Wired has a story by Paul Boutin on how the Slammer worm worked to “crash the Internet in 15 minutes”. The worm source code is also listed.
Slammer owes its speed to UDP, an Internet protocol that’s lighter and quicker than the TCP used for Web sites, email, and file downloads. TCP requires sender and receiver to acknowledge each other in a handshake before exchanging information; UDP can carry a message in a single, one-way packet. Microsoft’s SQL Server 2000 software has a UDP-powered directory service that lets applications automatically find the right database. Moreover, SQL code comes built into other programs the company sells. Many Slammer victims didn’t even realize they were running SQL.
The worm takes advantage of a common software bug called a buffer overflow. Buffers overflow when a data string is written into memory without its length being checked by the program. If the string is too long, the tail end of the data overwrites the program’s own code.
The genius of Slammer is how it uses an attack on just one type of software as leverage for a general attack on the Web itself. Machines infected by the worm swiftly spam the Net with randomly addressed traffic, hitting other vulnerable servers. As the number of computers spewing Slammer packets rises, the situation reaches critical mass, potentially creating a denial of service attack on all 4 billion IP addresses on the Net. Sounds crazy, but Slammer is fast enough to pull it off.
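As an added illustration of the unchecked copy described above (this is not the worm's code, nor Microsoft's, and it is not on the Wired page), the C program below models a 32-byte memory region whose first 16 bytes are the input buffer and whose remaining bytes stand in for the program's own data that happens to sit after it. A handler that trusts the datagram's length copies straight over that data; a handler that checks the length first rejects the message and leaves the region untouched. All sizes, names and the constructed 24-byte message are assumptions chosen for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed demo layout: one flat region so every write below stays
 * within a single array and the behaviour is well defined. */
#define REGION_LEN 32
#define BUF_LEN    16
#define FILL_BYTE  0xAA   /* sentinel pattern standing in for program state */

struct region {
    uint8_t bytes[REGION_LEN];
};

/* Zero the input buffer, fill the "program state" after it with the sentinel. */
static void region_init(struct region *r)
{
    memset(r->bytes, 0, BUF_LEN);
    memset(r->bytes + BUF_LEN, FILL_BYTE, REGION_LEN - BUF_LEN);
}

/* Vulnerable pattern: the length comes from the message itself and is
 * never compared with the buffer size. (Capped at REGION_LEN only so the
 * demo cannot write outside the array.) */
static void handle_unchecked(struct region *r, const uint8_t *msg, size_t len)
{
    if (len > REGION_LEN)
        len = REGION_LEN;
    memcpy(r->bytes, msg, len);
}

/* Hardened pattern: anything longer than the buffer is rejected before
 * a single byte is copied. Returns 1 if accepted, 0 if rejected. */
static int handle_checked(struct region *r, const uint8_t *msg, size_t len)
{
    if (len > BUF_LEN)
        return 0;
    memcpy(r->bytes, msg, len);
    return 1;
}

/* Returns 1 if the bytes after the buffer still hold the sentinel. */
static int state_intact(const struct region *r)
{
    for (size_t i = BUF_LEN; i < REGION_LEN; i++)
        if (r->bytes[i] != FILL_BYTE)
            return 0;
    return 1;
}

/* Oversized constructed datagram through the unchecked handler:
 * returns whether the program state survived (expected: 0, it did not). */
int demo_unchecked(void)
{
    struct region r;
    uint8_t msg[24];
    region_init(&r);
    memset(msg, 'A', sizeof msg);            /* 24 bytes > BUF_LEN */
    handle_unchecked(&r, msg, sizeof msg);
    return state_intact(&r);
}

/* Same datagram through the checked handler:
 * returns 1 only if it was rejected AND the state is untouched. */
int demo_checked_oversized(void)
{
    struct region r;
    uint8_t msg[24];
    region_init(&r);
    memset(msg, 'A', sizeof msg);
    int accepted = handle_checked(&r, msg, sizeof msg);
    return !accepted && state_intact(&r);
}

/* A message that fits is still accepted by the checked handler:
 * returns 1 only if accepted AND the state is untouched. */
int demo_checked_fits(void)
{
    struct region r;
    uint8_t msg[BUF_LEN];
    region_init(&r);
    memset(msg, 'B', sizeof msg);            /* exactly BUF_LEN bytes */
    int accepted = handle_checked(&r, msg, sizeof msg);
    return accepted && state_intact(&r);
}

int main(void)
{
    printf("unchecked copy, state intact:      %d\n", demo_unchecked());
    printf("checked copy rejects oversized:    %d\n", demo_checked_oversized());
    printf("checked copy accepts fitting msg:  %d\n", demo_checked_fits());
    return 0;
}
```

The point of the layout is the one the excerpt makes: with a single-packet protocol there is no handshake to reject a malformed message early, so the length check in the receiving code is the only thing standing between the datagram and whatever lives after the buffer.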