On Saturday the 25th of January 2003, the Internet as a whole became very slow. Servers suddenly became very sluggish, or unavailable, and although this did not last for long (in most cases about 4 hours), the sudden glimpse of what a relatively simple piece of code can do was frightening.

The SQL "Slammer" Worm

What was scary about this worm was not it's malevolence (See below), but the incredible speed at which it propagated. For most people, the attack appeared to be binary in nature - either you had the worm and therefore had an almost complete Denial Of Service, or you didn't. Newscasters pointing at maps showing the spread of infection were on completely the wrong track - the worm didn't see the machines in terms of the distance between them, it simply saw the links through which it could spread. It also spread in a matter of minutes, far too short a time frame for any warning to be given.

Because the worm used UDP instead of TCP, the rate of infection was far faster than many companies would expect - leading them to believe that they were targeted specifically. The worm did not target anyone in particular. While it is possible that certain computers were initially targeted, it is unlikely that they were targeted for any reason other than that they had fast Internet connections. One server, so infected, could then infect any number of other computers, which would in turn infect more computers, making the propagation of the worm virus-like in nature.

How it worked

The design of the worm was laughably simple - Once on the infected machine, use the random number generator function to generate random numbers between 1 and 255. Then assemble a complete IP address from these numbers, and broadcast a copy of the worm out to that IP address on port 1434 UDP. Repeat. No damage was done to that machine, nor any other infected machine. The damage came from the fact that the computer was trying to reach a random address as often as it possible could - on a gigabit network interface, this was about 100 000 packets a second, or 300 megabytes of traffic every second. This was enough to take down most networks, but things became even more stressed whenever a packet was generated with 255 values in it, as these broadcast out to every interface on the network. A similar attack using TCP instead of UDP would have been far slower, as TCP is a connection-oriented protocol. Because of it's simplicity the worm was also laughably easy to remove - since it was entirely memory-based, it could be removed simply by rebooting the machine. Once the relevant patches were applied, the system could be considered clean.


The worm worked on a vulnerability in SQL Server - a vulnerability that was not only known about, but for which there was also a fix. Microsoft had had a patch available for 6 months. Why was this patch not applied? When it comes to applying patches, system administrators soon find that while it is possible to patch your software with every available fix as soon as it comes out, this soon becomes more trouble than it is worth. Sometimes the patches bring in new flaws and vulnerabilities, and there is also a chance that they may render the entire machine inoperable. In the end, it is better to face a possible outage from an attack than to experience possible outages every time a patch is applied. What many people do not realise is that a version of SQL Server also ships with MSDE (Microsoft Database Embedded) applications, such as Visio, McAffee's Virus Manager, some Cisco Software management products, Visual FoxPro and many others. All of these products were vulnerable to the attack, and it is therefore NOT the servers on the Internet that were primarily responsible for this attack - it was the desktop machines. In any corporation there are usually less than ten servers, but there are hundreds of client computers, any number of which could be running a MSDE application without even realising it.


After any such incident, there is always a lot of finger pointing, and this one was no different. Microsoft was blamed - though their public statement clearly points out that the patch was available to anyone from July 2002. They showed, I feel remarkable restraint in not writing "I did warn you and you didn't listen - nah nah nah nah" in large letters all over the page. On the other hand, it was their software that had the vulnerability in the first place. Many governments and corporations felt that they were targeted specifically due to the incredible speed at which the worm spread through their network - not realising that the worm used UDP, which is far faster than TCP. Universities were blamed for the large volume of infected packets that came through their links, but people failed to realise that if a machine was infected, it would use any line available, and the volume is determined directly by the speed of the line available. So the universities, which had high-speed connections, broadcast more than any local home user. Everybody told everybody else to remember to always apply patches, forgetting that the reason that patches are not applied is because occasional outages such as that caused by the Slammer worm are preferable to the more frequent outages caused by the constant application of patches. Ultimately, no major damage was done, and the systems in question sit, newly patched and waiting for the next attack exploiting another vulnerability. The most violent attack on the internet yet was over so quickly that most people didn't even know it had happened.