echo: linuxhelp
to: Mike `/m`
from: Adam Flinton
date: 2003-01-30 00:56:14
subject: Re: An open source guy on the MS SQL fiasco

From: "Adam Flinton" 

Just thank god MS haven't managed to move the Access user base over to the
cut down SQL server though.

Adam

"Mike '/m'"  wrote in message
news:i4sg3v8qqtvapdsvd4oaijpt8j0c1u5k61{at}4ax.com...
> Probably the most rational commentary/observation/analysis that I've
> seen so far.
>
> Thanks for posting it.
>
>  /m
>
>
> On Wed, 29 Jan 2003 18:00:20 -0600, "Joe Barr"
>  wrote:
>
> >
> >An open source guy on the MS SQL fiasco
> >
> >
> >From:    "Karsten M. Self" 
> >To:   linux-elitists{at}zgp.org
> >Subject:   Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> >Date:   Wed, 29 Jan 2003 23:17:57 +0000
> >
> >on Sat, Jan 25, 2003 at 01:26:39PM -0800, Don Marti (dmarti{at}zgp.org) wrote:
> >> begin Michael Bacarella quotation of Sat, Jan 25, 2003 at 02:11:41AM -0500:
> >>
> >> > All admins with access to routers should block port 1434 (ms-sql-m)!
> >>
> >> Anybody who has _any_ relational database server directly connected
> >> to the Internet please save some of whatever you're smoking for me.
> >
> >A few further points on this issue.
> >
> >Looking over the BUGTRAQ and NANOG lists, a few trends start to emerge.
> >
> >Apologies if this is fundamental knowledge -- if I'm duplicating
> >well-known summaries, please post links as followup as I'm unaware of
> >them.
> >
> >  - Attacks worldwide appear to start at 05:29:30 UCT, give or take a
> >    few seconds.  The launch of this attack *does* appear to be highly
> >    coordinated.  I've seen reports of up to several minutes later, but
> >    nothing earlier.
> >
> >  - University of Dartmouth registers 10k independent sources within the
> >    first 30 minutes of the attack, and a peak of 16k independent
> >    sources, speaking for extremely rapid propagation.  Early
> >    propagation appears to be from many widely dispersed sites, though
> >    large colo facilities (e.g.:  Hurricane Electric) appear in several
> >    reports.  Other references speak of ~19k distinct sources.  Whether
> >    or not this represents the maximum scope of the attack isn't clear,
> >    but let's presume that the total number of infected hosts were <
> >    100k.  Current estimates of total Internet nodes tend to range in
> >    the 200m - 400m range, though I don't have good numbers on this.
> >    I'd be interested in same if anyone has a reference.
> >
> >  - Another number I've been pulling out of /dev/ass (mostly because
> >    nobody's provided anything more useful) is that there are 10m Win2K
> >    systems in existence.
> >
> >  - This means that the infected hosts were on the order of 1% of all
> >    potential hosts.  That is, Microsoft users were attaining a 99%
> >    patch and/or secure rate of systems publicly visible to the worm.
> >    This is a pretty good compliance rate.  It was also wholly
> >    inadequate in preventing this attack.
> >
> >  - Several NANOG sources report prior scans of the 1434 port across
> >    systems earlier in January, particularly on the 16th and 19th.  This
> >    may have been preparatory work for the sort of rapid-propagation
> >    exploit attack that was hypothesized last summer.
> >
> >  - The MS SQL engine is incorporated into a large number of MSFT
> >    products.  While not absolving guilt, it does help to explain why
> >    so many exposed systems existed.  The overhead of knowing what
> >    services exist on a given system, and of keeping these systems
> >    patched, increases consequently.
> >
> >    http://www.microsoft.com/technet/security/MSDEapps.asp
> >
> >  - In balance, the level of infection for this attack was *small*, not
> >    large.  The effects were disproportionate to the number of directly
> >    infected systems.  Calling this the result of a widespread software
> >    monoculture may not be appropriate (IMO it is, for complex reasons,
> >    but that's a longer discussion).  A similar vulnerability in a
> >    widely deployed free software utility could produce similar results,
> >    and the GNU/Linux & free software communities shouldn't enjoy
> >    excessive schadenfreude over this incident.
> >
> >    I recall (but can't locate) a reference, possibly following the
> >    Mindcraft Apache / IIS rigged shootout, in which it was observed that
> >    raw webserving capacity was a poor performance metric, as a score or
> >    so Sun workstations would be more than sufficient to flood major
> >    Internet backbone links.
> >
> >
> >While it's fun (however unsporting) to blast away at Microsoft for its
> >security deficiencies, IMO the free software world should view the
> >Sapphire / Slammer worm as more a cautionary tale.  This is the sort of
> >attack which _could_ potentially hit GNU/Linux or another 'Nix.  I feel
> >that the likelihood is lower than that for legacy MS Windows, though
> >there are a large number of likely poorly maintained GNU/Linux and other
> >'Nix systems live on the Net.
> >
> >Smugness kills.
> >
> >Peace.
> >
> >--
> >Karsten M. Self        http://kmself.home.netcom.com/
> > What Part of "Gestalt" don't you understand?
> >    The truth behind the H-1B indentured servant scam:
> >    http://heather.cs.ucdavis.edu/itaa.real.html
> >    http://www.zazona.com/ShameH1B/
>

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
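A defender's worked example, added here and not part of the thread above: it counts distinct sources hitting UDP/1434 (ms-sql-m) per 30-minute window over constructed firewall-style log lines, the kind of measurement behind the "10k independent sources within the first 30 minutes" figure quoted above. The log line format and the burst threshold are assumptions, not anything from the original posts.

```python
"""Count distinct sources sending to UDP/1434 per fixed time window and
flag windows whose count reaches a threshold (Slammer-style burst)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic); assumed format:
#   "<ISO time>Z <proto> <src-ip> -> <dst-ip>:<dst-port>"
SAMPLE_LOG = """\
2003-01-25T05:29:28Z UDP 198.51.100.7 -> 203.0.113.10:1434
2003-01-25T05:29:30Z UDP 198.51.100.7 -> 203.0.113.11:1434
2003-01-25T05:29:31Z UDP 192.0.2.21 -> 203.0.113.12:1434
2003-01-25T05:29:33Z TCP 192.0.2.22 -> 203.0.113.12:1433
2003-01-25T05:29:35Z UDP 192.0.2.23 -> 203.0.113.13:1434
2003-01-25T05:29:36Z UDP 192.0.2.24 -> 203.0.113.14:1434
2003-01-25T06:10:00Z UDP 192.0.2.25 -> 203.0.113.15:1434
"""

MS_SQL_M_PORT = 1434  # the port the quoted advice says to block


def parse_line(line):
    """Split one log line into (timestamp, proto, src, dst_host, dst_port)."""
    ts, proto, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proto, src, host, int(port)


def ms_sql_m_sources_per_window(log_text, window=timedelta(minutes=30)):
    """Map window start -> set of distinct sources that sent UDP/1434 in it.
    Windows are fixed-size and aligned to the first matching event, which
    mirrors 'within the first 30 minutes of the attack'."""
    buckets = defaultdict(set)
    origin = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _host, port = parse_line(line)
        if proto != "UDP" or port != MS_SQL_M_PORT:
            continue  # TCP/1433 and other traffic are not the worm's vector
        if origin is None:
            origin = ts
        idx = (ts - origin) // window  # whole windows elapsed since first hit
        buckets[origin + idx * window].add(src)
    return dict(buckets)


def burst_windows(log_text, threshold, window=timedelta(minutes=30)):
    """Return [(window_start, distinct_source_count)] for windows at/over
    the threshold; the threshold depends on the sensor's vantage point."""
    per_window = ms_sql_m_sources_per_window(log_text, window)
    return sorted((start, len(srcs)) for start, srcs in per_window.items()
                  if len(srcs) >= threshold)
```

Repeated hits from one source (198.51.100.7 above) count once, so the metric tracks infected hosts rather than packet volume.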

SOURCE: echomail via fidonet.ozzmosis.com
