New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)
Robert Boyle
robert at tellurian.com
Sat Jan 25 08:35:48 UTC 2003
Everyone,
I don't know what is causing this, but we had several customer machines
(which we don't manage) affected tonight. The common thread is that all
were running an unpatched MS SQL Server. This new worm seems to create
MASSIVE network traffic which propagates outbound. Somehow it seems to be
amplified at each of our Cisco routers. In our colo facility, we had 3
"infected" servers on 10Base-T connections - after this traffic hit our
core router, the traffic increased from just under 30Mbits/sec inbound from
our colo switch to 80+Mbits/sec outbound over ALL transit and peering
connections. I know our routers aren't smurf amplifiers and I don't know
what caused the increased outbound traffic. Once this process is started,
the MSSQLServer service cannot be stopped (or killed with pview). If the
service is disabled and the server rebooted, it will not generate this
traffic. It is not a master-slave program which requires a connection from
outside to start the flow. Once the SQL server has been infected, no
Internet connection is needed to continue the traffic storm even after a
reboot. None of our managed customer machines were affected, but all of
them are patched with current patches and none of them have 1433 exposed to
the world either. I don't have any more detail at this time, but I plan to
look into this worm/virus/exploit further in the AM. This seems to affect
both MSSQL and MSDE. Does anyone else have more to add? I have seen several
networks drop off the earth tonight as a result of this exploit.
-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." -
Francis Jeffrey
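The outbound pattern Robert describes (infected SQL hosts spraying the SQL Server port at the whole Internet) can be picked out of flow records before it saturates a transit link. The detector below is an added example written for this archive page, not code from the post or from Tellurian; the flow-record format it parses is a constructed "epoch src dst dport proto" layout, not a real Cisco export, and the thresholds are assumptions to tune per network.

```python
# Added example (not from the post): flag hosts spraying the SQL Server
# port at many destinations, the outbound pattern the post describes.
# Log format is constructed: "epoch_seconds src dst dport proto".
from collections import defaultdict

SAMPLE_FLOWS = """\
1043455800 10.0.0.5 192.0.2.10 1433 udp
1043455800 10.0.0.5 198.51.100.7 1433 udp
1043455801 10.0.0.5 203.0.113.3 1433 udp
1043455801 10.0.0.5 192.0.2.11 1433 udp
1043455802 10.0.0.5 198.51.100.9 1433 udp
1043455803 10.0.0.9 192.0.2.10 1433 tcp
1043455804 10.0.0.9 192.0.2.10 1433 tcp
1043455805 10.0.0.7 192.0.2.20 80 tcp
"""

def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append({"ts": int(parts[0]), "src": parts[1], "dst": parts[2],
                          "dport": int(parts[3]), "proto": parts[4].lower()})
        except ValueError:
            continue
    return flows

def find_scanning_hosts(flows, port=1433, window=10, min_pkts=5, min_dsts=4):
    """Return {src: (packets, distinct_dsts)} for sources sending at least
    min_pkts packets to `port` at min_dsts distinct destinations within any
    window-second span. A real client talks to one or two SQL servers; a
    worm sprays the port across many addresses."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - t0 <= window]
            dsts = {d for _, d in span}
            if len(span) >= min_pkts and len(dsts) >= min_dsts:
                suspects[src] = (len(span), len(dsts))
                break
    return suspects
```

On the constructed sample only 10.0.0.5 is flagged; 10.0.0.9 talks repeatedly to a single server and is left alone, which is the distinction that keeps a legitimate application host off the block list.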