I've not heard if this is a concentrated effort against the US or the 'Net in general. Data from the MIDS site suggests it hit the whole net. Which makes sense since so many systems are interconnected, or folks get a vanity domain name from offshore sources, obscuring where folks really are.
CNN and our campus security folks both suggest it's similar in some ways to Code Red.
Our campus is now connected to the world. However, we're not all connected together back on-campus, as we've a large number of Microsoft systems with SQL Server that have to be secured or disconnected before the buildings they're in can be reattached.
Gerry

Kevin R. Tyle wrote:
Hi all,

There appears to be a major DDoS attack going on since last night, which is causing some pretty significant problems on the Internet all over the globe. In terms of the Unidata feeds, we have been seeing some problems feeding from a few sites. The problem appears to be a worm that is hitting unpatched MS SQL server machines. Even NCEP is being hit, as we can see from the latest message from the SDM desk:

NCEP IS EXPERIENCING INTERNAL AND EXTERNAL WEB ACCESS PROBLEMS AND NCEP ACCESS TO SUITLAND WHERE MUCH OF THE SATELLITE PRODUCTS ORIGINATE A FOR OUR MODEL RUNS. SUPPORT PERSONNEL SAY THAT ANOTHER HOUR MAYBE NEEDED TO FULLY RECOVER THE COMMS SYSTEM...SORRY FOR THE DELAY...

I've attached below the first account of this attack from the Bugtraq list . . .

--Kevin

Kevin Tyle, Systems Administrator
Dept. of Earth & Atmospheric Sciences
University at Albany, ES-235
1400 Washington Avenue
Albany, NY 12222
ktyle@xxxxxxxxxxxxxxxx
518-442-4571 (voice)
518-442-5825 (fax)

---------- Forwarded message ----------
Date: Sat, 25 Jan 2003 02:11:41 -0500
From: Michael Bacarella <mbac@xxxxxxxxxxxx>
To: nylug-talk@xxxxxxxxx, wwwac@xxxxxxxxxxxxxxx, linux-elitists@xxxxxxx
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
Resent-From: mbac@xxxxxxxxxxxx
Resent-To: bugtraq@xxxxxxxxxxxxxxxxx

I'm getting massive packet loss to various points on the globe.

I am seeing a lot of these in my tcpdump output on each host.

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence.
All admins with access to routers should block port 1434 (ms-sql-m)! Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper! I make no guarantees that this information is correct, test it out for yourself!
--
Gerry Creager -- gerry.creager@xxxxxxxx
Network Engineering -- AATLT, Texas A&M University
Office: 979.458.4020  FAX: 979.847.8578
Cell: 979.229.5301  Pager: 979.228.0173
From: Jeff Wolfe <wolfe@xxxxxxxxxxx>
Date: 25 Jan 2003 15:11:10 -0500
To: ldm-users@xxxxxxxxxxxxxxxx
Subject: Re: Major Internet Disruptions since last night
In-Reply-To: <3E32DDB3.9080505@xxxxxxxx>
References: <Pine.GSO.4.33.0301251450360.4320-100000@xxxxxxxxxxxxxxxxxxxxxx> <3E32DDB3.9080505@xxxxxxxx>
Message-Id: <1043525470.3170.58.camel@isostasy>

On Sat, 2003-01-25 at 13:55, Gerry Creager wrote:
As an addendum, you may want to look at http://average.matrix.net/ for graphical info on the severity of this attack across the entire net.

I've not heard if this is a concentrated effort against the US or the 'Net in general. Data from the MIDS site suggests it hit the whole net. Which makes sense since so many systems are interconnected, or folks get a vanity domain name from offshore sources, obscuring where folks really are.

CNN and our campus security folks both suggest it's similar in some ways to Code Red.

Our campus is now connected to the world. However, we're not all connected together back on-campus, as we've a large number of Microsoft systems with SQL Server that have to be secured or disconnected before the buildings they're in can be reattached.
The worm had (has?) a very small payload, only 300 or so bytes. It's enough to compromise an unpatched MS SQL server (patch released 7/2002) over UDP port 1434. Once compromised, the worm enters an infinite loop and generates pseudo-random IP addresses to send itself to. The UDP flows are generated as fast as the system is able to send packets. Flow based routers like Cisco 6500s running buggy code are unable to deal with the massive amount of unique flows and crash, which further complicates matters.
All in all, a pretty nasty worm. Most major NSPs are now filtering port 1434 and the number of scans we're seeing has dropped accordingly. There will probably be a lot of news media interest, but good info about the worm can be found here:

http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html

-Jeff
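The two traffic signatures the thread describes, Michael Bacarella's tcpdump lines (fixed-size UDP datagrams to ms-sql-m and the ICMP port-unreachable echoes they provoke) and Jeff's description of an infected host spraying pseudo-random destinations as fast as it can, can be turned into a simple triage check for a site's own capture. The following script is an added example and is not code from the list or from Unidata. It parses lines in the tcpdump format quoted above, flags any source that sends datagrams of the posted 376-byte length to udp/1434 on many distinct hosts, and counts the port-unreachable replies as corroboration. The thresholds, the regexes, and the sample lines (the two posted ones plus made-up lines on RFC 5737 documentation addresses) are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Line shapes modelled on the tcpdump output in the forwarded message:
#   HH:MM:SS.ffffff SRC.SPORT > DST.DPORT: udp LEN
#   HH:MM:SS.ffffff DST > SRC: icmp: DST udp port PORT unreachable [tos 0xc0]
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:\s]+):\s+udp\s+(?P<length>\d+)"
)
ICMP_UNREACH = re.compile(
    r"icmp:\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+udp port\s+(?P<port>\S+)\s+unreachable"
)

# tcpdump prints the service name for well-known ports; 1434/udp resolves to "ms-sql-m".
SQL_MONITOR_PORTS = {"ms-sql-m", "1434"}
WORM_PAYLOAD_LEN = 376   # UDP length seen in the posted tcpdump line (assumed constant per infected host)
MIN_DISTINCT_DSTS = 5    # assumed threshold; a normal SQL Browser query goes to one or a few hosts


def parse_udp_line(line):
    """Parse one tcpdump UDP line into a dict, or return None for any other line."""
    m = UDP_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": m.group("dport"),
        "length": int(m.group("length")),
    }


def find_scanning_sources(lines, min_dsts=MIN_DISTINCT_DSTS, payload_len=WORM_PAYLOAD_LEN):
    """Return {src: sorted distinct destinations} for every source that sent UDP
    datagrams of the worm's size to port 1434 on at least min_dsts distinct hosts."""
    dsts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_udp_line(line)
        if rec and rec["dport"] in SQL_MONITOR_PORTS and rec["length"] == payload_len:
            dsts_by_src[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dsts_by_src.items() if len(d) >= min_dsts}


def count_port_unreachable(lines):
    """Count ICMP 'udp port ms-sql-m unreachable' replies per responding host.
    A burst of these is the echo of the scan hitting hosts with nothing on 1434."""
    counts = Counter()
    for line in lines:
        m = ICMP_UNREACH.search(line)
        if m and m.group("port") in SQL_MONITOR_PORTS:
            counts[m.group("host")] += 1
    return dict(counts)


# Constructed sample: the two lines from the forwarded message, followed by
# made-up lines using RFC 5737 documentation addresses. The last two lines
# mimic a normal one-shot SQL Browser query (1-byte request, small reply).
SAMPLE_TCPDUMP = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.018101 150.140.142.17.3047 > 198.51.100.7.ms-sql-m: udp 376
02:06:31.018902 150.140.142.17.3047 > 203.0.113.88.ms-sql-m: udp 376
02:06:31.019710 150.140.142.17.3047 > 192.0.2.19.ms-sql-m: udp 376
02:06:31.020455 150.140.142.17.3047 > 198.51.100.250.ms-sql-m: udp 376
02:06:31.021300 150.140.142.17.3047 > 203.0.113.3.ms-sql-m: udp 376
02:06:31.500000 192.0.2.40.1127 > 192.0.2.41.ms-sql-m: udp 1
02:06:31.501000 192.0.2.41.ms-sql-m > 192.0.2.40.1127: udp 99
"""


def main():
    lines = SAMPLE_TCPDUMP.splitlines()
    for src, dsts in find_scanning_sources(lines).items():
        print(f"{src}: {len(dsts)} distinct hosts probed on udp/1434 with {WORM_PAYLOAD_LEN}-byte datagrams")
    for host, n in count_port_unreachable(lines).items():
        print(f"{host}: {n} ICMP port-unreachable replies for udp/1434")


if __name__ == "__main__":
    main()
```

Run against a real capture, feed it `tcpdump -n udp port 1434` output instead of the sample string; the fan-out count is the useful signal, since one infected host produces thousands of distinct destinations within seconds while the normal SQL Browser exchange at the end of the sample never trips the threshold. The ICMP count names the hosts being hit, not the sender, so it is only a cross-check on the first result.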