Snort mailing list archives

FW: Currently MS UDP/1434 attacks


From: Rich Adamson <radamson () routers com>
Date: Sat, 25 Jan 2003 09:09:14 -0600

All...

Below note just posted on another list...

Current serious vulnerability... best be blocking the port real soon!
Might read http://www.nextgenss.com/advisories/mssql-udp.txt for some
tech detail.

------------------
Hey folks,

Seems that as of 12:30 AM EST today a MS-SQL worm has been wreaking
havoc on the Internet. Some of the tier 1 providers are reporting nearly
100% packet loss on their peering links. I'm seeing mixed reports, but
it looks like this worm leverages a Cisco Netflow bug and/or multicast
addressing to amplify the attack. This makes the bandwidth consumption
far worse than Code Red and Nimda.

Here are the advisories of concern:
http://www.kb.cert.org/vuls/id/370308
http://www.kb.cert.org/vuls/id/399260
http://www.kb.cert.org/vuls/id/484891
http://www.kb.cert.org/vuls/id/796313

Please notice that the most current is from 7/2002 so if you are patched
you are cool. You are also in good shape if you are blocking UDP/1434
inbound and _outbound_. Outbound is important to ensure you don't spread
the thing if you catch it. You are also cool if you have, like me,
installed the "Red Hat" patch to all of your servers. ;-)

I just checked dshield at:
http://isc.incidents.org/port_details.html?port=1433

and it actually shows UDP/1434 traffic as being lower than normal, but I
would expect this is due to report lag time rather than real numbers.

I know all of the above sounds really bad folks, but not to worry. I
received a personal e-mail from Bill Gates this week saying they are now
focused on security so I'm sure this is just some kind of simple
misunderstanding. ;-)
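
An added example, not part of the original post: a check over firewall or flow records for the two directions of UDP/1434 traffic the message says to block, flagging internal hosts whose outbound UDP/1434 fans out to many external addresses. The record format, the internal ranges, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal address space; adjust to the local network.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PORT = 1434        # UDP port named in the post
FANOUT_LIMIT = 3   # assumed threshold: distinct external destinations per host

# Constructed sample records in an assumed format: "epoch proto src:sport dst:dport"
SAMPLE = """\
1043507400 udp 10.1.2.3:1027 198.51.100.7:1434
1043507400 udp 10.1.2.3:1027 203.0.113.9:1434
1043507401 udp 10.1.2.3:1027 192.0.2.44:1434
1043507401 udp 10.1.2.3:1027 198.51.100.200:1434
1043507402 udp 203.0.113.50:3021 10.1.9.9:1434
1043507402 tcp 10.1.2.8:40211 198.51.100.7:1433
1043507403 udp 10.1.5.5:1050 10.1.9.9:1434
malformed line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse(line):
    """Return (proto, src, dst, dport), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = parts[2].rsplit(":", 1)[0]
        dst, dport = parts[3].rsplit(":", 1)
        ipaddress.ip_address(src)   # raises ValueError on a bad address
        ipaddress.ip_address(dst)
        return parts[1].lower(), src, dst, int(dport)
    except ValueError:
        return None

def analyse(text):
    inbound, outbound = [], defaultdict(set)
    for proto, src, dst, dport in filter(None, map(parse, text.splitlines())):
        if proto != "udp" or dport != PORT:
            continue
        if is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)       # leaving the network: possible spread
        elif not is_internal(src) and is_internal(dst):
            inbound.append((src, dst))   # arriving from outside: exposure
    suspects = sorted(h for h, d in outbound.items() if len(d) >= FANOUT_LIMIT)
    return {"inbound": inbound, "outbound": dict(outbound), "suspects": suspects}
```

Calling `analyse(SAMPLE)` returns the inbound pairs, the per-host outbound destination sets, and the list of internal hosts at or above the fan-out threshold.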


