ETRI meeting (Feb 16, 2005) -- Dongkee LEE ([email protected])
Slide 1: Sapphire/Slammer worm impact on Internet routing
Dongkee LEE
Slide 2: Overview
Introduction to Sapphire/Slammer worm
Analysis methods
Results
Discussion
Slide 3: Sapphire worm
Also called Slammer, SQLSlammer, W32.Slammer.
Began at 5:30 AM (UTC) on Saturday Jan 25th.
Systems affected: Microsoft SQL Server 2000, Microsoft Desktop Engine (MSDE) 2000.
"Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp."
- CERT Advisory CA-2003-04
reference [1], [2]
Slide 4: Sapphire worm
[Figure: infection map, Sat Jan 25 05:29:00 2003 (UTC), Infected with Sapphire: 0]
Most vulnerable machines were infected within 10 minutes of the worm's release.
[Figure: infection map, Sat Jan 25 06:30:00 2003 (UTC), Infected with Sapphire: 74855]
reference [1], [2]
Slide 5: Sapphire worm
Caused considerable harm simply by overloading networks and taking database servers out of operation.
Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm.
Observed symptoms:
- Outbound traffic to external addresses on UDP port 1434.
- Large amounts of ICMP Unreachable messages aimed at server systems.
- SQL resolution service failure.
- Performance degradation.
- Scanning.
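As an added example (not part of the slides), the following Python script checks constructed flow records against the two network-visible symptoms listed above: an internal host sending UDP/1434 datagrams to many distinct external addresses inside a short window, and ICMP Unreachable replies converging on that same host. The flow-record layout, the 10.0.0.0/8 site prefix, the 60-second window and the thresholds are assumptions chosen for the example.

```python
# Added example: flag internal hosts showing the Slammer symptoms listed on
# the slide. The flow-record layout, site prefix and thresholds are assumptions.
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space


def is_external(ip):
    """True when the address lies outside the assumed site prefix."""
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def build_flows():
    """Constructed sample flow records: (ts, src, dst, proto, dport_or_icmp_type, pkts)."""
    flows = []
    # an infected host spraying single UDP/1434 datagrams at many external addresses
    for i in range(25):
        flows.append((1000 + i, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434, 1))
    # ICMP type 3 (destination unreachable) replies drawn back to that host
    for i in range(18):
        flows.append((1001 + i, f"198.51.100.{i + 1}", "10.0.0.5", "icmp", 3, 1))
    # a legitimate host that talks to one external MSDE replica on UDP/1434
    for i in range(3):
        flows.append((1000 + i * 20, "10.0.0.7", "203.0.113.10", "udp", 1434, 4))
    return flows


def detect(flows, window=60, min_distinct_dst=10, min_icmp_unreach=10):
    """Return {host: [reasons]} for internal hosts that, within one time bin,
    reach many distinct external UDP/1434 targets or draw many ICMP unreachables."""
    udp_targets = defaultdict(set)   # (host, bin) -> distinct external UDP/1434 destinations
    icmp_unreach = defaultdict(int)  # (host, bin) -> ICMP unreachable flows aimed at host
    for ts, src, dst, proto, port_or_type, _pkts in flows:
        b = ts - ts % window
        if proto == "udp" and port_or_type == 1434 and not is_external(src) and is_external(dst):
            udp_targets[(src, b)].add(dst)
        elif proto == "icmp" and port_or_type == 3 and not is_external(dst):
            icmp_unreach[(dst, b)] += 1

    alerts = defaultdict(list)
    for (host, b), targets in udp_targets.items():
        if len(targets) >= min_distinct_dst:
            alerts[host].append(f"{len(targets)} distinct external UDP/1434 targets in bin {b}")
    for (host, b), n in icmp_unreach.items():
        if n >= min_icmp_unreach:
            alerts[host].append(f"{n} ICMP unreachable flows aimed at host in bin {b}")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in detect(build_flows()).items():
        print(host)
        for r in reasons:
            print("  ", r)
```

The distinct-destination count is what separates the worm from a legitimate client: the host 10.0.0.7 also uses UDP/1434 but only ever reaches one peer, so it never trips the threshold, while the infected host is caught both by its fan-out and by the unreachables it draws back.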
Slide 6: Previous works
[Figure: traffic volume (Mbps, y-axis 0 to 14,000) versus time of day (hours 0 to 22) on Jan 24 and Jan 25; series: domestic to international (24th), international to domestic (24th), domestic to international (25th), international to domestic (25th)]
Source: Joint Investigation Team on Information and Communications Network Intrusion Incidents – "Investigation Results of the Information and Communications Network Intrusion Incident"
But how about the Sapphire impact on 'Internet routing'?
Slide 7: Routeviews - 1
University of Oregon – Route Views project.
Routing information repository for:
- Analysis of BGP routing table dynamics.
- Work on routing table growth.
- Analysis of geographic scope of routing announcements.
Routeviews routers:
route-views.eqix.routeviews.org
route-views.isc.routeviews.org
route-views.linx.routeviews.org
route-views.oregon-ix.net
route-views.wide.routeviews.org
route-views2.oregon-ix.net
route-views3.routeviews.org
reference http://routeviews.org
Slide 8: Routeviews - 2
[Diagram: route-views2.oregon-ix.net receives BGP updates from its peers and archives them at ftp://archive.routeviews.org/bgpdata]
BGP UPDATES dumped every 15 min; BGP RIB (Routing Information Base) snapshot every 2 hours.
Peers shown in the diagram (partial): Accretive AS11608, AOL AS1668, APAN/tppr-tokyo AS7660, ATT AS7018, CENIC AS2152, DCS.net AS21202, Sprint AS1239, UUNET AS2905, Telstra AS1221, Verio AS2914, ...
Peer list – http://routeviews.org/peers/route-views2.oregon-ix has no Korean peers.
reference http://routeviews.org
Slide 9: Korean ASes
http://www.cidr-report.org/autnums.html , 362 Korean ASes
8 Major Korean ASes:
AS4766 KORNET
AS3786 DACOM
AS9457 DREAMX
AS9277 THRUNET
AS9318 HANANET
AS7563, 9768 PUBNET
AS4670, 4664 SHINBIRO
AS9848 ENTERPRISENET
16 Other Korean ASes:
AS17832 6KANET
AS4663 ELIMNET
AS10038 FWINet
AS17864 HANVITINB
AS9695 KITINET
AS5051 KOLNET
AS9488 KREN
AS1237, 7623, 17579 KREONET
AS9701 KRLINE
AS7557 KTNET
AS9316 PUBNETPLUS
AS9689 QRIXNET
AS10171 SKTelink
AS10049 SKNETWORKS
AS9644 SKSpeedNet
AS6619 SAMSUNGNETWORKS
reference NIDA and ISIS
Slide 10: Scripts
http://an.kaist.ac.kr/~dklee/research/iram/
[Flowchart: list RIB / Update dump files; process each (binary to machine-readable ASCII transformation); does any Korean AS appear in the AS-PATH? Yes: matched. Is a Korean AS the origin AS of this entry? Yes: origin-matched.]
Sample records (announced prefix, AS-PATH, origin-AS fields highlighted):
BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||
BGP4MP|1044083314|A|217.75.96.60|16150|63.73.10.0/24|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|
BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24
BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23
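As an added example, not the script published at the URL above, the following Python code implements the two tests the flowchart describes on pipe-separated BGP4MP records of the form shown: whether any AS in the AS-PATH is Korean (matched) and whether the origin AS, the last AS in the path, is Korean (origin-matched), then tallies announcements and withdrawals per 15-minute bin. The Korean AS set is the one from slide 9; the first six sample lines are the records above, the last two are constructed (documentation prefixes 203.0.113.0/24 and 198.51.100.0/24, documentation ASN 64496) so that each rule fires once. Withdrawals carry no AS-PATH, so the code counts them but can never match them.

```python
# Added example: classify bgpdump-style BGP4MP records by Korean AS involvement
# and count them per 15-minute bin. Not the slide author's script.
from collections import Counter

# Korean ASes from slide 9 (8 major + 16 other)
KOREAN_ASES = {
    4766, 3786, 9457, 9277, 9318, 7563, 9768, 4670, 4664, 9848,
    17832, 4663, 10038, 17864, 9695, 5051, 9488, 1237, 7623, 17579,
    9701, 7557, 9316, 9689, 10171, 10049, 9644, 6619,
}

# Sample records: the first six are the lines shown on the slide, the last two are
# constructed (documentation prefixes and ASN 64496) to exercise both match rules.
SAMPLE_LINES = [
    "BGP4MP|1044083314|A|217.75.96.60|16150|208.254.200.0/22|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|NAG||",
    "BGP4MP|1044083314|A|217.75.96.60|16150|63.73.10.0/24|16150 8434 3549 14745 16791|IGP|217.75.96.60|0|0|3549:300 3549:4917 3549:30840 16150:65305 16150:65317 16150:65321|AG|63.96.63.2|",
    "BGP4MP|1044083315|A|66.185.128.1|1668|202.3.156.0/24|1668 1239 4637 9225 7473 17557|IGP|66.185.128.1|0|25||NAG||",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.14.0/24",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.15.0/24",
    "BGP4MP|1044083315|W|129.250.0.6|2914|193.52.16.0/23",
    "BGP4MP|1044083320|A|129.250.0.6|2914|203.0.113.0/24|2914 4766 9318|IGP|129.250.0.6|0|0||NAG||",
    "BGP4MP|1044083321|A|129.250.0.6|2914|198.51.100.0/24|2914 4766 64496|IGP|129.250.0.6|0|0||NAG||",
]


def parse_record(line):
    """Return a dict for one BGP4MP record, or None for lines that are not records.
    Fields: type|time|A/W|peer IP|peer AS|prefix|AS-PATH|... (withdrawals stop at prefix)."""
    f = line.rstrip("\n").split("|")
    if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
        return None
    rec = {
        "time": int(f[1]),
        "type": f[2],
        "peer_ip": f[3],
        "peer_as": int(f[4]),
        "prefix": f[5],
        "as_path": [],
    }
    if f[2] == "A" and len(f) > 6 and f[6]:
        # AS_SET members are written as {a,b}; strip braces so every ASN parses
        cleaned = f[6].replace("{", " ").replace("}", " ").replace(",", " ")
        rec["as_path"] = [int(a) for a in cleaned.split()]
    return rec


def classify(rec, korean=KOREAN_ASES):
    """'origin-matched' if a Korean AS originates the prefix, 'matched' if a Korean AS
    appears anywhere else in the AS-PATH, else None. Withdrawals have no path -> None."""
    if rec["type"] != "A" or not rec["as_path"]:
        return None
    if rec["as_path"][-1] in korean:
        return "origin-matched"
    if any(asn in korean for asn in rec["as_path"]):
        return "matched"
    return None


def summarize(lines, bin_seconds=900):
    """Count A/W records and matched/origin-matched announcements per time bin."""
    counts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        b = rec["time"] - rec["time"] % bin_seconds
        c = counts.setdefault(b, Counter())
        c[rec["type"]] += 1
        label = classify(rec)
        if label:
            c[label] += 1
    return counts


if __name__ == "__main__":
    for b, c in sorted(summarize(SAMPLE_LINES).items()):
        print(b, dict(c))
```

Run over a real 15-minute update file, the per-bin counters are exactly the series plotted on the Results slides; the three withdrawals in the sample land in the W count only, which is why withdrawal-driven RIB changes cannot be attributed to Korean ASes from the updates alone.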
Slide 11: Results
[Figure: BGP Updates (Announcements and Withdrawals) over time]
reference [6]
Slide 12: Results
[Figure: BGP (origin) matched Announcements over time]
BGP Announcements and Withdrawals increased during the Sapphire impact.
reference [6]
Slide 13: Results
[Figure: BGP RIB Entries over time]
About 15000 prefixes are transited by Korean ASes.
This is the number of prefixes that can be reached through Korea from abroad.
Slide 14: Results
BGP RIB Origin matched entries - 1
[Figure: origin-matched RIB entry count over time, with three dips D1, D2, D3 and recoveries R1, R2 between start S and end E; interval labels as read from the figure: S to E 50 hours; S to D1 4 hours; D1 to R1 12 hours; R1 to D2 4 hours; D2 to R2 2 hours; R2 to D3 12 hours; D1 to D2 16 hours; D2 to D3 14 hours]
Slide 15: Results
[Figure: BGP RIB Origin matched entries - 2]
Slide 16: Results
[Figure: BGP RIB Origin matched entries - 3]
Slide 19: Results
Totally blacked-out Korean ASes
About 15/213 ASes were totally blacked out during the Sapphire/Slammer impact.
[Diagram: a stub AS with a single peering session to its provider AS P1; the session is marked X (down), so the stub AS disappears from the RIB]
Slide 20: Results
Other non-Korean ASes
A similar phenomenon is also observed for other non-Korean ASes.
[Figure: RIB entry count over time for non-Korean ASes, with dips D1, D2, D3]
Slide 21: Discussions
During the Sapphire/Slammer worm impact, a massive increase in the number of BGP updates and a decrease in BGP RIB entries is observed.
There are 3 unrecognized dipping points in the RIB snapshots.
'D1' isn't surprising. But why 'D2' and 'D3'?
Slide 22: Discussions
BGP doesn't show sufficient statistics: BGP Withdrawals do not contain an AS-PATH, so the mapping between BGP withdrawals and RIB counts is ambiguous.
Routing data of Korea isn't accessible. A well-organized monitoring infrastructure is needed.
Slide 23: References
[1] Analysis of the Sapphire Worm – A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UCSD CSE – http://www.caida.org/analysis/security/sapphire/
[2] CERT Advisory CA-2003-04 MS-SQL Server Worm.
[3] Sapphire worm code disassembled – http://www.eeye.com/html/Research/Flash/sapphire.txt
[4] University of Oregon – Route Views Project page – http://routeviews.org
[5] Joint Investigation Team on Information and Communications Network Intrusion Incidents, "Investigation Results of the Information and Communications Network Intrusion Incident".
[6] RIPE NCC RIS, Sapphire/Slammer Worm Impact on Internet Performance – http://www.ripe.net/ttm/Documents/worm/index.html