AU-2003.002 -- AusCERT Update - "Slammer" Worm Causing Wide Spread DDoS Effect

Date: 25 January 2003
References: ESB-2003.0053  ESB-2003.0054  ESB-2003.0055  ESB-2003.0056  ESB-2003.0057  ESB-2003.0058  


AusCERT Update AU-2003.002 - "Slammer" Worm Causing Wide Spread DDoS Effect
25 January 2003

This AusCERT Update is to draw your attention to the recent and ongoing
DDoS (Distributed Denial of Service), which is having a widespread effect
on the Internet.

An internet worm, nicknamed 'Slammer', is currently propagating via MS-SQL
servers vulnerable to the buffer overrun issue in MS-SQL Server 2000
Resolution Service, as described in Microsoft Security Bulletin MS02-039.

This worm propagates by scanning for vulnerable servers using UDP port 1434.
Once a server is compromised, the worm loads its instructions into memory
and begins scanning randomly for further propagation.  While current
analysis of the worm indicates that there is no malicious payload, the
scanning activity produced by a compromised host can easily cause a denial
of service attack due to the high rate of outbound UDP packets.

AusCERT has received reports from Australian and international sites
indicating a widespread DDoS effect.  One site has reported that a single
compromised host has saturated an 8Mb/s internet connection.

Major ISPs internationally are in the process of blocking UDP/1434 traffic
both inbound and outbound in an attempt to mitigate the effects of this
worm.

AusCERT encourages members to apply relevant patches to their MS-SQL
servers, and additionally consider filtering any unnecessary UDP/1434
traffic at their border routers and firewalls.
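
The traffic pattern described above (one host sending UDP/1434 packets to
many random addresses at a high rate) can be picked out of flow records.
The following is an added example, not part of the AusCERT advisory; the
record layout, the 10.0.0.0/8 site range, the threshold of 50 destinations
per second and the function names are all assumptions.

```python
import ipaddress
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434                         # UDP port named in the advisory
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site address range


def find_scanners(flows, window=1, min_dsts=50):
    """Return {src: peak distinct UDP/1434 destinations in one window}.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, proto, dst_port).
    A source is reported when, within any `window`-second bucket, it sent
    UDP/1434 packets to at least `min_dsts` different destinations.
    """
    buckets = defaultdict(set)                     # (src, bucket) -> {dst, ...}
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue                               # only traffic from our own hosts
        buckets[(src, int(ts // window))].add(dst)

    peaks = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= min_dsts}


def constructed_flows():
    """Constructed sample records, not captured traffic."""
    flows = []
    # 10.0.0.5: 200 packets inside one second, each to a different address.
    for i in range(200):
        dst = f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 13) % 256}.{(i * 7) % 254 + 1}"
        flows.append((1000.0 + i / 200, "10.0.0.5", dst, "udp", 1434))
    # 10.0.0.9: a client repeatedly querying one SQL Server on UDP/1434.
    for i in range(20):
        flows.append((1000.0 + i, "10.0.0.9", "10.0.0.20", "udp", 1434))
    # 10.0.0.7: many destinations, but DNS rather than UDP/1434.
    for i in range(100):
        flows.append((1000.5, "10.0.0.7", f"192.0.2.{i + 1}", "udp", 53))
    return flows


if __name__ == "__main__":
    for src, n in find_scanners(constructed_flows()).items():
        print(f"{src}: {n} distinct UDP/{SQL_RESOLUTION_PORT} destinations in 1s")
```

Counting distinct destinations rather than packets keeps a client that
talks to a single SQL Server on UDP/1434 from being reported.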

AusCERT will distribute further information as it becomes available.


REFERENCES:

	Microsoft Security Bulletin MS02-039
	http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
	http://www.auscert.org.au/render.html?it=2216

	ESB-2002.368 -- CERT Advisory CA-2002-22 -- Multiple Vulnerabilities
	in Microsoft SQL Server 
	http://www.auscert.org.au/render.html?it=2220


Regards,

The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
