Internet under attack

SQL 2000 vulnerability to blame.

A new worm attacking a known vulnerability in Microsoft SQL Server 2000  that has been slowing down or halting Internet traffic worldwide could prove as tricky a nemesis as security foes 'Code Red' and 'Nimda,' according to firms tracking the outbreak.

Half a dozen security outlets have issued bulletins describing worm W32/SQL Slammer, dubbed 'Slammer.' Using a buffer overflow to take over a server, the worm sends out a flood of packets, an effect similar to a denial-of-service attack.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

A new worm attacking a known vulnerability in Microsoft SQL Server 2000  that has been slowing down or halting Internet traffic worldwide could prove as tricky a nemesis as security foes 'Code Red' and 'Nimda,' according to firms tracking the outbreak.

Half a dozen security outlets have issued bulletins describing worm W32/SQL Slammer, dubbed 'Slammer.' Using a buffer overflow to take over a server, the worm sends out a flood of packets, an effect similar to a denial-of-service attack.

Network Associates' Anti-Virus Emergency Response Team (AVERT) estimates that 150,000 to 200,000 servers worldwide have already been infected.

When the attack began around 5:30 a.m. GMT (12:30 a.m. EST), packet loss across the Internet approached 20 percent, according to monitoring firm Matrix NetSystems, in Austin. Packet loss rates are usually less than 1 percent.

One of the countries worst affected was South Korea, where most of the nation's fixed-line and mobile Internet users were unable to access Web sites for nearly half of the day.

"The networks of Internet service providers in South Korea were partially down from about 2:30 p.m. today," said Lee Kin Tae, a technical assistant at the Korean Computer Emergency Response Team (CERT) in Seoul. "From around that time, most people in South Korea cannot use the Internet."

Ten hours after the attack began, traffic flow was picking up, with packet loss down to around 5 percent by Matrix NetSystems' readings.

Recovering from the worm is easy, security firms agree: Installing Microsoft's recently released SQL Server 2000 Service Pack 3 solves the problem. Some also recommend system administrators consider blocking traffic on port 1434 from unknown machines.

Firms disagree, though, on the severity of the threat posed by Slammer. Trend Micro Inc. labels the worm "destructive" and "high risk," while Symantec Corp. assesses its damage potential as "low." Network Associates Inc. and eEye Digital Security Inc., one of the first to spot and dissect the worm, both issued high-risk alerts on the worm.

While the worm may be easy to defend against, a vast number of systems remain unprotected.

"It's probably worse than it was three or four hours ago," said AVERT Vice President Vincent Gullotto, about 12 hours after the attack began. "This is not going to be cleaned up any time soon."

"(Slammer) doesn't destroy, remove, hack or extract any data," said Tom Ohlsson, Matrix NetSystems' vice president of marketing and business development. "But it's a very, very aggressive worm about self-replication."

Slammer's speed in spreading itself recalls another worm that rampaged through the Net: Code Red, a scourge that appeared in mid-2001 and infected hundreds of thousands of servers.

Despite the availability of a patch, Code Red caused $2 billion [b] in damage, according to one research firm's estimates. New infections continued spreading more than a year after the worm's discovery, according to several vendors, as some vulnerable systems remained unprotected.

The IDG News Service is a Network World affiliate.