A just-completed study into the Slammer worm that hit the Internet a week ago has concluded what many people already suspected: Slammer represented a significant milestone in the evolution of worms and was by far the fastest-spreading worm yet seen.
The study was conducted by a group of experts representing the Cooperative Association for Internet Data Analysis (CAIDA), International Computer Science Institute, Silicon Defense, University of California at Berkeley's Electrical Engineering and Computer Sciences department and the University of California at San Diego Computer Science and Engineering department.
During the first three minutes of the worm's spread, the number of infected machines doubled roughly every 8.5 seconds, the study found. This is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes, according to the report. The worm hit its full scanning rate of around 55 million scans per second at around three minutes after the attack began at roughly 05:30 GMT on Saturday.
The result of this fast spread was that within 10 minutes of the start of the attack the majority of the estimated 75,000 machines that were hit had been infected, said the report.
Slammer's spread was considerably faster for several reasons, said the report. First, it was small. At just 376 bytes in size, the worm and required headers fit inside a 404-byte UDP packet. Code Red was 4K bytes in size, while the Nimda worm was around 37K bytes.
The worm also worked differently than Code Red. Slammer generated random IP addresses and despatched itself to those addresses without scanning to find out whether the target machine was running either of the two pieces of software that were vulnerable to attack: Microsoft's SQL Server 2000 database and Microsoft SQL Server 2000 Data Engine. Because of its random nature, the worm would hit all vulnerable machines, given enough time.
However, the speed with which it propagated appears to have contributed to its downfall. Spread of the worm eventually began to slow because bandwidth from infected machines to the Internet could not support the exponential growth in IP packets being generated, the report said.
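The spread the report describes (random targets, exponential growth, then a slowdown once the infected hosts' links are saturated) can be reproduced with a small model. The following is an added example, not code from the article or from the study's authors: it implements the random-scanning epidemic model in which every infected host probes uniformly random IPv4 addresses, and adds a global scan-rate ceiling to stand in for the bandwidth exhaustion the report blames for the slowdown. The doubling time, vulnerable population and peak scan rate are the article's headline figures used as parameters; everything else (Euler time step, the cap as a hard ceiling) is an assumption of the example.

```python
"""Random-scanning worm spread with a bandwidth ceiling (added example).

Model: with i infected hosts out of N vulnerable ones, each sending
`rate` probes/s to random 32-bit addresses, new infections per second are
    scans_per_s * (N - i) / 2**32
so growth is exponential early (doubling time ln2 / K, K = rate*N/2**32)
and saturates as targets run out. An optional cap on total scans/s
models the point where infected hosts' uplinks can no longer carry the
exponentially growing packet flood.
"""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scanner draws from


def per_host_rate_for_doubling(doubling_s: float, n_vulnerable: int) -> float:
    """Per-host scan rate (scans/s) that yields the given early doubling time.

    Early on di/dt = K * i with K = rate * n_vulnerable / ADDRESS_SPACE,
    so doubling_s = ln 2 / K and rate = K * ADDRESS_SPACE / n_vulnerable.
    """
    k = math.log(2) / doubling_s
    return k * ADDRESS_SPACE / n_vulnerable


def simulate(doubling_s=8.5, n_vulnerable=75_000, aggregate_cap=None,
             dt=0.1, t_max=600.0, initial_infected=1):
    """Euler-step the infected count; returns a list of (t_seconds, infected).

    aggregate_cap: maximum total scans/s the network will carry
    (None = unlimited). Defaults are the article's figures (assumed here
    as model inputs): 8.5 s doubling time, 75,000 vulnerable hosts.
    """
    rate = per_host_rate_for_doubling(doubling_s, n_vulnerable)
    infected = float(initial_infected)
    series = [(0.0, infected)]
    t = 0.0
    while t < t_max and infected < n_vulnerable - 0.5:
        scans_per_s = rate * infected
        if aggregate_cap is not None:
            scans_per_s = min(scans_per_s, aggregate_cap)
        # A random probe lands on a still-uninfected vulnerable host with
        # probability (N - i) / 2**32.
        new = scans_per_s * dt * (n_vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(n_vulnerable), infected + new)
        t += dt
        series.append((t, infected))
    return series


def time_to_fraction(series, fraction, n_vulnerable=75_000):
    """First time at which infected >= fraction * n_vulnerable, else None."""
    for t, infected in series:
        if infected >= fraction * n_vulnerable:
            return t
    return None


if __name__ == "__main__":
    uncapped = simulate()
    capped = simulate(aggregate_cap=55_000_000)   # article's peak scan rate
    for label, s in (("no cap", uncapped), ("55M scans/s cap", capped)):
        print(f"{label:16s} 50% infected at {time_to_fraction(s, 0.5):6.1f} s, "
              f"90% at {time_to_fraction(s, 0.9)} s")
```

With these parameters the per-host rate implied by an 8.5-second doubling time means the 55-million-scans-per-second ceiling is reached while only a minority of the population is infected, after which the infected count grows roughly linearly in the remaining susceptible hosts rather than exponentially; both runs still put the majority of hosts infected well inside the ten-minute window the report describes.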
Its signature, attacking a specific port on vulnerable systems, was also easy to detect, and network-level blocking of the ports in question was effective in slowing the worm.
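Why a worm with this signature is easy to pick out at the network edge: every infected host sends fixed-size UDP packets to the same port at hundreds of distinct, random addresses within seconds, which no legitimate client does. The following is an added example, not code from the article or the study. It counts, per source, the distinct destinations reached on the port within a short window and flags the outliers, also reporting how uniform the flagged source's packet sizes are. The flow records are constructed for the example; the port is an assumption (the article does not name it, and 1434/udp is the port public advisories give for Slammer), and the window and threshold are illustrative.

```python
"""Flag hosts spraying one UDP port at many destinations (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str
    dport: int
    size: int      # bytes on the wire


WORM_PORT = 1434              # assumed; the article does not name the port
WORM_PACKET_BYTES = 404       # 376-byte worm plus headers, per the article
WINDOW_S = 10.0               # illustrative
DISTINCT_DST_THRESHOLD = 50   # illustrative; tune to the site's baseline


def flag_port_sprayers(flows, port=WORM_PORT, window_s=WINDOW_S,
                       threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: (peak_distinct_dsts, fixed_size_fraction)} for noisy sources.

    peak_distinct_dsts: most distinct destinations a source hit on `port`
    inside any window_s-second span. A legitimate client talks to a
    handful of servers; a random scanner reaches hundreds.
    fixed_size_fraction: share of that source's packets to the port that
    are exactly WORM_PACKET_BYTES long (a worm payload never varies).
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp" and f.dport == port:
            by_src[f.src].append(f)

    flagged = {}
    for src, recs in by_src.items():
        window = deque()
        peak = 0
        for f in recs:
            window.append(f)
            while window[0].ts < f.ts - window_s:   # drop records outside the window
                window.popleft()
            peak = max(peak, len({w.dst for w in window}))
        if peak >= threshold:
            fixed = sum(1 for f in recs if f.size == WORM_PACKET_BYTES) / len(recs)
            flagged[src] = (peak, fixed)
    return flagged


def constructed_flows():
    """Constructed sample: one sprayer, one legitimate poller, ordinary DNS."""
    flows = []
    # Infected host: 200 identical-size probes to 200 distinct addresses in 2 s.
    for i in range(200):
        flows.append(Flow(1000.0 + i * 0.01, "10.0.0.5", f"203.0.113.{i}",
                          "udp", WORM_PORT, WORM_PACKET_BYTES))
    # Monitoring box polling two database servers on the same port.
    for i in range(6):
        flows.append(Flow(1000.0 + i, "10.0.0.7", ("10.0.1.10", "10.0.1.11")[i % 2],
                          "udp", WORM_PORT, 60))
    # Ordinary DNS traffic on a different port.
    for i in range(30):
        flows.append(Flow(1000.0 + i * 0.3, "10.0.0.9", "10.0.0.53", "udp", 53, 80))
    return flows


if __name__ == "__main__":
    for src, (peak, fixed) in flag_port_sprayers(constructed_flows()).items():
        print(f"{src}: {peak} distinct destinations on udp/{WORM_PORT} "
              f"within {WINDOW_S:.0f} s, {fixed:.0%} packets of {WORM_PACKET_BYTES} bytes")
```

The monitoring host that legitimately talks to two servers on the same port stays below the threshold, so the rule separates a scanner from ordinary use of the service rather than simply alerting on any traffic to the port; the fixed-size fraction is the second signal an analyst would check before turning an alert into a port block of the kind the article says was effective.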