internet block and cramped NOC traffic very badly
A worm which exploits a (new?) vulnerability in SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and the simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 (I found 1433 also) of each random target, and each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at: http://www.digitaloffense.net/worms/mssql_udp_worm/
The UDP D.o.S. attack (random snippets from logs):
PROTO=UDP SPT=1518 DPT=1434
PROTO=UDP SPT=1032 DPT=1434
PROTO=UDP SPT=1077 DPT=1434
PROTO=UDP SPT=4319 DPT=1434
Some news: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
MS SQL listens on port 1434/udp so that clients can figure out which method of communication to use (named pipes, TCP/IP, et al.). There are two problems that yield the ability to execute code remotely while unauthenticated.
Right now, packet loss is running at roughly 95%.
ranjeet
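As an added example (this is not part of ranjeet's post, and not the worm's own code), here is a small Python detector for the traffic pattern described above: one host spraying single UDP datagrams at port 1434 of many random destinations, each carrying the 376-byte payload. It runs over netfilter/iptables LOG-style lines of the same "PROTO=UDP SPT=... DPT=1434" shape as the snippets in the post. The log lines, addresses (RFC 5737 ranges) and thresholds are constructed for illustration; the only figures taken from the post are the 376-byte payload and the source ports. The 404-byte IP length is derived from that payload plus a 20-byte IPv4 header and an 8-byte UDP header, assuming no IP options.

```python
"""Flag Slammer-style UDP/1434 fan-out in netfilter (iptables LOG) lines.

Added illustration only; the log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# Fields the iptables LOG target prints for UDP and TCP. The first LEN= is
# the IP total length; the trailing LEN= on UDP lines (UDP header + payload)
# is not needed here.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<iplen>\d+).*?"
    r"PROTO=(?P<proto>[A-Z]+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

WORM_PAYLOAD = 376                   # UDP payload size quoted in the post
WORM_IP_LEN = WORM_PAYLOAD + 20 + 8  # 404 = IPv4 header + UDP header (assumes no IP options)

# Constructed sample. Host .7 plays the infected machine: one worm-sized
# datagram to each of four targets, source ports taken from the post.
# Host .8 hits only two targets, .9 does a single small client lookup,
# and the last two lines are unrelated TCP/DNS noise.
SAMPLE_LOG = [
    "Jan 25 05:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3201 PROTO=UDP SPT=1518 DPT=1434 LEN=384",
    "Jan 25 05:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3202 PROTO=UDP SPT=1032 DPT=1434 LEN=384",
    "Jan 25 05:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3203 PROTO=UDP SPT=1077 DPT=1434 LEN=384",
    "Jan 25 05:31:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3204 PROTO=UDP SPT=4319 DPT=1434 LEN=384",
    "Jan 25 05:31:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.20 LEN=404 TOS=0x00 PREC=0x00 TTL=120 ID=5001 PROTO=UDP SPT=2001 DPT=1434 LEN=384",
    "Jan 25 05:31:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.21 LEN=404 TOS=0x00 PREC=0x00 TTL=120 ID=5002 PROTO=UDP SPT=2002 DPT=1434 LEN=384",
    "Jan 25 05:31:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=3305 DPT=1434 LEN=9",
    "Jan 25 05:31:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=40000 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 25 05:31:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=11 PROTO=UDP SPT=5353 DPT=53 LEN=41",
]


def parse_line(line):
    """Return the fields of one LOG line as a dict, or None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("iplen", "spt", "dpt"):
        rec[key] = int(rec[key])
    return rec


def find_scanners(lines, port=1434, min_targets=3):
    """Group UDP traffic to `port` by source; return sources that hit at least
    `min_targets` distinct destinations.

    Fan-out is the primary signal: a worm sprays random addresses from one
    host, whereas a real client talks to one server. `worm_sized` counts the
    datagrams whose IP length matches the worm's payload, as corroboration.
    """
    stats = defaultdict(lambda: {"targets": set(), "packets": 0, "worm_sized": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] != port:
            continue
        s = stats[rec["src"]]
        s["targets"].add(rec["dst"])
        s["packets"] += 1
        if rec["iplen"] == WORM_IP_LEN:
            s["worm_sized"] += 1
    return {
        src: {"targets": len(s["targets"]), "packets": s["packets"], "worm_sized": s["worm_sized"]}
        for src, s in stats.items()
        if len(s["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets, {info['packets']} packets, "
              f"{info['worm_sized']} worm-sized")
```

With the default threshold of three distinct targets only 198.51.100.7 is reported; lowering it to two also catches 198.51.100.8, which shows why the threshold should be tuned to how many SQL Server hosts a legitimate client on your network would ever contact. The single 29-byte packet from 198.51.100.9 is never flagged, because a normal resolution query goes to one server.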