MS SQL Server Worm Wreaking Havoc 964
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
Who did this I wonder????? (Score:4, Funny)
Re:Who did this I wonder????? (Score:5, Funny)
I investigated into this matter, and came up with the following theory.
Port 1434 = 1+4+3+4 = 12
12 is the number of the month when Steve Gibson got hired as a consultant [grc.com]. Coincidence? I think not!
SQL (alphabet numbered) = S(19) + Q(17) + L(12) = 48
48 is the number of states which are connected together on US map. That means that attack came either from Hawaii or Alaska.
Using the search on a popular site called Google, I was able to track down [google.com] the perpetrator.
So at the end we are left with one answer: Steve Gibson is just hax0ring back, in an elaborate revenge plan to outlaw port 1434 and raw sockets.
Re:Who did this I wonder????? (Score:5, Insightful)
My "oh crap,no internet" communications plans are a heap-o shortwaves and scanners. Better than nuthin. I know all the commercial am and fm and tv stations will all get taken over by the fema boxes, and start spewing dotgov propaganda (moreso than normal), so I'd be more monitoring some more "unregulated" sources.
Terrorism, must be (Score:5, Interesting)
It said the shutdown was triggered by "apparent cyber terror committed by hackers".
http://news.bbc.co.uk/1/hi/technology/2693925.stm [bbc.co.uk]
Re:Terrorism, must be (Score:5, Funny)
billg has no uniform; therefore illegal combatant (Score:5, Funny)
does not wear a military uniform. So he must be an _illegal_ combatant. Therefore, if guilty, he will have to go to Guantanamo Bay for a few years to "help with investigations". Of course, proof cannot be given for his guilt because that might jeopardize national security. Therefore no trial until terrorism is defeated. Can't afford to take chances with them terrorists!
Re:Terrorism, must be (Score:4, Funny)
And every email admin in the western world heaved a sigh of relief
Re:Terrorism, must be (Score:5, Insightful)
N.
Re:Terrorism, must be (Score:4, Funny)
As I said in a previous post... (Score:5, Informative)
It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
Re:As I said in a previous post... (Score:5, Informative)
You are filtering it out on your firewalls, aren't you?
Exactly. From the MS Security bulletin:
The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.
What the heck was it doing open in the first place?
Re:As I said in a previous post... (Score:5, Insightful)
As far as I'm concerned, boxes SHOULD be able to stand on their own without firewalls. A firewall just adds another layer.
Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.
Re:As I said in a previous post... (Score:5, Insightful)
You put your webserver on a DMZ, and let it (and only it) talk to the database server through the firewall. Any 2-tier client-server app should be going through a VPN or other secure tunnel.
The only way to do security is to have multiple layers, and to ruthlessly apply the principle of least privilege (you get only those permissions you ABSOLUTELY need and nothing more).
Re:As I said in a previous post... (Score:5, Insightful)
"Oh, it's OK because it's behind the firewall..."
I think firewalls make people lazy. Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.
Re:As I said in a previous post... (Score:5, Interesting)
I have argued for many years that people tend to get the idea that a firewall is some kind of +8 amulet of protection they just strap on which will protect them from pretty much anything.
However there are real benefits to using firewalls and NAT boxes. Unfortunately there are some members of the IESG who are confused on this point but that's because they are blinkered by the end-to-end dogma. I'll note here that Steve Bellovin, the new security AD, knows a thing or two about firewalls.
There are actually two end-to-end principles. Applied to networking it meant put the intelligence at the ends, not in the middle of a communication. This was applied to security to mean the same thing.
End-to-end is appropriate to the design of network protocols, it is inappropriate as a guide to operational security. Many protocols are not designed securely, most protocol implementations have flaws.
Another dogma that is inappropriate to operational security is the 'security through obscurity' trope. A design that relies on security through obscurity is broken. This does not mean that operators should divulge all the details of their operations to attackers in the hope this will improve security, it will not. Argument of this type was used to block the introduction of shadow passwords on UNIX for years after the vulnerability to dictionary attacks was widely known and being exploited by attackers.
A firewall and NAT box provides a significant degree of security at low cost. NAT provides a means of concealing the internal structure of the network. This does not eliminate the possibility of attack but raises the bar significantly. If you are running a site that is considered attractive to hackers a technology that weeds out the knob turners and dimmer script kiddies has value.
What we need to move to is security in depth, recognizing that design security and operational security are different and that both are important.
Re:As I said in a previous post... (Score:5, Insightful)
This adds a third layer of security, in addition to the 'secure firewall' and the 'secure desktop'. If, god forbid, someone gets through your firewall, you'll at least know it.
And I'm talking about logging outgoing traffic, also. After all, if your firewall is set up correctly you can't have any random incoming traffic...but you'll have lots of outgoing. They have NIDS to detect suspicious traffic, or you can just get a huge dump and start filtering out things you know are okay.
And it's about the only way you'll ever catch that some idiot is running an ICQ from three years ago with a known buffer overflow or something stupid. Neither firewalls nor updated desktop machines can protect you from your own users, only log files of network traffic can do that.
Re:As I said in a previous post... (Score:4, Interesting)
The problem with logging is that it is useless unless you actually review the logs. This rarely happens until after a site has been compromised.
Much more useful is to have the firewall connected up to a 24x7 monitoring, or better management service like Counterpane, VeriSign or whatever.
Over time I expect that cost of high end firewalls to drop significantly. I have two firewalls at home, neither cost more than $200 and they are both pretty adequate for my needs. So why does an enterprise setup cost $80K rather than $4K or so?
Re:As I said in a previous post... (Score:5, Interesting)
These people are just as likely to say things like "I'm 3DES encrypting my data, so there's no way anybody can read it", because they fail to understand the meaning of statements like "cracking 3DES is computationally infeasible". When you try to explain to them that their webserver and applications are much more likely to be their weakness than their encryption algorithm, they give you blank looks and mutter about the Computerworld article that said 3DES is "unbreakable encryption". It's not a problem with 3DES (or any strong algorithm); it's a problem with people not understanding that any security measure can be negated by poor design in other parts of their architecture.
It's the same thing with firewalls. Only the unknowledgeable would drop in a firewall and then go off to the bar to celebrate their newly "secure" network. That doesn't mean that the firewall is useless; it is still a crucial tool for securing one's network. The problem is the people who have no idea how to use the tool properly, and no concept of what a real-world attack actually looks like.
Re:As I said in a previous post... (Score:5, Funny)
Locks promote softer security.
"Oh, I'm OK because I have locked doors and windows..."
I think door locks make people lazy. Imagine if we didn't have deadbolts, or doors for that matter. We'd have to sit in front of the front door, with a shotgun, never sleeping for more than a few moments.
Re:waiting for patches is hardly good security pol (Score:5, Insightful)
Sounds like damn good advice to me. Why the hell should either of those be exclusive?
It's very BAD advice! What happens when you blindly apply the patch and find out your mission critical app won't run anymore? A little QA testing would show you that on a test system instead of your live servers. If a firewall rule can protect you, use that, then QA the patch and apply if it is safe.
Consider that sometimes, the 'security patch' just disables a feature that 'nobody uses anyway' (except for your mission critical app, that is). Other times, it doesn't fix the hole, it just changes its shape a little. In that case, you go from a hole you know about and can guard against at the firewall to one you don't know exists that has less information about it available.
It's not purely a dig at MS (though their track record for quality patches is spotty), any sudden change to widely deployed software runs the risk of causing a problem for somebody's configuration.
Re:As I said in a previous post... (Score:4, Interesting)
For example, applying security hotfixes to Windows XP causes MSN Messenger to be installed, even if it was previously removed. This practice got a Microsoft infantry mobile-computing solution to be disqualified when Outlook Express and MSN Messenger were installed to Army XP-Embedded machines.
If you blindly apply MS patches to a mission-critical system, you're nuts. If you have the time to verify the multitude of MS patches as they come, you are probably soon to be unemployed.
Re:As I said in a previous post... (Score:3, Informative)
Because sometimes you need to connect to SQL from somewhere outside the local LAN? For example, we have SQL passed logging services running in Sydney that connect back to a SQL server in London. Of course, inbound connections are limited to the correct address range.
Re:As I said in a previous post... (Score:3, Informative)
If you limited the IP address range, then you don't have it open. You have controlled access to the resource.
Re:As I said in a previous post... (Score:5, Insightful)
Re:As I said in a previous post... (Score:5, Informative)
When the SQL Server 2000 client Net-Libraries connect to an instance of SQL Server 2000, only the network name of the computer running the instance and the instance name are required. When an application requests a connection to a remote computer, Dbnetlib.dll opens a connection to UDP port 1434 on the computer network name specified in the connection. All computers running an instance of SQL Server 2000 listen on this port. When a client Dbnetlib.dll connects to this port, the server returns a packet listing all the instances running on the server. For each instance, the packet reports the server Net-Libraries and network addresses the instance is listening on. After the Dbnetlib.dll on the application computer receives this packet, it chooses a Net-Library that is enabled on both the application computer and on the instance of SQL Server, and makes a connection to the address listed for that Net-Library in the packet.
So the UDP 1434 port is open when the SQL Server is started to listen all the clients with any IP address on this port. SQL Server only receives the packet from the client on this port to determine which instance the client attempts to access and return the related information of the SQL Server to the clients. Then, the clients can create the connection to the SQL Server with the protocol enabled on the server side.
Re:As I said in a previous post... (Score:5, Informative)
with any IP address on this port. SQL Server only receives the packet from the client
on this port to determine which instance the client attempts to access and return the
related information of the SQL Server to the clients. Then, the clients can create
the connection to the SQL Server with the protocol enabled on the server side.
There is a difference between a port being open on the machine the service is on and the port being open to the world. You should not leave this port open to the world. If people outside your firewall need access to your internal MSSQL server, you leave TCP 1433 open to selective hosts.
leaving that port open... (Score:3, Interesting)
Gr.... All the more reason to run a host firewall on every machine.
Re:As I said in a previous post... (Score:5, Informative)
I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25. There's no reason a database server's protocol port should ever be exposed to the public Internet!
Re:As I said in a previous post... (Score:5, Insightful)
Re:As I said in a previous post... (Score:5, Informative)
Re:As I said in a previous post... (Score:5, Informative)
Re:As I said in a previous post... (Score:5, Interesting)
I, for instance, allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's an R + D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stifle the lab users' productivity. Still, I added the block to that specific port in the slim chance that an internal box was infected (lord knows how) so that it would be a localised problem, not contributing.
I don't think you should tell people what firewall rules they should be running.
Re: (Score:3, Insightful)
Re:As I said in a previous post... (Score:3, Interesting)
No reason? Really? What about distributed servers taking to a central database? Desktop software that queries a remote database? Remote administration of a remote database? All legitimate reasons.
Re:As I said in a previous post... (Score:5, Insightful)
That's what VPNs are for, my friend.
Re:As I said in a previous post... (Score:5, Insightful)
Re:As I said in a previous post... (Score:3, Insightful)
The point isn't finding the hole, it's people not patching their servers. I mean FFS this was discovered and patched over six months ago. SQL Server is not consumer software - you can't blame Joe Public for not being up-to-speed on net security issues - this is professionals not doing their jobs properly.
Re:As I said in a previous post... (Score:5, Interesting)
As far as I can see that's nonsense. If he or she had, the worm wouldn't work as well as it did.
Re:As I said in a previous post... (Score:5, Interesting)
Um, like the original Internet Worm [nasa.gov] which started all this trouble in the first place? :-)
This was the incident that sparked the creation of CERT/CC [cert.org]. Every time I see another worm, I wonder why we still haven't learned [mit.edu].
Dave
been watching this all night (Score:5, Informative)
Collected a packet disassembly and some urls here [freedom.org].
Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.
Re:been watching this all night (Score:4, Informative)
It starts off with 04 (the same hex byte as in my IDS signature for the Server resolution service buffer overflow everyone thinks this is) and then a bunch of padding with 0101. I myself am skeptical based on volume alone how this could be an old vulnerability, but remember, Code Red and Nimda were old too, and they didn't have any problem finding lots of new hosts very quickly.
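The two signs the thread gives for this traffic (the story summary's 376-byte UDP payload to port 1434, and the 0x04 byte followed by 0x01 padding noted above) can be checked mechanically. The following is an added example, not code from any poster or from the linked disassemblies: it parses constructed netfilter-style firewall log lines (the log format, addresses and timestamps are assumptions built for the example), counts per-source datagrams whose IP length matches a 376-byte UDP payload (404 bytes on the wire, the figure another post cites), and applies the byte-level prefix check to a constructed stand-in payload. The minimum padding run of 16 bytes is an assumption, not a published signature.

```python
import re
from collections import Counter

# Constructed netfilter-style log lines (not real captures); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 25 05:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=404 TOS=0x00 TTL=113 ID=12 PROTO=UDP SPT=1347 DPT=1434 LEN=384
Jan 25 05:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 TTL=54 ID=13 PROTO=TCP SPT=44122 DPT=80 WINDOW=5840
Jan 25 05:31:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=404 TOS=0x00 TTL=119 ID=14 PROTO=UDP SPT=2211 DPT=1434 LEN=384
Jan 25 05:31:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.11 LEN=404 TOS=0x00 TTL=119 ID=15 PROTO=UDP SPT=2211 DPT=1434 LEN=384
Jan 25 05:31:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 LEN=57 TOS=0x00 TTL=64 ID=16 PROTO=UDP SPT=1199 DPT=1434 LEN=37
"""

# Netfilter prints two LEN= fields: the IP total length, then the transport-layer length.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<ip_len>\d+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?: LEN=(?P<l4_len>\d+))?"
)

WORM_PAYLOAD_LEN = 376                    # from the story summary: 376-byte UDP payload
WORM_IP_LEN = WORM_PAYLOAD_LEN + 8 + 20   # 404 bytes on the wire: UDP header + IPv4 header, no options
SSRP_PORT = 1434                          # ms-sql-m, the SQL Server resolution service

def parse_line(line):
    """Return the interesting fields of one log line as a dict, or None if it is not a packet log."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ip_len", "spt", "dpt", "l4_len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def is_worm_sized(rec):
    """UDP to 1434 whose IP total length matches a 376-byte payload."""
    return rec["proto"] == "UDP" and rec["dpt"] == SSRP_PORT and rec["ip_len"] == WORM_IP_LEN

def count_by_source(log_text):
    """Count worm-sized datagrams per source address so noisy hosts can be rate-checked or blocked."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_worm_sized(rec):
            hits[rec["src"]] += 1
    return dict(hits)

def looks_like_worm_payload(payload, min_pad=16):
    """Byte-level check from the thread's description: 0x04 then a run of 0x01 padding.
    A legitimate 0x04 request carries a short instance name, so it fails both tests."""
    if len(payload) != WORM_PAYLOAD_LEN or payload[0] != 0x04:
        return False
    run = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        run += 1
    return run >= min_pad   # min_pad is an assumption for this example

# Constructed stand-in for a captured datagram: the signature prefix followed by zero filler.
CONSTRUCTED_PAYLOAD = b"\x04" + b"\x01" * 97 + b"\x00" * (WORM_PAYLOAD_LEN - 98)

if __name__ == "__main__":
    for src, n in count_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} worm-sized datagram(s) to udp/1434")
    print("payload signature:", looks_like_worm_payload(CONSTRUCTED_PAYLOAD))
```

The size check alone is enough to pick the flood out of a firewall log; the payload check is for the case where a capture is available and you want to rule out a legitimate instance-name lookup on the same port, which is only a few bytes long.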
Re:been watching this all night (Score:5, Funny)
the fun's almost over now"
I sincerely thank you, Sir or Madam. I previously thought that I was the most sad, laughable figure in the entire world, but now, having read your post, which conjures up images of someone sitting in front of their monitor, snacks in hand, gasping in amazement at the output of tail -f on their firewall log all night, I know that there is yet hope for me.
graspee
Patch (Score:5, Informative)
Re:Patch (Score:5, Funny)
Gates pledges better software security
Electronic attack slows Net
Now if they would only address security before they released their products we might not see these issues.
wow yeah! (Score:5, Interesting)
Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!
Re:wow yeah! (Score:5, Insightful)
AND verisign will be down for certain hours while
Re:wow yeah! (Score:3, Insightful)
Re:wow yeah! (Score:5, Funny)
What's it matter? It's not like you people have gone to work since last July [microsoft.com] anyway.
Ok now tell me (Score:5, Funny)
Re:Ok now tell me (Score:5, Funny)
First hand report (Score:5, Interesting)
Re:First hand report (Score:3, Informative)
What you really need to do is to assess which ports you need to leave open, and to which hosts they correspond. You need to block everything, and then set rules to enable only the ports/hosts that are necessary (open ports 80/443 to webserver, etc).
Otherwise, you'll be doing the same thing for the next worm.
Re:Why would anyone use anything else? (Score:3, Informative)
Re:First hand report (Score:5, Insightful)
The patch does not affect routers stupid. Just because his routers are all lit up with massive amounts of traffic, does not mean that his servers are unpatched!
My link was down for 4 hours from the flooding with everything all lit up, and I'm not even running an SQL server.
ZDNet and Yahoo stories (Score:3, Informative)
Whoever puts their database server (Score:5, Insightful)
NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
they have produced a patch that resolves these issues.
This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?
Re:Whoever puts their database server (Score:5, Funny)
A real idiot would leave the car locked with the keys in the ignition...
I guess they learn something at MSCE courses
DB vendor more at fault (Score:3)
If this were a fair analogy, the *auto maker* would be at fault for leaving spare sets of keys attached to the outside of the car...and you'd simply be (much less) at fault for not having removed the latest set of spare keys the auto maker decided to tell you about.
how bad is it? (Score:3, Interesting)
CNN & AP Beat Slashdot (Score:3, Interesting)
Very disappointing.
Timely is as important as accurate SlashEditors. Many of us look to you when big events occur...
Especially considering this all began about 8 hours ago!
Re:CNN & AP Beat Slashdot (Score:3, Informative)
If you want a non-editor-controlled story queue, with story selection subject to user moderation, try submitting/reading here [slashdot.org]; the capability is now possible on Slashdot. It's not as simple as it could be, and it's only a week old, but it works without you having to leave Slashdot.
--LP
Information about the worm (Score:5, Informative)
Another look at the worm (Score:3, Informative)
Whoever... (Score:5, Insightful)
Sysadmins like that should be dragged into the street and shot.
Re:Whoever... (Score:5, Insightful)
V P N
There is NO excuse for leaving BACKEND services like DBs, appservers, or whatever else visible on the public net. NONE WHATSOEVER. I work on a major website with multiple different data servers and backend applications, all distributed (and load balanced) over 4 physical sites on 2 continents. We use private circuits to handle the inter-site traffic, you could use VPN just as well. But everything vulnerable is buried from the internet behind several layers of firewall. Anything else is sheer lunacy.
Crappy admins bring this kind of attack on themselves, and alas, on the rest of us too.
Been waiting for this (Score:4, Funny)
According to unconfirmed sources on NANOG, the worm seems to eat up bandwidth at line rate (even at GigE links), is rumored to amplify itself via Cisco routers, and is the creation of Saddam Hussein.
My journal [slashdot.org] on the worm.
best writeup (Score:5, Informative)
Some Links (Score:5, Informative)
http://average.matrixnetsystems.com/Daily/markR.h
http://mrtg.nac.net/switch9.oct.nac.net/3865/swit
The advisory announcing the flaws:
http://www.nextgenss.com/advisories/mssql-udp.txt [nextgenss.com]
Various disassemblies and discussions:
http://www.snafu.freedom.org/tmp/1434-probe.txt [freedom.org]
http://www.digitaloffense.net/worms/mssql_udp_worm/ [digitaloffense.net]
http://www.boredom.org/~cstone/worm-annotated.txt [boredom.org]
Writeups:
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html [cnn.com]
http://news.bbc.co.uk/2/hi/technology/2693925.stm [bbc.co.uk]
http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2 [yahoo.com]
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824 [iss.net]
problem still around (Score:3, Interesting)
Collected info: (Score:5, Informative)
Some snippets from there:
the problem is monoculture again (Score:3, Insightful)
Open the gates... (Score:4, Insightful)
Seriously though, you should have upgraded!
Dissassembled & annotated (Score:3, Informative)
Kudos to cstone@boredom. Interesting & educational, with a nutty crunchy flavor.
Yow! Good call /. (Score:5, Funny)
Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?
I start to fire up
*clickity click*
1434? The hell is 1434. Worm?
*slashdot shows*
Ah ha! Ve haf comprehension.
*groggily shuffle off to get coffee, oooo black gold*
For what it's worth, a majority of the packets so far have been mostly US servers --
Re:Yow! Good call /. (Score:5, Funny)
tybclbsqla02.listbuilder.com
Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.
whois listbuilder.com
Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080
Fox News (Score:5, Funny)
"The virus spreads using a Microsoft vulnerability known as "SQL Server""
Re:Fox News (Score:5, Funny)
Well, on CNN's headline newsticker they have:
"[Microsoft][ODBC SQL Server Driver]Operation canceled
[Microsoft][ODBC SQL Server Driver]Timeout expired
ODBC: Msg 0, Level 16, State 1
Communication link failure
Connection Broken"
What's the DNS connection? (Score:3, Interesting)
Did someone jump to a bad conclusion based on ping stats?
Re:What's the DNS connection? (Score:4, Funny)
Has this affected Microsoft? (Score:3, Interesting)
50% from Colleges??? (Score:5, Interesting)
A bug in CISCO routers is helping to control this! (Score:5, Informative)
"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
This will continue (Score:5, Insightful)
It can get inside a firewall (Score:4, Informative)
Ironic timing... (Score:5, Informative)
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.
Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...
Example, this is what is run after an XP desktop install with SP1 at our location...
It doesn't include the latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running... Think that's bad? Here's some pre sp1 hotfix command lines from an earlier script.. And the syntax to install unattended is never easy to find on their site. I usually have to use google to search microsoft.com to find what I need, their search engine really sucks. Others must feel the same way since there is a dedicated google page for this at http://www.google.com/microsoft [google.com]
Don't think MS is to blame? Read this: (Score:5, Insightful)
The bad assumption people are making here is that there's "no reason to break this rule." Well, unfortunately, this is just not so.
In my case, a project involved upsizing a client's access database, and then transferring it from my dev machine to an ISP's SQL Server instance. The client has a dynamic IP address, and they would never even consider the cost of using a VPN. My SQL Server ports were open for only 3 weeks, during the transition period, and would have been shut down next week.
I kept up on service packs (I was up to SP2), and had installed every SQL Server security patch I could find. I had a non-guessable sa password. I got it anyway.
So why is that? I'm not sure. But I have some observations about the manner in which you're supposed to keep SQL Server (and other MS applications for that matter) current which bear seriously on the issue:
Anywhere? I can't find it today. Maybe it exists and I just didn't notice it. That would be atrocious site design. Or maybe a simple, centralized "MS SQL Server 2000 Security Page" with ordered patch list and instructions doesn't even exist. That's just atrocious.
All I can find is top-level references to service packs and an unqualified link to an all-microsoft download search page. When you select SQL Server 2000 in it, you get everything, not in order, patches thrown together with samples, evaluation downloads, etc.
And I'm supposed to check here... every week? Sounds sensible on the surface, but if they really wanted to prevent trouble:
IT'S SO BLOODY SIMPLE. Yet they didn't bother.
Compare this to redhat, where there's one tool, up2date, and it works for everything. And you are trivially notified by email when there's an update.
At any rate, we can at least tell people a convenient fix - go install SQL Server 2000 SP3.
What's the bottom line? I had a reason to have the port open. And I had a not-for-nothing false sense of security that I was protected against this vulnerability. And most of all, if this was RedHat (for instance) I would never have had this problem - because I would have been notified the moment the patch was available, and would have installed it in a heartbeat, through their single, consistent, easy-to-use interface; and so would tens of thousands of others.
Whats interesting... (Score:4, Interesting)
And, on top of this, our "corporate IT security" just sent out an email that some of their *internal* machines were infected (so obviously *something* was accessible through the firewall) and now we who are connected to corporate via a T1 must apply the patches. So much for the firewall.
This also happened with Code Red two years ago. Big panic, everyone patching their systems, because corporate had holes in the firewall.
Yet, we have our own firewall to a customer site (which we've managed on our own for years, and which corporate now wants to take over) which we have *never* been infected via. Go figure.
Not saying that we shouldn't have been up on it, but we have no one dedicated to IT Security (funny, since we do DOD work) in our building, and we are all so swamped with other stuff we rarely have the time to keep up with it.
At my *last* job, however, we set up a new box and immediately port-scanned it... knew what every service was on the box, and if we didn't, closed it down. And that *wasn't* DOD... e-commerce. And we kept on top of patches.
So... your credit card number was *really* safe at my old job... but our nation's secrets may not be at the new job.
Go figure.
We shouldn't blame MS... no wait, yes we should. (Score:5, Insightful)
But on second thought, when I look at the serious impact of the worms that have been created for MS products and their vulnerabilities the last few years, the obvious becomes apparent: admins of MS OS's and processes on them are a LOT slower to patch than any of their counterparts (read: stupider). And the thing is, MS knows this, they specifically market to the stupid/lazy admins. They're the "easy" OS, they sell their products by telling people that you just install them and never worry about them again. I've taken too many MS courses (I am an MSCE and MSCDBA if they haven't expired on me, but I couldn't care less) and not once was patching the operating systems or server processes ever mentioned during all those courses, which is amazing to me.
And hey, to each their own I guess... apparently there aren't enough intelligent or well read admins around so there is a demand for these products and this approach. But if that's the case, then I think it has to be said that MS has a greater responsibility to create products free from exploits than anyone else, if they're marketing and teaching the idea that you don't need to patch.
It's by creating that laissez faire attitude towards administration that MS is directly responsible for the proliferation of these worms.
Who said anything about turning it off? (Score:3, Informative)
Re:Turn your SQL server off? (Score:5, Insightful)
No, it's a very reasonable one. Yes, you still need to patch, use non-blank SA passwords and the other things you suggest, but if you have an SQL server (any SQL server) directly visible to the Internet then you are either a fscking moron or have a very abnormal circumstance. A database server is a backend server, and should be completely hidden from the Internet by not one but two layers of firewalls.
Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):
Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.
Some of these networks can quite easily be different ports on the same physical firewall, but I'm limited by ASCII. Alternatively, if you have no backend servers, that segment can obviously be omitted altogether.
Firewall rulesets can, and should, apply to outbound as well as inbound traffic, and allowing traffic to flow cleanly across multiple firewalls should be limited as much as possible. At a pinch, you could put your backend servers (if any) directly on the internal LAN and get by with a single, three-port firewall, but this should be the absolute minimum setup if you are hosting connections from the Internet. Sticking a two-port firewall between your network and the Internet is simply not good enough anymore.
With reasonable DMZ-capable firewalls available for less than $500, either as a dedicated box or an old PC running the open source apps of your choice, there is no fiscal reason for even the smallest of companies not to be secure. As ever, the real reason is lack of a clue when it comes to matters of security.
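The layout above, as an added example that is not the poster's own and not from the original thread: a three-port Linux iptables firewall where the "two firewalls" are separate ports on one box, as the post allows. Interface names, address ranges, the SQL host and the two web servers permitted to reach it are assumptions for illustration; the script prints the rules by default and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the post: Internet => firewall => DMZ (web, mail relay, proxy, VPN)
# => firewall => backend (SQL, internal mail) on a single three-port box.
# Interfaces, subnets and hosts below are assumptions for illustration.
# Rules are printed by default; APPLY=1 pipes them to sh (run as root on the firewall).

WAN=${WAN:-eth0}                  # towards the Internet router
DMZ_IF=${DMZ_IF:-eth1}            # public-facing servers
BACK_IF=${BACK_IF:-eth2}          # backend servers and internal LAN
DMZ_NET=${DMZ_NET:-192.0.2.0/24}
BACK_NET=${BACK_NET:-10.10.0.0/24}
WEB_HOSTS=${WEB_HOSTS:-192.0.2.10 192.0.2.11}   # only these may open connections to SQL
SQL_HOST=${SQL_HOST:-10.10.0.5}                 # backend SQL Server: TCP/1433 only, never UDP/1434

gen_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"            # nothing crosses a segment unless listed below
    # The worm's traffic is dropped before any ACCEPT rule and in every direction, so an
    # infected DMZ or backend host cannot spray the Internet either.
    echo "iptables -A FORWARD -p udp --dport 1434 -j DROP"
    echo "iptables -A INPUT -i $WAN -p udp --dport 1434 -j DROP"
    # Replies for connections accepted by the rules that follow.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Internet -> DMZ: only the published services.
    for port in 80 443 25; do
        echo "iptables -A FORWARD -i $WAN -o $DMZ_IF -d $DMZ_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # DMZ -> backend: the named web servers to the SQL listener on TCP/1433, nothing else.
    for web in $WEB_HOSTS; do
        echo "iptables -A FORWARD -i $DMZ_IF -o $BACK_IF -s $web -d $SQL_HOST -p tcp --dport 1433 -m state --state NEW -j ACCEPT"
    done
    # DMZ -> Internet is filtered too: a compromised web server may only resolve names and relay mail.
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    # Backend/internal -> Internet: browsing and DNS. There is deliberately no Internet -> backend rule.
    echo "iptables -A FORWARD -i $BACK_IF -o $WAN -s $BACK_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $BACK_IF -o $WAN -s $BACK_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # Whatever falls through is logged (rate-limited) and then hits the DROP policy.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The order matters: the UDP/1434 drop sits above the ESTABLISHED,RELATED accept, so no state entry can ever let a worm datagram through, and the SQL host is reachable only from the listed web servers on TCP/1433.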
Re:Turn your SQL server off? (Score:4, Insightful)
Maybe because BIND was built with the Internet in mind. Besides, who in their right mind (I know it's redundant) would expose a database server to the Internet, whether that be Oracle, MySQL, PostgreSQL, MSSQL or anything of this nature? It should be hidden completely behind an application layer, preferably behind a firewall.
Remember to all: This isn't about bashing Micro$oft per se, but rather bashing sysadmins who expose a database out on the net.
Re:What's inside ? (Score:5, Informative)
This is inside... (Score:3, Informative)
Disassembly of the 404 bytes being sent by affected systems [freedom.org]
Re:Such floods can be easily stopped. (Score:3, Insightful)
Wagner LLC Consulting Co. - Getting it right the first time
If I took you for someone else, please accept my apology.
Re:Such floods can be easily stopped. (Score:3, Insightful)
I agree. However, I also suggest that packets streaming into any port under a Gaussian bell curve probability and/or a Poisson distribution also be filtered out. I heard that the newest version of the Linux kernel has mechanisms for thermodynamically analyzing all packets for signs of randomness. As all computer scientists and mathematicians know, humans are not random, and it is therefore unlikely that packets sent from a client will arrive at any given server randomly. Richard Stallman in his PhD thesis "The Statistical Thermodynamics of Software Evolution" says as much. Please read the paper for details.
Sorry, I don't have the URL. I'm not a karma whore.
Re:One at our site cut itself off from the net... (Score:4, Interesting)
"Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
Re:The Fix? (Score:3, Insightful)
For free.
Asshead.
Re:Attention! You must have SP3 or MS039!! (Score:4, Informative)
Need both MS02-034 and MS02-039. MS02-034 must be included in SP3.
Re:UUNET woes? (Score:5, Interesting)
We have many, many colocated customers, many of whom run msql. This issue is horrible in that it is causing massive packet loss, and when packets do get through, the latency is around 500ms and up, and that is for an all-Ethernet network segment. Our core router was getting slammed and CPU utilization would hang out at around 100%.
When we started unplugging switches from the routers, traffic would return to normal. We then pinpointed it down to all of our colo customers and disconnected just the SQL servers from the network. Effing pain in the ass though.
Goddamned MS and their crappy no-password requirement for the SQL admin user and the moron admins who don't patch their systems. Are people this trusting of MS that their servers are safe and/or this stupid that they just don't apply patches until they get screwed?
Whatever, I am soooo tired... g'night
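The pinpointing step in the post above, as an added example that is not part of the post: a shell function that reads tcpdump's text output and reports which source addresses are sending the worm pattern, that is UDP to port 1434 with a 376-byte payload (the 404-byte datagram from the disassembly link, less the 20-byte IPv4 and 8-byte UDP headers). The log lines are constructed in tcpdump's default `-nn` format, not a real capture, and use documentation address ranges; the optional threshold argument is an assumption added here so that a single stray SSRP query does not get a host unplugged.

```shell
#!/bin/sh
# Added example, not from the thread: find the hosts spraying UDP/1434 from tcpdump output.
# Fingerprint: UDP datagram to port 1434 with a 376-byte payload (404 bytes on the wire
# minus 20 bytes IPv4 header and 8 bytes UDP header).
# SAMPLE_LOG is constructed in tcpdump's "-nn" text format; it is not a capture.

SAMPLE_LOG='00:12:01.100312 IP 198.51.100.7.40123 > 203.0.113.5.1434: UDP, length 376
00:12:01.100918 IP 198.51.100.7.40123 > 203.0.113.6.1434: UDP, length 376
00:12:01.203311 IP 203.0.113.9.1434 > 203.0.113.5.1434: UDP, length 1
00:12:01.301010 IP 203.0.113.9.53000 > 203.0.113.5.53: UDP, length 32
00:12:02.000001 IP 198.51.100.7.40123 > 203.0.113.7.1434: UDP, length 376
00:12:02.500000 IP 192.0.2.44.1036 > 203.0.113.5.1434: UDP, length 376'

# Usage: tcpdump -nn -l udp dst port 1434 | worm_sources [min_hits]
# Prints "count source" for every source that sent at least min_hits (default 1)
# worm-pattern datagrams, busiest first. Those are the boxes to unplug or block.
worm_sources() {
    min=${1:-1}
    awk -v min="$min" '
        # tcpdump -nn line: TIME IP SRC.PORT > DST.PORT: UDP, length N
        $2 == "IP" && $5 ~ /\.1434:$/ && $6 == "UDP," && $7 == "length" && $8 == 376 {
            src = $3
            sub(/\.[0-9]+$/, "", src)          # drop the source port, keep the address
            hits[src]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | worm_sources
```

The one-byte packet from 203.0.113.9 is a normal SQL Server Resolution Service query and is correctly ignored; only the two sources emitting 376-byte datagrams are reported, and `worm_sources 2` keeps just the host that sent three of them.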
Re:my naked-to-the-net sqlserver2000 box is aok (Score:4, Insightful)
You, and the rest of you non-engrossed, non-technical people who don't have $15.00 to put a NIC in a 486 firewall that you can pick up at the dump, but plenty of money to shell out for system upgrades every few years... You're causing this problem. You, personally.
First, by buying and deploying a server OS by an untrustworthy organization, followed by not even complying with their recommendations for protecting, securing, and updating that server.
Then, by saying "Whew! Dodged that bullet" after you CLICKED ON A CHECK BOX. That is not quite the same as... oh... patching it, securing it behind a firewall and testing it for packet traffic. THESE are the "basics" of your box and the Internet, not what your manual, the context-sensitive help, or MS' marketing department tell you.
Was that non-technical enough for you? Stop being smug, and stop being part of the problem.