RE: Level3 routing issues?

2003-01-25 Thread Christopher J. Wolff
Of the customers I've had to shut off for being DOS targets, all are windows boxen. Perhaps there is a new windows exploit? Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

DOS?

2003-01-25 Thread Christopher J. Wolff
Greetings, It looks like all hell is breaking loose on some of the nation's backbones. http://www.internethealthreport.com The port counters on my ATT DS3 were reading in the 250 megabit range, that is a DS3, mind you. Any source IP's I can add to the circular file would be appreciated. Any

Re: New worm / port 1434?

2003-01-25 Thread Josh Richards
* Avleen Vig [EMAIL PROTECTED] [20030124 22:44]: It seems we have a new worm hitting Microsoft SQL server servers on port 1434. A preliminary look at some of our NetFlow data shows a suspect ICMP payload delivered to one of our downstream colo customer boxes followed by a 70 Mbit/s burst

fyi (fwd)

2003-01-25 Thread Alex Rubenstein
-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben -- --Net Access Corporation, 800-NET-ME-36, http://www.nac.net -- -- Forwarded message -- Date: Sat, 25 Jan 2003 01:50:34 -0500 From: Tim Yocum [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL

RE: Level3 routing issues?

2003-01-25 Thread Andrew Staples
Not just L3Genuity is getting whacked. ELI is getting whacked. Somebody needs to be gelded. Andrew

Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein
This is definitely a world-wide problem. Many networks are reporting all sorts of things. Nothing clear, except that it's all aimed at 1434. 01:28:33.331686 64.21.34.210.28295 238.192.142.61.1434: udp 376 [ttl 1] 01:28:33.331720 207.99.21.121.1917 226.39.19.228.1434: udp 376 [ttl 1]

Re: DOS?

2003-01-25 Thread Phil Rosenthal
On 1/25/03 2:00 AM, Christopher J. Wolff [EMAIL PROTECTED] wrote: Greetings, It looks like all hell is breaking loose on some of the nation's backbones. http://www.internethealthreport.com The port counters on my ATT DS3 were reading in the 250 megabit range, that is a DS3, mind you.

Re: Level3 routing issues?

2003-01-25 Thread matthew zeier
Internap has posted an alert noting widespread latency and packet loss affecting all their pnaps. Any SQL Server host at my facility shows an enormous traffic spike at the times below. We've begun filtering udp port 1434 in/out. - Original Message - From: Andy Dills [EMAIL PROTECTED]

Re: Level3 routing issues?

2003-01-25 Thread william
Really, really bad - most traffic I see is from this virus/dos: Extended IP access list 152 deny udp any any eq 1434 (5639464 matches) - 94% permit ip any any (311888 matches) - 6% Wow!!! On Fri, 24 Jan 2003 [EMAIL PROTECTED] wrote: Really bad. Quick capture of filter drops:

New worm/DOS/Level3 routing issues

2003-01-25 Thread Jack Bates
repost* Forgive me if this shows up twice. Mail is flaked via this smtp, and the last time I sent this, I accidentally sent it to the individual and not list. heh. Temporary block in place. My border cpu was starting to hammer up. Outbound stat about 2 minutes later: deny udp any any eq

Re: New worm / port 1434?

2003-01-25 Thread Adam \Tauvix\ Debus
We were hit hard by this as well. It appears to be a buffer overflow exploit, as blocking the ports on my router and restarting MS SQL put a stop to it. Thanks, Adam Debus Network Administrator, ReachONE Internet [EMAIL PROTECTED] - Original Message - From: Avleen Vig [EMAIL PROTECTED]

RE: Level3 routing issues?

2003-01-25 Thread Matthew Kaufman
We are also seeing this traffic at AS4436. Appears to be coming from IP addresses all over the space. Here's a box that traps all of 165.227.0.0/16: 23:08:13.257197 165.194.123.131.1227 165.227.92.176.1434: udp 376 23:08:13.259778 129.187.150.78.2667 165.227.84.186.1434: udp 376

Re: Level3 routing issues?

2003-01-25 Thread Adam Korab
Hey Blaine, On Sat, Jan 25, 2003 at 01:53:49AM -0600, Blaine Kahle wrote: Same symptoms here. After disabling MS SQL, which required a reboot as the process didn't want to shut down normally, the traffic stopped. I found 3 boxes on our network that were generating massive amounts of

Re: Level3 routing issues?

