20 Years Since the Spread of the Microsoft Sapphire/SQL Slammer Worm
canopic jug writes:
Developer Robert Graham has written a retrospective on how his proprietary software was able to detect the Microsoft Sapphire Worm, also known as SQL Slammer, as it hit, due to his design choices. These choices were, first, a poll-mode driver instead of an interrupt-driven one and, second, protocol analysis to recognize the behavior signature rather than pattern matching.
An industry luminary even gave a presentation at BlackHat saying that my claimed performance (2-million packets-per-second) was impossible, because everyone knew that computers couldn't handle traffic that fast. I couldn't combat that, even by explaining with very small words "but we disable interrupts".
Now this is the norm. All network drivers are written with polling in mind. Specialized drivers like PF_RING and DPDK do even better. Network appliances are now written using these things. Now you'd expect something like Snort to keep up and not get overloaded with interrupts. What makes me bitter is that back then, this was inexplicable magic.
I wrote an article in PoC||GTFO 0x15 that shows how my portscanner masscan uses this driver, if you want more info.
When it hit in January 2003, the Microsoft Sapphire Worm, also known as SQL Slammer, began spreading quickly across the Internet by doubling in size every 8.5 seconds, infecting more than 90% of vulnerable, networked Windows systems within 10 minutes.
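To make the distinction between pattern matching and protocol analysis concrete, here is an added example (not Graham's code) that runs both detection styles over constructed UDP/1434 payloads. It assumes the worm's delivery mechanism, a single UDP datagram to the SQL Server Resolution Service on port 1434 carrying a 0x04 request with an overlong instance name, which the story does not spell out but is the documented cause; the 16-character instance-name limit and the sample payloads are assumptions for the illustration.

```python
# Added example: signature matching vs. protocol analysis for Slammer-style traffic.
# Not code from Graham's product; a minimal illustration of the design choice.

SSRP_PORT = 1434            # SQL Server Resolution Service (UDP)
CLNT_UCAST_INST = 0x04      # SSRP request: "which port is instance <name> on?"
MAX_INSTANCE_NAME = 16      # assumed legal maximum for a SQL Server instance name

# Pattern-matching style: a fixed byte prefix taken from one known sample
# (constructed stand-in; a real IDS signature would be longer and exact).
SLAMMER_SIGNATURE = bytes([CLNT_UCAST_INST]) + b"\x01" * 8


def pattern_match(dst_port: int, payload: bytes) -> bool:
    """Signature detection: fires only on the exact bytes seen in the known sample."""
    return dst_port == SSRP_PORT and payload.startswith(SLAMMER_SIGNATURE)


def protocol_analysis(dst_port: int, payload: bytes) -> bool:
    """Behaviour detection: decode the SSRP request and flag a protocol violation.

    A 0x04 request whose instance-name field is longer than any legal instance
    name cannot come from a legitimate client, whatever bytes pad it out."""
    if dst_port != SSRP_PORT or not payload:
        return False
    req_type, body = payload[0], payload[1:]
    if req_type != CLNT_UCAST_INST:
        return False
    name = body.split(b"\x00", 1)[0]   # legitimate clients send a short NUL-terminated name
    return len(name) > MAX_INSTANCE_NAME


# Constructed sample datagrams (no real worm bytes).
LEGIT_REQUEST = bytes([CLNT_UCAST_INST]) + b"MSSQLSERVER\x00"
WORM_LIKE = bytes([CLNT_UCAST_INST]) + b"\x01" * 375   # 376 bytes, the commonly cited size
VARIANT = bytes([CLNT_UCAST_INST]) + b"\x41" * 375     # same oversized field, different filler


def compare(samples):
    """Return {label: (pattern_hit, protocol_hit)} for each (label, payload) pair."""
    return {label: (pattern_match(SSRP_PORT, p), protocol_analysis(SSRP_PORT, p))
            for label, p in samples}


if __name__ == "__main__":
    results = compare([("legit", LEGIT_REQUEST), ("worm", WORM_LIKE), ("variant", VARIANT)])
    for label, (sig, proto) in results.items():
        print(f"{label:8} pattern={sig} protocol={proto}")
```

The signature catches only the sample it was written from, while the protocol check catches the legitimate-looking variant too and stays quiet on a normal request.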