Center for Applied Internet Data Analysis
Inside the Slammer Worm
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer Worm", IEEE Security and Privacy, vol. 1, no. 4, pp. 33-39, Aug 2003.

Support for this work was provided by NSF, DARPA, Silicon Defense, Cisco Systems, AT&T, NIST, and CAIDA members.

David Moore (1), Vern Paxson (4, 6), Stefan Savage (2), Colleen Shannon (1), Stuart Staniford (5), Nicholas Weaver (3, 5)

(1) CAIDA, San Diego Supercomputer Center, University of California San Diego
(2) Department of Computer Science and Engineering, University of California, San Diego
(3) EECS Department, University of California, Berkeley
(4) Lawrence Berkeley National Laboratory - LBNL
(5) Silicon Defense
(6) The ICSI Center for Internet Research - ICIR

The Slammer worm spread so quickly that human response was ineffective. In January 2003, it packed a benign payload, but its disruptive capacity was surprising. Why was it so effective and what new challenges does this new breed of worm pose?

Slammer (sometimes called Sapphire) was the fastest computer worm in history. As it began spreading throughout the Internet, the worm infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions and precluding any human-based response. In this article, we describe how it achieved its rapid growth, dissect portions of the worm to study some of its flaws, and look at our defensive effectiveness against it and its successors.

Slammer began to infect hosts slightly before 05:30 UTC on Saturday, 25 January 2003, by exploiting a buffer-overflow vulnerability in computers on the Internet running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine (MSDE) 2000. David Litchfield of Next Generation Security Software discovered this underlying indexing service weakness in July 2002; Microsoft released a patch for the vulnerability before the vulnerability was publicly disclosed (www.microsoft.com/security/slammer.asp). Exploiting this vulnerability, the worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and unforeseen consequences such as canceled airline flights, interference with elections, and ATM failures.

Keywords: network telescope, security
  Last Modified: Wed Oct-11-2017 17:03:50 PDT
  Page URL: http://www.caida.org/publications/papers/2003/sapphire2/index.xml