Taking Down the Internet Dmitry O. Gryaznov, Sr. Research Architect
Feb 25, 2016

Transcript
Page 1: Taking Down the Internet

Taking Down the Internet
Dmitry O. Gryaznov, Sr. Research Architect

Page 2: Taking Down the Internet

04/22/23Page 2,

Date: Sat, 25 Jan 2003 05:34:07 GMT
• South Korea “disappears”
• Troubles with U.S. ATMs and flights ticketing
• General Internet slowdown: up to 20% of IP packets lost

Page 3: Taking Down the Internet

W32/SQLSlammer
• Only 376 bytes long
• Exploits a buffer overflow in MS SQL Server
• Spreads by sending itself to UDP port 1434 at random IP addresses

Page 4: Taking Down the Internet

Mass-mailing viruses
• Send thousands of copies by E-mail
• Can affect mailservers badly
• Need to connect to a mailserver and follow a mail protocol
• Require a user

Page 5: Taking Down the Internet

Sample SMTP session

Client                              Server
(connects to TCP port 25)           220 SMTP ready
HELO mydomain.net                   250 Welcome
MAIL FROM:<[email protected]>       250 Sender OK
RCPT TO:<[email protected]>         250 Recipient OK
DATA                                354 Send the data
(message content)
.                                   250 Accepted for delivery
QUIT                                221 Bye

Page 6: Taking Down the Internet

Typical daily @mm chart
[Chart; horizontal axis 0 to 23]

Page 7: Taking Down the Internet

CodeRed and the like
• Exploit vulnerabilities in TCP servers (e.g. a buffer overflow in MS IIS)
• Need to connect to a server and follow a protocol (e.g. HTTP)
• Do NOT require a user
• Do not affect the Internet noticeably

Page 8: Taking Down the Internet

Sample HTTP session

Client (connects to TCP port 80):
GET /us/index.asp HTTP/1.0
Host: www.somewhere.net

Server:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Last-Modified: Tue, 23 Sep 2003 00:41:05 GMT
Content-Length: 43585
Content-Type: text/html
Connection: close
(43585 bytes of data)

Page 9: Taking Down the Internet

CodeRed.c (aka CodeRed II)
[Chart; horizontal axis 0 to 20]

Page 10: Taking Down the Internet

Slammer
• Connectionless UDP, “shoot and forget”
• A single infected PC exhausts 100Mbps bandwidth – over 30,000 “shots” per second; could attack each and every computer on the Internet in less than a day
• Much faster in reality – “chain reaction”; took 10-15 minutes to reach its saturation level at 100-200 thousand infected computers worldwide

Page 11: Taking Down the Internet

Slammer hits per hour
[Chart; vertical axis 0 to 3000, horizontal axis 0 to 6]

Page 12: Taking Down the Internet

Slammer hits per minute
[Chart; vertical axis 0 to 300, horizontal axis 0 to 20]

Page 13: Taking Down the Internet

Slammer hits per 10 seconds
[Chart; vertical axis 0 to 60]
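Hit counts per hour, per minute and per 10 seconds, as charted on the preceding slides, can be derived on the defender's side from packet or flow logs by matching the traits listed on the W32/SQLSlammer slide (UDP, port 1434, 376 bytes). The following is an added example, not part of the original presentation; the record layout, the sample addresses, the fan-out threshold and the assumption that the 376-byte size equals the UDP payload length are all illustrative.

```python
from collections import Counter, defaultdict

SLAMMER_PORT = 1434  # UDP port named on the slide
SLAMMER_LEN = 376    # worm size from the slide; assumed to equal the UDP payload length

# Constructed sample records: (seconds, src_ip, dst_ip, proto, dst_port, payload_len)
SAMPLE = [
    (0,  "192.0.2.10", "198.51.100.1",  "udp", 1434, 376),
    (3,  "192.0.2.10", "198.51.100.77", "udp", 1434, 376),
    (4,  "192.0.2.10", "203.0.113.5",   "udp", 1434, 376),
    (7,  "192.0.2.44", "198.51.100.9",  "udp", 1434, 20),   # short packet to the same port: no match
    (12, "192.0.2.10", "203.0.113.200", "udp", 1434, 376),
    (13, "192.0.2.99", "198.51.100.1",  "tcp", 80,   376),  # wrong protocol and port: no match
    (15, "192.0.2.23", "198.51.100.1",  "udp", 1434, 376),
    (18, "192.0.2.10", "203.0.113.201", "udp", 1434, 376),
]

def is_hit(rec):
    """True when a record matches all three traits: UDP, port 1434, 376 bytes."""
    _, _, _, proto, dport, plen = rec
    return proto == "udp" and dport == SLAMMER_PORT and plen == SLAMMER_LEN

def hits_per_bucket(records, width=10):
    """Count matching packets per time bucket; returns {bucket_start: count}."""
    counts = Counter()
    for rec in records:
        if is_hit(rec):
            counts[rec[0] - rec[0] % width] += 1
    return dict(sorted(counts.items()))

def scanning_sources(records, min_targets=3):
    """Sources that sent matching packets to at least min_targets distinct
    addresses, the fan-out pattern of random-address spreading."""
    targets = defaultdict(set)
    for rec in records:
        if is_hit(rec):
            targets[rec[1]].add(rec[2])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    print(hits_per_bucket(SAMPLE))   # hits per 10-second bucket
    print(scanning_sources(SAMPLE))  # candidate infected hosts to isolate
```

Changing `width` to 60 or 3600 gives the per-minute and per-hour views of the same data.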

Page 14: Taking Down the Internet

Slammer: First 5 minutes

Page 15: Taking Down the Internet

Slammer: First 5 minutes

Page 16: Taking Down the Internet

Is it possible to take down the Internet?
• 100-200 thousand Slammer-infected computers – 20% IP packets lost
• 1,000,000 computers - ?
• 580,000,000 Internet users worldwide
• Over 14,000 different “backdoors” in Usenet in May-June 2003; millions of readers
• IRC, P2P, etc.

Page 17: Taking Down the Internet

Slammer: First 5 minutes

Page 18: Taking Down the Internet

The WildList: Asia
[Chart; vertical axis 0 to 240; series: Worldwide, Japan, Israel, India, Korea]
Source: WildList Org.

Page 19: Taking Down the Internet

The WildList: Israel
[Chart; vertical axis 0 to 80]
Source: WildList Org.

Page 20: Taking Down the Internet

The WildList: India
[Chart; vertical axis 0 to 80, horizontal axis Jan-99 to Jul-03]
Source: WildList Org.

Page 21: Taking Down the Internet

The WildList: Japan - Seiji Murakami (IPA)
[Chart; vertical axis 0 to 100]
Source: WildList Org.

Page 22: Taking Down the Internet

The WildList: Korea
[Chart; vertical axis 0 to 200]
Source: WildList Org.

Page 23: Taking Down the Internet

The WildList: Australia
[Chart; vertical axis 0 to 60]
Source: WildList Org.

Page 24: Taking Down the Internet

The WildList: Asia
[Chart; vertical axis 0 to 240; series: Worldwide, Korea, Australia]
Source: WildList Org.