2003-01-25 Thread Jack Bates
From: Dave Stewart Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint Looks like we may have a winner for DDoS of the year (so far) Temporary block in place. My border cpu was starting to hammer up. Outbound stat about 2 minutes later: deny udp any any eq 1434

Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein
MS SQL, or SQL Monitor? On Sat, 25 Jan 2003, Blaine Kahle wrote: On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote: I am seeing similar traffic loads on my network at this hour, one of our MS SQL servers seemed to be sending a large amount of traffic out to the Internet.

Re: New worm / port 1434?

2003-01-25 Thread Mike Tancsa
At 02:45 AM 1/25/2003 -0600, Jack Bates wrote: From: Mike Tancsa Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this? snip All MS SQL servers listen to 1434 regardless of the other ports they listen

Re: DOS?

2003-01-25 Thread Doug Barton
On Sat, 25 Jan 2003, Christopher J. Wolff wrote: Greetings, It looks like all hell is breaking loose on some of the nation's backbones. http://www.internethealthreport.com The port counters on my ATT DS3 were reading in the 250 megabit range, that is a DS3, mind you. Any source IP's I

Re: New worm / port 1434?

2003-01-25 Thread Gary Coates
Duplicated info.. But this is an old worm ;-( http://www.cert.org/advisories/CA-1996-01.html Pete Ashdown wrote: * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth: It seems we have a new worm hitting Microsoft SQL server servers on port 1434. Affirmative. Be sure to block 1434 UDP

SQL Server Worm?

2003-01-25 Thread Dave Stewart
I can't say for certain, not having taken an exhaustive look (it is, after all, almost 3 in the morning out here on the right coast), but on the one MS SQL server here, there do not appear to be new files installed, and after rebooting, the server is *not* spewing forth traffic as it was

1434 traffic

2003-01-25 Thread Sean Donelan
What I'm seeing on my personal network connections is a lot of traffic to udp port 1434 starting at 05:30:08 UTC. The sources appear very widespread, but I'm also seeing different effects on networks. Some backbones are being hit extremely hard, while others are just moderately impacted. I

RE: Level3 routing issues?

2003-01-25 Thread Kevin Welch
Same results here, shut down SQL problem went away... started it back up.. problem started again, so I shut them all down. One side note all the egress traffic headed out UU.NET, not our CW or Sprint DS3's... since we have full routes from all carriers this may be an indicator of the

Re: Level3 routing issues?

2003-01-25 Thread Josh Richards
* Josh Richards [EMAIL PROTECTED] [20030124 23:25]: Same here. We first saw what looked like a DoS at about 09:00 PST. We're seeing strange stuff all over the place. Oops, meant to say 09:30 PST. -jr Josh Richards jrichard@{ geekresearch.com, cubicle.net, digitalwest.net } Geek

Re: Level3 routing issues?

2003-01-25 Thread Jack Bates
From: Mikael Abrahamsson What kind of traffic levels are you seeing? With a handful of /16 etc we're not seeing more than 5-10 megabits of traffic according to my global transit graphs. People who haven't null routed their unused prefixes properly will probably see a lot of problems though

New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)

2003-01-25 Thread Robert Boyle
Everyone, I don't know what is causing this, but we had several customer machines (which we don't manage) affected tonight. The common thread is that all were running an unpatched MS SQL Server. This new worm seems to create MASSIVE network traffic which propagates outbound. Somehow it seems

Re: Level3 routing issues?

2003-01-25 Thread George William Herbert
Has someone reported the details to CERT yet? Preferably someone who's got logs and such? -george william herbert [EMAIL PROTECTED]

this attack is still strong here..

2003-01-25 Thread Alex Rubenstein
[EMAIL PROTECTED] show firewall filter proactive-filter Name Bytes Packets mssql-drops 916252204 2267951 term NO-MSSQL { from { packet-length

Re: New worm / port 1434?

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote: We are seeing this too. We are seeing the gige interfaces on multiple customer aggregation switches at multiple locations add several hundred Mbps each. All the traffic is destined for udp port 1434 with a randomized source

Re: New worm / port 1434?

