Main Page | See live article | Alphabetical index

SQL slammer worm

The SQL slammer worm is a computer virus (technically, a "worm program") that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within 10 minutes. Although titled "SQL slammer worm", the program did not make use of SQL. It exploited two buffer overflow bugs in Microsoft's flagship SQL Server database product. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.

Table of contents
1 Impact
2 Technical Details
3 See Also
4 External links


Sites monitoring the traffic of the Internet such as Internet Storm Center reported significant slowdowns globally, resembling the impact of the Code Red worm in the summer of 2001.

Yonhap news agency in South Korea reported on the Internet services had been shut down for hours on Saturday, January 25, 2003 nationwide. The impact was mitigated by the fact that it occurred over the weekend.

The same attack was reported throughout most of Asia, Europe, and North America. Anti-virus software maker Symantec estimated that at least 22,000 systems were affected worldwide. Though some reports indicated that the root nameservers had been brought down, this was not true.

Technical Details

The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that are running the Microsoft SQL Server Resolution Service, causing them to spray the Internet with more copies of the worm program.

Home PCss are generally not vulnerable to this worm, as they are usually not running SQL Server. The worm stays only in memory and not in disk space, so it is easy to remove. For example, Symantec provides a free removal utility (see external link below).

The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch has been available from Microsoft for the past six months, but many installations had not been patched -- including some at Microsoft.

The slowdown was caused by the fact that several routers collapsed under the burden of extremely high bombardment traffic from infected servers. Normally, when this happens, the routers are supposed to slow down traffic. Instead, some routers crashed, and as the routers used some variant of the link-state routing protocol, the notice that these routers had stopped and should be removed from the routing tables of all other routers started to propagate througout the Internet (flooding). When the routers eventually came back to the network after being restarted the routing tables had to be updated again in the same fashion. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether.

SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver.

See Also

External links


Announcement: Analysis Technical Details