Analysis of the Internet shutdown caused by the Slammer worm on Jan. 25th

(Informal summary of the Korean government's report)

1. Progress

- The Slammer worm came in from the US, Australia and elsewhere at 14:10 on the 25th of January (KST).

- Vulnerable MS SQL servers were infected.

- Infected servers started to attack other computers by generating 10,000 to 50,000 attack packets per second.

- The volume of traffic increased explosively.

- Internet connection lines were blocked not only for the universities, research institutes and companies that had infected servers, but also for other nearby users.

2. Cause

- Increased traffic generated by the Slammer worm, which abuses a vulnerability in Windows SQL server

- As there was no root server in Korea, domestic DNS servers were overloaded while international connections were saturated.

- Widespread high-bandwidth networks and IDCs (Internet data centers)

- End users are not aware of security issues, so they do not apply patches or update vaccine software.

3. Countermeasures

- Raise awareness of security

- Introduce a root DNS server within Korea

- Establish an early forecast and alert system through Internet traffic management

- Grant IDCs the authority to respond to emergencies
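
An added example, not part of the report or of this summary: a small sketch of the traffic-based alerting named in the countermeasures. It flags sources that reach the 10,000 packets-per-second lower bound reported above while contacting many distinct destinations in the same second. The record format, the addresses and the fan-out threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Lower bound of the per-server attack rate given in the summary (packets/second).
PPS_THRESHOLD = 10_000
# Assumed value: a worm sprays many targets, a busy server talks to few.
MIN_DISTINCT_DESTS = 50


def find_flooders(records, pps_threshold=PPS_THRESHOLD, min_dests=MIN_DISTINCT_DESTS):
    """Return {source: peak packets/second} for sources that, inside any
    one-second bucket, reach pps_threshold and hit at least min_dests targets."""
    packets = defaultdict(int)  # (source, second) -> packets sent
    dests = defaultdict(set)    # (source, second) -> distinct destinations
    for ts, src, dst, count in records:
        key = (src, int(ts))
        packets[key] += count
        dests[key].add(dst)
    peaks = {}
    for key, total in packets.items():
        if total >= pps_threshold and len(dests[key]) >= min_dests:
            peaks[key[0]] = max(peaks.get(key[0], 0), total)
    return peaks


def sample_records():
    """Constructed flow records: (timestamp_sec, source, destination, packets)."""
    records = []
    # Hypothetical infected server: 12,000 pps in second 0, 30,000 pps in second 1.
    for i in range(200):
        records.append((0.2, "192.0.2.10", f"198.51.100.{i}", 60))
    for i in range(250):
        records.append((1.5, "192.0.2.10", f"198.51.100.{i}", 120))
    # Hypothetical bulk transfer: very high rate, but a single destination.
    records.append((0.7, "192.0.2.20", "198.51.100.1", 40_000))
    # Hypothetical ordinary client: 30 destinations, 150 pps in total.
    for i in range(30):
        records.append((0.4, "192.0.2.30", f"198.51.100.{i}", 5))
    return records


if __name__ == "__main__":
    for src, pps in find_flooders(sample_records()).items():
        print(f"ALERT {src}: peak {pps} packets/second to many destinations")
```

Requiring both conditions keeps a single high-volume transfer from raising the alert, while a scanning host is flagged in the first second it crosses the rate.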