2003-01-25 Thread Adam \Tauvix\ Debus
1434 is the SQL Server Resolution Service. Unfortunately, this appears to be a whole new thing; I was unable to find anything more recent than May of 2002 about security issues with this port. Thanks, Adam Debus Network Administrator, ReachONE Internet [EMAIL PROTECTED] - Original Message

Re: New worm / port 1434?

2003-01-25 Thread Jack Bates
From: Mike Tancsa Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this? snip All MS SQL servers listen to 1434 regardless of the other ports they listen on. Depending on configuration depends on what

Re: Level3 routing issues?

2003-01-25 Thread Gary Coates
Appears to relate to this cert advisory http://www.cert.org/advisories/CA-1996-01.html We have it totally blocked on our network but the routers are working overtime just rejecting packets. The only way to stop it is to stop MySQL or kill the hosts network connection. [EMAIL PROTECTED]

Re: New worm / port 1434?

2003-01-25 Thread Dr. Mosh
We had to go through each VLAN to determine which boxes were compromised, looks like W2K SQL. This thing is spreading fast. -D 0. Pete Ashdown [EMAIL PROTECTED] farted: * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth: It seems we have a new worm hitting Microsoft SQL server

Re: New worm / port 1434?

2003-01-25 Thread Scott Call
I'm seeing obscene amounts of 1434/udp traffic at my transit and peering points. I've filtered it out in both directions everywhere my network touches the outside world. It's almost 20% of my traffic at this point. I think I've calmed the internal storm so far, but we'll see. I saw reference to

Re: New worm / port 1434?

2003-01-25 Thread Josh Richards
Note, further analysis makes me believe that the ICMP we saw immediately beforehand was a coincidence and unrelated. The origin of the ICMP has been traced to a customer application. -jr * Josh Richards [EMAIL PROTECTED] [20030125 00:21]: A preliminary look at some of our NetFlow data shows

Re: DOS?

2003-01-25 Thread Iljitsch van Beijnum
On Sat, 25 Jan 2003, Doug Barton wrote: Anyone want to get involved in some sort of real time chat (like IRC) to discuss strategies? We're seeing some pretty big traffic, and related problems in multiple colo's world wide. What's to discuss? If you put something like access-list 150 deny udp

Tracing where it started

2003-01-25 Thread Phil Rosenthal
Hello, It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging. Here is the first packet we logged: Jan 25 00:29:37 EST 216.66.11.120 --Phil ISPrime

Re: New worm / port 1434?

2003-01-25 Thread Peter van Dijk
On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote: Duplicated info.. But this is an old worm ;-( http://www.cert.org/advisories/CA-1996-01.html This is not the worm that's spreading now. Greetz, Peter -- [EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue

Re: dos of the week? was RE: Level3 routing issues?

2003-01-25 Thread Eric Gauthier
my transit traffic doubled (luckily it is the low time of the night for me) from 10-12ish I work at a really large east coast University. Our sensors show the problem starting between 12:30-12:45am this morning... Eric :)

Re: DOS?

2003-01-25 Thread fingers
Hi Any ranges I find I'll echo back to the list. not sure if you've received any nanog mail yet. don't worry about source ip's, unless you're going to deny '0.0.0.0'. block anything with a destination of udp 1434, find hosts pushing extreme amounts of traffic, get them patched

Re: nanog list delayed again

2003-01-25 Thread Iljitsch van Beijnum
On Sat, 25 Jan 2003, Mikael Abrahamsson wrote: Does it really have to be this time every time something happens and it actually would be nice to get the information out quickly? In this case there may be a causal relationship between the two. Being a mailing list server can't be a fun job when

Re: New worm / port 1434?

2003-01-25 Thread Stephen J. Wilcox
On Sat, 25 Jan 2003, Avleen Vig wrote: On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote: We are seeing this too. We are seeing the gige interfaces on multiple customer aggregation switches at multiple locations add several hundred Mbps each. All the traffic is destined

Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 01:13:30AM -0800, Bill Woodcock wrote: On Sat, 25 Jan 2003, Mikael Abrahamsson wrote: Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint Looks like we may have a winner for DDoS of the year (so far) What kind of traffic

Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote: Somebody remind me why Microsoft is still allowed to exist? Dunno, aren't they negligent? In any other industry a fundamental flaw would be met with lawsuits, in the computer world tho people seem to get around for some reason. Steve

Re: Level3 routing issues?

