RESEARCH TRIANGLE PARK — The world dodged a major bullet on Jan. 25 when the “Slammer” or “Sapphire” worm wreaked devastation on the Internet.

Will industry and governments learn the lessons?

A new report out from the Cooperative Association for Internet Data Analysis (CAIDA) and analysis from a security firm in the United Kingdom should be required reading for every CEO, CIO, CFO and systems administrator.

First, the scary technical material from CAIDA, a technical group.

“The Sapphire Worm was the fastest computer worm in history,” begins the report from CAIDA. Get your attention?

“As it began spreading throughout the Internet, it doubled in size every 8.5 seconds.

“It infected more than 90 percent of vulnerable hosts within 10 minutes.”

Amazing, isn’t it, how a program launched (who knows where) finds one vulnerable Microsoft SQL server on the Internet on which (who knows why) a “patch” to close a known vulnerability wasn’t installed, and BOOM!, as John Madden would say, it’s worm party time.

“The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures,” the CAIDA team wrote.

That number may not seem large when compared to the “Code Red Worm” of 2001, which struck 359,000 hosts, according to CAIDA. But Slammer/Sapphire’s speed clogged Internet arteries faster than someone can download a photo on a dialup connection.

“Propagation speed was Sapphire’s novel feature,” wrote the team of David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford and Nicholas Weaver. “In the first minute, the infected population doubled in size every 8.5 seconds. The worm achieved its full scanning rate (over 55 million scans per second) after three minutes, after which the growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate.” (Emphasis added.)

Some people discounted reports last year that a super worm could “devour” the Internet in 15 minutes. Is Slammer a preview of that? People already have started calling such a super worm a “Warhol” — as in 15 minutes of fame — or “flash.”

“Most vulnerable machines were infected within 10 minutes of the worm’s release,” the group added. “Although worms with this rapid propagation had been predicted on theoretical grounds, the spread of Sapphire provides the first real incident demonstrating the capabilities of a high-speed worm. In comparison, the Code Red worm population had a leisurely doubling time of about 37 minutes.”
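The growth figures quoted above (doubling every 8.5 seconds for Sapphire, 37 minutes for Code Red, and the ceiling of about 55 million scans per second once links saturated) are what the standard random-scanning epidemic model predicts, and that model is what defenders use to judge how short a patch window really is. This added example, not part of the CAIDA report or this article, works the model through with the article's own numbers; the 75,000 and 359,000 host counts and the scan ceiling come from the text, the per-host scan rate is derived from the doubling time, and treating saturation as a hard cap on aggregate scanning is a simplifying assumption.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses targeted by uniform random scanning


def growth_rate(doubling_seconds):
    """Early-phase growth is exponential, I(t) = I0 * 2**(t / Td),
    so the continuous infection rate constant is K = ln 2 / Td."""
    return math.log(2) / doubling_seconds


def time_to_fraction(target, doubling_seconds, vulnerable, initial=1):
    """Closed-form logistic prediction (no bandwidth limit) of the seconds
    until `target` of the vulnerable population is infected.
    With a(t) = fraction infected, da/dt = K a (1 - a), whose solution gives
    t = (logit(target) - logit(a0)) / K."""
    k = growth_rate(doubling_seconds)
    a0 = initial / vulnerable
    logit = lambda a: math.log(a / (1 - a))
    return (logit(target) - logit(a0)) / k


def simulate_with_cap(doubling_seconds, vulnerable, scan_cap,
                      target=0.9, dt=0.1, initial=1):
    """Euler simulation of the same model, but with the aggregate scan rate
    capped at `scan_cap` scans/s to mimic saturated links (assumption).
    Returns seconds until `target` of the vulnerable hosts are infected."""
    k = growth_rate(doubling_seconds)
    # Per-host scan rate that reproduces the observed early doubling time:
    # K = per_host * vulnerable / ADDRESS_SPACE.
    per_host = k * ADDRESS_SPACE / vulnerable
    infected, t = float(initial), 0.0
    while infected < target * vulnerable:
        total_scans = min(infected * per_host, scan_cap)
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE  # chance a scan finds a fresh victim
        infected += total_scans * hit_prob * dt
        t += dt
        if t > 24 * 3600:
            raise RuntimeError("target not reached within a day")
    return t


if __name__ == "__main__":
    print(f"Sapphire, ideal model: 90% in {time_to_fraction(0.9, 8.5, 75000) / 60:.1f} min")
    print(f"Sapphire, 55M scans/s cap: 90% in {simulate_with_cap(8.5, 75000, 55e6) / 60:.1f} min")
    print(f"Code Red, ideal model: 90% in {time_to_fraction(0.9, 37 * 60, 359000) / 3600:.1f} h")
```

The uncapped model puts Sapphire at 90% in under three minutes, and the bandwidth cap stretches that to a few minutes, still inside the 10-minute figure quoted above; the same model gives Code Red roughly half a day.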

Fortunately, the CAIDA group added, Sapphire “did not contain a malicious payload.” It merely grew and grew and grew until traffic stopped — a denial-of-service attack. What if it had somehow been designed to attack, erase and/or capture data like a virus?

As Chris Harper of Secure Enterprise Computing in Raleigh told Local Tech Wire last week, the boundaries between viruses and worms are disappearing.

CAIDA ended its report with a stern warning:

“It is important to realize that if the worm had carried a malicious payload, had attacked a more widespread vulnerability, or had targeted a more popular service, the effects would likely have been far more severe.”

Sapphire/Slammer certainly got some people’s attention. The CAIDA report was underwritten by:

  • National Science Foundation
  • DARPA (Defense Advanced Research Projects Agency)
  • Silicon Defense
  • Cisco Systems
  • AT&T
  • NIST (National Institute of Standards and Security)
  • CAIDA members

To view the report, go to:

www.caida.org/outreach/papers/2003/sapphire

More damage to come?

Mi2g, a security firm in the United Kingdom, said Sapphire/Slammer caused between $945 million and $1.15 billion in economic damage over that weekend. Mi2g rated it the ninth worst attack in terms of monetary costs.

But DK Matai, the firm’s CEO, said Sapphire/Slammer should not be overlooked simply because costs weren’t necessarily large.

“Slammer’s impact on emergency services, the Internet backbone, airlines and financial services was short-lived but remarkable given the absence of any destructive payload,” he said in comments quoted by EarthWeb. “In the next few months, Slammer variants could emerge which are capable of being used in a blended threat scenario alongside physical attacks by radicals. This could achieve a significant multiplier effect given the dependence and demonstrable lack of preparedness of the globally networked society.”