Educause Security Discussion mailing list archives

new outbreak of Slammer?


From: Scott Genung <sagenung () ILSTU EDU>
Date: Wed, 25 Aug 2004 10:28:22 -0500

All,

We are seeing large volumes of DoS traffic originating from what appears to
be a new outbreak of Slammer. It all started around 4:30p yesterday
afternoon and has doubled our inbound Internet volume. We are effectively
blocking this traffic at the edge of our network through filters and IPS.
Anyone else seeing this? Below is one page of the logs we see on our IPS.




Scott Genung
Manager of Networking Systems
Telecommunications and Networking
Illinois State University
124 Julian Hall
Normal, IL 61790-3500

Phone: (309)438-7258
Web: http://www.tel.ilstu.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
