U.S. Military Role in SQL Slammer Worm Attack
Exhibit A: Exclusive empirical data tracking the SQL Slammer worm.
Jan. 28, 2003By Doctor Electron
Net Census data reveals the probable major U.S. military role as a victim, as an unwitting agent rapidly spreading the recent SQL Slammer worm and finally, as a helper in limiting the internet crisis.
Before the recent SQL Slammer worm activity, Net Census estimates about 4.7 million SQL servers on TCP port 1433 worldwide, based on two data sets using different methods of random sampling. For perspective on this value, SQL servers are about as common as directory name servers (DNS) on the planet. And there is about one SQL server for every four web page servers, as shown in the table below.
Legend: U.S. military internet address funneling described in this report affects the estimates shown for other ports. Please see the next report presenting ports by top level domain -- .mil, .com, .net, .org, .edu, etc.
On Saturday, Jan. 25, 2003, our sampling showed this number of SQL servers was down to 38% of normal. By Sunday to the present, active SQL servers have stablized at about 23% of normal activity. Thus, more than three-quarters of SQL servers worldwide have been shut down. At this writing, our data show that this lowered level of SQL activity remains.
Comparing before (SQLb) and after (SQLa) the worm attack, the table shows some 3 million internet addresses associated with SQL database services were disabled. This is like two out of three people on the face of the earth disappear over night. A statistician is not needed to confirm that something happened.
Thus, the major response of computer operators to this worm infestation has been to disable their servers. Who are these operators? Corporations, other businesses? In part, as reported by news media, but that is not yet the major story.
These operators appear to be primarily the U.S. military. Net Census evidence supports this conclusion, and the result is clear. The U.S. armed forces not only played a major helpful role in stemming the internet traffic jam caused by the SQL Slammer worm, but also may be largely responsible for the uncharacteristically rapid spread of the worm due to inadvisable internet practices documented by Net Census.
This is the major story, featuring why the internet behavior of the biggest player produced the super-rapid worm spread that mystified experts.
Before the worm attack, ten percent of internet addresses with SQL servers had host names ordinarily obtained from directory name servers. For example, "mycompany.com" is a host name. Over the weekend, that number has more than doubled to about 25%. This clue is a good place to start.
Now consider other exclusive Net Census data.
First, U.S. military installations listen on numerous ports connected to the internet covering a vast number of internet addresses. This internet presence is far greater than would be expected by the size of the organization itself -- and it may well be the largest organization in the world. This effect is so pronounced that survey research by Net Census must tabulate all internet address space used by the U.S. military to allow separate analysis of data in U.S. military and in other categories. There is nothing objectionable about this presence, especially in view of the vital functions of the military. It is just that from a research point of view, this factor needs to be assessed or reported results might be seriously distorted.
At this writing, considering over 10,800 responsive networks each containing over 64,000 internet addresses, 5% are reported to be .mil (U.S. military) by internet authorities. But this 5% accounts for 22% of all responses observed from computers connected to the internet worldwide. These figures are further magnified by the fact that far less than one half of the known .mil networks contribute to this phenomenon.
For example, do Microsoft executives have records of some 4.7 million SQL servers out there? What would that revenue be? Microsoft figures on licensed users -- reportedly only about one million -- are a fraction of the number of internet addresses responding to the SQL server port number observed by Net Census. Why?
It appears that U.S. military installations will channel connection requests to huge ranges of internet addresses to a smaller number of actual servers. It is as if the military sucks in as many requests for SQL and other services as it can, perhaps to make lists of parties scanning for them. This may be a productive intelligence gathering activity, but, again, it would have to be accounted for in survey research.
On the other hand, this apparent practice of funneling an enormous range of internet addresses to a smaller number of servers can have its disadvantages. Scanning for more victims is exactly where the SQL Slammer worm excels. Hence, these U.S. military computers would be most likely infected by the virus early on and then act as agents to further spread it. Given the vast extent of U.S. military computer networks, one does not have to be a rocket scientist to see that the major agent spreading the SQL Slammer worm most probably was the U.S. military.
