Compatible Support Forums
ThC 129

SQL Slammer Worm - Whose Fault and How to Fix?


After the recent Slammer worm attacks, the hammer comes down and everyone is in a race to say "It's not me" and point the finger at someone else.

 

I have heard it is a lot of SysAdmins' faults because they could've secured their network better (any security links would help because this is SERIOUS and I'm in my MCSE training, so this is what I'm going to be doing).

 

Then people say it is M$'s fault for releasing a patch that breaks another patch, or for having interlinked software to begin with. Others say Windows sucks, don't use it.

 

Then you have the people who say that, well, you should've been using *nix, because it is more secure, and something like this would never happen.

 

 

 

So whose fault is it, and more importantly, how do we as internet users stop something like this from happening? The internet is becoming more and more a staple of urban life, and this recent attack even made ATMs useless and Seattle's 911 service inoperable. So this is affecting not only networks, but other things people use in day-to-day life.

 

The question left to ask is when and what is the next attack going to do?


Common sense avoids these issues. I was using the IIS security tools before Code Red came out, and when it hit the only thing my server did was count up all the hits to it. As for the SQL server issue, nobody should ever have their SQL box exposed to the Internet anyway, and if they did they should have been up to date on their patches (and there was one long before the worm came out). As long as there are stupid and lazy admins out there, you will see things like this.


Just to expand a little more on this issue:

 

Most SQL Admins would not install a major SP, such as SP3, without a month or two of testing to be sure it doesn't have any undocumented surprises... or other unexpected side effects.

 

And what a royal pain it was to apply the two patches (which had to go on SP2). This was not a matter of just clicking on a web link, sitting back, and rebooting an hour later; this required moving files around, or writing a script to do that. And if you applied the security patch without first applying the fix for the memory leak...

 

So, in my view, MS is getting away with murder if most of the world thinks that it was lazy or ignorant sysadmins who couldn't be bothered keeping their machines patched.

 

I agree with you that's not a good thing, but it is the fault of MS, not the admins, in my opinion.

 

Anyways, just figured I should share some $0.02

 

Links

 

www.securityfocus.com

http://www.eeye.com/html/Research/Tools/SapphireSQL.html


OK, but do you agree with opening SQL server ports to the Internet? I can see it if there's a secure means of doing it (IPSec, or dropping traffic from all IPs other than the needed connections), but not just leaving it out there to be attacked. So in that case, it would most definitely be the admin's fault.


Opening needed SQL ports to the internet is of course a NO NO .....

 

Now, should I come out and say "it is the Admin's fault" .... well, then I would be implying that my boss was either misinformed or incompetent.

 

Lemme side step with this ....

 

Accidents don't happen, they are caused. Caused by either neglect or stupidity. Having our SQL servers exposed to the internet was not an accident (library catalog web servers and such). Yet having them unpatched and having the ACL on the PIX for them wide open .... well, maybe that was an accident...

 

In the end, I blame both MS and poor administration.

 

Just think, Clutch, when everything gets ported over to DB filesystems and everyone runs MSDE just to access their MP3s ....

 

The entire planet is getting more and more database enabled...

 

Either people will get serious about security, or there will be wailing and gnashing of teeth

 

End of Rant ... Thank you, Clutch and others, for putting up with that.


Umm, we are already heavily db-enabled. Didn't get the memo, eh?

 

Most of the issues can be avoided by simply eliminating connections to ports that shouldn't be open to begin with. Next, allow *only* the transactions/commands that need to be executed, with a default "off" for everything else (like in URLScan), to prevent new tricks from attacking both old and new exploits.

 

So, did you get t-boned with this one? You don't seem like the type to get nailed on it (yeah, a rarity, that was a *compliment*; you may commence with the "oooohs" and "ahhhhhs"), so I would imagine it was before you could catch it, or you were under the impression someone else had it under control.

 

As for me, I can generally count on one hand the number of ports per IP that I allow through my firewall, so monitoring this is much easier. Also, since I am in charge of these things, I can do whatever the hell I please with complete disregard for others.

 


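The approach Clutch describes above (allow only the handful of needed connections per IP, with everything else off by default, and never the database port from the whole Internet), as an added example that is not from this thread or any of its posters: a small Python model of such a policy. The rules, addresses and sample attempts are constructed for the illustration; the port numbers are SQL Server's well-known defaults.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # which sources may connect
    proto: str                  # "tcp" or "udp"
    dport: int                  # destination port

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed allow list for a hypothetical site: web ports open to everyone,
# the database listener only to the internal app subnet. Anything not listed
# is denied by default (the "default off" the thread recommends).
ALLOW = [
    Rule(ANY, "tcp", 80),
    Rule(ANY, "tcp", 443),
    Rule(ipaddress.ip_network("10.20.0.0/16"), "tcp", 1433),
]

# SQL Server's well-known defaults: 1433/TCP listener, 1434/UDP resolution service.
DB_PORTS = {1433, 1434}

def decide(src_ip: str, proto: str, dport: int, rules=ALLOW) -> str:
    """'allow' if an explicit rule matches, otherwise 'deny'."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr in r.src and proto == r.proto and dport == r.dport:
            return "allow"
    return "deny"

def internet_exposed_ports(rules=ALLOW) -> set:
    """Ports reachable from any Internet host (rules whose source is 0.0.0.0/0)."""
    return {r.dport for r in rules if r.src.prefixlen == 0}

def database_exposed(rules=ALLOW) -> bool:
    """The check the thread argues for: is a database port open to the whole Internet?"""
    return bool(internet_exposed_ports(rules) & DB_PORTS)

# Constructed inbound attempts (source, proto, port) as a firewall log might record them.
SAMPLE = [
    ("203.0.113.7", "tcp", 80),     # web visitor
    ("203.0.113.7", "udp", 1434),   # Internet host hitting the SQL resolution port
    ("10.20.5.9", "tcp", 1433),     # internal app server reaching the database
    ("198.51.100.3", "tcp", 1433),  # Internet host probing the database listener
]

def denied_attempts(samples=SAMPLE, rules=ALLOW):
    """Attempts the default-deny policy drops; these are what to watch in the logs."""
    return [s for s in samples if decide(*s, rules=rules) == "deny"]
```

With a short allow list like this, the dropped attempts are the interesting ones to monitor, and `database_exposed` is the one-line audit that would have flagged a wide-open ACL before a worm found it.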
Quote:
Umm, we are already heavily db-enabled. Didn't get the memo eh?


Nah, I was too busy filling out TPS reports *1*

Quote:
So, did you get t-boned with this one?


Boned at exactly 12:39 AM, Saturday, EST.

Quote:
so I would imagine it was before you could catch it, or you were under the impression someone else had it under control.


Bullseye ... My responsibilities include, but are not limited to, AD, Exchange 2000, Wireless, blah blah .... however, PIX administration and SQL servers belong to others ... who are, shall I say, less informed.

However, everyone in my department plays janitor when one person turns a critical error into a huge problem.

Quote:
You don't seem like the type to get nailed on it (yeah, a rarity, that was a *compliment*; you may commence with the "oooohs" and "ahhhhhs")


Takes a bow.

Then again, the "oooohs" and "aaaahhss" were replaced with grunts and "@#^%!^!&" as Ipsentry kept paging me throughout the night.

Quote:
As for me, I can generally count on one hand the amount of ports per IP that I allow through my firewall, so monitoring this is much easier. Also, since I am in charge of these things, I can do whatever the hell I please with complete disregard for others.


A lesson well learned apparently from previous mistakes.

-------------

*1* Quote from Office Space .... great movie.

Quote:
As for the SQL server issue, nobody should ever have their SQL box exposed to the Internet anyway, and if they did they should have been up to date on their patches (and there was one long before the worm came out).


Mr. Clutch hit the nail on the head. It used to be you had to know how to use a computer to set one up, and it took a few years of experience. Everything is so automatic that anyone can set up a SQL server.
I wonder if it will come down to having to be licensed to operate a server, or a specific type of server, on the internet.
Man, doesn't that open a can of worms.


Well, licensing would be nice. Personally, I wish there was better licensing for a lot of things. Take for instance car purchases. I am tired of seeing little old people tooling around in Lincoln Navigators running people off the road and taking up 3 spots to park. My motto as governor (when I run) would be "if you can push it, you can drive it." Then, people hit the dealership, get the customary pushing gloves from their salesperson, and can get approved based on what they can push. Just think of it; companies will want to make lighter cars with smaller tanks (as the car will need to have a full tank of gas for the push evaluation) so they can be sold, and thereby reducing fuel consumption.
