Brought to you by our friends at the SANS Institute.
Special Invitation for Monday January 27 Web Broadcast

The SQL Slammer Worm: Ask The Experts

SANS has organized an "ask the experts" session so you can get your
questions answered about the new SQL worm that caused so much damage
over the weekend (and is still causing damage.)

Time: 3:00 PM EST (2000 UTC)
You must register right away if you want to come. We have only 2,500
slots (6,000 registered for our last web broadcast so we must cut
off the registrations as soon as 2,500 people register).

How to register:
Please visit to sign up.

An archive of the audiocast will be available after the event at this
same URL if you are unable to participate during the live broadcast.

The panel includes technical experts from SANS, the White House Office
of Cyberspace Security, and from leading security vendors that were
working all weekend to try to understand and develop means of blocking
the worm.

This is an important event in educating management. It is another case
that proves that asking every user to install the correct patches in
a timely fashion is futile. There are better solutions we'll discuss
in the web broadcast.

Below is a preliminary analysis of the worm. Please email us (at with a (completely confidential) brief report of
the damage that you experienced (your ISP was down, you couldn't get
money from your ATM, etc.) from this worm. By combining these stories,
we may be able to put an actual cost on the problem and thereby help
justify better security.

Also please send us one or two questions about SQL Slammer in advance
of the briefing so we can make sure we get popular questions answered.


MS-SQL Server Worm (also called Sapphire, SQL Slammer, SQL Hell)


A worm launched Saturday morning January 25, about 12:30 AM (EST),
takes advantage of a buffer overflow vulnerability in Microsoft SQL
Server 2000. The SQL vulnerability was initially reported in July
of 2002. The worm is also being called Sapphire, SQL Slammer, and
SQL Hell.

Microsoft reports that the worm also infects MSDE 2000 systems,
typically used by software developers.

The worm attempts to infect systems at (approximately) randomly
generated IP addresses. The worm has no back doors or code for
flooding like other worms (Code Red). However, by using UDP packets
for infection, the worm allows infected machines to generate huge
amounts of traffic; even greater than that produced by most code
written specifically for flooding. Thus, in attempting to infect
other systems, the worm has powerful denial of service capabilities.

The worm resides in memory, and not on disk, so it can be eliminated
using a system reboot. However, if the defensive perimeter is not
upgraded to block offending udp packets or the system is not patched,
it will be quickly reinfected.

The worm uses UDP port 1434, so the impact of the worm can be
reduced by blocking inbound and outbound traffic destined for UDP
port 1434. Sites should use caution when blocking all traffic to this
port, since it is legitimately used by Microsoft SQL services. Some
sites have reported high levels of UDP traffic to port 1433 as well.

A CERT Advisory said the worm has caused various levels of network
degradation across the Internet. One news story reported that
ATMs of Bank of America were impacted by the worm. According to the
various reports, about 35,000 hosts had been infected as of Saturday.
Incidents.Org reports 120,000 IP addresses infected by Sunday at 10 AM
(EST). preliminary analysis of worm (includes a packet trace):

Original Vulnerability Analysis by David Litchfield:

CERT Advisory:

Microsoft Advisory:

Cisco Security Notice (Recommendations):

Cisco Security Advisory:

Microsoft Security Bulletin (originally posted July 24, 2002):