more on the ms-sql worm

– cricinfo was not accessible (manu pointed this out)
– 5 out of the 13 DNS root servers went down
– 95% (that's right, no typo) packet loss across UUnet / Worldcom.
– up to 210MB/sec traffic seen on some routers.
– if you plug an infected machine into a port on an HP4000 switch it would freeze.

anyway the traffic seems to be going down slowly, and hopefully I can get some sleep tonight.

many people have asked me how to filter it out on their linux box. So here you go (drops all UDP traffic to port 1434, the port the worm spreads over):
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

<more updates>

– (At least some) Boeing employees were sent home today because the network was reportedly hosed. I wonder how many other major companies with moderate security concerns were hit…
– Reports are coming in that HP was hit pretty bad too
– In South Korea internet services were shut down nationwide for hours on Saturday.
– MS sucks real bad: microsoft.com is not accessible and they don't have mirrors of the site, so people hitting microsoft.com for the latest patch are not able to get it
– Bank of America Corp. said Saturday that customers at a majority of its 13,000 automatic teller machines were unable to process customer transactions after a malicious computer worm nearly froze Internet traffic worldwide.

4 Comments

  1. vaibhav · January 25, 2003

    MS at fault?

    While it's true that darn M$ has a reputation of buggy software, as far as this is concerned, aren't those admins at fault who did not update their machines on time?

    The patches for this exploit have been available since May 2001. Yes, it's easier to find and exploit vuln. in M$ products, but what if the worm had exploited an apache / sendmail / BIND or blah vuln. and the same would have happened, would we blame apache.org or the admin?

  2. vaibhav · January 25, 2003

    Re: MS at fault?

    whoa! typo!

    Patches have been available since “May 2002”.

    BTW, a lot of problems in other products too were triggered because of the traffic. e.g. Cisco's netflow would lock up the routers as some versions had problems.

    Interesting though. 🙂

  3. powell · January 26, 2003

    /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

    This rule should be on the router, right? Not on the host.
