SQL Slammer: The Fastest-Spreading Worm in History
A 376-byte UDP worm doubled its infected population every 8.5 seconds, infecting at least 75,000 hosts within ten minutes and causing network outages, ATM failures, and airline cancellations worldwide.
Background
Microsoft SQL Server 2000 and MSDE 2000 (the redistributable Desktop Engine bundled into many third-party products) contained a stack buffer overflow in the SQL Server Resolution Service, the UDP port 1434 listener that tells clients which port a named instance is using. Microsoft patched it in July 2002 as MS02-039 (CVE-2002-0649). When the worm appeared on 25 January 2003, six months later, a large share of exposed instances were still unpatched, in part because many MSDE owners did not know they were running a SQL Server instance at all.
The Attack
SQL Slammer was a single UDP datagram with a 376-byte payload sent to the Resolution Service on UDP port 1434. The payload overflowed a stack buffer, overwrote the service's return address, and ran the worm's code inside the SQL Server process; nothing was written to disk. That code did only one thing: it seeded a pseudorandom number generator and sent copies of the same datagram to random IP addresses in an endless loop, as fast as the host's network link allowed. Because infection needed no handshake, no file, and no reply from the victim, the spread rate was limited only by bandwidth, and each newly hit host began spraying immediately. The flood of scan traffic, not any deliberate payload, is what caused the damage: roughly 13,000 Bank of America ATMs went offline in the United States, 911 dispatch in the Seattle area was disrupted, and Continental Airlines cancelled flights.
Response
Because Slammer lived entirely in the SQL Server process's memory and never wrote a file, file-scanning antivirus had nothing to inspect. Rebooting cleared the worm, but an unprotected host was typically reinfected within minutes, so the order of operations mattered: first block UDP port 1434 at the firewall, inbound to stop new infections and outbound to stop already-infected hosts from scanning, then apply the six-month-old patch, then reboot. One caveat on the port block: legitimate clients also use UDP port 1434 to look up the TCP port of a named instance, so a filter inside the network can break connections unless instances are pinned to a fixed port. Once filters were in place the scan traffic subsided quickly, but most of the infection, and the damage, had happened within the first ten minutes.
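The two signals described above, the shape of the single datagram and the burst of UDP/1434 traffic to many distinct addresses from one source, are what a network sensor or egress filter keys on. The following Python is an added example written for this page, not code from any analysis of the worm: it parses raw IPv4/UDP datagrams, matches only the public structural features (destination port 1434, a 376-byte payload, a leading 0x04 SSRP instance-lookup byte), and lists sources that have sprayed more than an assumed threshold of distinct targets. The sample traffic is constructed, the packet-building and parsing helpers are the example's own, and the worm-shaped payload is a placeholder of the right size and first byte; the real exploit bytes are deliberately not reproduced.

```python
import socket
import struct
from collections import defaultdict

SSRP_PORT = 1434               # SQL Server Resolution Service, UDP
SLAMMER_PAYLOAD_LEN = 376      # size of the worm's single UDP datagram
SSRP_CLNT_UCAST_INST = 0x04    # SSRP instance-lookup request type the worm's packet begins with
SPRAY_THRESHOLD = 20           # assumed cut-off: distinct UDP/1434 targets per source


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Serialize a minimal IPv4+UDP datagram (checksums left at zero; enough for offline parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(raw: bytes):
    """Return src/dst/ports/payload for an IPv4 UDP datagram, or None for anything else."""
    if len(raw) < 20:
        return None
    vihl, _tos, _tot, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 17 or len(raw) < ihl + 8:
        return None
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload": payload}


def is_slammer_like(pkt) -> bool:
    """Structural match on the three public features: UDP/1434, 376-byte payload, leading 0x04."""
    if pkt is None or pkt["dport"] != SSRP_PORT:
        return False
    p = pkt["payload"]
    return len(p) == SLAMMER_PAYLOAD_LEN and p[0] == SSRP_CLNT_UCAST_INST


def find_spraying_hosts(raw_packets, threshold=SPRAY_THRESHOLD):
    """Sources that sent UDP/1434 to at least `threshold` distinct destinations: egress-filter candidates."""
    targets = defaultdict(set)
    for raw in raw_packets:
        pkt = parse_ipv4_udp(raw)
        if pkt and pkt["dport"] == SSRP_PORT:
            targets[pkt["src"]].add(pkt["dst"])
    return sorted(s for s, d in targets.items() if len(d) >= threshold)


# --- constructed sample traffic (not real captures) ---
# A legitimate SSRP instance lookup: type 0x04 followed by the instance name. Same port,
# same leading byte, but a short payload, so it must not match.
BENIGN_LOOKUP = build_ipv4_udp("10.0.0.7", "10.0.0.50", 49152, SSRP_PORT, b"\x04MSSQLSERVER\x00")
# Placeholder with the worm's size and first byte only; the exploit bytes are not reproduced.
WORM_SHAPED = b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
# One infected host spraying forty distinct targets on the 198.51.100.0/24 documentation range.
SAMPLE_TRAFFIC = [BENIGN_LOOKUP] + [
    build_ipv4_udp("10.0.0.5", f"198.51.100.{i}", 4000, SSRP_PORT, WORM_SHAPED)
    for i in range(1, 41)
]


def triage(raw_packets):
    """Count worm-shaped datagrams and list spraying hosts for a batch of raw packets."""
    matches = sum(is_slammer_like(parse_ipv4_udp(r)) for r in raw_packets)
    return {"slammer_like": matches, "spraying_hosts": find_spraying_hosts(raw_packets)}


if __name__ == "__main__":
    print(triage(SAMPLE_TRAFFIC))
```

The two checks are independent on purpose: the structural match catches the known datagram even from a host that has sent only one copy, while the distinct-target count catches any single-packet UDP/1434 sprayer regardless of payload, which is the behaviour an outbound port block is meant to stop.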
Outcome
Slammer infected 90% of all vulnerable hosts within 10 minutes, the fastest worm ever recorded at the time; a ten-minute outbreak is far shorter than any human-driven response. Estimated damages reached $1.2 billion. The incident added urgency to Microsoft's year-old Trustworthy Computing initiative and prompted industry-wide debate about patch management timelines.
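The figures in the Attack and Outcome sections (an 8.5-second doubling time, 75,000 hosts, 90% of vulnerable hosts in ten minutes, a 376-byte datagram) can be checked against each other. The Python below is an added worked example for this page, not part of the original analysis: it fits the standard random-constant-spread (logistic) model to the doubling time, and shows that unconstrained growth would have reached 90% in under three minutes, so the observed ten minutes implies the spread slowed by a factor of roughly 3.6 once infected hosts saturated their links. Treating the 75,000 infected hosts as the whole susceptible population, and the 100 Mbit/s link used for the scan-rate bound, are assumptions of the example.

```python
import math

DOUBLING_TIME_S = 8.5            # early-phase doubling time reported for Slammer
INFECTED_HOSTS = 75_000          # hosts infected in ten minutes; used as the susceptible population (assumption)
OBSERVED_90PCT_S = 600           # "90% of vulnerable hosts within 10 minutes"
IP_PACKET_BYTES = 376 + 8 + 20   # UDP payload + UDP header + IPv4 header, per copy of the worm


def growth_rate(doubling_time_s: float) -> float:
    """Exponential rate k such that the infected population grows as e^{kt}: k = ln 2 / doubling time."""
    return math.log(2) / doubling_time_s


def infected_fraction(t_s: float, k: float, n: int) -> float:
    """Random-constant-spread (logistic) model with one infected host at t = 0:
    a(t) = 1 / (1 + (n - 1) e^{-kt}); exponential early on, saturating at 1."""
    return 1.0 / (1.0 + (n - 1) * math.exp(-k * t_s))


def time_to_fraction(frac: float, k: float, n: int) -> float:
    """Invert infected_fraction: seconds until `frac` of the n hosts are infected."""
    return -math.log((1.0 / frac - 1.0) / (n - 1)) / k


def unconstrained_time_to_count(count: int, doubling_time_s: float) -> float:
    """Seconds to grow from one host to `count` if the doubling time never lengthened."""
    return math.log2(count) * doubling_time_s


def scans_per_second(link_bits_per_s: float, packet_bytes: int = IP_PACKET_BYTES) -> int:
    """Upper bound on copies one infected host can emit per second; the worm was bandwidth-limited."""
    return int(link_bits_per_s / (packet_bytes * 8))


def summary() -> dict:
    """Compare the page's observed timeline with what the fitted model predicts."""
    k = growth_rate(DOUBLING_TIME_S)
    model_t90 = time_to_fraction(0.9, k, INFECTED_HOSTS)
    return {
        "k_per_s": round(k, 4),
        "model_90pct_s": round(model_t90, 1),
        "unconstrained_75k_s": round(unconstrained_time_to_count(INFECTED_HOSTS, DOUBLING_TIME_S), 1),
        "observed_over_model": round(OBSERVED_90PCT_S / model_t90, 1),
        "scans_per_s_100mbit": scans_per_second(100_000_000),  # assumed link speed (assumption)
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The scan-rate bound is the practical reason egress filtering matters: a single infected host on a 100 Mbit/s link can emit on the order of 30,000 copies per second, so one unpatched machine inside a network is enough to saturate the links it shares with ATMs, dispatch consoles, or reservation systems.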
Key Takeaways
- Apply security patches within days of release, not months, and keep an asset inventory that includes embedded database engines such as MSDE
- Filtering UDP port 1434 in both directions at the firewall contains the worm even on unpatched hosts: inbound blocks new infections, outbound stops an infected host from scanning
- Critical infrastructure (ATMs, 911, aviation) must be network-isolated from general internet traffic so that link saturation elsewhere cannot take it down
- A single exposed, unpatched UDP service was enough to disrupt infrastructure worldwide; a single-packet worm spreads at wire speed, faster than any human response