Public Safety Canada

Microsoft SQL Server 2000 "Slammer" Worm - Impact Paper

Incident Analysis Number: IA03-001
March 12, 2003

Purpose

This paper will examine the impact of the SQL Server 2000 "Slammer" worm on global critical infrastructure (CI) elements. The information in this paper could be used to illustrate how interdependent CI elements in disparate industry sectors have become increasingly underpinned by networked computer technologies.

Audience

This paper has been written in order to assess the scope and impact of the Slammer worm. As such, it is primarily intended for CI stakeholders who rely on computer network technologies for their enterprises.

Note

The analysis in this publication is based primarily on media reports, with limited government and private sector reports and accounts.

Executive Summary

  • On 25 June 2002, Microsoft issued a patch for a vulnerability in the company's SQL Server 2000. The U.S. Federal Computer Incident Response Center (FedCIRC) and CERT-CC issued subsequent advisories regarding the Microsoft warning.
  • At 05:30 UTC on 25 January 2003, a memory-resident worm, dubbed "Slammer", began propagating itself "in the wild". The worm exploited a vulnerability in the Resolution Service of Microsoft SQL Server 2000, which runs on UDP port 1434. Once the worm infected network servers and terminals, it sent UDP packets to random Internet Protocol (IP) addresses and infected other SQL servers. The worm caused significant egress traffic from UDP port 1434 and effectively created a denial-of-service (DoS) attack.
  • Most experts agree that the worm likely began propagating itself somewhere in East Asia.
  • The Slammer worm surprised many by demonstrating the degree of interdependency that has developed between CI sectors. Critical infrastructure sectors are increasingly reliant on online services. Due to this reliance, network servers that are left unchecked or inadequately secured, and are subsequently compromised, can negatively impact a CI sector's operating system.
  • The Canadian Bankers Association (CBA) reported that a small number of Canadian Automated Teller Machines (ATMs) were offline intermittently. In North America, ATM availability experienced intermittent interruptions during the peak propagation period of the worm. In East Asia, the banking and financial sectors experienced significant interruption as a result of the SQL Slammer worm, and online financial transactions were, in many cases, rendered inaccessible.
  • Global Internet traffic was significantly compromised by the Slammer worm. As a result of the magnitude of informational requests made by this worm, 5 of the 13 Domain Name Servers (DNS) were taken offline for approximately 4-5 hours; this situation helped exacerbate the global Internet slowdown. Voice over Internet Protocol (VoIP) and other capacity-intensive services were significantly impacted.
  • Little impact was felt in the critical mission systems of the energy and utilities sectors. The worm did not contain a malicious payload, which might have affected their systems.
  • A 9-1-1 call centre outside Seattle, Washington, which services 14 fire departments, 2 police stations and a community of 164,000 people, was taken offline as a result of the worm. There were no reported instances of similar effects in Canada.
  • Several major U.S. airports had to delay or cancel flights as their online automated booking procedures were negatively impacted by the Internet slowdown.
  • Several U.S. government network servers and web sites were affected by the worm. Users attempting to access online services from them experienced difficulty.
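
The propagation behaviour described in the Executive Summary, an infected host sending UDP packets on port 1434 to random IP addresses, leaves a recognisable pattern in network flow records. The following Python detector is an added example and is not part of the original paper; the flow-record layout, the sample addresses and the window and threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

SQL_RESOLUTION_PORT = 1434  # UDP port of the SQL Server Resolution Service


def find_scanning_sources(flows, window_s=10.0, min_distinct_dsts=20):
    """Return {src_ip: peak distinct destinations} for every source that sent
    UDP/1434 to at least min_distinct_dsts addresses within window_s seconds.

    flows: (ts_seconds, src_ip, dst_ip, proto, dst_port) tuples sorted by time.
    The window and threshold defaults are assumptions, not values from the paper.
    """
    recent = defaultdict(deque)                       # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> count
    peaks = {}
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        queue, dsts = recent[src], in_window[src]
        queue.append((ts, dst))
        dsts[dst] += 1
        # Drop records that have aged out of the sliding window.
        while ts - queue[0][0] > window_s:
            _, old_dst = queue.popleft()
            dsts[old_dst] -= 1
            if dsts[old_dst] == 0:
                del dsts[old_dst]
        if len(dsts) >= min_distinct_dsts:
            peaks[src] = max(peaks.get(src, 0), len(dsts))
    return peaks


def sample_flows():
    """Constructed flow records (documentation and private address ranges)."""
    flows = []
    for i in range(40):  # worm-like: 40 distinct destinations in two seconds
        flows.append((i * 0.05, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434))
    for i in range(30):  # ordinary client: one SQL server, queried repeatedly
        flows.append((i * 0.1, "10.0.0.9", "10.0.1.20", "udp", 1434))
    for i in range(40):  # many destinations, but DNS rather than port 1434
        flows.append((i * 0.05, "10.0.0.7", f"203.0.113.{i + 1}", "udp", 53))
    for i in range(25):  # port 1434, but one new destination every 10 seconds
        flows.append((i * 10.0, "10.0.0.8", f"192.0.2.{i + 1}", "udp", 1434))
    return sorted(flows)


if __name__ == "__main__":
    for src, peak in find_scanning_sources(sample_flows()).items():
        print(f"{src}: {peak} distinct UDP/1434 destinations within the window")
```

Only the first constructed host is reported: the ordinary client reaches a single server, the DNS traffic is on a different port, and the slow sender never has more than two destinations inside one window.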


Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca