MASSIVE internet DDOS attacks....

Even though the ISP I used appears to have missed
the bullet overall with no extra bandwith useage......
My one server has been getting over the last
week, a problem of server overload......
Maybe I need a bigger server!!! or more memory!!!

It looks like UUNET Dallas TX has been getting hit real hard.

Personally I think Bill Gates should pay the bill for writing
bad software... and not fixing it right. Setting up defaults
to let the world in instead of keeping the world out is DUMB!

Sources on the attack....

Maybe it is Binladen
North Korea
Iraq
Iran
Lybia

Maybe it is none of the above.... It is just script kiddies
or real stupid Admins who never patch their systems.

I just did a check of my logs on 6 different Linix boxes
and found my Nimda probes are up by 10 times...
on all but 1 of my boxes I admin

Hmmmmmm!!!
:confused:

im just curious what services run on udp port 1434 that makes it so vulnerble, is it just the port that the worm is set to move on? or is it some thing else? also i ran a netstat -an and i dont have anything running on port 1434, and i use mediacom...so my question in short why am i not being affected and you guys are?

If only 22,000 administrators had patched their systems responsibly like they should... *sigh*

For the patch, go here: http://www.microsoft.com/technet/tre...n/ms02-039.asp

Anyone who is running the SQL server and is not patched, do the Internet a favor and please go to that address and install the patch if you haven't already.

It only effects people running MS SQL Server.

http://isc.incidents.org/analysis.html?id=180

Gotta love getting woke up at 3am cause some wanker decides to release something like that. Basically memory resident worm only. Rebooting the machine will remove the infection; however, unless you patch it, you are just as vulnerable and will get infected rapidly again. Blocking udp/1434 at your gateway is quite effective. The above aritcle gives snort signatures and methods for correction.

Installing SP3 for SQL 2000 should correct it.

http://www.microsoft.com/sql/downloads/2000/sp3.asp
http://vil.mcafee.com/dispVirus.asp?virus_k=99992

/nebulus

quote from bugtraq:

Quote:

---

A worm which exploits a (new?) vulnerability in SQL Server is bringing
the core routers to a grinding halt. The speed of the propagation can be
attributed to the attack method and simplicity of the code. The worm
sends a 376-byte UDP packet to port 1434 of each random target, each
vulnerable system will immediately start propagating itself. Since UDP
is connection-less, the worm is able to spread much more quickly than
those using your standard TCP-based attack vectors (no connect
timeouts).

Some random screen shots, a copy of the worm as a perl script, and a
disassembly (sorry, no comments) can be found online at:

http://www.digitaloffense.net/worms/mssql_udp_worm/

-HD

---

for them geeks who can read assembler ;)

Even a well patched sql server has some interference with this... Mine was patched and still it acts crazy... so get the patch if you haven't already and if you want drop udp packets for ports 1433 and 1434 both in and ourgoing, till it's ok again.

to ammo: sorry to say it, but I think most people on AO don't know what the hell we're talking about, and the ones that do know are somewere else reading places were it does get discussed :/

oh its ONLY for servers running microsoft sql, i was underthe impression that it was the back bones that was getting hit , which they are, but because of that EVERYONE was getting hit, not just M$ users, thank you for clearing that up for me nebulus200, i appreciate it.

Yeah, well my openBSD box does get hit, but it isn't as damaging as to the windows box... It's still anoying though to get those packets... maybe only for my firewall logs get long and it is spoiling my time.

Quote:

---

to ammo: sorry to say it, but I think most people on AO don't know what the hell we're talking about, and the ones that do know are somewere else reading places were it does get discussed :/

---

Yeah, I guess... Actually, I am one of those who's reading about it elsewhere where it get's better coverage...

Quote:

---

Originally posted here by hatebreed2000
oh its ONLY for servers running microsoft sql, i was underthe impression that it was the back bones that was getting hit , which they are, but because of that EVERYONE was getting hit, not just M$ users, thank you for clearing that up for me nebulus200, i appreciate it.

---

Well, is aimed only at MS SQL servers, ie: only MS SQL servers can get "infected/compromised" by the worm, HOWEVER, everyone feels its effects because of the huge amount of traffic it generates while trying to spread itself; this leads to core routers backbone links being overloaded and results in legitimate traffic not getting through.

Ammo

thank ammo i now understand, just an after thought though. i know admins have a tough job, having to keep upto date with patches and fixes and what not but, i remember when this patch came out, cant say i ever would have guessed soem one would use the exploit to such a large scale, but now maybe the admins will keep the patches more upto date,.........even though its really not there fault, cause M$ is crap, but at least now they will know that M$ is crap and will proceed with caution from now on.

Quote:

---

Originally posted here by hatebreed2000
thank ammo i now understand, just an after thought though. i know admins have a tough job, having to keep upto date with patches and fixes and what not but, i remember when this patch came out, cant say i ever would have guessed soem one would use the exploit to such a large scale, but now maybe the admins will keep the patches more upto date,.........even though its really not there fault, cause M$ is crap, but at least now they will know that M$ is crap and will proceed with caution from now on.

---

Well you'd think they'd have learned after Code Red and Nimda, but apparently not... It's sad really. What I don't understand is how they can sleep at night with an MSSQL server exposed on the net!! Heh.. beats me...

Ammo