As an addendum, you may want to look at http://average.matrix.net/ for
graphical info on the severity of this attack across the entire net.
I've not heard if this is a concentrated effort against the US or the 'Net
in general. Data from the MIDS site suggests it hit the whole net.
Which makes sense since so many systems are interconnected, or folks get
a vanity domain name from offshore sources, obscuring where folks really
are.
CNN and our campus security folks both suggest it's similar in some ways
to Code Red.
Our campus is now connected to the world. However, we're not all
connected together back on-campus, as we've a large number of Microsoft
systems with SQL Server that have to be secured or disconnected before
the buildings they're in can be reattached.
Gerry
Kevin R. Tyle wrote:
> Hi all,
> There appears to be a major DDoS attack going on since last
> night, which is causing some pretty significant problems on
> the Internet all over the globe. In terms of the Unidata feeds,
> we have been seeing some problems feeding from a few sites.
> The problem appears to be a worm that is hitting unpatched
> MS SQL server machines.
> Even NCEP is being hit, as we can see from the latest message
> from the SDM desk:
> NCEP IS EXPERIENCING INTERNAL AND EXTERNAL WEB ACCESS
> PROBLEMS AND NCEP ACCESS TO SUITLAND WHERE MUCH OF
> THE SATELLITE PRODUCTS ORIGINATE A FOR OUR MODEL RUNS.
> SUPPORT PERSONNEL SAY THAT ANOTHER HOUR MAYBE NEEDED
> TO FULLY RECOVER THE COMMS SYSTEM...SORRY FOR THE
> DELAY...
> I've attached below the first account of this attack from
> the Bugtraq list . . .
> --Kevin
> ______________________________________________________________________
> Kevin Tyle, Systems Administrator **********************
> Dept. of Earth & Atmospheric Sciences ktyle@xxxxxxxxxxxxxxxx
> University at Albany, ES-235 518-442-4571 (voice)
> 1400 Washington Avenue 518-442-5825 (fax)
> Albany, NY 12222 **********************
> ______________________________________________________________________
> ---------- Forwarded message ----------
> Date: Sat, 25 Jan 2003 02:11:41 -0500
> From: Michael Bacarella <mbac@xxxxxxxxxxxx>
> To: nylug-talk@xxxxxxxxx, wwwac@xxxxxxxxxxxxxxx, linux-elitists@xxxxxxx
> Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
> Resent-From: mbac@xxxxxxxxxxxx
> Resent-To: bugtraq@xxxxxxxxxxxxxxxxx
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
> All admins with access to routers should block port 1434 (ms-sql-m)!
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
> I make no guarantees that this information is correct, test it
> out for yourself!
--
Gerry Creager -- gerry.creager@xxxxxxxx
Network Engineering -- AATLT, Texas A&M University
Office: 979.458.4020 FAX: 979.847.8578
Cell: 979.229.5301 Pager: 979.228.0173
From owner-ldm-users@xxxxxxxxxxxxxxxx 25 2003 Jan -0500 15:11:10
Date: 25 Jan 2003 15:11:10 -0500
From: Jeff Wolfe <wolfe@xxxxxxxxxxx>
In-Reply-To: <3E32DDB3.9080505@xxxxxxxx>
To: ldm-users@xxxxxxxxxxxxxxxx
Subject: Re: Major Internet Disruptions since last night
On Sat, 2003-01-25 at 13:55, Gerry Creager wrote:
> As an addendum, you may want to look at http://average.matrix.net/ for
> graphical info on the severity of this attack across the entire net.
> I've not heard if this is a concentrated effort against the US or the 'Net
> in general. Data from the MIDS site suggests it hit the whole net.
> Which makes sense since so many systems are interconnected, or folks get
> a vanity domain name from offshore sources, obscuring where folks really
> are.
> CNN and our campus security folks both suggest it's similar in some ways
> to Code Red.
> Our campus is now connected to the world. However, we're not all
> connected together back on-campus, as we've a large number of Microsoft
> systems with SQL Server that have to be secured or disconnected before
> the buildings they're in can be reattached.
The worm had(has?) a very small payload, only 300 or so bytes. It's
enough to compromise an unpatched MS SQL server (patch released 7/2002)
over UDP port 1434. Once compromised, the worm enters an infinite loop
and generates pseudo-random IP addresses to send itself to. The UDP
flows are generated as fast as the system is able to send packets.
Flow based routers like Cisco 6500s running buggy code are unable to
deal with the massive amount of unique flows and crash, which further
complicates matters.
All in all, a pretty nasty worm. Most major NSPs are now filtering port
1434 and the number of scans we're seeing has dropped accordingly.
There will probably be a lot of news media interest, but good info about
the worm can be found here:
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html
-Jeff
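As an added illustration (not code from anyone in this thread), the following script applies the two observations above, the 376-byte UDP datagrams to port 1434 (ms-sql-m) in Michael's tcpdump excerpt and Jeff's note that an infected host sprays pseudo-random destinations as fast as it can, to tcpdump text lines: it flags sources sending that traffic to several distinct hosts and collects the ICMP port-unreachable replies that mark addresses with no listener. The sample lines are constructed in the same format as the quoted capture; the `min_targets` threshold is an assumption, not a value from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread (not a real capture).
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.020100 150.140.142.17.3047 > 198.51.100.9.ms-sql-m: udp 376
02:06:31.020900 150.140.142.17.3047 > 203.0.113.77.ms-sql-m: udp 376
02:06:31.022000 192.0.2.10.51234 > 192.0.2.20.ms-sql-m: udp 60
02:06:32.000000 192.0.2.10.51234 > 192.0.2.20.domain: udp 40
"""

# tcpdump prints "src.port > dst.port: udp LEN"; the port may be a resolved service name.
UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): udp (?P<len>\d+)$"
)
# ICMP port-unreachable replies name the host that had no listener on that port.
ICMP_RE = re.compile(
    r" icmp: (?P<host>\d+\.\d+\.\d+\.\d+) udp port (?P<port>\S+) unreachable"
)

SLAMMER_PORT = {"ms-sql-m", "1434"}  # service name or numeric port, as tcpdump may print either
SLAMMER_LEN = 376                    # UDP length seen in the quoted capture lines


def analyse(text, min_targets=2):
    """Return ({source: distinct_targets}, [hosts replying port-unreachable]).

    A source is reported when it sends 376-byte UDP to port 1434 on at least
    min_targets distinct hosts, i.e. the fan-out pattern described in the thread.
    min_targets is an assumed threshold for the sample, not a figure from the thread.
    """
    targets = defaultdict(set)
    unreachable = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m and m["dport"] in SLAMMER_PORT and int(m["len"]) == SLAMMER_LEN:
            targets[m["src"]].add(m["dst"])
            continue
        m = ICMP_RE.search(line)
        if m and m["port"] in SLAMMER_PORT:
            unreachable.append(m["host"])
    suspects = {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
    return suspects, unreachable


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The 60-byte datagram to ms-sql-m in the sample is deliberately left out of the result: the size filter keeps ordinary SQL Server Resolution Service traffic from being reported alongside the worm's fixed-length datagrams.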