North American Network Operators Group


FW: FYI - Cisco - Status as of Sat Jan 25...Global worm attack seems related to SQL 2000...see below for patches from Microsoft (available as of 7/17/02).]

  • From: Jeffrey Meltzer
  • Date: Sat Jan 25 16:02:46 2003

-----Original Message-----
From:  [mailto:@cisco.com] 
Sent: Saturday, January 25, 2003 2:13 PM
To: Recipient list suppressed
Subject: FYI - Cisco - Status as of Sat Jan 25...Global worm attack
seems related to SQL 2000...see below for patches from Microsoft
(available as of 7/17/02).
 
FYI - 

According to this article from the Associated Press:

 
<http://story.news.yahoo.com/news?tmpl=story2&ncid=716&e=3&u=/ap/2003012
5/ap_on_hi_te/internet_attack>
http://story.news.yahoo.com/news?tmpl=story2&ncid=716&e=3&u=/ap/20030125
/ap_on_hi_te/internet_attack

"The attack sought to exploit a software flaw discovered by researchers
in July 2002 that permits hackers to seize control of corporate database
servers. Microsoft deemed the flaw to be "critical" and offered a free
repairing patch, but it was impossible to know how many computer
administrators applied the fix."

Symptoms that may be seen, detected and may be causing alerts on Cisco
devices include, but are not limited to high CPU and traffic drops on
the input interfaces.

The Microsoft Security advisory specifies that this vulnerability is
specific to SQL 2000.  
Microsoft first published the fixed patch on 7/17/2002.

Please ensure that you are at the correct patch levels for all your
servers that use SQL 2000.
Microsoft Security Bulletin MS02-039

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp


This is basically the same attack as Code Red, using the same UDP port
numbers for the attack.  If you have applied patches for the Code Red
virus, they are most likely protected.  The attached link from
CNN does a nice job of explaining the similarity.

http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html


Cisco utilizes a security-hardened OS for servers running our services
such as Call Manager 3.3. Though SQL 2000 is used by Cisco Unity and Call
Manager 3.3, it is still appropriate and best practice to keep all
servers current with the latest patches to avoid known vulnerabilities
and protect against future re-occurrences.

Cisco's Host Intrusion Detection System (HIDS) can be used on servers to
detect "unknown" attacks, as was Code Red prior to patches being
available.

Thanks,   

Cisco


==================================================================
TECHNICAL INFORMATION -         

There is a global attack going on around the world: a worm that
is attacking Microsoft SQL Server on UDP ports 1433 & 1434.
Cisco TAC has the following PSIRT that can be used to help our customers.


************************************************************************
Summary: 

Cisco customers may currently be experiencing attacks due to a new worm
that has hit the Internet. The signature of this worm appears to be high
volumes of UDP traffic to port 1434. Affected customers have been
experiencing high volumes of traffic from both internal and external
systems. 

Symptoms that can be seen & detected on Cisco devices include, but are
not limited to high CPU and traffic drops on the input interfaces.

Details: 

UDP ports 1433 and 1434 are used for SQL Server traffic. A new worm has
been targeting these ports and attempting to exploit a buffer overflow
vulnerability in Microsoft's SQL Server.

Microsoft has issued a security advisory about this issue, the details
are here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

For infected servers, MS recommends downloading Service Pack 3 for
SqlSvr, located here:

http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1

Symptoms:

You may see instability in networks due to increased load.  
The traffic load generated by this DoS is very high, with some customers
experiencing traffic loads as high as 20 Megabits per second combined
egress and ingress rates.

Workarounds until patches can be applied:

Thus far the best mitigation is to block inbound and outbound traffic
destined to UDP port 1434.  Care must be taken in regards to the impact
on mission critical services as 1434/udp and 1433/udp are used by
Microsoft SQL Server.  Before blocking traffic to that port completely
make sure that the possible effects on your network are understood.

PLEASE NOTE: These workarounds block both ports 1433 and 1434, although
we have received no evidence yet that blocking port 1433 has any effect
on the attack. If your network requires traffic to flow on port 1433,
please leave that portion of the ACL out and monitor your results
closely.

****

VACL config on 5500/6500 - confirmed that this drops the CPU load on the
MSFC as well.

set security acl ip WORM deny udp any eq 1433 any
set security acl ip WORM deny udp any any eq 1433
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM deny udp any eq 1434 any
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM 

****

ACL for IOS

access-list 115 deny udp any any eq 1433 log
access-list 115 deny udp any any eq 1434 log
access-list 115 permit ip any any

int 
ip access-group 115 in
ip access-group 115 out

****

If you have any new information that would be of use to us, please send
email to [email protected]

General information regarding strategies for protecting against
Distributed Denial of Service attacks may be found at
http://www.cisco.com/warp/public/707/newsflash.html

********************************************


________________________________________________________________
                                            Cisco Systems
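The advisory's detection signature is "high volumes of UDP traffic to port 1434", and its workaround is a blanket ACL on 1433/1434 with a caution that 1433 should only be monitored. The following is an added example (not part of the forwarded post or of any Cisco tooling) showing how a defender could apply that signature to flow records before deciding which hosts to block: it aggregates UDP/1434 traffic per source, flags sources that are both high-volume and spraying many destinations (the spread pattern of a worm rather than a single busy SQL client), reports sources talking to 1433 separately for monitoring, and emits per-host IOS deny lines in the style of the advisory's access-list 115. The flow-record format, thresholds and sample data are all constructed for the example.

```python
"""Flag hosts generating worm-style UDP/1434 floods from flow records.

Added example; not code from the NANOG post or from Cisco. The record
format below is a constructed, simplified NetFlow-style text line:
    src_ip src_port dst_ip dst_port proto packets bytes
Adapt parse_flow() to whatever your collector actually exports.
"""
from collections import defaultdict

# Constructed sample flows (not captured data). 10.1.1.5 sprays UDP/1434
# at many hosts; 10.1.1.9 is an ordinary TCP/1433 SQL client; 10.1.1.30
# sends a single UDP/1434 datagram and should not be flagged.
SAMPLE_FLOWS = """\
10.1.1.5 1027 192.0.2.10 1434 udp 3 1212
10.1.1.5 1027 198.51.100.7 1434 udp 4 1616
10.1.1.5 1027 203.0.113.9 1434 udp 2 808
10.1.1.5 1027 203.0.113.77 1434 udp 5 2020
10.1.1.5 1027 192.0.2.250 1434 udp 1 404
10.1.1.9 51000 192.0.2.20 1433 tcp 12 3400
10.1.1.20 53 192.0.2.30 53 udp 2 200
10.1.1.30 2000 192.0.2.10 1434 udp 1 404
"""


def parse_flow(line):
    """Split one constructed-format flow line into a dict of typed fields."""
    src, sport, dst, dport, proto, pkts, byts = line.split()
    return {
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "proto": proto.lower(),
        "packets": int(pkts),
        "bytes": int(byts),
    }


def analyse(text, min_packets=10, min_targets=3):
    """Return (suspects, port1433_sources).

    suspects maps a source IP to its UDP/1434 packet count and number of
    distinct destinations, for sources that exceed BOTH thresholds
    (volume alone would also catch a legitimate SQL client).
    port1433_sources is the set of sources seen talking to port 1433,
    reported separately because the advisory says to monitor 1433 rather
    than assume it is part of the attack.
    """
    udp1434 = defaultdict(lambda: {"packets": 0, "targets": set()})
    port1433 = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == 1434:
            udp1434[f["src"]]["packets"] += f["packets"]
            udp1434[f["src"]]["targets"].add(f["dst"])
        elif f["dport"] == 1433:
            port1433.add(f["src"])
    suspects = {
        src: {"packets": v["packets"], "targets": len(v["targets"])}
        for src, v in udp1434.items()
        if v["packets"] >= min_packets and len(v["targets"]) >= min_targets
    }
    return suspects, port1433


def acl_lines(suspects, acl_number=115):
    """Per-host IOS deny entries for flagged sources (assumed policy: quarantine
    the offending hosts rather than the advisory's blanket port block).
    Insert before the 'permit ip any any' line of the same access-list."""
    return [
        f"access-list {acl_number} deny udp host {src} any eq 1434 log"
        for src in sorted(suspects)
    ]


if __name__ == "__main__":
    found, monitor_1433 = analyse(SAMPLE_FLOWS)
    for src, info in found.items():
        print(f"suspect {src}: {info['packets']} pkts to {info['targets']} hosts on udp/1434")
    print("sources using port 1433 (monitor only):", sorted(monitor_1433))
    print("\n".join(acl_lines(found)))
```

The two-threshold rule is the point: a replication server or a monitoring box can legitimately send plenty of UDP to one SQL host, but only a scanner or worm sends it to many distinct hosts at once, so requiring both volume and spread keeps the false-positive rate down before any host gets an ACL entry.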