next generation nimda virus ?

Whoever is reading this... please block UDP port 1434 (MS SQL Server) right away. It's practically taking the whole net down.
my servers are getting hammered with this

[update]

UDP traffic, source port 2038, destination port 1434, single-packet flows.

The worm seems to be using this MS exploit.
From the advisory:
When an SQL Server receives a single byte packet, 0x0A, on UDP port 1434 it will reply to the sender with 0x0A. A problem arises as SQL Server will respond, sending a ‘ping’ response to the source IP address and source port. This ‘ping’ is a single byte UDP packet – 0x0A. By spoofing a packet from one SQL Server, setting the UDP port to 1434, and sending it to a second SQL Server, the second will respond to the first’s UDP port 1434. The first will then reply to the second’s UDP port 1434 and so on. This causes a storm of single byte pings between the two servers. Only when one of the servers is disconnected from the network or its SQL service is stopped will the storm stop. This is a simple network based DoS, reminiscent of the echo and chargen DoSes discussed back in 1996 (http://www.cert.org/advisories/CA-1996-01.html). When in this state, the load on each SQL Server is raised to c. 40 – 60 % CPU time.

To me, it looks more like a “next generation Nimda worm”. The port scan rate (both in number of target hosts per interval, and bits/s.) is amazing. Some of the hosts send out over 40 Mbit/s of UDP 1434, targeted at wildly varying destination addresses – which is more typical of a “portscan/worm” thing than of a DoS. (Well, it definitely was a DoS on my network infrastructure.)

All admins with access to routers should block port 1434 (ms-sql-m)!
Everyone running MS SQL Server shut it the hell down or make sure it can’t access the internet proper!
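The two traffic features described above (single-packet UDP flows to 1434 and a source hitting many distinct targets per interval) are enough to pick scanning hosts out of flow records. The following is an added example, not code from the original post; the flow tuples are constructed sample data, and the `window_s` and `min_targets` thresholds are assumptions you would tune to your own traffic.

```python
"""Flag hosts whose UDP traffic matches the 1434 (ms-sql-m) scanning pattern."""
from collections import defaultdict

# Constructed sample flow records (not real captures):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, packets)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", 2038, "192.0.2.1", 1434, "udp", 1),
    (0.1, "10.0.0.5", 2038, "198.51.100.7", 1434, "udp", 1),
    (0.2, "10.0.0.5", 2038, "203.0.113.9", 1434, "udp", 1),
    (0.3, "10.0.0.5", 2038, "192.0.2.44", 1434, "udp", 1),
    (0.4, "10.0.0.5", 2038, "198.51.100.200", 1434, "udp", 1),
    (1.0, "10.0.0.8", 51000, "192.0.2.1", 1434, "udp", 3),  # ordinary multi-packet lookup
    (1.5, "10.0.0.8", 51001, "192.0.2.1", 53, "udp", 1),    # unrelated DNS query
]


def is_ms_sql_m_probe(flow):
    """True for a single-packet UDP flow to port 1434, the signature from the post."""
    _, _, _, _, dst_port, proto, packets = flow
    return proto == "udp" and dst_port == 1434 and packets == 1


def scanning_hosts(flows, window_s=1.0, min_targets=3):
    """Map src_ip -> peak number of distinct 1434 targets seen in any one window.

    Only sources whose peak reaches min_targets are returned; thresholds are
    assumed values, not figures from the post.
    """
    buckets = defaultdict(set)  # (src_ip, window index) -> set of destinations
    for flow in flows:
        if is_ms_sql_m_probe(flow):
            ts, src, _, dst, *_ = flow
            buckets[(src, int(ts // window_s))].add(dst)
    peak = {}
    for (src, _), targets in buckets.items():
        peak[src] = max(peak.get(src, 0), len(targets))
    return {src: n for src, n in peak.items() if n >= min_targets}


if __name__ == "__main__":
    for src, n in scanning_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct UDP/1434 targets in one window")
```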

Disclaimer: I make no guarantees that this information is correct, test it out for yourself!

5 Comments

  1. tariquesani · January 25, 2003

    Ah! That explains some of it...
    More details – what's happening?

  2. bhatta · January 25, 2003

    Explain a bit, please.

  3. manusb · January 25, 2003

    From http://www-ind.cricket.org/ :

    Service Status: CricInfo would like to apologise to anyone unable to access our website from 0530-1600 GMT today (Saturday). This was due to a computer virus which – whilst not directly affecting our own servers – has caused problems with a significant part of the internet throughout the day, and made it impossible for us to update the site for several hours. Users in certain countries may continue to experience difficulty connecting for some time, but unfortunately this is beyond our control. Thank you for your patience.

    Yep, a worm is definitely on the loose.
