Security Incidents mailing list archives

Re: SQL Slammer Variant?

From: crucible <crucible () collective sh>
Date: Tue, 01 Apr 2003 07:53:20 -0500


Aaron,

If you're pretty sure that the traffic is originating internally and isspoofed, here are a couple of things you could do:


- If you have internal routers, add source address spoofing filters to
  each of their interfaces. You could turn on logging for matches based
  on that rule and at least narrow down which of your networks this is
  coming from. This is a good thing to have in any event. People on your
  internal network shouldn't be sending spoofed packets.

- If you don't have internal routers and you've got just one big
  switched network, then the source MAC address of the spoofed packets
  should hopefully be in the packet captures of your IDS logs. Use this
  information in combination with your switch management tools to figure
  out where the traffic is coming from.

HTH,

--
crucible <crucible () collective sh>
---------------------------------------------------------------------------
Excellent. The weather machine is nearly completed. What do you say to
that broccoli? Stop mocking me! -- Stewie from Family Guy


Wilson, Aaron J. wrote:

I am witnessing SQL Slammer IDS events on an internal sensor that aren't
coming from one particular source.  In fact, every packet sent has a unique
and random source IP as well as a unique and random destination IP.  The
data in the packet matches the one shown at
http://isc.incidents.org/analysis.html?id=180.  We have UDP 1434 blocked
around the perimeter and believe this traffic to be originating from a

system within the internal network.

The rate of packets at around 2-6 packets per minute isn't as high as the
original SQL Slammer traffic I have been seeing (at thousands of packets per
minute).  But this is going to be difficult to track down on a large
network.  If it spreads, 2-6 packets per minute per infected host with

thousands of internal systems...

The first spell was between 03/27/2003 1023 and 1100 PST.  It picked up
again at 1431 PST on 3/28/2003 and hasn't stopped yet.

Thoughts?  Similar experiences?  Note to coworkers - if this is a practical
joke on me it's a good one.

-Aaron



----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents

Current thread:

Re: SQL Slammer Variant? crucible (Apr 02)
- <Possible follow-ups>
- RE: SQL Slammer Variant? Wilson, Aaron J. (Apr 02)
- RE: SQL Slammer Variant? Rob Shein (Apr 02)