MSSQL Worm Hits the Net… Hard
In case you were wondering why the internet was so slow today/tonight… well, it's because a new worm hit, like, every crappy MS SQL Server out there. So the Inet networks with MS servers on them are getting, essentially, flooded on port 1434 (the mssql port). Here's the current status of the Inet as I write this (note: it auto updates, in a few hours it may well be different and in a day, you won't see the current behavior at all, so I'll sum it here): at right about midnight, EST, 25 Jan something happened. The result? A lot of the Inet went down. Websites, as of this writing, are down to 80% response rate (from 99% norm). It's like a mega DDoS.
Anyway, just thought you might be interested. Here's the best post to date:
Update (Score:1)
by mabu (178417) on Saturday January 25, @05:40AM (#5156034)
Here's what we've been able to learn, at 4:30am Central time.
We have reason to believe that something called the “SQL Worm” is in play. Some sort of DDOS attack which creates overwhelming traffic on port 1434. This is all preliminary stuff, so take it as such but I have one link up and 3 others down.
I don't have confirmation or details on what systems are affected but we have information to indicate that the following networks are currently affected: Qwest, Cable & Wireless, Broadwing, Sprint (partially). My Worldcom link seems to be unaffected (which is why I can post). Note that the connectivity interruptions may be regional but that's what we are dealing with in the South Central area of the US. This has been going on now for about 4-5 hours.
What we are seeing is a major outage due to DDOS on port 1434, on portions of the Internet backbone. At this point, the exact pattern of the outage has not been clarified.
Expect the problem to potentially be addressed when the backbone providers start filtering port 1434. However, it's taken them at least four hours to figure this out.
We just got notice (a few moments ago) that Qwest finally started filtering port 1434 and everything went back up. So now we need to figure out what vulnerability this was. My information indicates that port 1434 is MS SQL server resolution service (see related CERT advisory [cert.org]). My initial impression is that while this vulnerability was discovered a while back, someone just recently figured out a very effective exploit using the vulnerability. I am looking forward to hearing more about what people find out.
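The comment above describes two things an operator needed that night: a way to tell which hosts were spewing traffic at UDP port 1434, and the blunt mitigation of filtering the port at the backbone. The script below is an added example (not code from this post, from mabu, or from any provider) showing the first half from the defender's side: it reads flow-style log lines in a constructed format, counts per-source UDP/1434 datagrams and how many distinct destinations each source sprayed them at, and flags the sources that look like a flood rather than normal SQL resolution queries. The log format, the sample lines and the thresholds (`min_packets`, `min_dests`) are assumptions chosen for illustration.

```python
"""Flag hosts flooding UDP port 1434 from flow-style log lines.

Added example, not from the original post. The log format is constructed
for illustration and does not correspond to any real device's syntax:

  <YYYY-MM-DD HH:MM:SS> proto=<udp|tcp> src=<ip> sport=<n> dst=<ip> dport=<n> len=<bytes>
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Constructed sample: 10.1.1.20 sprays six hosts in two seconds, 10.1.1.30 sends
# two ordinary resolution queries to one server, 10.1.1.40 is unrelated TCP/1433
# traffic, and the last line is malformed to show the parser skipping junk.
SAMPLE_LOG = """\
2003-01-25 00:02:01 proto=udp src=10.1.1.20 sport=1040 dst=192.0.2.1 dport=1434 len=404
2003-01-25 00:02:01 proto=udp src=10.1.1.20 sport=1040 dst=198.51.100.7 dport=1434 len=404
2003-01-25 00:02:01 proto=udp src=10.1.1.20 sport=1040 dst=203.0.113.9 dport=1434 len=404
2003-01-25 00:02:02 proto=udp src=10.1.1.20 sport=1040 dst=192.0.2.55 dport=1434 len=404
2003-01-25 00:02:02 proto=udp src=10.1.1.20 sport=1040 dst=198.51.100.200 dport=1434 len=404
2003-01-25 00:02:02 proto=udp src=10.1.1.20 sport=1040 dst=203.0.113.77 dport=1434 len=404
2003-01-25 00:02:03 proto=udp src=10.1.1.30 sport=3211 dst=10.1.2.5 dport=1434 len=1
2003-01-25 00:02:09 proto=udp src=10.1.1.30 sport=3212 dst=10.1.2.5 dport=1434 len=1
2003-01-25 00:02:10 proto=tcp src=10.1.1.40 sport=3300 dst=10.1.2.5 dport=1433 len=60
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, port=1434):
    """Per-source statistics for UDP datagrams sent to `port`.

    Returns {src: {"packets", "bytes", "dests", "first", "last", "pps"}}.
    Non-UDP traffic, other ports and unparsable lines are ignored.
    """
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != port:
            continue
        s = stats.setdefault(rec["src"], {
            "packets": 0, "bytes": 0, "dests": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        s["packets"] += 1
        s["bytes"] += rec["len"]
        s["dests"].add(rec["dst"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    for s in stats.values():
        # Rate over the observed window; clamp to one second so a burst that
        # lands within a single timestamp does not divide by zero.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["pps"] = s["packets"] / span
    return stats


def flag_floods(lines, port=1434, min_packets=5, min_dests=3):
    """Sources that both send many datagrams to `port` and spray them across
    at least `min_dests` distinct hosts. A legitimate client asking one SQL
    server for instance resolution fails the second test and is not flagged.
    Thresholds are hypothetical; tune them to the link being watched."""
    return sorted(
        src for src, s in summarize(lines, port).items()
        if s["packets"] >= min_packets and len(s["dests"]) >= min_dests
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = summarize(lines)
    for src in flag_floods(lines):
        s = stats[src]
        print(f"{src}: {s['packets']} datagrams to {len(s['dests'])} hosts, "
              f"~{s['pps']:.1f} pkt/s, {s['bytes']} bytes")
```

The distinct-destination test is what separates a worm-style spray from a normal client: a real SQL client talks to one or two servers on 1434, while a host scanning the address space hits many. Filtering the port at the edge, as the providers eventually did, stops the spread but also breaks legitimate resolution traffic, so the per-host view is what lets an operator isolate the infected machines and lift the blanket filter sooner.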
Update:
Here's what it all looked like.