay resident in memory, which makes the infection fairly easy to remove. Symantec Corporation and several other security vendors offer free utilities that effectively remove the worm.
The Slammer worm is the first known example of a Warhol worm, a rapidly propagating internet threat first hypothesized in 2002 by Nicholas Weaver. This classification rests on the two key elements that contributed to the worm’s rate of propagation: it infected new machines over UDP (User Datagram Protocol), and the entire program was small enough to fit inside a single packet. This gave an infected host the ability to distribute at least hundreds of packets per second.
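The traffic pattern described above (small single-datagram UDP, hundreds of packets per second, many different destinations) is what a network monitor can key on. The following is an added example, not code from the original article: a detector over flow records in which the record layout, thresholds, addresses, ports and sizes are all constructed assumptions.

```python
from collections import defaultdict

def find_scanners(flows, min_pps=100, min_dsts=50, max_len=512):
    """Flag (src, dport) pairs that, within any one-second window, send many
    small UDP datagrams to many distinct destinations.

    flows: iterable of (timestamp, src, dst, proto, dport, payload_len).
    The three thresholds are assumptions to tune per network.
    """
    pkts = defaultdict(int)    # (src, dport, second) -> datagram count
    dsts = defaultdict(set)    # (src, dport, second) -> destinations seen
    for ts, src, dst, proto, dport, length in flows:
        if proto != "udp" or length > max_len:
            continue           # only small single-datagram UDP traffic
        key = (src, dport, int(ts))
        pkts[key] += 1
        dsts[key].add(dst)

    alerts = {}
    for (src, dport, sec), count in pkts.items():
        fanout = len(dsts[(src, dport, sec)])
        if count >= min_pps and fanout >= min_dsts:
            best = alerts.get((src, dport))
            if best is None or count > best["pps"]:
                alerts[(src, dport)] = {"second": sec, "pps": count,
                                        "distinct_dsts": fanout}
    return alerts

def build_sample():
    """Constructed flow records, not captured traffic."""
    flows = []
    # Scanner-like host: 200 small datagrams to 200 different hosts in 1 s.
    for i in range(200):
        flows.append((100 + i / 200, "10.0.0.5", f"203.0.113.{i + 1}", "udp", 1434, 376))
    # Busy DNS client: high rate, but a single destination.
    for i in range(150):
        flows.append((100 + i / 150, "10.0.0.9", "192.0.2.53", "udp", 53, 60))
    # Bulk UDP sender: many destinations, but large datagrams.
    for i in range(120):
        flows.append((100 + i / 120, "10.0.0.7", f"198.51.100.{i + 1}", "udp", 5004, 1200))
    # TCP traffic is ignored entirely.
    for i in range(120):
        flows.append((100 + i / 120, "10.0.0.8", f"198.51.100.{i + 1}", "tcp", 443, 40))
    return flows

if __name__ == "__main__":
    for (src, dport), hit in find_scanners(build_sample()).items():
        print(src, dport, hit)
```

Requiring both a high rate and a high destination fan-out is what keeps the busy DNS client and the bulk sender in the sample from being flagged.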