2003-01-25 Thread Blaine Kahle
On Sat, Jan 25, 2003 at 02:57:16AM -0500, Alex Rubenstein wrote: MS SQL, or SQL Monitor? Are those two separate programs? I don't know; I'm not a windows guy. I just watched over the shoulders of a few other techs as they shut what appeared to be everything-MSSQL down. I just found the

Re: Level3 routing issues?

2003-01-25 Thread C. Jon Larsen
On Sat, 25 Jan 2003, Avleen Vig wrote: [snip] Let's not blame MS for admins who don't know how to secure their boxes :-) A patch was released mid-2002 and was also part of SQL Server SP3 Would it not also be a good idea/practice *not* to ever let a MS SQL server (or *any* database server)

Re: New worm / port 1434?

2003-01-25 Thread Len Rose
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html

Re: New worm / port 1434?

2003-01-25 Thread Jack Bates
From: Eric Gauthier Woot! We made the front page of CNN.com: Electronic attack slows Internet http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html Guess that USD10 goes to some unnamed reporter at CNN And please tell me how CodeRed was worse? I'm sorry, this just

Re: FW: Worm / UDP1434

2003-01-25 Thread Mikael Abrahamsson
On Sat, 25 Jan 2003, Freedman David wrote: Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? We extensively use extreme networks products in our core, distribution and access. The roadrunner chipset units (Summit24/48) (used mainly for access) dies if you try to put

Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein
From what I have read and researched, it does. On Sat, 25 Jan 2003, Jack Bates wrote: From: Avleen Vig snip Let's not blame MS for admins who don't know how to secure their boxes :-) A patch was released mid-2002 and was also part of SQL Server SP3 Has it been verified

Re: Worm / UDP1434

2003-01-25 Thread Neil J. McRae
Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun... Extreme are apparently assembling an advisory TAC on this, from our

Re: Level3 routing issues?

2003-01-25 Thread K. Scott Bethke
Bill, - Original Message - From: Bill Woodcock [EMAIL PROTECTED] I'd agree with it. Except the herds of losers who still buy exploding crap from Vendor M don't seem to be thinning themselves out quickly dude, the Exploding Cars are so much easier to drive than the ones from Vendor L.

Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote: On Sat, 25 Jan 2003, Avleen Vig wrote: [snip] Let's not blame MS for admins who don't know how to secure their boxes :-) A patch was released mid-2002 and was also part of SQL Server SP3 Would it not also be a good

Re: Worm / UDP1434

2003-01-25 Thread K. Scott Bethke
David, - Original Message - From: Freedman David [EMAIL PROTECTED] Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun...

Re: UDP 1432

2003-01-25 Thread Lou Katz
Another data point - I get connectivity through sonic.net (Santa Rosa). This vanished between Fri Jan 24 21:30:00 PST 2003 and Fri Jan 24 21:35:00 PST 2003. At that time, connectivity on other circuits through ALTER.NET, megapath.net and mfnx.net were still ok. All circuits seem to be up now

Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae
Would it not also be a good idea/practice *not* to ever let a MS SQL server (or *any* database server) sit on a network that is directly accessible from the internet ? Having a firewall(s) in front of your database server regardless of the type is pretty much common sense, right? Its

Re: Tracing where it started

2003-01-25 Thread Clayton Fiske
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote: It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging. Here is the first packet we logged: Jan 25 00:29:37 EST 216.66.11.120

RE: New worm / port 1434?

2003-01-25 Thread Marc Maiffret
Codered was worse by the sheer number of hosts that were infected and in the end having a lot more impact than what the SQL Sapphire worm has shown. Now that is not to say this worm does not surpass CodeRed... however it still has its work cut out for it. Last I heard the number of infections

Re: Level3 routing issues?

2003-01-25 Thread Marc Slemko
On Sat, 25 Jan 2003, Alex Rubenstein wrote: Including the developers of SSHD, HTTPD, NAMED, CVS? How about Linus? Wanna call him up? I am no windows cheerleader, but to think this is something that happens only in windows-land is whack -- might as well put your head in the sand. It is

OK, this is rich

2003-01-25 Thread Alex Rubenstein
http://www.cnn.com/TECH/ Main story: Electronic attack hits Net A fast-moving computer worm slowed down Internet access Saturday for about 22,000 servers, according to the Internet security firm Symantec. Oliver Friedrichs, a senior manager with Symantec, said the SQL worm was taking advantage

Re: Level3 routing issues?

