Friday, May 7, 2010

How SQL Slammer Works

Slammer owes its speed to UDP, an Internet protocol that's lighter and quicker than the TCP used for Web sites, email, and file downloads. TCP requires sender and receiver to acknowledge each other in a handshake before exchanging information; UDP can carry a message in a single, one-way packet. Microsoft's SQL Server 2000 software has a UDP-powered directory service that lets applications automatically find the right database. Moreover, SQL code comes built into other programs the company sells. Many Slammer victims didn't even realize they were running SQL.

The worm takes advantage of a common software bug called a buffer overflow. Buffers overflow when a data string is written into memory without its length being checked by the program. If the string is too long, the tail end of the data overwrites the program's own code.

The genius of Slammer is how it uses an attack on just one type of software as leverage for a general attack on the Web itself. Machines infected by the worm swiftly spam the Net with randomly addressed traffic, hitting other vulnerable servers. As the number of computers spewing Slammer packets rises, the situation reaches critical mass, potentially creating a denial of service attack on all 4 billion IP addresses on the Net. Sounds crazy, but Slammer is fast enough to pull it off.

Slammer's code is a set of instructions as simple as "Lather, rinse, repeat." The program itself is only 376 bytes, not much longer than this paragraph. Yet its design reveals a sophisticated knowledge of computers and the Net. Here's a step-by-step guide.

STEP ONE Get Inside
Slammer masquerades as a single UDP packet, one that would normally be a harmless request to find a specific database service. The first byte in the string - 04 - tells SQL Server that the data following it is the name of the online database being sought. Microsoft's tech specs dictate that this name be at most 16 bytes long and end in a telltale 00. But in the Slammer packet, the bytes run on, craftily coded so there is no 00 among them. As a result, the SQL software pastes the whole thing into memory.

STEP TWO Reprogram the Machine
The initial string of 01 characters spills past the 128 bytes of memory reserved for the SQL Server request and into the computer's stack next door. "Stack" is programmer-speak for an orderly list of information the computer shuffles to remind itself what to do next, like tidy paperwork on a desk. The first thing the computer does after opening Slammer's too-long UDP "request" is overwrite its own stack with new instructions that Slammer has disguised as a routine query. The computer reprograms itself without realizing it.

STEP THREE Choose Victims at Random
Slammer generates a random IP address, targeting another computer that could be anywhere on the Internet. To randomize, Slammer deploys a time-honored programmer's trick: It looks up the number of milliseconds that have elapsed on the CPU's system clock since it was booted and interprets the number as an IP address.

STEP FOUR Replicate
The envelope is addressed; now it just needs to be stuffed. Slammer points to its own code as the data to send. The infected computer writes out a new copy of the worm and licks the UDP stamp.

After sending off the first tainted packet, Slammer loops around immediately to send another to a different computer. It doesn't waste a single millisecond. Instead of making another call to the system clock to get the time, it just shuffles the bits of the IP address already in memory to create a new one. Slammer's one bug is buried here: The reshuffling leaves a few digits in the address unchanged. It hardly matters, though, since the computer is now spewing packets as fast as its network cable can carry them away. A home PC could cram a couple hundred copies onto its broadband link every second. Corporate data centers became nasty breeding grounds, launching tens of thousands per second.

Slammer commandeered just 75,000 SQL machines. But because it replicated so fast, the worm was able to take down millions more, kicking them offline with a flood of meaningless traffic.
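As an added example (not part of the article), here is a defender-side check, written in Python, for the request format described in Step One: a type-04 packet whose name runs past 16 bytes or never hits a 00 terminator is flagged as overlong, and one whose total size is 376 bytes is additionally marked as matching the worm's size. The sample packets are constructed for this example; the overlong one is simply a run of 01 bytes, not the worm itself.

```python
# Added example: classify UDP payloads aimed at SQL Server's directory service
# using only the format facts the article gives: first byte 04, then an
# instance name of at most 16 bytes ending in 00, and a 376-byte worm packet.

MAX_NAME_LEN = 16          # longest name the spec allows, per the article
WORM_PAYLOAD_LEN = 376     # total size of the Slammer packet, per the article
REQ_FIND_INSTANCE = 0x04   # "the data that follows is a database name"


def check_request(payload: bytes) -> dict:
    """Return a verdict for one payload: 'ignore', 'ok' or 'overlong'."""
    if not payload or payload[0] != REQ_FIND_INSTANCE:
        return {"verdict": "ignore", "reason": "not a type-04 request"}
    body = payload[1:]
    terminator = body.find(b"\x00")      # -1 when there is no 00 at all
    # A well-formed request has its 00 at index 0..16 of the body.
    if terminator == -1 or terminator > MAX_NAME_LEN:
        return {
            "verdict": "overlong",
            "name_len": len(body) if terminator == -1 else terminator,
            "looks_like_slammer": len(payload) == WORM_PAYLOAD_LEN,
        }
    name = body[:terminator].decode("ascii", errors="replace")
    return {"verdict": "ok", "name": name, "name_len": terminator}


def triage(payloads) -> dict:
    """Count verdicts over a batch of payloads (e.g. one capture window)."""
    counts = {"ignore": 0, "ok": 0, "overlong": 0, "slammer_sized": 0}
    for p in payloads:
        result = check_request(p)
        counts[result["verdict"]] += 1
        if result.get("looks_like_slammer"):
            counts["slammer_sized"] += 1
    return counts


# Constructed sample traffic: a normal lookup, a name exactly at the limit,
# a name one byte too long, an unrelated request type, and a 376-byte run
# of 01 bytes with no terminator (the shape the article describes).
SAMPLES = [
    b"\x04MSSQLSERVER\x00",
    b"\x04" + b"A" * 16 + b"\x00",
    b"\x04" + b"A" * 17 + b"\x00",
    b"\x02",
    b"\x04" + b"\x01" * 375,
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(len(s), check_request(s))
    print(triage(SAMPLES))
```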

The Fire Next Time
Security specialists have long harbored nightmare scenarios of a "Warhol worm" that could crash the Net in 15 minutes. Slammer proved they weren't dreaming. No months of reconnaissance, no compiled lists of vulnerable computers, no massive server farm required to launch the attack. Just one packet - UDP is definitely the way to go.

The scary truth is there's plenty of UDP software waiting to be hijacked by a middling programmer. Kazaa. Xbox. How about the code that controls the domain-name system itself? The 350,000 DNS servers that link our computers form an interconnected UDP network that we can't do without. A Slammer-like attack on DNS would bring the Internet to a standstill in less time than it takes to read this article. Lucky for us, unlike Microsoft's Swiss cheese SQL Server, the open source DNS code doesn't have any such holes.
