You want to go to the site itself to see the pictures, at least. They're
impressive. :-).
Cheers,
RAH
---
http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
The
Spread of the Sapphire/Slammer Worm
By (in alphabetical order)
David
Moore
Vern Paxson
Stefan Savage
Colleen Shannon
Stuart Staniford
Nicholas Weaver
CAIDA
UCSD CSE
ICIR
LBNL
UCSD CSE
CAIDA
Silicon Defense
Silicon Defense
UC Berkeley EECS
Introduction
The
Sapphire Worm was the fastest computer worm in history. As it began
spreading throughout the Internet, it doubled in size every 8.5 seconds.
It infected more than 90 percent of vulnerable hosts within 10 minutes.
The worm (also called Slammer) began to infect hosts slightly before
05:30 UTC on Saturday, January 25. Sapphire exploited a buffer overflow
vulnerability in computers on the Internet running Microsoft's SQL Server
or MSDE 2000 (Microsoft SQL Server Desktop Engine). This weakness in an
underlying indexing service was discovered in July 2002; Microsoft released
a patch for the vulnerability before it was announced[ 1]. The worm
infected at least 75,000 hosts, perhaps considerably more, and caused
network outages and such unforeseen consequences as canceled airline
flights, interference with elections, and ATM failures. Several
disassembled versions of the source code of the worm are available. [ 2].
Figure 1: The geographic spread of Sapphire in the 30 minutes after
release. The diameter of each circle is a function of the logarithm of the
number of infected machines, so large circles visually underrepresent the
number of infected cases in order to minimize overlap with adjacent
locations. For some machines, only the country of origin can be determined
(rather than a specific city).
Propagation speed was Sapphire's novel
feature: in the first minute, the infected population doubled in size every
8.5 (±1) seconds. The worm achieved its full scanning rate (over 55
million scans per second) after approximately three minutes, after which
the rate of growth slowed down somewhat because significant portions of the
network did not have enough bandwidth to allow it to operate unhindered.
Most vulnerable machines were infected within 10-minutes of the worm's
release. Although worms with this rapid propagation had been predicted on
theoretical grounds [ 5], the spread of Sapphire provides the first real
incident demonstrating the capabilities of a high-speed worm. By
comparison, it was two orders magnitude faster than the Code Red worm,
which infected over 359,000 hosts on July 19th, 2001 [ 3]. In comparison,
the Code Red worm population had a leisurely doubling time of about 37
minutes.
While Sapphire did not contain a malicious payload, it caused
considerable harm simply by overloading networks and taking database
servers out of operation. Many individual sites lost connectivity as their
access bandwidth was saturated by local copies of the worm and there were
several reports of Internet backbone disruption [ 4] (although most
backbone providers appear to have remained stable throughout the epidemic).
It is important to realize that if the worm had carried a malicious
payload, had attacked a more widespread vulnerability, or had targeted a
more popular service, the effects would likely have been far more severe.
This document is a preliminary analysis of the Sapphire worm, principally
focused on determining the speed and scope of its spread and the mechanisms
that were used to achieve this result.
Sapphire: A Random Scanning Worm
Sapphire's spreading strategy is based on random scanning -- it selects
IP addresses at random to infect, eventually finding all susceptible hosts.
Random scanning worms initially spread exponentially rapidly, but the rapid
infection of new hosts becomes less effective as the worm spends more
effort retrying addresses that are either already infected or immune. Thus
as with the Code Red worm of 2001, the proportion of infected hosts follows
a classic logistic form of initially exponential growth in a finite system
[ 5,3]. We refer to this as the random constant spread (RCS) model.
Figure 2: Code Red was a typical scanning worm. This graph shows Code
Red's probe rate during its re-emergence on August 1, 2001 as seen by the
Chemical Abstract Service, matched against the RCS model of worm behavior.
Sapphire's spread initially conformed to the RCS model, but in the later
stages it began to saturate networks with its scans, and bandwidth
consumption and network outages caused site-specific variations in the
observed spread of the worm. A dataset from the DShield project [ 8] fit
to a RCS model is shown below. The model fits extremely well up to a
certain point when the probe rate abruptly levels out. This change in
growth of the probe rate is due to the combined effects of bandwidth
saturation and network failure (some networks shut down under the extreme
load).
Figure 3: The early
