Interesting People mailing list archives
the attack was not on the net but on
From: Dave Farber <dave () farber net>
Date: Sat, 25 Jan 2003 11:22:59 -0500
------ Forwarded Message
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 25 Jan 2003 10:16:07 -0500
To: Dave Farber <dave () farber net>
Subject: Re: [IP] more on Net Attack

On Sat, Jan 25, 2003 at 09:29:54AM -0500, Dave Farber wrote:
> Sites monitoring the health of the Internet reported significant slowdowns globally. Experts said the electronic attack bore remarkable similarities to the "Code Red" virus during the summer of 2001 which also ground online traffic to a halt.
The most remarkable similarity is that -- AGAIN -- the Internet has not been attacked. The very poorly designed and implemented products of the Microsoft Corporation have been attacked. And those of us who have chosen not to use those products because of their abysmal security record -- which now spans decades -- still have to pay the price for the negligence of other people who failed to make the same choice, even in the face of overwhelming evidence.

It appears that this worm infects MS SQL servers (unknown as yet which version/OS combinations) on ports 1433/1434 (not clear yet if one, either, or both), and that those servers then begin emitting traffic at a very high rate -- if not the maximum rate that their hardware/software will allow, certainly something in the ballpark. This saturates networks, routers, etc. They also try to infect other systems.

The NANOG mailing list is full of traffic on this topic, and I'm sure others (like the "incidents" list at securityfocus) will soon be buzzing with it as well.

My best guess at this point is that anyone running such a server should probably shut it down until enough packet captures and disassembly have been done to understand the precise nature of the attack and develop a fix. It would probably also not be a bad idea for anyone operating a router or firewall and who doesn't need to pass traffic on 1433 or 1434 to block those ports (if they haven't already).

---Rsk

------ End of Forwarded Message
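An added example, not part of the original message: one way an operator could pick out hosts behaving as the message describes (very high-rate traffic on ports 1433/1434 aimed at many other systems) from flow records. The record format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

WATCH_PORTS = {1433, 1434}  # the two ports named in the message
MIN_PPS = 1000              # assumed threshold: packets per second from one source
MIN_DSTS = 20               # assumed threshold: distinct destinations per second


def suspicious_sources(lines, min_pps=MIN_PPS, min_dsts=MIN_DSTS):
    """Return {src: (packets, distinct_dsts)} for the worst one-second bucket
    of every source that exceeds both thresholds on the watched ports.

    Each record is assumed to be: "epoch_second src_ip dst_ip dst_port packets".
    """
    packets = defaultdict(int)  # (src, second) -> packets sent
    dsts = defaultdict(set)     # (src, second) -> destinations contacted
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts = line.split()
        if int(dport) not in WATCH_PORTS:
            continue
        packets[(src, int(ts))] += int(pkts)
        dsts[(src, int(ts))].add(dst)

    flagged = {}
    for (src, ts), pps in packets.items():
        fanout = len(dsts[(src, ts)])
        # Rate alone also matches a bulk load to one database server;
        # requiring fan-out separates that from a host spraying many systems.
        if pps >= min_pps and fanout >= min_dsts:
            flagged[src] = max(flagged.get(src, (0, 0)), (pps, fanout))
    return flagged


def constructed_sample():
    """Constructed flow records (not captured data)."""
    lines = ["# epoch_second src dst dport packets"]
    for sec in range(3):  # ordinary client talking to one database server
        lines.append(f"{1000 + sec} 10.0.0.5 10.0.0.20 1433 12")
    for i in range(40):   # one host, one second, 40 different targets
        lines.append(f"1001 10.0.0.9 192.0.2.{i + 1} 1434 30")
    lines.append("1001 10.0.0.7 10.0.0.30 80 5000")    # busy, unrelated port
    lines.append("1001 10.0.0.8 10.0.0.20 1433 5000")  # busy, single server
    return lines


if __name__ == "__main__":
    for src, (pps, fanout) in suspicious_sources(constructed_sample()).items():
        print(f"{src}: {pps} pkts/s to {fanout} destinations on 1433/1434")
```
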