Security Incidents mailing list archives

RE: SQL Slammer Variant?


From: "Rob Shein" <shoten () starpower net>
Date: Wed, 2 Apr 2003 10:24:13 -0500

Look at the MAC address on the packets, and RARP them to find the proper IP.
If it matches that of a router, go to the net(s) on the other side of that
router and sniff there, doing the same thing.  

-----Original Message-----
From: Wilson, Aaron J. [mailto:AARON.J.WILSON () saic com] 
Sent: Saturday, March 29, 2003 1:31 PM
To: 'incidents () securityfocus com'
Subject: SQL Slammer Variant?


I am witnessing SQL Slammer IDS events on an internal sensor that aren't
coming from one particular source.  In fact, every packet sent has a unique
and random source IP as well as a unique and random destination IP.  The
data in the packet matches the one shown at
http://isc.incidents.org/analysis.html?id=180.  We have UDP 1434 blocked
around the perimeter and believe this traffic to be originating from a
system within the internal network.  

The rate of packets at around 2-6 packets per minute isn't as high as the
original SQL Slammer traffic I have been seeing (at thousands of packets per
minute).  But this is going to be difficult to track down on a large
network.  If it spreads, 2-6 packets per minute per infected host with
thousands of internal systems... 

The first spell was between 03/27/2003 1023 and 1100 PST.  It picked up
again at 1431 PST on 3/28/2003 and hasn't stopped yet.

Thoughts?  Similar experiences?  Note to coworkers - if this is a practical
joke on me it's a good one.

-Aaron

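The tracking approach in the reply above (group the packets by the Ethernet source MAC, which the random IP source field cannot hide, resolve that MAC to an address, and if it belongs to a router move to the segment behind it), as an added Python example that is not part of the original thread. Everything in it is constructed for illustration: the frames, the ARP table, the router MAC, and the simplified Slammer fingerprint (UDP/1434, 376-byte payload beginning 04 01 01 01), which is not a full IDS signature. The example resolves MACs through a copy of the sensor host's ARP table; any other MAC-to-IP source would do.

```python
"""Attribute spoofed UDP/1434 (Slammer) packets to their last-hop MAC.

Added example, not from the original thread. Frames, ARP table, router MAC
and the payload fingerprint below are constructed test data / assumptions.
"""
import socket
import struct
from collections import defaultdict

SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376  # Slammer's UDP payload size; check simplified here


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet/IPv4/UDP frame (checksums left zero; test data only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dport, payload) for IPv4/UDP, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = mac_str(frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # protocol field: 17 is UDP
        return None
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return src_mac, src_ip, dst_ip, dport, udp[8:ulen]


def is_slammer(dport, payload):
    """Simplified fingerprint: UDP/1434, 376-byte payload starting 04 01 01 01."""
    return (dport == SLAMMER_PORT and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[:4] == b"\x04\x01\x01\x01")


def attribute_by_mac(frames):
    """Group matching packets by Ethernet source MAC, the field spoofing cannot hide."""
    stats = defaultdict(lambda: {"packets": 0, "src_ips": set(), "dst_ips": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, dport, payload = parsed
        if is_slammer(dport, payload):
            s = stats[src_mac]
            s["packets"] += 1
            s["src_ips"].add(src_ip)
            s["dst_ips"].add(dst_ip)
    return dict(stats)


def next_hop_advice(stats, arp_table, router_macs):
    """Resolve each sourcing MAC via the ARP table and say where to sniff next."""
    advice = {}
    for mac, s in stats.items():
        ip = arp_table.get(mac, "unknown")
        spoofed = len(s["src_ips"]) > 1  # many source IPs from one MAC = spoofing
        if mac in router_macs:
            advice[mac] = f"router {ip}: sniff the segment(s) behind it and repeat"
        elif spoofed:
            advice[mac] = f"host {ip}: local origin of the spoofed packets"
        else:
            advice[mac] = f"host {ip}: single source IP, likely an ordinary infection"
    return advice


# Constructed test data: a gateway, one local host, and a next-hop MAC.
ROUTER_MAC = "00:00:0c:07:ac:01"
HOST_MAC = "00:50:56:ab:cd:ef"
NEXT_HOP_MAC = "00:11:22:33:44:55"
ARP_TABLE = {ROUTER_MAC: "10.1.1.1", HOST_MAC: "10.1.1.37"}
SLAMMER_PAYLOAD = b"\x04" + b"\x01" * 97 + b"\x90" * (SLAMMER_PAYLOAD_LEN - 98)


def sample_frames():
    """Three spoofed Slammer packets via the router, one local infection, one DNS query."""
    spoofed = [("203.0.113.9", "192.0.2.44"), ("198.51.100.3", "10.9.8.7"),
               ("192.0.2.200", "172.16.5.5")]
    frames = [build_frame(ROUTER_MAC, NEXT_HOP_MAC, s, d, 1434, 1434, SLAMMER_PAYLOAD)
              for s, d in spoofed]
    frames.append(build_frame(HOST_MAC, ROUTER_MAC, "10.1.1.37", "10.2.2.2", 1434, 1434, SLAMMER_PAYLOAD))
    frames.append(build_frame(HOST_MAC, ROUTER_MAC, "10.1.1.37", "10.1.1.1", 5353, 53, b"\x00" * 30))
    return frames


if __name__ == "__main__":
    found = attribute_by_mac(sample_frames())
    for mac, hint in next_hop_advice(found, ARP_TABLE, {ROUTER_MAC}).items():
        print(mac, found[mac]["packets"], "pkts", sorted(found[mac]["src_ips"]), "->", hint)
```

On a real capture, feed `attribute_by_mac` the raw link-layer frames from the sensor and fill `ARP_TABLE` from `arp -a` on the sniffing host; a MAC that resolves to a router with many distinct source IPs behind it is the signal to repeat the capture on that router's other interfaces.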
----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1
