Network admins the world over had a bad weekend in late January 2003. That’s when the SQL Slammer took the world by storm and, in the process, reminded everyone of a harsh truth: A security patch does no good if it’s not installed.
One of the fastest-spreading (if not the fastest) worms in history, SQL Slammer used only 376 bytes of code to exploit a vulnerability in Microsoft SQL Server 2000 software. The worm was able to attack 75,000 servers in as little as 10 minutes, triggering denial-of-service attacks that took down ATMs, newspaper publishing and even 911 services in the state of Washington.
Beginning in the wee hours of January 25, 2003, packet loss across the internet stood at about 20 percent, against a normal rate of 1 percent, according to one monitoring firm. South Korea was hit particularly hard, with most websites effectively shut down for half the day.
SQL Slammer was preventable
Six months prior, UK database security expert David Litchfield had been hired to determine how a client’s SQL servers could be exploited. He did so with aplomb, wrote up the results and shared them with Microsoft.
As Litchfield recounts, Microsoft was responsive and pulled developers off of other projects to create a security patch—and gave Litchfield the green light to speak about the incident at a Black Hat Security Briefing. He did, with the warning that everyone needed to install the patch.
Many people did not listen – but SQL Slammer’s still-unknown creator did.
And while you would think the events of January 2003 would have driven everyone to eventually install the patch, they did not. SQL Slammer has made a few repeat performances, including one in November and December 2016, with worm traffic coming from Vietnam, China and Mexico.