On January 25, 2003 at approximately 05:30 UTC, the Internet was hit by possibly the worst worm since the Morris Worm of 1988. Note that that is a qualitative judgement; others may disagree and there is no real objective way to compare the two. In fact, the Internet of November, 1988 was very different than the Internet of January, 2003.
What made the Slammer worm of 2003 so terrible? Well, it flooded many of the network connections that make the Internet operate to such an extent that much of the Internet was totally unable to function for several hours. In fact, many consumer Internet connections were out for considerably longer. Not only did it affect folks directly using the Internet, however, but it also caused failures in things like Automated Teller Machine networks and internal corporate networks which may use the Internet to carry some or all of their traffic.
It was fortunate that there was no malicious payload with this worm; it didn’t cause any direct damage to software or data and it was an easy fix to correct the problem. If it would have had malicious payload, there would have been significant problems as of the start of business on Monday.
This worm attacked a vulnerability in Microsoft’s SQL Server 2000 and caused an infected system to send probes to random destinations as fast as possible, thus clogging many networks almost instantly. This also caused very rapid spread of the worm, to the point that it brought the Internet to its knees in about a minute. It should be noted that most of the major connections were still operating but service was degraded somewhat. It was mostly the leaf sites on the Internet that disappeared. Of course, a rather large portion of the sites on the Internet are leaf sites so for most people, the Internet had crashed.
Perhaps the most tragic part of this incident is that it was totally preventable. There was a patch for the vulnerability available for six months prior. In addition, if the servers themselves had been properly protected by firewalls, none of this would have happened. One can’t help but to wonder if the network administrators that run Internet sites will learn anything from this. Of course, it is fairly obvious that, human nature being as it is, nothing is going to change. I suppose the real question to ask is not whether this will ever happen again but how long before it happens again.
All I can say is that I hope I don’t have to spend too many more sleepless nights fixing network outages due to malicious individuals. Unfortunately just running a service does leave it potentially vulnerable.
As a final note, though, it should be stated that the interet is clearly more robust than it was in 1988 as it took much less time to recover almost to the status quo. This trend is not a bad thing but it requires human awareness and effort to keep the improvement trend going. Here’s to continued improvement of the Internet.
January 28, 2003 CE… UTC