Snort mailing list archives
FW: Currently MS UDP/1434 attacks
From: Rich Adamson <radamson () routers com>
Date: Sat, 25 Jan 2003 09:09:14 -0600
All...

Below note just posted on another list... Current serious vulnerability... best be blocking the port real soon! Might read http://www.nextgenss.com/advisories/mssql-udp.txt for some tech detail.

------------------

Hey folks,

Seems that as of 12:30 AM EST today a MS-SQL worm has been wreaking havoc on the Internet. Some of the tier 1 providers are reporting nearly 100% packet loss on their peering links. I'm seeing mixed reports, but it looks like this worm leverages a Cisco Netflow bug and/or multicast addressing to amplify the attack. This makes the bandwidth consumption far worse than the Code Red and Nimda.

Here are the advisories of concern:

http://www.kb.cert.org/vuls/id/370308
http://www.kb.cert.org/vuls/id/399260
http://www.kb.cert.org/vuls/id/484891
http://www.kb.cert.org/vuls/id/796313

Please notice that the most current is from 7/2002 so if you are patched you are cool. You are also in good shape if you are blocking UDP/1434 inbound and _outbound_. Outbound is important to ensure you don't spread the thing if you catch it. You are also cool if you have, like me, installed the "Red Hat" patch to all of your servers. ;-)

I just checked dshield at: http://isc.incidents.org/port_details.html?port=1433 and it actually shows UDP/1434 traffic as being lower than normal, but I would expect this is due to report lag time rather than real numbers.

I know all of the above sounds really bad folks, but not to worry. I received a personal e-mail from Bill Gates this week saying they are now focused on security so I'm sure this is just some kind of simple misunderstanding. ;-)
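Added example, not part of the original post: a check over flow records that separates inbound UDP/1434 from outbound and flags internal hosts sending to many external addresses, the outbound case the post says to block. The record format, the 10.0.0.0/8 internal range, the fan-out threshold and every address below are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WATCH_PORT = 1434  # UDP port named in the post

# Constructed sample flow records, "src dst proto dport" (not real traffic).
SAMPLE_FLOWS = """\
10.0.5.20 198.51.100.7 udp 1434
10.0.5.20 203.0.113.9 udp 1434
10.0.5.20 192.0.2.44 udp 1434
10.0.5.20 198.51.100.200 udp 1434
10.0.8.3 10.0.5.20 udp 1434
203.0.113.77 10.0.5.21 udp 1434
10.0.9.9 198.51.100.7 udp 53
10.0.9.9 192.0.2.10 tcp 1434
malformed line here
"""

def audit_udp1434(flow_text, internal_cidrs, fanout_threshold=3):
    """Split UDP/1434 flows by direction and flag internal hosts with high external fan-out."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]

    def is_internal(ip):
        return any(ip in n for n in nets)

    inbound = []                 # (external src, internal dst) pairs
    outbound = defaultdict(set)  # internal src -> distinct external dsts
    skipped = 0
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            proto, dport = parts[2].lower(), int(parts[3])
        except (IndexError, ValueError):
            skipped += 1         # count unparseable records instead of hiding them
            continue
        if proto != "udp" or dport != WATCH_PORT:
            continue
        if is_internal(src) and not is_internal(dst):
            outbound[str(src)].add(str(dst))
        elif not is_internal(src) and is_internal(dst):
            inbound.append((str(src), str(dst)))
    suspects = sorted(h for h, d in outbound.items() if len(d) >= fanout_threshold)
    return {"inbound": inbound, "suspects": suspects, "skipped": skipped,
            "outbound": {h: len(d) for h, d in outbound.items()}}

if __name__ == "__main__":
    print(audit_udp1434(SAMPLE_FLOWS, ["10.0.0.0/8"]))
```

Any entry under `outbound` means the egress filter is not dropping UDP/1434; entries under `suspects` are internal hosts to isolate and inspect first.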