2003-01-25 Thread Daniel Senie
At 11:56 AM 1/25/2003, Bill Woodcock wrote: Dunno, aren't they negligent? In any other industry a fundamental flaw would be met with lawsuits, in the computer world tho people seem to get around for some reason. Not true, look at cars and recalls. Also as I

Re: New worm / port 1434?

2003-01-25 Thread Curtis Maurand
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html - Original Message - From: Simon Lockhart [EMAIL PROTECTED] To: Mike Tancsa [EMAIL PROTECTED] Cc: Avleen Vig [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, January 25, 2003 3:48 AM Subject: Re: New worm /

Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae
Not sure you can claim something you have for free is liable or with guarantee That's total rubbish. Whether you pay for it or not shouldn't matter. You might also want to consider reading the various software agreement licenses that come with various pieces of software both free and

FW: FYI - Cisco - Status as of Sat Jan 25...Global worm attack seems related to SQL 2000...see below for patches from Microsoft (available as of 7/17/02).]

2003-01-25 Thread Jeffrey Meltzer
- According to this article from the Associated Press: http://story.news.yahoo.com/news?tmpl=story2ncid=716e=3u=/ap/20030125/ap_on_hi_te/internet_attack http://story.news.yahoo.com/news?tmpl=story2ncid=716e=3u=/ap/20030125/ap_on_hi_te/internet_attack The attack sought to exploit a software flaw

Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae
I think you are on the right lines below in suggesting that products and services should be supplied safe and not require additional maintenance out of the box to make them so (additional changes should make them weaker) There is no such thing as safe! You have control over what risks you

Re: Level3 routing issues?

2003-01-25 Thread K. Scott Bethke
On 1/25/03 2:53 PM, Christopher L. Morrow [EMAIL PROTECTED] wrote: Keep in mind that these problems aren't from 'well behaved' hosts, and 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED classic DoS attack scenario. :( Well not everyone plays fair out there. I imagine

Re: Level3 routing issues?

2003-01-25 Thread Grant A. Kirkwood
On Saturday 25 January 2003 10:03 am, Avleen Vig wrote: On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote: On Sat, 25 Jan 2003, Avleen Vig wrote: [snip] Let's not blame MS for admins who don't know how to secure their boxes :-) A patch was released mid-2002

Re: DOS?

2003-01-25 Thread Christopher L. Morrow
On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote: On Sat, 25 Jan 2003, Rob Thomas wrote: ] access-list 150 deny udp any any eq 1434 log-input Be _very_ careful about enabling such logging. Some of the worm flows have filled GigE pipes. I doubt you really want to log that; Netflow

Re: W32.SqlSlammer

2003-01-25 Thread K. Scott Bethke
Drew, There *IS* a difference between windows SP3 and Microsoft SQL2000 SP3.. you do know that right? -Scotty By the way, I know you guys probably don't care but McAfee is saying that if you have SP3 on your windows2000 server you will not be infected with SQLSlammer, this is absolutely

Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae
Third point to the correlation above: The vast majority of Windows admins are dingbat-morons, self-proclaimed experts. Had they not been dingbat-morons, and applied the readily available and widely announced patches (as zealously as unix folks patch their stuff), this'd be all moot, and we'd

Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox
On Sat, 25 Jan 2003, Neil J. McRae wrote: I think you are on the right lines below in suggesting that products and services should be supplied safe and not require additional maintenance out of the box to make them so (additional changes should make them weaker) There is no such thing

Re: Level3 routing issues?

2003-01-25 Thread Christopher L. Morrow
On Sat, 25 Jan 2003, K. Scott Bethke wrote: Bill, - Original Message - From: Bill Woodcock [EMAIL PROTECTED] I'd agree with it. Except the herds of losers who still buy exploding crap from Vendor M don't seem to be thinning themselves out quickly dude, the Exploding Cars are

Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox
On Sat, 25 Jan 2003, Avleen Vig wrote: On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote: On Sat, 25 Jan 2003, Avleen Vig wrote: [snip] Let's not blame MS for admins who don't know how to secure their boxes :-) A patch was released mid-2002 and was also part

Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 05:08:22PM +, Stephen J. Wilcox wrote: Also; everyone who just posted to this list made it abundantly clear that they don't have a firewall in front of at least one MS SQL server on their network. Should you really have port 1433/4 open to the world? Would you

Re: Level3 routing issues?

