Page Two

By Dennis Fisher  |  Posted 2003-01-27 Print this article Print

: Slammer Source Code Provides Clues"> The worm, known variously as Slammer and Sapphire, hit the Internet around 12:30 a.m. Eastern on Saturday and began spreading quickly. Within the first hour, it had infected more than 50,000 machines, Rouland said. It continued to spread throughout the day Saturday and has now found its way into more than 200,000 machines, experts say. Its infection rate was much faster than the Code Red worm of 2001, even though there are far fewer SQL servers on the Internet than there are Web servers running the Microsoft Corp. IIS software that Code Red attacked. But, while Code Red continued to spread for several days, Slammer was contained relatively quickly. The shorter life-cycle is due to several factors, but much of it has to do with quick reactions from ISPs and large network operators who all agreed to block traffic on port 1434, which is the port Slammer uses to infect machines. This kind of wholesale filtering is virtually unheard of and would not have been possible with Code Red. Also, government agencies reacted much more quickly to Slammer than they did to previous attacks, thanks mainly to experience and help from private-sector security firms.
"There was quite a bit of activity going on here," said Sachs. "We first saw it, I think at the [National Communications System] at about 1 a.m., and by 3 a.m. or 4 a.m. everyone who needed to know was out of bed and notified."
Others agreed that the cooperation among the various ISACs, government agencies and private firms was key to the worms containment. "I was the first one to call the [National Infrastrucutre Protection Center] and that was at about 3:45 a.m., and we had a pretty good handle on the analysis by then," said Pete Allor, director of operations for the Information Technology Information Sharing and Access Center and manager of the threat intelligence service at ISS. "We had the packet captures early, and the analysis was pretty straightforward. We talked to the Financial Services ISAC, [and] worked closely with the telecom folks, all of them."


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel