Re: Massive SQL Server attack
From: Bob A. Schelfhout Aubertijn MCSE (bobsklfk@NOSPAMquicknet.nl)
Date: 01/25/03
- Next message: Bob A. Schelfhout Aubertijn MCSE: "Re: Massive SQL Server attack"
- Previous message: Bob A. Schelfhout Aubertijn MCSE: "Re: Massive SQL Server attack"
- In reply to: Clint: "Massive SQL Server attack"
- Next in thread: Bob A. Schelfhout Aubertijn MCSE: "Re: Massive SQL Server attack"
From: "Bob A. Schelfhout Aubertijn MCSE" <bobsklfk@NOSPAMquicknet.nl> Date: Sat, 25 Jan 2003 14:59:10 +0100
I would like to revise my previous statement.

W32/SQLSlammer, as it's being called now, does not act like SQL-Spida,
and the mitigators to prevent SQL-Spida are not necessarily effective in
preventing SQLSlammer.

SQLSlammer is delivered entirely in the single connection, 367 bytes of
attack code. It appears to be entirely memory resident, IOW, it won't
drop anything. It does not appear to take advantage of weak passwords or
any stored procedures, it simply overflows the buffer and executes.

Also, SQL-Spida attacked 1433, whereas this attacks UDP 1434.

If this attack is also employing the SQL Ping bounce described by David
Litchfield last July, then this could account for the amount of
bandwidth being consumed by this. Look in the NTBugtraq archives for
David's email.

There is some discussion occurring that ISPs are blocking this traffic,
so we should see recovery relatively quickly.

So far there have been no reports of SQL 7 or lower being affected.

More as it's available.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
--
Bob A. Schelfhout Aubertijn
======================================================
Please reply to the newsgroup only so that others can learn from this issue.
This message is provided "as is", with absolutely no warranties.
If this post or another solves your problem in any way, or gives you new
ideas, please have the common decency to inform the newsgroup of your
farings. We don't charge extra for being polite. ;-)
======================================================
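
Added example, not part of the original post or of any NTBugtraq material: because the message describes delivery in a single packet to UDP 1434 with nothing written to disk, network flow data is the practical place to look for affected hosts. The sketch below flags sources that send UDP/1434 to many distinct destinations in a short window. The log format, the thresholds and the premise that an infected host shows up as this kind of fan-out are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic).
# Assumed format: epoch_seconds src_ip dst_ip protocol dst_port
SAMPLE_FLOWS = """\
1043503150 10.0.5.20 198.51.100.7 udp 1434
1043503150 10.0.5.20 203.0.113.44 udp 1434
1043503151 10.0.5.20 192.0.2.19 udp 1434
1043503151 10.0.5.20 198.51.100.201 udp 1434
1043503152 10.0.5.20 203.0.113.9 udp 1434
1043503150 10.0.5.31 10.0.9.5 udp 1434
1043503160 10.0.5.31 10.0.9.5 udp 1434
1043503150 10.0.5.40 198.51.100.7 tcp 1433
1043503150 10.0.5.40 198.51.100.8 tcp 1433
1043503151 10.0.5.40 198.51.100.9 tcp 1433
1043503151 10.0.5.40 198.51.100.10 tcp 1433
1043503100 10.0.5.50 10.0.9.5 udp 1434
1043503200 10.0.5.50 10.0.9.6 udp 1434
1043503300 10.0.5.50 10.0.9.7 udp 1434
1043503400 10.0.5.50 10.0.9.8 udp 1434
"""

def find_fanout_sources(lines, proto="udp", port=1434, min_dests=4, window=5):
    """Return {src_ip: max distinct destinations seen within `window` seconds}
    for sources that reach at least `min_dests` on proto/port."""
    per_src = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, p, dport = fields
        if p.lower() == proto and int(dport) == port:
            per_src[src].append((int(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_dests:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_fanout_sources(SAMPLE_FLOWS.splitlines()))
```

In the sample, only 10.0.5.20 is flagged; the repeated lookups against one server, the TCP 1433 traffic and the slow UDP 1434 lookups stay below the threshold.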