Date: 25 January 2003
References: ESB-2003.0053 ESB-2003.0054 ESB-2003.0055 ESB-2003.0056 ESB-2003.0057 ESB-2003.0058
AusCERT Update AU-2003.002 - "Slammer" Worm Causing Wide Spread DDoS Effect
25 January 2003
This AusCERT Update is to draw your attention to the recent and ongoing
DDoS (Distributed Denial of Service), which is having a widespread effect
on the internet.

An internet worm, nicknamed 'Slammer', is currently propagating via MS-SQL
servers vulnerable to the buffer overrun issue in the MS-SQL Server 2000
Resolution Service, as described in Microsoft Security Bulletin MS02-039.

This worm propagates by scanning for vulnerable servers using UDP port 1434.
Once a server is compromised, the worm loads its instructions into memory
and begins scanning randomly for further propagation. While current
analysis of the worm indicates that there is no malicious payload, the
scanning activity produced by a compromised host can easily cause a denial
of service attack due to the high rate of outbound UDP packets.

AusCERT has received reports from Australian and international sites
indicating a widespread DDoS effect. One site has reported that a single
compromised host has saturated an 8Mb/s internet connection.

Major ISPs internationally are in the process of blocking UDP/1434 traffic
both inbound and outbound in an attempt to mitigate the effects of this
worm.

AusCERT encourages members to apply the relevant patches to their MS-SQL
servers, and additionally to consider filtering any unnecessary UDP/1434
traffic at their border routers and firewalls.
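
One way to locate compromised hosts on your own network from the behaviour described above (random scanning on UDP port 1434 at a high outbound rate). This is an added example, not part of the AusCERT update; the flow-record format, addresses, window length and threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434  # UDP port named in the advisory

def parse_flow(line):
    """Parse one record in the assumed format: 'epoch src dst proto dport bytes'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return int(ts), src, dst, proto.lower(), int(dport), int(nbytes)

def find_scanners(lines, internal_net, window=10, min_dsts=20):
    """Return {src: (peak_distinct_dsts, peak_bits_per_sec)} for internal hosts whose
    outbound UDP/1434 fan-out within one fixed window reaches min_dsts."""
    net = ipaddress.ip_network(internal_net)
    dsts = defaultdict(set)    # (src, window index) -> distinct external destinations
    volume = defaultdict(int)  # (src, window index) -> bytes sent
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = parse_flow(line)
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        # Outbound only: internal source talking to an external destination.
        if ipaddress.ip_address(src) not in net or ipaddress.ip_address(dst) in net:
            continue
        key = (src, ts // window)
        dsts[key].add(dst)
        volume[key] += nbytes
    hits = {}
    for key, seen in dsts.items():
        if len(seen) < min_dsts:
            continue  # one or two SQL servers queried: normal client behaviour
        bps = volume[key] * 8 // window
        peak_dsts, peak_bps = hits.get(key[0], (0, 0))
        hits[key[0]] = (max(peak_dsts, len(seen)), max(peak_bps, bps))
    return hits

def sample_flows():
    """Constructed flow records (not real traffic)."""
    flows = [f"1000 10.0.0.5 198.51.100.{i} udp 1434 400" for i in range(1, 201)]
    flows += [f"{1000 + i} 10.0.0.9 203.0.113.10 udp 1434 60" for i in range(5)]
    flows += ["1001 10.0.0.7 10.0.0.8 udp 1434 60",
              "1002 10.0.0.5 203.0.113.20 tcp 1433 1500"]
    return flows

if __name__ == "__main__":
    for host, (n, bps) in find_scanners(sample_flows(), "10.0.0.0/8").items():
        print(f"{host}: {n} distinct UDP/1434 destinations, ~{bps} bit/s in one window")
```

Windows are fixed buckets, so a burst that straddles a boundary is counted in two halves; choose the threshold with that in mind.
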
AusCERT will distribute further information as it becomes available.
REFERENCES:
Microsoft Security Bulletin MS02-039
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
http://www.auscert.org.au/render.html?it=2216
ESB-2002.368 -- CERT Advisory CA-2002-22 -- Multiple Vulnerabilities
in Microsoft SQL Server
http://www.auscert.org.au/render.html?it=2220
Regards,
The AusCERT Team
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================