Massive Internet outage was preventable

Jan. 26, 2003 at 5:43 AM

WASHINGTON, Jan. 26 (UPI) -- A massive Internet outage that swept across Asia and slowed down service in the United States and northern Europe subsided Sunday. It was caused by a so-called "Slammer" message worm, and it could easily have been avoided, experts said.

Reports of a near universal shutdown of the Internet in South Korea Saturday were accompanied by widespread problems in the United States that shut down some automatic bank teller machine networks, held up e-mail, cut voice-over-Internet service and disrupted many private businesses, including some newspapers.

Hong Kong, South Korea, the northeastern United States and northern Europe appeared to be hit the hardest. Japan and Latin America were the least affected, according to Matrix NetSystems, an Austin, Texas, company that constantly monitors Internet traffic worldwide.

"The overall effect of these worldwide performance problems are severe, with more than 30% packet loss globally at the beginning of the event," the company said. "The performance problems seem to be subsiding for the time being" as system operators reacted, either shutting down their servers or installing necessary security fixes.

As is typical with malicious worm software, its origin could not be immediately determined.

Although the impact varied from region to region, the outage overall appeared to be the worst for the Internet in at least 18 months.

The worm, which unlike a computer virus merely duplicates itself, did its damage by clogging communications from server to server, overloading the capacity of the Internet in many key locations.

Although the worm did not spread instructions to harm hard drive storage or trigger other types of secondary damage, it denied or slowed Internet service to untold thousands of users. The effect was a massive "denial of service," a huge overload sometimes purposely directed against single Web sites but this time spread worldwide.

Services like "voice over IP" that are capacity intensive were hurt the most, experts said.

The effect of the spread of the worm appeared to peak about 5 a.m. EST Saturday after hitting two previous peaks in the United States in the previous two hours.

The worm was dubbed the "Slammer," and exploited a weakness in the widely used Microsoft SQL 2000 server software, a security flaw identified by Microsoft in July of last year.

But system operators who had not downloaded the free repair software since then found the problem suddenly caught up with them Saturday, sometimes in a devastating system stoppage.

News of the worm's initial appearance about 12:30 a.m. Saturday spread quickly among the Internet service providers through the day. But many operators who needed to download and install the fix from Microsoft sites found the worm was getting in the way, jamming the downloads.

A Beaverton, Wisc., firm, Network Associates, that provides network maintenance services said it assigned a "high risk assessment" to what it called the "W32/SQL Slammer." It said the invasive software exploited a weakness on "hundreds of servers" running the Microsoft software associated with UDP ports 1433 and 1434.

As soon as the worm infected one server, the "talkative" invader spewed messages to many other servers, instructing them to relay still more messages onward in an ever-escalating wave of signals.

Another network maintenance firm, St. Paul, Minnesota's Shavlik, offered free diagnostic tools to detect missing SQL Server security patches so vulnerable servers could be located quickly.

Matrix NetSystems, at matrixnetsystems.com, provided several constantly updated screens by which network administrators could track worldwide latency -- the delays being imposed on transmission of Internet signals -- as well as packet loss and reachability.

"While Web users experienced delays, the underlying Internet was largely unaffected," the company said. "The signature of this event," it continued, "is similar to that of the Goner Worm that struck in December 2001."

Others compared the widespread effect to that of the "Code Red" worm which also afflicted servers running Microsoft software in July of 2001, that time targeting port 80.