2003-01-25 Thread Robert A. Hayden
What about doing some priority-based QoS? If a single IP exceeds X amount of traffic, prioritize traffic above that threshold as low. It would keep any one single host from saturating a link if the threshold is low. For example, you may say that each IP is limited to 10mb of priority traffic.

Re: W32.SqlSlammer

2003-01-25 Thread Dave Stewart
At 02:21 PM 1/25/2003, you wrote: By the way, I know you guys probably don't care but McAfee is saying that if you have SP3 on your windows2000 server you will not be infected with SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS infected. To clarify, we're talking

Re: 1434 traffic

2003-01-25 Thread Johannes Ullrich
What I'm seeing on my personal network connections is a lot of traffic to udp port 1434 starting at 05:30:08 UTC. I did some graphing of reports we got to DShield/ISC up to 9am EST. http://isc.sans.org/port1434start.gif The part that amazes me is the speed. It saturated within 1 minute!

Re: W32.SqlSlammer

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 02:21:21PM -0500, Drew Weaver wrote: By the way, I know you guys probably don't care but McAfee is saying that if you have SP3 on your windows2000 server you will not be infected with SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS infected.

Re: Level3 routing issues?

2003-01-25 Thread Christopher L. Morrow
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote: I've not looked in any great detail into the exact sources but of the few I looked at earlier I was surprised to find them on ADSL .. these may be corporate networks, this is the bit I don't know, but some of them seemed to be residential, weird!

Does the Worm have another Payload besides 1434 Floods?

2003-01-25 Thread Stewart, William C (Bill), SALES
So the worm is sending out tons of UDP1434 packets that let it break into MS-SQL servers and reproduce, and that's certainly annoying because of the traffic floods. But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It

Re: Tracing where it started

2003-01-25 Thread Pete Ashdown
* Clayton Fiske ([EMAIL PROTECTED]) [030125 12:55] writeth: On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote: It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging. Here is the

Re: W32.SqlSlammer

2003-01-25 Thread Simon Lockhart
On Sat Jan 25, 2003 at 02:21:21PM -0500, Drew Weaver wrote: By the way, I know you guys probably don't care but McAfee is saying that if you have SP3 on your windows2000 server you will not be infected with SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS infected.

Re: Tracing where it started

2003-01-25 Thread Pete Ashdown
It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging. Here is the first packet we logged: Jan 25 00:29:37 EST 216.66.11.120 A quick followup to my previous message. I found an earlier attempt

How to find the first occurrence of the worm.

2003-01-25 Thread Ray Burkholder
Ray Burkholder -Original Message- From: McDonald, Dan [mailto:[EMAIL PROTECTED]] Sent: January 25, 2003 17:05 To: '[EMAIL PROTECTED]' Subject: [flow-tools] w32.sqlexp.worm In case anyone needs it, here is the flow-tools nfilter that I've found to match the worm that hit us...

worm design (Re: Level3 routing issues?)

2003-01-25 Thread E.B. Dreger
MS Date: Sat, 25 Jan 2003 10:17:01 -0800 (PST) MS From: Marc Slemko MS It is interesting to note that one inadvertent advantage of open MS source (when it requires people to compile from source, and pick MS and choose options at compile time... popular distributions with MS precompiled packages

Re: Level3 routing issues?

2003-01-25 Thread Rafi Sadowsky
## On 2003-01-25 20:04 - Stephen J. Wilcox typed: SJW SJW SJW Here's my advice to the uninitiated. Run linux, run firewalls, disable what you SJW don't need and listen to folks who have real world experience. SJW SJW Steve SJW Please don't start a flame war about this but are you

Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox
On Sun, 26 Jan 2003, Rafi Sadowsky wrote: ## On 2003-01-25 20:04 - Stephen J. Wilcox typed: SJW SJW SJW Here's my advice to the uninitiated. Run linux, run firewalls, disable what you SJW don't need and listen to folks who have real world experience. SJW SJW Steve SJW

Banc of America Article

2003-01-25 Thread Alex Rubenstein
http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html Let's make the assumption that the outage of ATM's that BoA suffered was caused by last night's 'SQL Slammer' virus. The following things can then be assumed: a) BoA's network has Microsoft SQL Servers on them. b) BoA has not applied SP3

