Educause Security Discussion mailing list archives
Fwd: [IP] The Spread of the Sapphire/Slammer SQL Worm
From: Dan Updegrove <updegrove () MAIL UTEXAS EDU>
Date: Fri, 31 Jan 2003 21:00:29 -0600
Colleagues - This study supports inferences we made from our log files -- most of the penetration damage had been done within the first 10 minutes! Regards, Dan
-----Original Message----- From: vern () ee lbl gov Date: Fri, 31 Jan 2003 17:13:14 To:nanog () merit edu Subject: The Spread of the Sapphire/Slammer SQL Worm We have completed our preliminary analysis of the spread of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more. This remarkable speed, nearly two orders of magnitude faster than Code Red, was the result of a bandwidth-limited scanner. Since Sapphire didn't need to wait for responses, each copy could scan at the maximum rate that the processor and network bandwidth could support. There were also two noteworthy bugs in the pseudo-random number generator which complicated our analysis and limited our ability to estimate the total infection but did not slow the spread of the worm. The full analysis is available at http://www.caida.org/analysis/security/sapphire/ http://www.silicondefense.com/sapphire/ http://www.cs.berkeley.edu/~nweaver/sapphire/ David Moore, CAIDA & UCSD CSE Vern Paxson, ICIR & LBNL Stefan Savage, UCSD CSE Colleen Shannon, CAIDA Stuart Staniford, Silicon Defense Nicholas Weaver, Silicon Defense and UC Berkeley EECS ------ End of Forwarded Message
VP for Information Technology Phone (512) 232-9610 The University of Texas at Austin Fax (512) 232-9607 FAC 248 (Mail code: G9800) d.updegrove () its utexas edu P.O. Box 7407 http://wnt.utexas.edu/~danu/ Austin, TX 78713-7407 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Fwd: [IP] The Spread of the Sapphire/Slammer SQL Worm Dan Updegrove (Jan 31)
- <Possible follow-ups>
- Re: Fwd: [IP] The Spread of the Sapphire/Slammer SQL Worm H. Morrow Long (Feb 01)