Re: Increased activity on UDP/1434

From: slswick@aep.com
Date: 01/25/03

    To: "Dmitri Smirnov" <Dmitri.Smirnov@fusepoint.com>
    From: slswick@aep.com
    Date: Sat, 25 Jan 2003 09:36:51 -0500
    
    

    TrendLabs has received a number of reports from two major companies
    describing attacks via port 1434 that are attributed to this malware.

    This DDoS attack uses a vulnerability that allows remote attackers to
    create a denial of service condition between two Microsoft SQL servers. It
    affects systems running Microsoft SQL Server 2000.

    For more information on DDOS_SQLP1434.A please visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName

    Thanks,
    Stephen L. Swick
    Team Lead
    Risk Management - Information Security
    American Electric Power
    614-324-3929
    SLSwick@AEP.com

    "Dmitri Smirnov" <Dmitri.Smirnov@fusepoint.com>
    To: <incidents@securityfocus.com>
    cc:
    Subject: Increased activity on UDP/1434
    01/25/2003 02:05 AM

    Having a big number of connections on UDP/1434 from random IPs on the
    Internet on different networks. One hour ago (22:00 PST) one server in
    colo space started to initiate hundreds of connections per second to
    different hosts on the Internet on port UDP/1434 (isolated).
    New worms? DDoS? Is anyone experiencing the same?

    Dmitri Smirnov, SSCP
    Security Team
    Fusepoint Managed Services Inc.
    Suite 2323, Three Bentall Centre
    595 Burrard Street
    P.O. Box 49336
    Vancouver B.C. V7X 1L4
    Phone: (604) 687-7757
    Fax: (604) 687-7761
    Email: Dmitri.Smirnov@fusepoint.com
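The behaviour Dmitri describes (one host suddenly emitting hundreds of UDP/1434 datagrams per second to many different destinations) is easy to pick out of flow or packet-capture summaries. The following is an added detection example, not code from either poster or from SecurityFocus; the flow records are constructed for illustration and the `epoch src dst proto dport` field layout is an assumption rather than any real collector's format. It flags sources whose UDP/1434 output exceeds a per-second rate and a distinct-destination count, which separates a scanning host from a server that merely talks to one SQL instance.

```python
"""Flag hosts spraying UDP/1434 datagrams at many distinct destinations.

Added example (not part of the original mailing-list thread). Flow records
below are constructed; the field layout "epoch src dst proto dport" is an
assumption, not any particular collector's output format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows: 10.0.0.5 behaves like the colo server in the
# report (hundreds of UDP/1434 packets per second to different hosts);
# 10.0.0.7 is a benign client talking to a single SQL server.
SAMPLE_FLOWS = "\n".join(
    [f"1043461200 10.0.0.5 192.0.2.{i % 250 + 1} udp 1434" for i in range(300)]
    + [f"1043461201 10.0.0.5 198.51.100.{i % 250 + 1} udp 1434" for i in range(250)]
    + [
        "1043461200 10.0.0.7 203.0.113.10 udp 1434",
        "1043461200 10.0.0.7 203.0.113.10 udp 1434",
        "1043461201 10.0.0.7 203.0.113.11 tcp 1433",
        "this line is malformed and should be skipped",
    ]
)


@dataclass
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    proto: str   # "udp" / "tcp"
    dport: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport)))
        except ValueError:
            continue
    return flows


def find_udp1434_sprayers(flows, pps_threshold=100, distinct_dst_threshold=50):
    """Return {src: (peak_pps, distinct_dsts)} for sources whose UDP/1434
    traffic reaches pps_threshold packets in some one-second bucket AND
    reaches distinct_dst_threshold distinct destination hosts overall.
    Both conditions together describe scanning rather than a busy client."""
    per_sec = defaultdict(lambda: defaultdict(int))   # src -> ts -> count
    dsts = defaultdict(set)                           # src -> {dst}
    for f in flows:
        if f.proto == "udp" and f.dport == 1434:
            per_sec[f.src][f.ts] += 1
            dsts[f.src].add(f.dst)
    hits = {}
    for src, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak >= pps_threshold and len(dsts[src]) >= distinct_dst_threshold:
            hits[src] = (peak, len(dsts[src]))
    return hits


if __name__ == "__main__":
    for src, (peak, n_dst) in find_udp1434_sprayers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: peak {peak} UDP/1434 pkts/s to {n_dst} distinct hosts")
```

Tune the two thresholds to the site: a monitoring host that legitimately polls many SQL instances will have a high destination count but a low rate, while a single busy client has a high rate to one destination; only the combination is worth an alert. Feeding real NetFlow or tcpdump summaries only requires replacing `parse_flows` with a parser for that format.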

    ----------------------------------------------------------------------------

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
