Re: The Current IP Network Problem Worldwide


Subject: Re: The Current IP Network Problem Worldwide
From: Christopher E. Brown (cbrown@woods.net)
Date: Sun Jan 26 2003 - 10:25:27 AKST


Yes, the issue is related to a set of known security issues with MSSQL
2000. Microsoft has known since May 2002, and patches have been
available since July 2002.

The flooding issue is this: port 1434 *UDP* is an /autodetection/
port. A client may send a specific 1 byte packet to this port and get
a reply detailing the connect method for this server. One of the other
options is to send a different byte and the server sends it back to
the source addr/port. It is (more or less) a service specific ping,
so the client can ask "Are you up?".

So, if a machine sends out a spoofed packet with the proper byte to
port 1434 UDP of a MSSQL server, it replies to 1434 UDP and the
spoofed addr. If the spoofed addr is that of another MSSQL
server.....

You end up with the stupid things exchanging min length packets as
fast as they can, causing routers much pain.

Remember the issues of old with the echo service? MS reinvented the
wheel, and one that everyone else threw out years ago.

Specifically, if you run a MSSQL server you should apply the patch
(there are several related stack smashes that yield total access to
the server, even if the SQL server is running as a restricted user),
and block *all* of the ports (check your docs) that MSSQL uses to that
machine.

If you are a service provider trying to limit the effects of the
current flood you should be dropping port 1434 UDP traffic at your
border in and out. (No one needs an extra 250,000 packets/sec).

-- 
I route, therefore you are.
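The post describes the symptom an operator would see once two servers are caught in the 1434/UDP ping-pong: a stream of minimum-length datagrams with source port 1434 and destination port 1434 flowing in both directions between the same pair of hosts. The following Python is an added example, not code from the post or the list; it takes a constructed, simplified flow-log format (timestamp, protocol, src:port > dst:port, payload length, which is an assumed format rather than any real tool's output) and reports host pairs that show that loop. The thresholds (payload at or under 4 bytes, at least 2 packets from each side) are assumptions chosen for the sample, not values from the post; a real border log would need them tuned to the observed rate.

```python
"""Flag the MSSQL 1434/UDP ping-pong loop in a flow log.

Added example (not from the original post). The loop signature used here:
UDP, source port 1434, destination port 1434, tiny payload, and traffic
in BOTH directions between the same two hosts. One-way 1434-to-1434
traffic is left out: it could be a single spoofed trigger or a scan, not
an established loop.
"""
import re
from collections import Counter, defaultdict

SSRS_PORT = 1434      # SQL Server Resolution Service listens on 1434/UDP
TINY_PAYLOAD = 4      # "min length packets": assumed cutoff in bytes

# Constructed sample log lines (not a real capture). Assumed format:
# "<ts> <proto> <src_ip>:<sport> > <dst_ip>:<dport> len=<payload_bytes>"
SAMPLE_LOG = """\
10:25:01.000 UDP 192.0.2.10:51234 > 198.51.100.5:1434 len=1
10:25:01.001 UDP 198.51.100.5:1434 > 203.0.113.7:1434 len=1
10:25:01.002 UDP 203.0.113.7:1434 > 198.51.100.5:1434 len=1
10:25:01.003 UDP 198.51.100.5:1434 > 203.0.113.7:1434 len=1
10:25:01.004 UDP 203.0.113.7:1434 > 198.51.100.5:1434 len=1
10:25:01.005 TCP 192.0.2.10:40001 > 198.51.100.5:1433 len=60
10:25:01.006 UDP 192.0.2.20:53 > 192.0.2.30:33000 len=120
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"].upper(),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "len": int(m["len"]),
    }


def is_ssrs_pingpong(rec):
    """True for a tiny UDP datagram sent from port 1434 to port 1434.

    A normal client probe comes from an ephemeral source port, so it is
    excluded; only the reflected server-to-server replies match.
    """
    return (
        rec["proto"] == "UDP"
        and rec["sport"] == SSRS_PORT
        and rec["dport"] == SSRS_PORT
        and rec["len"] <= TINY_PAYLOAD
    )


def find_loops(log_text, min_packets_each_way=2):
    """Return [(host_pair, total_packets), ...] for pairs caught in the loop.

    Packets are counted per unordered host pair and per sender, so the
    result only includes pairs where both hosts are replying to each
    other at least min_packets_each_way times.
    """
    per_pair = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ssrs_pingpong(rec):
            continue
        pair = tuple(sorted((rec["src"], rec["dst"])))
        per_pair[pair][rec["src"]] += 1

    loops = []
    for pair, senders in per_pair.items():
        if len(senders) == 2 and min(senders.values()) >= min_packets_each_way:
            loops.append((pair, sum(senders.values())))
    return sorted(loops)


if __name__ == "__main__":
    for (a, b), n in find_loops(SAMPLE_LOG):
        print(f"1434/UDP loop between {a} and {b}: {n} packets")
```

The first sample line (ephemeral source port to 1434) is deliberately not counted: from a log alone it is indistinguishable from a legitimate "are you up?" probe, and the spoofed trigger packet is in any case a single datagram. What a border operator can act on is the sustained 1434-to-1434 exchange, which is exactly what the post's advice to drop 1434/UDP in both directions cuts off.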




This archive was generated by hypermail 2a23 : Sun Jan 26 2003 - 10:23:06 AKST