Re: Tracing where it started

2003-01-25 Thread Travis Pugh
According to Clayton Fiske: Interestingly, looking through my logs for UDP 1434, I saw a sequential scan of my subnet like so: Jan 16 08:15:51 206.176.210.74,53 - x.x.x.1,1434 PR udp len 20 33 IN Jan 16 08:15:51 206.176.210.74,53 - x.x.x.2,1434 PR udp len 20 33 IN Jan 16 08:15:51

Re: OK, this is rich

2003-01-25 Thread Stephen Milton
And don't forget to check for a conspicuously absent article on the front page of www.msn.com. On Sat, Jan 25, 2003 at 01:56:41PM -0500, Alex Rubenstein eloquently stated: http://www.cnn.com/TECH/ Main story: Electronic attack hits Net A fast-moving computer worm slowed down

Re: DOS?

2003-01-25 Thread Iljitsch van Beijnum
On Sat, 25 Jan 2003, Christopher L. Morrow wrote: wants to log for a while and then counts hits against the cache until it only for identical packets... so source A:123 - Dest B:80 x50 packets gets logged 'once'. One log for the first packet and update logs at 5 min intervals (which

Re: Tracing where it started

2003-01-25 Thread Alex Rubenstein
Our first (this is EST): Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 14 34 (default) 61.103.121.140 = a host somewhere on GBLX On Sat, 25 Jan 2003, Pete Ashdown wrote: * Clayton Fiske ([EMAIL PROTECTED])

Re: Does the Worm have another Payload besides 1434 Floods?

2003-01-25 Thread Jack Bates
From: Stewart, William C (Bill), SALES But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further

Re: Level3 routing issues?

2003-01-25 Thread Jack Bates
From: Robert A. Hayden What about doing some priority-based QoS? If a single IP exceeds X amount of traffic, prioritize traffic above that threshold as low. It would keep any one single host from saturating a link if the threshold is low. For example, you may say that each IP is limited

Re: Banc of America Article

2003-01-25 Thread Jack Bates
From: Alex Rubenstein Does anyone else, based upon the assumptions above, believe this statement to be patently incorrect (specifically, the part about 'personal information had not been at risk.') ? Actually, the statements are correct. Remember, the worm wasn't programmed to put the

Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 02:10:59PM -0800, Stephen Milton wrote: We have had multiple customers who had SP3 on their boxes that were hit. SP3 was _supposed_ to include this patch, there is no verification so far that it did. Since all the providers have been blocking the attack spread

Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein
MS SQL SP3, _NOT_ MS Windows 2000 SP3. BIG DIFFERENCE. http://www.microsoft.com/sql/downloads/2000/sp3.asp On Sat, 25 Jan 2003, Stephen Milton wrote: We have had multiple customers who had SP3 on their boxes that were hit. SP3 was _supposed_ to include this patch, there is no

Re: DOS?

2003-01-25 Thread Christopher L. Morrow
On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote: On Sat, 25 Jan 2003, Christopher L. Morrow wrote: Access list logging does not show every packet that matches an entry. Logging is rate-limited to avoid CPU overload. either way, the logging for this, ESPECIALLY with log-input, is a

Re: Banc of America Article

2003-01-25 Thread Sean Donelan
On Sat, 25 Jan 2003, Alex Rubenstein wrote: Does anyone else, based upon the assumptions above, believe this statement to be patently incorrect (specifically, the part about 'personal information had not been at risk.') ? Patently incorrect? No. It is possible. Even if the confidentiality

Re: 13,000 Bank of America ATM's taken out by virus.

2003-01-25 Thread Patrick
On Sat, 25 Jan 2003, Christopher J. Wolff wrote: Does this mean that BofA ATM's are SQL based or that BofA is running ATM traffic through some kind of internet VPN? Perhaps they just plug the ATM's into any connection and pass cleartext transactions over the internet? This is very

Re: Level3 routing issues?

2003-01-25 Thread Jared Mauch
On Sat, Jan 25, 2003 at 08:56:06AM -0800, Bill Woodcock wrote: Dunno, aren't they negligent? In any other industry a fundamental flaw would be met with lawsuits, in the computer world tho people seem to get around for some reason. Not true, look at cars and