Center for Applied Internet Data Analysis
Inside the Slammer Worm
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer Worm", IEEE Security and Privacy, vol. 1, no. 4, pp. 33-39, Aug 2003.

Support for this work was provided by NSF, DARPA, Silicon Defense, Cisco Systems, AT&T, NIST, and CAIDA members.


David Moore (1)
Vern Paxson (3, 5)
Stefan Savage (2)
Colleen Shannon (1)
Stuart Staniford (4)
Nicholas Weaver (4, 6)

(1) CAIDA, San Diego Supercomputer Center, University of California San Diego
(2) Department of Computer Science and Engineering, University of California, San Diego
(3) Lawrence Berkeley National Laboratory (LBNL)
(4) Silicon Defense
(5) The ICSI Center for Internet Research - ICIR
(6) University of California, Berkeley

The Slammer worm spread so quickly that human response was ineffective. In January 2003, it packed a benign payload, but its disruptive capacity was surprising. Why was it so effective and what new challenges does this new breed of worm pose?

Slammer (sometimes called Sapphire) was the fastest computer worm in history. As it began spreading throughout the Internet, the worm infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions and precluding any human-based response. In this article, we describe how it achieved its rapid growth, dissect portions of the worm to study some of its flaws, and look at our defensive effectiveness against it and its successors.

Slammer began to infect hosts slightly before 05:30 UTC on Saturday, 25 January 2003, by exploiting a buffer-overflow vulnerability in computers on the Internet running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine (MSDE) 2000. David Litchfield of Next Generation Security Software discovered this underlying indexing service weakness in July 2002; Microsoft released a patch for the vulnerability before the vulnerability was publicly disclosed. Exploiting this vulnerability, the worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and unforeseen consequences such as canceled airline flights, interference with elections, and ATM failures.

Keywords: network telescope, security
  Last Modified: Tue Nov-17-2020 04:46:56 UTC