View Full Version : The Scoop (Internet Worm)
kicker 01-25-2003, 03:49 AM I am sure I am not the first to put this together but here is my working theory:
1. Worm attacking MS SQL Server with this exploit on port 1434 UDP
http://www.nextgenss.com/advisories/mssql-udp.txt
2. Compromised machines start spewing exploits at a rate of 35-75Mbps
3. Huge amount of bandwidth is taking down routers and backbones.
4. Unaffected machines are SQL 2000 service pack 2 with hot fix or SQL 2000 service pack 3.
My guess is that the exploit and worm are all in one packet and no additional software is installed.
kicker 01-25-2003, 02:07 PM A little more information. The worm doesn't appear to install any software but only propagates itself. Disconnecting the machine from the network and rebooting the server seems to clear the worm. Patch the server before reconnecting to the network.
The worm doesn't forge the UDP traffic and seems to be very random in the destination addresses that it sends traffic to. It doesn't seem to cluster in the same class C/B/A as Code Red did.
Most providers seem to be filtering UDP 1434 both in and outbound at this point. Qwest seems to be very hard hit. No estimated time to repair yet. Some people are reporting problems with Extreme switches/routers having problems with this traffic.
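One thing a defender can do with the behaviour kicker describes above (a compromised host spraying UDP/1434 packets at random, non-clustered destinations) is pick infected machines out of ordinary connection logs before the provider's border filter catches them. The script below is an added example, not code from this thread or from any vendor; the five-field log format, the sample addresses, and the thresholds MIN_PACKETS and MIN_DISTINCT_DESTS are constructed assumptions for illustration.

```python
"""Flag hosts that look like Slammer-style UDP/1434 spray sources in a connection log."""
import ipaddress
from collections import defaultdict

# Constructed sample log (not from the thread): "timestamp src dst proto dport".
# 10.1.2.17 plays the infected server; 10.1.2.40 is a client doing normal
# SQL instance resolution against two local servers.
SAMPLE_LOG = """\
2003-01-25T05:31:01Z 10.1.2.17 198.18.4.9 udp 1434
2003-01-25T05:31:01Z 10.1.2.17 198.19.77.3 udp 1434
2003-01-25T05:31:01Z 10.1.2.17 100.64.12.200 udp 1434
2003-01-25T05:31:02Z 10.1.2.17 100.70.3.8 udp 1434
2003-01-25T05:31:02Z 10.1.2.17 100.99.250.1 udp 1434
2003-01-25T05:31:02Z 10.1.2.17 198.18.200.14 udp 1434
2003-01-25T05:31:03Z 10.1.2.17 192.0.2.9 udp 1434
2003-01-25T05:31:03Z 10.1.2.17 198.51.100.4 udp 1434
2003-01-25T05:31:03Z 10.1.2.17 203.0.113.77 udp 1434
2003-01-25T05:31:03Z 10.1.2.17 100.80.1.1 udp 1434
2003-01-25T05:31:04Z 10.1.2.40 10.1.2.50 tcp 1433
2003-01-25T05:31:04Z 10.1.2.40 10.1.2.51 tcp 1433
2003-01-25T05:31:05Z 10.1.2.40 10.1.2.50 udp 1434
2003-01-25T05:31:06Z 10.1.2.40 10.1.2.51 udp 1434
this line is deliberately malformed and must be skipped
"""

UDP_SQL_RESOLUTION_PORT = 1434   # the port the worm's exploit packet is sent to
MIN_PACKETS = 8                  # hypothetical tuning thresholds, not from the thread
MIN_DISTINCT_DESTS = 8


def parse_log(text):
    """Yield (src, dst, proto, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, proto, dport = parts
        try:
            yield src, dst, proto.lower(), int(dport)
        except ValueError:
            continue


def profile_udp1434(records):
    """Per source: packet count and the set of distinct destinations on UDP/1434."""
    pkts = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, proto, dport in records:
        if proto == "udp" and dport == UDP_SQL_RESOLUTION_PORT:
            pkts[src] += 1
            dests[src].add(dst)
    return pkts, dests


def spread_ratio(addrs):
    """Distinct /24 prefixes divided by distinct addresses.

    1.0 means every target sat in a different /24 (a random spray, as the
    thread describes); values well below 1.0 mean the targets cluster in
    nearby networks, which is how Code Red behaved.
    """
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    return len(nets) / len(addrs)


def find_sprayers(text, min_packets=MIN_PACKETS, min_dests=MIN_DISTINCT_DESTS):
    """Return {src: stats} for sources exceeding both thresholds on UDP/1434."""
    pkts, dests = profile_udp1434(parse_log(text))
    flagged = {}
    for src, n in pkts.items():
        if n >= min_packets and len(dests[src]) >= min_dests:
            flagged[src] = {
                "packets": n,
                "distinct_dests": len(dests[src]),
                "spread": round(spread_ratio(dests[src]), 2),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_sprayers(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

The two thresholds are the important design choice: a single client legitimately talks UDP/1434 to a handful of SQL servers to resolve instance names, so counting packets alone would flag it, while an infected host hits many distinct destinations in seconds. The spread ratio is only reported, not used as a trigger, so the script still flags a worm that happens to pick clustered targets.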
cabalstudios 01-25-2003, 03:27 PM Although this is a major disaster and, in terms of damage, one of the worst (sympathy for those that were affected), I find it quite hard to understand that the patch for MS SQL has been out for some time (quite a long time in fact) and, since Microsoft has an auto-update feature, that hosts don't persuade their customers to ensure they are up to date and using the latest releases.
We, for one, only host a few Windows servers (thank god) and from day one had emphasised the importance of keeping software up to date, and today it showed how the little extra efforts have paid off.
Let the lesson be learnt!
All the best to those affected and hope everything is back to normal soon!
-Shazad
perroloco 01-25-2003, 03:44 PM SQL doesn't auto-update. But that's still no excuse. What sort of half-assed admin doesn't look for patches?
If you can get to it, check out the MIDS maps http://www.mids.org/weather/us/index.html and you'll see one helluva latency spike at 1am CST.
BiGWill 01-25-2003, 03:56 PM You don't really want to run that Autoupdate.
As it'll automatically reboot your machine every time; new patches require this...
And you can't do anything about it. (except turn it off then ;-))
That's something you should consider, imho, in a server environment where uptime is important.
greets,
beamable 01-25-2003, 07:14 PM Does anyone know if M$ has a security mailing list that I could join? I'm one of the unfortunate ones who thought running the Windows Update function regularly would update my server with any critical server patches. I guess M$ doesn't consider SQL Server a vital part of their server product line.
Thanks in advance!
Aaron
beamable 01-25-2003, 08:36 PM Answering my own question...
Here is a link to M$'s security notification service.
It requires that you create/have a Passport account.
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp
cabalstudios 01-25-2003, 10:06 PM I am aware the hotfixes don't update SQL, but if you half make an attempt to run it weekly, you will remember to check for other patches; that was the point of my post.
Was a little tired, sorry for the confusion.
-Shazad
perroloco 01-25-2003, 10:56 PM I recommend everyone subscribe to Bugtraq. Ever since I began, even though 98% of the reports don't apply specifically to what I am running, it really makes one aware of what evil is lurking out there.
In fact, someone posted their findings regarding this bug (now called SapphireSQL) many hours before the world felt both barrels. Lots of PHP vulnerabilities, Apache discussions, various builds of *nix, quite a useful group.
BiGWill 01-26-2003, 12:07 AM Always such a mess...
When the inbox is filled up with bulk emails from some mailing lists :D
perroloco 01-26-2003, 01:21 AM Yeah, I'll admit that it can be a drag. As if I don't get enough exercise deleting spam, now I have to delete a folder full of list crap. But it's usually under 50 messages a day, more like 10-20 on average, and the ones that are "news" to me are usually quite interesting and/or pertinent. Found out about several phpbb bugs and more. To be perfectly honest, it's nice to read about a non-M$ bug once in a while. ;-)
If you're on-top of the bugs then there's no need to watch it. But for me, who does very little programming these days, it's nice to stay plugged into that circle.
On another note, I thought I should mention that my ISP began having "issues" on Wednesday of this week. DSL slowed to 100k or less, bottoming at sub-dialup speeds. So things were acting squirrelly for several days prior to the Friday @ midnight sh*tstorm. Did anyone else feel anything?