SANS ISC: Cyber Security Awareness Month Activity: SQL Slammer Clean-up SANS ISC InfoSec Forums
Cyber Security Awareness Month Activity: SQL Slammer Clean-up

It's Cyber Security Awareness Month, and it's about more than just educating users; security professionals can participate a little too. I want to start an additional track to the Internet Storm Center's Cyber Security Awareness Series. This will be a month-long series of diaries to supplement our weekly topics.

It was near 05:30 GMT on Saturday, 25 January 2003 when the Slammer worm started to spread. Some of you probably remember where you were when you were first alerted to that incident. For those of you who didn't get to experience that first hand, there's a pretty decent Wikipedia article on it (http://en.wikipedia.org/wiki/SQL_Slammer). As I write this, I note that it's well over 7 years later. But SQL Slammer alerts continue to be a top talker on my perimeter IDS.

It's time to do something about that.

Slammer activity has been written off as "background radiation" for long enough.

Throughout this month I'm going to continue on this topic to inspire people to try something new. If you're not looking at your logs, I want you to look at them. If you're not reaching out to abuse contacts, I want you to send a few emails and make a few phone calls. If you're not helping your customers clean up their systems, I want you to experiment and reach out to help a couple of them. See what happens. See if you can make a measurable difference.

I pulled the IDS and darknet logs from the day job. From just one day I see 153 unique source IP addresses generating IDS alerts, and on my external darknet I see 63 probing UDP/1434. How many do you see hitting your perimeter? How much bandwidth is being consumed by just that activity? Can you quantify that into a dollar amount?

That's your homework for today. More to come.

-KL

Kevin Liston

292 Posts
ISC Handler
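One way to do the homework above in a reproducible way, as an added example that is not code from the diary or from the ISC: tally unique sources probing UDP/1434 on a darknet, estimate the bandwidth they consume, and turn that into a rough monthly figure. The flow record format, the sample flows (documentation IP ranges), the 404-byte on-the-wire size of a Slammer packet (376-byte UDP payload plus IPv4 and UDP headers), and the per-Mbps pricing are all assumptions made for the example; substitute your own export format and contract price.

```python
"""Tally SQL Slammer probe activity (UDP/1434) from darknet flow records.

Assumed record format (constructed for this example, one flow per line):
    <epoch_seconds> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <packets> <bytes>
"""
from collections import Counter
from dataclasses import dataclass

SLAMMER_PORT = 1434       # Slammer targets the SQL Server resolution service on UDP/1434
SLAMMER_WIRE_BYTES = 404  # assumption: 376-byte UDP payload + 20-byte IPv4 + 8-byte UDP header

# Constructed sample: a 90-second darknet capture on 192.0.2.0/24.
# Includes an SSH flow and a DNS reply from port 1434 that must NOT be counted,
# and one undersized UDP/1434 packet that is counted but flagged as odd-sized.
SAMPLE_FLOWS = """\
1285891200 udp 203.0.113.10:1123 192.0.2.7:1434 1 404
1285891203 udp 203.0.113.10:1123 192.0.2.9:1434 1 404
1285891207 udp 198.51.100.44:3421 192.0.2.20:1434 1 404
1285891211 udp 203.0.113.10:1123 192.0.2.33:1434 1 404
1285891215 tcp 198.51.100.90:52011 192.0.2.5:22 3 180
1285891240 udp 198.51.100.44:3421 192.0.2.11:1434 1 404
1285891250 udp 203.0.113.200:5000 192.0.2.2:1434 1 404
1285891270 udp 198.51.100.77:61000 192.0.2.40:1434 1 120
1285891290 udp 192.0.2.250:1434 192.0.2.2:53 1 80
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, pkts, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), proto.lower(), src_ip, int(src_port),
                          dst_ip, int(dst_port), int(pkts), int(nbytes)))
    return flows


def is_slammer_probe(flow):
    """A probe is any UDP flow whose destination port is 1434 (source port is irrelevant)."""
    return flow.proto == "udp" and flow.dst_port == SLAMMER_PORT


def summarize_slammer(flows, window_seconds):
    """Count sources, packets and bytes of UDP/1434 probes over a collection window."""
    probes = [f for f in flows if is_slammer_probe(f)]
    per_source = Counter()
    odd_sized = 0
    for f in probes:
        per_source[f.src_ip] += f.packets
        # Packets that are not the worm's fixed size deserve a second look
        # (e.g. a legitimate SSRP browse query rather than Slammer itself).
        if f.nbytes != f.packets * SLAMMER_WIRE_BYTES:
            odd_sized += f.packets
    total_packets = sum(per_source.values())
    total_bytes = sum(f.nbytes for f in probes)
    bps = total_bytes * 8 / window_seconds if window_seconds > 0 else 0.0
    return {
        "unique_sources": len(per_source),
        "packets": total_packets,
        "bytes": total_bytes,
        "odd_sized_packets": odd_sized,
        "bits_per_second": bps,
        "top_sources": per_source.most_common(5),
    }


def top_source_share(summary, n):
    """Fraction of probe packets sent by the n busiest sources."""
    top = sum(count for _, count in summary["top_sources"][:n])
    return top / summary["packets"] if summary["packets"] else 0.0


def scale_to_slash16(bits_per_second, monitored_prefix_len):
    """Scale a rate seen on a /<monitored_prefix_len> darknet to a /16 (assumes uniform scanning)."""
    return bits_per_second * (2 ** (monitored_prefix_len - 16))


def estimate_cost_usd(bits_per_second, usd_per_mbps_month):
    """Rough monthly cost at an assumed flat price per Mbps per month."""
    return bits_per_second / 1_000_000 * usd_per_mbps_month


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    window = flows[-1].ts - flows[0].ts  # 90 s for the constructed sample
    s = summarize_slammer(flows, window)
    print(f"unique UDP/1434 sources: {s['unique_sources']}, packets: {s['packets']}, "
          f"odd-sized: {s['odd_sized_packets']}")
    print(f"top source share: {top_source_share(s, 1):.0%}")
    print(f"observed: {s['bits_per_second']:.1f} bit/s on a /24, "
          f"~{scale_to_slash16(s['bits_per_second'], 24) / 1000:.1f} kbit/s per /16")
    print(f"monthly cost at $10/Mbps (assumed): ${estimate_cost_usd(s['bits_per_second'], 10.0):.4f}")
```

Run it against a full day's export with `window_seconds=86400` to get the daily average rate; the per-source counter is also the list you would work from when sending abuse reports, and the odd-sized count tells you how many alerts to double-check before doing so.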
Don't know about bandwidth, but SQL Slammer is still alive and well out there. We still see it hitting our sensors. Also, CodeRed is not dead either. We see that once in a while as well.

But they don't do nearly as much damage to bandwidth costs as SSH, FTP, TermServer and POP3 brute-force attacks. Those are bandwidth hogs.
Frank

24 Posts
I can't say anything about SQL Slammer, but I've tried my hand at reporting SSH bots. I did it for years, and all I got in return was either silence or computer-generated emails, and the same host would continue to operate for months. It's just not worth the hassle to me anymore.
Anonymous
This one hits my nerve. I have watched SQL Slammer in my flows for about two years now, and it has lowered its activity by about a factor of 3 since then.

I see quite the same number of IPs active, with 5 machines accounting for 90% of the flows.

From my point of view the traffic is about 5 kbit/s/Class-B.

I would appreciate an effort to eliminate that.
Jens

42 Posts