Imagine you randomly dial phone numbers. Sometimes a specific non-military party answers the phone. If a huge number of randomly selected phone numbers connect you to a single desk at a U.S. military site, you have the sort of funneling practice described. If that connection to the military desk automatically generates millions of calls to other random phone numbers, the multiplier effect possible is tremendous -- exactly as reported in the media. Further, those secondary phone calls are also likely to be funneled back to another military site. And there is no shortage of those. More multiplication of random calls follows.
So the seemingly indiscriminate sucking in of internet connection requests by U.S. military installations -- reported first by Net Census -- is a very questionable practice.
Second, the proportion of U.S. military internet addresses that sport a host name is much less than other categories of internet citizens -- from businesses to other countries. In fact, it is only 23% of the average for non-military networks. Now we are getting somewhere. Remember that clue above about the doubling of SQL servers with obtainable host names over the weekend during the SQL Slammer worm activity?
This clue with the points above strongly suggest that it was primarily the U.S. military lending a helping hand in this internet crisis. The dramatic increase in the host name percent indicates a major change in the composition of operators of SQL server computers. Since most of the U.S. military servers are private without public host names available, it follows that most of the SQL servers that were shut down over the weekend were operated by the U.S. military.
This may be both good and bad news. Good in that the computer systems of the military can be quickly managed to turn off the flood of UDP packets on the SQL-related port 1434. The bad news, if any, might be that it was not primarily non-military system managers who were leading the incident management or patching the bug with a fix that Microsoft had provided months previously.
Since the Net Census database cited above can be created by many internet observers, an obvious question arises. Did the perpetrator(s) of the SQL Slammer worm know about the major presence on the internet of U.S. military computer systems with SQL servers? Did they already identify the peculiar address funneling practice of the U.S. military, as reported by Net Census, which could be used maliciously to turn these systems into potent attack agents in worm propagation? If they could write the worm code, one might assume that they also had the ability to discover these simple statistical facts. The methods used to collect this data are not particularly difficult -- further supporting this assumption.
In brief, if we assume that the attacker(s) were aware of the facts cited above from the Net Census database, it follows that the U.S. military may have been an intended target or even "the" target in this episode. If so, this clearly moves beyond the hacker/cracker area into frank terrorism.
In any case, there remains the perhaps ironic result that in the early stages of this attack on the internet, U.S. military computers most likely participated in a big way in the spread of the worm on the internet. Was the strategy "Make the giant shoot himself in the foot and fire at bystanders, too"? Probably this scenario overestimates the capability of the attacker(s). Let's hope so.
Net Census suggests that the U.S. government review the practice of internet address funneling described above. This appears to be a significant security risk for the internet.
What genius decided to route multiple internet addresses to single military host computers? The most common situation is to have one address per computer. The military, however, should go further in reversing this funneling practice so that the ratio of internet addresses to military host computers is far less than one. Then the U.S. military will not itself be such a threat to U.S. and world internet services when scanning worms like SQL Slammer drop in to visit.
PostScript:
In the past, Net Census has asked the major law enforcement, intelligence and Department of Defense agencies of the U.S. if there is a review office concerning media publications which may have national security relevance. Such an office might review voluntarily submitted materials prior to publication and advise media editors concerning any perceived issues. With the spotlight on "homeland security", one might think one would receive an immediate response.Your turn. Guess what the response was. Tick, tick. You got it. Apparently, there is no "national security review desk" which may be consulted by publishers prior to publication of articles.
Notes:
Please contact Net Census for detailed empirical data tracking the SQL Slammer worm attack as well as lists of SQL servers. Research methods used are described in several articles on the Net Census web site.
With the exception of NetBios name service and web page servers (port 80), certain U.S. military networks practice dramatic levels of internet address funneling on ftp, ssh, telnet, smtp, https, socks, http proxy, sql and other ports, according to Net Census data. A more detailed report is in preparation.
Many host computers will accept packets destined for typical services, such as SQL, although a functional server for that service may not be present. This factor is assumed to be fairly constant comparing among various service ports and would not affect the results or analysis as reported. Net Census also has data addressing this issue.To search for more information on "internet address funneling" -- a phrase coined for this report -- by the U.S. military or others, the technical terms of "virtual IP address", "packet routing" or "address masking" may help.
Copyright © 2003 Global Services
Original publication: Jan. 28, 2003Back to Net Census