Taking Down the Internet Dmitry O Gryaznov Sr
























Taking Down the Internet
Dmitry O. Gryaznov, Sr. Research Architect

Date: Sat, 25 Jan 2003 05:34:07 GMT
• South Korea “disappears”
• Troubles with U.S. ATMs and flight ticketing
• General Internet slowdown: up to 20% of IP packets lost
1 1/9/2022

W32/SQLSlammer
• Only 376 bytes long
• Exploits a buffer overflow in MS SQL Server
• Spreads by sending itself to UDP port 1434 at random IP addresses

Mass-mailing viruses
• Send thousands of copies by e-mail
• Can affect mail servers badly
• Need to connect to a mail server and follow a mail protocol
• Require a user

Sample SMTP session
Client: (connects to TCP port 25)
Server: 220 SMTP ready
Client: HELO mydomain.net
Server: 250 Welcome
Client: MAIL FROM: <me@mydomain.net>
Server: 250 Sender OK
Client: RCPT TO: <you@yourdomain.net>
Server: 250 Recipient OK
Client: DATA
Server: 354 Send the data
Client: (message content).
Server: 250 Accepted for delivery
Client: QUIT
Server: 221 Bye

Typical daily @mm chart

CodeRed and the like
• Exploit vulnerabilities in TCP servers (e.g. a buffer overflow in MS IIS)
• Need to connect to a server and follow a protocol (e.g. HTTP)
• Do NOT require a user
• Do not affect the Internet noticeably

Sample HTTP session
Client: (connects to TCP port 80)
Client: GET /us/index.asp HTTP/1.0
Client: Host: www.somewhere.net
Server: HTTP/1.1 200 OK
Server: Server: Microsoft-IIS/5.0
Server: Last-Modified: Tue, 23 Sep 2003 00:41:05 GMT
Server: Content-Length: 43585
Server: Content-Type: text/html
Server: Connection: close
Server: (43585 bytes of data)

CodeRed.c (aka CodeRed II)

Slammer
• Connectionless UDP, “shoot and forget”
• A single infected PC exhausts 100 Mbps bandwidth – over 30,000 “shots” per second; could attack each and every computer on the Internet in less than a day
• Much faster in reality – “chain reaction”; took 10-15 minutes to reach its saturation level at 100-200 thousand infected computers worldwide
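
The “shoot and forget” pattern on the Slammer slides, one source sending UDP datagrams to port 1434 at many random addresses, stands out in flow records when hits are binned the way the charts in this deck bin them. The following is an added example, not part of the original slides; the record format, the threshold of 20 destinations per 10-second bin and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

SLAMMER_PORT = 1434     # UDP port named on the slide
WORM_LEN = 376          # worm size from the slide; assumed to equal the UDP payload length
BUCKET = 10             # seconds per bin, as in the "hits per 10 seconds" chart
FANOUT_THRESHOLD = 20   # assumed tuning value: distinct destinations per source per bin

def analyse(lines):
    """Return (hits per bin, {source: (max fan-out, worm-sized datagrams)})."""
    hits = Counter()              # bin start -> UDP/1434 datagrams seen
    targets = defaultdict(set)    # (source, bin start) -> distinct destinations
    sized = Counter()             # source -> datagrams of exactly WORM_LEN bytes
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue              # skip blank or malformed records
        ts, proto, src, dst, dport, length = fields
        if proto.lower() != "udp" or int(dport) != SLAMMER_PORT:
            continue              # TCP traffic and other UDP ports are out of scope
        start = int(ts) - int(ts) % BUCKET
        hits[start] += 1
        targets[(src, start)].add(dst)
        sized[src] += int(length) == WORM_LEN
    suspects = {}
    for (src, _), dsts in targets.items():
        # Fan-out is the primary signal; payload size is reported as supporting evidence.
        if len(dsts) >= FANOUT_THRESHOLD:
            best = max(len(dsts), suspects.get(src, (0, 0))[0])
            suspects[src] = (best, sized[src])
    return dict(hits), suspects

# Constructed sample records (not real traffic), using RFC 5737 documentation addresses.
# Format assumed for this example: "epoch proto src dst dport payload_bytes"
SAMPLE = [f"{1000 + i % 10} udp 192.0.2.10 198.51.100.{i + 1} 1434 376" for i in range(30)]
SAMPLE += [
    "1001 udp 192.0.2.20 203.0.113.5 1434 12",    # ordinary client talking to one server
    "1012 udp 192.0.2.20 203.0.113.5 1434 12",
    "1023 udp 192.0.2.20 203.0.113.5 1434 12",
    "1003 udp 192.0.2.30 203.0.113.53 53 40",     # unrelated DNS traffic
    "1004 tcp 192.0.2.30 203.0.113.5 1433 120",   # unrelated TCP traffic
]

if __name__ == "__main__":
    per_bin, suspects = analyse(SAMPLE)
    print(per_bin, suspects)
```

Because the traffic is connectionless, there is no handshake to observe; the per-source count of distinct destinations within one bin is what separates the scanning host from the client that keeps talking to a single server.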

Slammer hits per hour

Slammer hits per minute

Slammer hits per 10 seconds

Slammer: First 5 minutes

Slammer: First 5 minutes

Is it possible to take down the Internet?
• 100-200 thousand Slammer-infected computers – 20% IP packets lost
• 1,000 computers - ?
• 580,000 Internet users worldwide
• Over 14,000 different “backdoors” in Usenet in May-June 2003; millions of readers
• IRC, P2P, etc.

Slammer: First 5 minutes

The WildList Asia (Source: WildList Org.)

The WildList Israel (Source: WildList Org.)

The WildList India (Source: WildList Org.)

The WildList Japan - Seiji Murakami (IPA) (Source: WildList Org.)

The WildList Korea (Source: WildList Org.)

The WildList Australia (Source: WildList Org.)

The WildList Asia (Source: WildList Org.)