echo: linuxhelp
to: Joe Barr
from: Mike `/m`
date: 2003-01-29 19:24:20
subject: Re: An open source guy on the MS SQL fiasco

From: Mike '/m' 

Probably the most rational commentary/observation/analysis that I've seen so far.

Thanks for posting it.

 /m


On Wed, 29 Jan 2003 18:00:20 -0600, "Joe Barr" wrote:

>
>An open source guy on the MS SQL fiasco
>
>
>From:    "Karsten M. Self" 
>To:   linux-elitists{at}zgp.org
>Subject:   Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>Date:   Wed, 29 Jan 2003 23:17:57 +0000
>
>on Sat, Jan 25, 2003 at 01:26:39PM -0800, Don Marti (dmarti{at}zgp.org) wrote:
>> begin Michael Bacarella quotation of Sat, Jan 25, 2003 at 02:11:41AM -0500:
>>
>> > All admins with access to routers should block port 1434 (ms-sql-m)!
>>
>> Anybody who has _any_ relational database server directly connected
>> to the Internet please save some of whatever you're smoking for me.
>
>A few further points on this issue.
>
>Looking over the BUGTRAQ and NANOG lists, a few trends start to emerge.
>
>Apologies if this is fundamental knowledge -- if I'm duplicating
>well-known summaries, please post links as followup as I'm unaware of
>them.
>
>  - Attacks worldwide appear to start at 05:29:30 UCT, give or take a
>    few seconds.  The launch of this attack *does* appear to be highly
>    coordinated.  I've seen reports of up to several minutes later, but
>    nothing earlier.
>
>  - University of Dartmouth registers 10k independent sources within the
>    first 30 minutes of the attack, and a peak of 16k independent
>    sources, speaking for extremely rapid propagation.  Early
>    propagation appears to be from many widely dispersed sites, though
>    large colo facilities (e.g.:  Hurricane Electric) appear in several
>    reports.  Other references speak of ~19k distinct sources.  Whether
>    or not this represents the maximum scope of the attack isn't clear,
>    but let's presume that the total number of infected hosts were <
>    100k.  Current estimates of total Internet nodes tend to range in
>    the 200m - 400m range, though I don't have good numbers on this.
>    I'd be interested in same if anyone has a reference.
>
>  - Another number I've been pulling out of /dev/ass (mostly because
>    nobody's provided anything more useful) is that there are 10m Win2K
>    systems in existence.
>
>  - This means that the infected hosts were on the order of 1% of all
>    potential hosts.  That is, Microsoft users were attaining a 99%
>    patch and/or secure rate of systems publicly visible to the worm.
>    This is a pretty good compliance rate.  It was also wholly
>    inadequate in preventing this attack.
>
>  - Several NANOG sources report prior scans of the 1434 port across
>    systems earlier in January, particularly on the 16th and 19th.  This
>    may have been preparatory work for the sort of rapid-propagation
>    exploit attack that was hypothesized last summer.
>
>  - The MS SQL engine is incorporated into a large number of MSFT
>    products.  While not absolving guilt, it does help to explain why
>    so many exposed systems existed.  The overhead of knowing what
>    services exist on a given system, and of keeping these systems
>    patched, increases consequently.
>
>    http://www.microsoft.com/technet/security/MSDEapps.asp
>
>  - In balance, the level of infection for this attack was *small*, not
>    large.  The effects were disproportionate to the number of directly
>    infected systems.  Calling this the result of a widespread software
>    monoculture may not be appropriate (IMO it is, for complex reasons,
>    but that's a longer discussion).  A similar vulnerability in a
>    widely deployed free software utility could produce similar results,
>    and the GNU/Linux & free software communities shouldn't enjoy
>    excessive schadenfreude over this incident.
>
>    I recall (but can't locate) a reference, possibly following the
>    Mindcraft Apache / IIS rigged shootout, in which it was observed that
>    raw webserving capacity was a poor performance metric, as a score or
>    so Sun workstations would be more than sufficient to flood major
>    Internet backbone links.
>
>
>While it's fun (however unsporting) to blast away at Microsoft for its
>security deficiencies, IMO the free software world should view the
>Sapphire / Slammer worm as more a cautionary tale.  This is the sort of
>attack which _could_ potentially hit GNU/Linux or another 'Nix.  I feel
>that the likelihood is lower than that for legacy MS Windows, though
>there are a large number of likely poorly maintained GNU/Linux and other
>'Nix systems live on the Net.
>
>Smugness kills.
>
>Peace.
>
>--
>Karsten M. Self        http://kmself.home.netcom.com/
> What Part of "Gestalt" don't you understand?
>    The truth behind the H-1B indentured servant scam:
>    http://heather.cs.ucdavis.edu/itaa.real.html
>    http://www.zazona.com/ShameH1B/

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267
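The two traffic patterns the quoted mail describes, a single host probing port 1434 ahead of the outbreak and thousands of distinct sources hitting udp/1434 within 30 minutes on 25 January, can be told apart in flow data. This is an added detection example, not code from the original posts; it assumes a whitespace-separated flow log, and the sample records, the window size and the threshold are constructed values.

```python
from collections import defaultdict
from datetime import datetime

MS_SQL_M_PORT = 1434   # udp/1434 "ms-sql-m", the port the thread says to block
WINDOW_MINUTES = 30    # the mail counts distinct sources over the first 30 minutes
THRESHOLD = 4          # assumed tuning value; a real network needs its own baseline

# Constructed sample flow log, not from the page: "<timestamp> <src> <dst> <dst_port>",
# documentation-range addresses. 16 Jan: one host sweeping udp/1434 (recon);
# 25 Jan 05:29 UTC: unrelated sources hitting udp/1434 at once (propagation).
SAMPLE_FLOWS = """\
2003-01-16T03:10:01 203.0.113.7 192.0.2.10 1434
2003-01-16T03:10:02 203.0.113.7 192.0.2.11 1434
2003-01-16T03:10:03 203.0.113.7 192.0.2.12 1434
2003-01-16T03:10:04 203.0.113.7 192.0.2.13 1434
2003-01-25T05:29:31 198.51.100.1 192.0.2.10 1434
2003-01-25T05:29:32 198.51.100.2 192.0.2.10 1434
2003-01-25T05:29:33 198.51.100.3 192.0.2.11 1434
2003-01-25T05:29:34 198.51.100.4 192.0.2.11 1434
2003-01-25T05:29:36 198.51.100.4 192.0.2.12 53
"""

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def window_key(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES tumbling bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)

def classify_1434_activity(log_text, threshold=THRESHOLD):
    """Return (window_start, distinct_sources, verdict) per window carrying udp/1434 flows.
    "worm": >= threshold distinct sources in one window (many-to-many propagation);
    "scan": one source reached >= threshold destinations (single-host sweep); else "quiet"."""
    per_window = defaultdict(lambda: defaultdict(set))   # window -> src -> {dst}
    for line in filter(str.strip, log_text.splitlines()):   # skip blank lines
        ts, src, dst, port = parse_flow(line)
        if port == MS_SQL_M_PORT:                            # other ports are ignored
            per_window[window_key(ts)][src].add(dst)
    verdicts = []
    for start in sorted(per_window):
        srcs = per_window[start]
        if len(srcs) >= threshold:
            verdict = "worm"
        elif max(len(dsts) for dsts in srcs.values()) >= threshold:
            verdict = "scan"
        else:
            verdict = "quiet"
        verdicts.append((start.isoformat(), len(srcs), verdict))
    return verdicts
```

The threshold is deliberately low so the sample triggers; in practice the "worm" verdict is the one that justifies an emergency block of the port, while a "scan" verdict is the early-warning signal the NANOG reports describe.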

SOURCE: echomail via fidonet.ozzmosis.com
