Educause Security Discussion mailing list archives

Continued slammer traffic over Abilene


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Wed, 7 May 2003 15:53:44 -0500

See some comments below, from our Advanced Network Management Lab.  The
comments refer to a list of sites, which I have removed.  But, we will
attempt to identify the technical contacts for those sites and send them
more detailed information.  In any case, all campuses might want to
consider continuing/reinstating/installing traps on 1433 and 1434. 

(That with my REN-ISAC hat on -- this with my IU hat on:  we never
removed our filters on those ports.  Very little problem here, and only
about 3 situations where we had to make exceptions.)
M.

-- 
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu



***
Abilene continues to see a large number of SQL Slammer infection 
attempts, roughly one million attempts per day.  The trend on infection 
attempts appears to be basically static as analysis done two weeks ago 
also showed roughly a million infection attempts per day.

Below is the output of a query against our Postgres relational 
database system showing the top infection sites (more than 10,000 
infected packets sourced) ordered by number of infected packets sourced 
over a three-day period.  Note that the source addresses are anonymized 
according to Internet2 criteria.

[list deleted]

Note that the total number of infected packets over the same period was 
3,545,547.  During that period we captured 920 billion individual 
traces.  From a network load perspective, SQL Slammer is a small part 
(0.0004%) of Abilene's total flow.
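
The following is an added example, not part of the original message or the lab's own query: a top-sources report of the kind described above, run over constructed flow records. The record layout, the sample addresses and the match rule are assumptions; the message does not say how the lab classifies a packet as infected, so this sketch uses UDP to port 1434 with the worm's fixed 404-byte IP packet size.

```python
from collections import Counter

UDP = 17
SLAMMER_PORT = 1434    # SQL Server Resolution Service, the port the worm targets
SLAMMER_IP_LEN = 404   # 376-byte payload + 8-byte UDP header + 20-byte IP header

# Constructed flow records: (anonymized_src, protocol, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("10.1.0.0", 17, 1434, 9000, 9000 * 404),
    ("10.1.0.0", 17, 1434, 6000, 6000 * 404),
    ("10.2.0.0", 17, 1434, 12000, 12000 * 404),
    ("10.3.0.0", 17, 1434, 500, 500 * 404),      # infected, but under threshold
    ("10.4.0.0", 17, 1434, 20000, 20000 * 60),   # right port, wrong packet size
    ("10.5.0.0", 6, 1433, 40000, 40000 * 1500),  # TCP SQL traffic, not the worm
    ("10.6.0.0", 17, 53, 100000, 100000 * 80),   # unrelated UDP
]


def is_slammer(proto, dst_port, packets, nbytes):
    """Flow-level match: UDP to 1434 where every packet is 404 bytes long."""
    return (proto == UDP and dst_port == SLAMMER_PORT
            and packets > 0 and nbytes == packets * SLAMMER_IP_LEN)


def top_sources(flows, threshold=10_000):
    """Sources with more than `threshold` matching packets, largest first."""
    per_src = Counter()
    for src, proto, dport, pkts, nbytes in flows:
        if is_slammer(proto, dport, pkts, nbytes):
            per_src[src] += pkts
    return [(s, n) for s, n in per_src.most_common() if n > threshold]


def slammer_share(flows):
    """Matching packets as a percentage of all packets in the capture."""
    total = sum(f[3] for f in flows)
    hits = sum(f[3] for f in flows if is_slammer(*f[1:]))
    return 100.0 * hits / total if total else 0.0


if __name__ == "__main__":
    for src, count in top_sources(SAMPLE_FLOWS):
        print(f"{src:<12} {count:>8}")
    print(f"share of all packets: {slammer_share(SAMPLE_FLOWS):.4f}%")
```

Summing per source before applying the threshold matters: 10.1.0.0 only crosses 10,000 once its two flows are combined.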
