The SQL Slammer worm’s entire malicious payload was only 376 bytes, small enough to fit inside a single UDP packet.
SQL Slammer’s code was just 376 bytes, enabling explosive, packet-level propagation that crippled the Internet in January 2003.
The worm was precisely 376 bytes. That minuscule footprint let it fit inside one 404-byte UDP datagram (including headers) sent to port 1434/UDP on Microsoft SQL Server.
Being under Ethernet’s 576-byte MTU, the payload avoided packet fragmentation, reached hosts intact, and maximized scanning speed—over 75,000 infections in 10 minutes.
The payload held a buffer-overflow exploit for SQL Server’s Resolution Service plus shellcode that generated random IPs and re-transmitted itself—no file-system write required.
Each infected host blasted the 376-byte UDP packet to random addresses, saturating backbone links. Small size meant thousands of packets per second per host.
Yes. IoT devices, UDP services, and misconfigured firewalls remain vulnerable. Size constraints haven’t changed; low-byte malware can still create floods.
Monitor for outbound UDP 1434 packets near 404 bytes. IDS signatures and SQL log analysis can alert on unusual traffic spikes from internal hosts.
-- BigQuery example on VPC Flow Logs
SELECT
src_ip,
COUNT(*) AS pkt_cnt
FROM `project.dataset.vpc_flow`
WHERE dest_port = 1434 AND protocol = 17 -- UDP
AND bytes_payload = 404 -- 376 + UDP/IP headers
AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 HOUR)
GROUP BY src_ip
HAVING pkt_cnt > 100;
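The same hunt run outside the warehouse, as an added example that is not code from the page or from Galaxy: a Python script that parses constructed flow-log lines (the CSV field order, the private and documentation-range addresses and the 2003 timestamps are all assumptions), keeps UDP/1434 records whose datagram size is 404 bytes, counts them per source within a trailing one-hour window and reports sources above the same >100 threshold. It also exercises the negative cases the query silently depends on: a stale flood outside the window, a low-volume probe and same-size traffic to another port must not alert.

```python
"""Hunt for Slammer-shaped UDP/1434 floods in flow logs.

Added example, not code from the page or from Galaxy. The flow-line layout
(ts,src_ip,dst_ip,proto,dst_port,bytes), the addresses and the timestamps are
constructed assumptions chosen to mirror the BigQuery query above.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SLAMMER_DATAGRAM_LEN = 404   # 376-byte payload + 20-byte IPv4 + 8-byte UDP header
SSRS_PORT = 1434             # SQL Server Resolution Service
UDP = 17                     # IP protocol number for UDP

# Constructed reference instant for the sample log (any fixed time works).
NOW = datetime(2003, 1, 25, 6, 0, tzinfo=timezone.utc)


def parse_flow_line(line):
    """Parse one constructed flow record: ts,src_ip,dst_ip,proto,dst_port,bytes."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "src_ip": src,
        "dst_ip": dst,
        "proto": int(proto),
        "dst_port": int(dport),
        "bytes": int(nbytes),
    }


def is_slammer_shaped(rec):
    """The protocol, port and size filter from the SQL WHERE clause."""
    return (rec["proto"] == UDP
            and rec["dst_port"] == SSRS_PORT
            and rec["bytes"] == SLAMMER_DATAGRAM_LEN)


def find_flooding_sources(lines, now=NOW, window=timedelta(hours=1), threshold=100):
    """Return [(src_ip, count)] for sources with more than `threshold` matching
    datagrams inside the trailing `window` (the GROUP BY / HAVING step)."""
    cutoff = now - window
    counts = Counter()
    for line in lines:
        rec = parse_flow_line(line)
        if rec["ts"] < cutoff:          # outside the look-back window
            continue
        if is_slammer_shaped(rec):
            counts[rec["src_ip"]] += 1
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


def build_sample_log(now=NOW):
    """Constructed sample: one spraying host, one quiet host, one stale flood,
    and same-size UDP traffic to an unrelated port."""
    lines = []
    # 150 datagrams from 10.0.0.5 to scattered destinations over the last 25 minutes
    for i in range(150):
        ts = now - timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()},10.0.0.5,198.51.100.{i % 250 + 1},17,1434,404")
    # 5 SSRS probes from 10.0.0.7: well below the threshold
    for i in range(5):
        ts = now - timedelta(minutes=i)
        lines.append(f"{ts.isoformat()},10.0.0.7,10.0.1.20,17,1434,404")
    # 200 matching datagrams from 10.0.0.9, but two hours ago: outside the window
    for i in range(200):
        ts = now - timedelta(hours=2, seconds=i)
        lines.append(f"{ts.isoformat()},10.0.0.9,203.0.113.{i % 250 + 1},17,1434,404")
    # 300 404-byte UDP datagrams to port 53 from 10.0.0.11: wrong port, must not match
    for i in range(300):
        ts = now - timedelta(seconds=i)
        lines.append(f"{ts.isoformat()},10.0.0.11,10.0.1.53,17,53,404")
    return lines


if __name__ == "__main__":
    for ip, n in find_flooding_sources(build_sample_log()):
        print(f"ALERT {ip}: {n} Slammer-shaped datagrams to UDP/1434 in the last hour")
```

Widening the window to three hours surfaces the stale 10.0.0.9 flood as well, which is the knob an analyst turns when the first query comes back empty.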
Galaxy’s fast SQL editor lets engineers run the above query, share it in a Collection, and use the AI copilot to tweak thresholds or generate explanations.
Patch exposed services promptly, rate-limit UDP traffic, deploy egress ACLs, and use IDS rules that match payload size and port.
Slammer’s 376-byte flood crashed ATM networks, airline systems, and 911 services. It consumed ≈25% of global packet traffic within minutes.
alert udp any any -> any 1434 (msg:"SQL Slammer"; content:"|04 01 01 01|"; offset:0; depth:4; dsize:376; sid:1000001; rev:1;)
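To sanity-check the rule's arithmetic and matching logic offline, here is an added Python matcher that is not code from the page or from Snort. It builds a constructed IPv4/UDP datagram, parses the headers back out, and applies the same three conditions the rule encodes: destination port 1434, a UDP payload of exactly 376 bytes, and the bytes 04 01 01 01 at payload offset 0. The sample payload is a single 0x04 byte followed by 0x01 filler, a constructed stand-in that exercises the signature only; the 192.0.2.0/24 addresses are assumptions and the IP and UDP checksums are left at zero.

```python
"""Packet-level check mirroring the Snort rule above.

Added example, not code from the page or from Snort. The datagram is
constructed locally: addresses are assumptions, checksums are left at zero,
and the payload is one 0x04 byte plus 0x01 filler, a stand-in that exercises
the signature match only.
"""
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_UDP = 17
SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376             # the worm size the page gives
SLAMMER_PREFIX = b"\x04\x01\x01\x01"  # content:"|04 01 01 01|"; offset:0; depth:4

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR = "!HHHH"           # sport, dport, length, checksum


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4+UDP datagram (no options, checksums zeroed)."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, inet_aton(src), inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(packet):
    """Return header fields and UDP payload, or None if not a well-formed IPv4/UDP datagram."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack(UDP_HDR, packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > len(packet):
        return None   # UDP length field disagrees with the bytes we actually have
    return {
        "src": inet_ntoa(src), "dst": inet_ntoa(dst), "total_len": total_len,
        "sport": sport, "dport": dport, "payload": packet[ihl + 8:ihl + udp_len],
    }


def matches_slammer_rule(packet):
    """UDP to 1434, exactly 376 payload bytes, 04 01 01 01 at payload offset 0."""
    p = parse_ipv4_udp(packet)
    if p is None:
        return False
    return (p["dport"] == SSRS_PORT
            and len(p["payload"]) == SLAMMER_PAYLOAD_LEN
            and p["payload"].startswith(SLAMMER_PREFIX))


def constructed_sample_payload():
    """376 bytes: the 0x04 opcode byte followed by 0x01 filler (constructed, not the worm)."""
    return b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)


def constructed_sample_packet():
    """Full on-the-wire datagram; 192.0.2.0/24 is a documentation range, addresses are assumptions."""
    return build_ipv4_udp("192.0.2.10", "192.0.2.20", 40000, SSRS_PORT,
                          constructed_sample_payload())


if __name__ == "__main__":
    pkt = constructed_sample_packet()
    print(len(pkt), "bytes on the wire; rule match:", matches_slammer_rule(pkt))
```

The parsed total length comes out at 404, which is the number the flow-log query keys on, while the rule itself keys on the 376-byte UDP payload; the two figures describe the same datagram at different layers, and mixing them up is the most common way a size-based signature ends up matching nothing.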
Knowing Slammer’s 376-byte size underscores that destructive malware doesn’t need to be large. Security teams must monitor small payloads, not just big binaries. Understanding this worm guides modern defenses against lightweight, UDP-based threats that firewalls may overlook.
Yes. Multiple reverse-engineering efforts confirm the worm’s shellcode is exactly 376 bytes.
404 bytes refers to the full UDP datagram (376-byte payload + 28-byte IP/UDP headers).
Import network-flow tables, run size-filtered queries, and save them in a Galaxy Collection so teammates can endorse and reuse them.
Yes. Advanced shellcode techniques fit scanning and exploit logic into a few hundred bytes, especially over UDP.