Interesting People mailing list archives

more on more on SQL attack


From: Dave Farber <dave () farber net>
Date: Sat, 25 Jan 2003 17:28:01 -0500


------ Forwarded Message
From: Martyn_Williams () idg com
Date: Sat, 25 Jan 2003 18:47:09 +0000
To: dave () farber net
Subject: FYI, more on SQL attack


http://www.infoworld.com/articles/hn/xml/03/01/25/030125hnsqlnetupd.xml

Slammer slugs Internet, down but not out

By Stacy Cowley and Martyn Williams
January 25, 2003 10:29 am PT

Update: A new worm attacking a known vulnerability in Microsoft SQL 2000
Web servers that has been slowing down or halting Internet traffic
worldwide could prove as tricky a nemesis as security foes 'Code Red' and
'Nimda,' according to firms tracking the outbreak.

Half a dozen security outlets have issued bulletins describing worm W32/SQL
Slammer, dubbed 'Slammer.' Using a buffer overflow to take over a server,
the worm sends out a flood of packets, an effect similar to a
denial-of-service attack.

Network Associates Inc.'s Anti-Virus Emergency Response Team (AVERT)
estimates that 150,000 to 200,000 servers worldwide have already been
infected.

When the attack began around 5:30 a.m. GMT (12:30 a.m. EST), packet loss
across the Internet approached 20 percent, according to monitoring firm
Matrix NetSystems Inc., in Austin. Packet loss rates are usually less than
1 percent.

One of the countries worst affected was South Korea, where most of the
nation's fixed-line and mobile Internet users were unable to access Web
sites for nearly half of the day.

"The networks of Internet service providers in South Korea were partially
down from about 2:30 p.m. today," said Lee Kin Tae, a technical assistant
at the Korean Computer Emergency Response Team (CERT) in Seoul. "From
around that time, most people in South Korea cannot use the Internet."

Ten hours after the attack began, traffic flow was picking up, with packet
loss down to around 5 percent by Matrix NetSystems' readings.

Recovering from the worm is easy, security firms agree: Installing
Microsoft Corp.'s recently released SQL Server 2000 Service Pack 3 solves
the problem. Some also recommend system administrators consider blocking
traffic on port 1434 from unknown machines.
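The two defensive points in the paragraph above, spotting hosts that spray UDP/1434 at many addresses and passing UDP/1434 only from known machines, as an added example that is not part of the article or the mailing list post. The log line format, the sample addresses and the three-target threshold are constructed for illustration and do not correspond to any vendor's firewall format:

```python
"""Flag Slammer-style UDP/1434 sprayers in firewall logs and apply a
known-hosts allowlist to UDP/1434 traffic (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample log lines in an invented format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
12:30:01 UDP 10.0.0.5:1034 -> 192.0.2.10:1434
12:30:01 UDP 10.0.0.5:1034 -> 198.51.100.7:1434
12:30:01 UDP 10.0.0.5:1034 -> 203.0.113.99:1434
12:30:02 UDP 10.0.0.5:1034 -> 192.0.2.44:1434
12:30:02 UDP 10.0.0.5:1034 -> 192.0.2.45:1434
12:30:02 TCP 10.0.0.8:40120 -> 192.0.2.10:1433
12:30:03 UDP 10.0.0.9:4100 -> 10.0.0.2:1434
12:30:04 UDP 10.0.0.9:4100 -> 10.0.0.2:1434
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The port the article says to block: SQL Server's resolution service.
SSRS_PORT = 1434


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def is_ssrs_probe(rec):
    """True for a UDP datagram addressed to port 1434."""
    return rec["proto"] == "UDP" and rec["dport"] == SSRS_PORT


def udp1434_targets(records):
    """Map each source IP to the set of distinct hosts it hit on UDP/1434."""
    targets = defaultdict(set)
    for rec in records:
        if is_ssrs_probe(rec):
            targets[rec["src"]].add(rec["dst"])
    return targets


def suspected_spreaders(records, min_targets=3):
    """Sources that addressed UDP/1434 at >= min_targets distinct hosts.

    A legitimate client resolves one or a few SQL instances, whereas a
    self-replicating worm addresses many hosts, so the count of distinct
    targets per source separates the two. The threshold is an assumption."""
    return sorted(src for src, dsts in udp1434_targets(records).items()
                  if len(dsts) >= min_targets)


def filter_ssrs(records, known_hosts):
    """Apply the article's mitigation: pass UDP/1434 only from known machines.

    Returns (passed, dropped); other traffic is untouched."""
    passed, dropped = [], []
    for rec in records:
        if is_ssrs_probe(rec) and rec["src"] not in known_hosts:
            dropped.append(rec)
        else:
            passed.append(rec)
    return passed, dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspected spreaders:", suspected_spreaders(recs))
    kept, blocked = filter_ssrs(recs, known_hosts={"10.0.0.9"})
    print(f"passed {len(kept)} records, dropped {len(blocked)}")
```

On the constructed sample, 10.0.0.5 is the only source that reaches three or more distinct hosts on UDP/1434; 10.0.0.9 repeatedly queries a single server and is not flagged. With 10.0.0.9 on the allowlist, `filter_ssrs` drops only the five datagrams from 10.0.0.5 and leaves the TCP/1433 connection alone, which is the "from unknown machines" qualifier in the recommendation rather than a blanket block.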

Firms disagree, though, on the severity of the threat posed by Slammer.
Trend Micro Inc. labels the worm "destructive" and "high risk," while
Symantec Corp. assesses its damage potential as "low." Network Associates
Inc. and eEye Digital Security Inc., one of the first to spot and dissect
the worm, both issued high-risk alerts on the worm.

While the worm may be easy to defend against, a vast number of systems
remain unprotected.

"It's probably worse than it was three or four hours ago," said AVERT Vice
President Vincent Gullotto, about 12 hours after the attack began. "This is
not going to be cleaned up any time soon."

"(Slammer) doesn't destroy, remove, hack or extract any data," said Tom
Ohlsson, Matrix NetSystems' vice president of marketing and business
development. "But it's a very, very aggressive worm about
self-replication."

Slammer's speed in spreading itself recalls another worm that rampaged
through the Net: Code Red, a scourge that appeared in mid-2001 and infected
hundreds of thousands of servers.

Despite the availability of a patch, Code Red caused $2 billion in
damage, according to one research firm's estimates. New infections
continued spreading more than a year after the worm's discovery, according
to several vendors, as some vulnerable systems remained unprotected.

Slammer is "similar in terms of speed, but nowhere near as destructive" as
Code Red, Ohlsson said.

The worm is "certainly on the same level" as Code Red in terms of the
threat it poses, said AVERT's Gullotto.

A representative of the U.S. National Infrastructure Protection Center
(NIPC) confirmed the center was investigating the problems. The NIPC has
not posted any alerts on its Web site concerning the worm or vulnerability
since Microsoft first identified the weakness in July 2002.

A spokesman for the U.S. Federal Bureau of Investigation declined to
comment in detail on the Internet problems, but said, "The bureau is aware
a worm was attacking the Internet overnight and we are monitoring it."

The worm hit a day after South Korea's Ministry of Information and
Communication (MIC) issued an emergency alert on the possibility of
denial-of-service attacks, according to local media. The MIC received
reports that South Korean computers were to be used as a springboard for
attacks, said the country's Yonhap News Agency.

The Microsoft Security Bulletin concerning this vulnerability can be found
online at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp .
A CERT advisory issued Saturday concerning the vulnerability is at
http://www.cert.org/advisories/CA-2003-04.html .



------ End of Forwarded Message


Archives at: http://www.interesting-people.org/archives/interesting-people/

