Cyber Security Awareness Month Activity: SQL Slammer Clean-up
It's Cyber Security Awareness Month, and it's about more than just educating users: security professionals can participate a little too. I want to start an additional track to the Internet Storm Center's Cyber Security Awareness Series. This will be a month-long series of diaries to supplement our weekly topics.
It was near 05:30 GMT on Saturday, 25 January 2003 when the Slammer worm started to spread. Some of you probably remember where you were when you were first alerted to that incident. For those of you who didn't get to experience that first hand, there's a pretty decent Wikipedia article on it (http://en.wikipedia.org/wiki/SQL_Slammer). As I write this, I note that it's well over 7 years later. But SQL Slammer alerts continue to be a top talker on my perimeter IDS.
It's time to do something about that.
Slammer activity has been written off as "background radiation" for long enough.
Throughout this month I'm going to continue on this topic to inspire people to try something new. If you're not looking at your logs, I want you to look at them. If you're not reaching out to abuse contacts, I want you to send a few emails and make a few phone calls. If you're not helping your customers clean up their systems, I want you to experiment and reach out to help a couple of them. See what happens. See if you can make a measurable difference.
I pulled the IDS and darknet logs from the day job. From just one day I see 153 unique source IP addresses generating IDS alerts, and on my external darknet I see 63 probing UDP/1434. How many do you see hitting your perimeter? How much bandwidth is being consumed by just that activity? Can you quantify that into a dollar amount?
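As an added example (not from the diary or the ISC), here is one way to do that count yourself: a small Python script that walks iptables-style darknet log lines, keeps only UDP datagrams aimed at port 1434, tallies unique sources, and works out the average bit rate over the capture window. The log lines are constructed for the example; the field names (SRC, DST, LEN, PROTO, DPT) follow the netfilter log format, and the 404-byte match uses the well-known on-the-wire size of a Slammer datagram (376-byte payload plus 8-byte UDP and 20-byte IPv4 headers).

```python
import re
from collections import Counter

# Constructed sample of iptables-style darknet log lines (not real traffic).
# LEN here is the IP datagram length; a Slammer probe is 404 bytes on the wire,
# so LEN=404 separates worm traffic from other scans of UDP/1434.
SAMPLE_LOG = """\
Oct  2 03:14:07 dn kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.9 LEN=404 PROTO=UDP SPT=1052 DPT=1434
Oct  2 03:14:07 dn kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.17 LEN=404 PROTO=UDP SPT=1052 DPT=1434
Oct  2 03:14:09 dn kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.40 LEN=404 PROTO=UDP SPT=2211 DPT=1434
Oct  2 03:14:10 dn kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.41 LEN=60 PROTO=TCP SPT=4410 DPT=22
Oct  2 03:14:11 dn kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.41 LEN=48 PROTO=UDP SPT=5001 DPT=1434
Oct  2 03:14:12 dn kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.42 LEN=404 PROTO=UDP SPT=3109 DPT=1434
Oct  2 03:14:15 dn kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.43 LEN=404 PROTO=UDP SPT=2211 DPT=1434
"""

SLAMMER_WIRE_BYTES = 404

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=\S+ LEN=(?P<len>\d+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def udp_1434_probes(log_text):
    """Yield (source_ip, ip_length) for every UDP datagram aimed at port 1434."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["proto"] == "UDP" and m["dpt"] == "1434":
            yield m["src"], int(m["len"])


def summarize(log_text, window_seconds):
    """Count sources and bytes on UDP/1434 and average them over the capture window."""
    packets = Counter()
    total_bytes = 0
    slammer_sized = 0
    for src, length in udp_1434_probes(log_text):
        packets[src] += 1
        total_bytes += length
        if length == SLAMMER_WIRE_BYTES:
            slammer_sized += 1
    return {
        "unique_sources": len(packets),
        "packets_per_source": dict(packets),
        "slammer_sized_packets": slammer_sized,
        "total_bytes": total_bytes,
        "avg_bits_per_second": total_bytes * 8 / window_seconds,
    }


if __name__ == "__main__":
    # A real run would pass the seconds covered by the log file, e.g. 86400 for one day.
    print(summarize(SAMPLE_LOG, window_seconds=10))
```

Multiply the per-window bit rate by your link's per-megabit cost to get the dollar figure the diary asks for.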
That's your homework for today. More to come.
-KL
Comments
But they don't do nearly as much damage to bandwidth costs as SSH, FTP, TermServer and POP3 brute-force attacks. Those are bandwidth hogs.
Frank
Oct 2nd 2010
joeblow
Oct 3rd 2010
I see quite the same number of IPs/machines active, with 5 machines accounting for 90% of the flows.
From my point of view the traffic is about 5 kbit/s/Class-B.
I would appreciate an effort to eliminate that.
Jens
Oct 3rd 2010