Interesting People mailing list archives

the attack was not on the net but on


From: Dave Farber <dave () farber net>
Date: Sat, 25 Jan 2003 11:22:59 -0500


------ Forwarded Message
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 25 Jan 2003 10:16:07 -0500
To: Dave Farber <dave () farber net>
Subject: Re: [IP] more on Net Attack

On Sat, Jan 25, 2003 at 09:29:54AM -0500, Dave Farber wrote:
Sites monitoring the health of the Internet reported significant slowdowns
globally. Experts said the electronic attack bore remarkable similarities to
the "Code Red" virus during the summer of 2001 which also ground online
traffic to a halt.

The most remarkable similarity is that -- AGAIN -- the Internet has not
been attacked.  The very poorly designed and implemented products of
the Microsoft Corporation have been attacked.

And those of us who have chosen not to use those products because of
their abysmal security record -- which now spans decades -- still have
to pay the price for the negligence of other people who failed to make
the same choice, even in the face of overwhelming evidence.

It appears that this worm infects MS SQL servers (unknown as yet which
version/OS combinations) on ports 1433/1434 (not clear yet if one, either,
or both), and that those servers then begin emitting traffic at a very
high rate -- if not the maximum rate that their hardware/software will
allow, certainly something in the ballpark.  This saturates networks,
routers, etc.  They also try to infect other systems.  The NANOG mailing
list is full of traffic on this topic, and I'm sure others (like the
"incidents" list at securityfocus) will soon be buzzing with it as well.

My best guess at this point is that anyone running such a server should
probably shut it down until enough packet captures and disassembly have
been done to understand the precise nature of the attack and develop
a fix.  It would probably also not be a bad idea for anyone operating
a router or firewall and who doesn't need to pass traffic on 1433 or 1434
to block those ports (if they haven't already).

---Rsk


------ End of Forwarded Message
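
The symptom described in the forwarded message (a host sending traffic toward ports 1433/1434 at a very high rate while trying many other systems) can be looked for in flow records. The sketch below is an added example, not part of the original post; the flow-line format, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

WATCH_PORTS = {1433, 1434}  # the ports named in the message
WINDOW_S = 10               # assumed bucket size in seconds
MIN_PACKETS = 1000          # assumed per-window packet threshold
MIN_TARGETS = 50            # assumed per-window distinct-destination threshold

def parse_flow(line):
    """Parse 'epoch src dst dport packets' (constructed format, not a real tool's)."""
    ts, src, dst, dport, pkts = line.split()
    return int(ts), src, dst, int(dport), int(pkts)

def suspect_sources(lines, window_s=WINDOW_S,
                    min_packets=MIN_PACKETS, min_targets=MIN_TARGETS):
    """Return {src: (peak_packets, peak_targets)} for sources that, within one
    window, send many packets to the watched ports AND touch many hosts."""
    buckets = defaultdict(lambda: [0, set()])  # (src, window) -> [packets, dsts]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts = parse_flow(line)
        if dport not in WATCH_PORTS:
            continue
        bucket = buckets[(src, ts // window_s)]
        bucket[0] += pkts
        bucket[1].add(dst)
    flagged = {}
    for (src, _window), (pkts, dsts) in buckets.items():
        # Volume alone is not enough: a busy client of one database server
        # is high-rate but talks to a single destination.
        if pkts >= min_packets and len(dsts) >= min_targets:
            prev = flagged.get(src, (0, 0))
            flagged[src] = (max(prev[0], pkts), max(prev[1], len(dsts)))
    return flagged

def sample_flows():
    """Constructed sample records using documentation address ranges."""
    flows = [f"{1000 + i % 10} 192.0.2.10 198.51.100.{i} 1434 20"
             for i in range(1, 61)]                       # high rate, 60 targets
    flows.append("1003 192.0.2.20 203.0.113.5 1433 5000")  # busy, one server
    flows += [f"{1000 + i % 10} 192.0.2.30 198.51.100.{i} 80 20"
              for i in range(1, 61)]                      # other port, ignored
    return flows

if __name__ == "__main__":
    for src, (pkts, targets) in suspect_sources(sample_flows()).items():
        print(f"{src}: {pkts} packets to {targets} hosts in one window")
```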
