Worm Attack
- Thread starter candletrader
- Start date
No, no, it's like in the markets: You only know after the event. And by definition, fraud prevention is *always* lagging - who could know what the bad guy, or the market ie., has in petto for you.
"Be prepared" is the lesson to learn. As a sys admin, have backup tapes, as a trader, don't take availability for granted and have an emergency plan.
Now I don't want to protect criminals, but they show us where we need to build our safety nets.
Andreas
You mean like all DNS servers should be taken off the internet and hid behind a firewall? Good suggestion; too bad it would effectively stop most internet access worldwide. BTW, about half the DNS servers were effected by this worm. As you noted while you contradicted yourself, the actual problem was sloppy admins failing to apply an MS patch that had been available for months prior.
I'm not talking about global major access points. I'm talking about smaller network clusters that companies use. A company should never have their backend servers exposed to the net. It is surprising how apathetic a lot of sysadmins are.
Obviously, DNS servers are at a cross-road point and need to be able to route and see all data-flow. However, if something is banging a port continuously (like the MS SQL 1434 port), then perhaps they should just block those packets until the situation is resolved.
That is exactly what they did with the 13 major nameservers.
Ps: I'm not saying it could not have been prevented, but there are definately great strides they can take to improve this sort of occurance from happening in the future via more intelligent analysis of what liget traffic looks like compared to a massive attack.
The main nameservers are already putting up with a huge amount of traffic that is simply redundant.
SAN DIEGO SUPERCOMPUTER CENTER RESEARCHERS FIND UNNECESSARY TRAFFIC SATURATING A KEY INTERNET âROOTâ SERVER
Scientists at the San Diego Supercomputer Center (SDSC) at UCSD analyzing traffic to one of the 13 Domain Name System (DNS) ârootâ servers at the heart of the Internet found that the server spends the majority of its time dealing with unnecessary queries. DNS root servers provide a critical link between users and the Internetâs routing infrastructure by mapping text host names to numeric Internet Protocol (IP) addresses. Researchers at the Cooperative Association for Internet Data Analysis (CAIDA) at SDSC conducted a detailed analysis of 152 million messages received on Oct. 4, 2002, by a root server in California, and discovered that 98 percent of the queries it received during 24 hours were unnecessary. The researchers believe that the other 12 DNS root servers likely receive similarly large amounts of bad requests.
http://ucsdnews.ucsd.edu/newsrel/science/sdscRoot.htm
DNS servers should not be behind firewall while SQL servers should. Note, DNS servers are unrelated to SQL servers.
They could have been indirectly affected by this worm if part of the payload would be DoS (in that case DDoS) attack on the root name servers, similar to attack on root servers that happened in October. However, that's not the case. Slammer did not attack root name servers.
Now, who reported this attack? Box owners? ISP guys who monitor what's going on? Nope! The only report about "5 of the 13 root name servers" being down came from message board (!) and was posted by some amateur security enthusiast affiliated with amateur website http://www.americanintelligence.us/. What is that "American intelligence"? CIA+NSA+FBI+Military? Yeah, right.
"This site is for a few of us who are Intelligence, Military and Political junkies and for those who wish to acquire, disseminate and discuss Intelligence from around the world that relates directly to American interests."
Why it might seem that the root servers were not responding, ie were down? The worm generated traffic storm on Internet backbones severely affecting UUNET/Worldcom's backbone. Northeastern US was affected much more severely than other parts of the country. So, what happened to this guy is that he just could not reach some of the servers because of latency and jumped to wrong conclusion about what caused that. That wrong conclusion has been propagated by some clueless and/or hysterical people but did not spread widely.
You do not have to believe everything you read on the Internet, this post included. However, you always can hit Google and try to find additional info to prove or disprove something. In our case, you will not find any credible reference or evidence that the attack on the root servers was a result of SQL Slammer worm or that it even actually took place.
South Korea is the world's most wired country and its network was brought to a virtual halt for most of Saturday... from what I gather, the Far East in general has been hit pretty bad...
thanks for the world update candleman. if i ever trade from korea i might find you info useful
Just goes to show how a country that is highly wired can be brought to her knees by a worm...
i hope it brings the entire world to its nees hahahahahhahahahha!
F%$# BILL GATES!
WE NEED A NEW WORLD ORDER!!
NWO baby!! hahaha
F%$# BILL GATES!
WE NEED A NEW WORLD ORDER!!
NWO baby!! hahaha