Countering Slammer Worm

There have been numerous reports of the SQLSlammer/W32.Slammer/Sapphire worm slowing down network performance all over the world for the past few days. The spreading of this malicious code has caused network degradation across the Internet and has compromised vulnerable machines.

How infection occurs

The scans are aggressively targeting a buffer overrun in the SQL resolution service that existed in SQL Server 2000 prior to Service Pack 3 and MSDE 2000. Microsoft released a patch to address this.

http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx

Once a SQL Server 2000 host is infected, the worm builds the packets it needs to spread: each is 376 bytes in length and is sent to randomly generated IP addresses on UDP port 1434. If a packet reaches a vulnerable machine, that machine becomes infected and starts sending scan packets using the same algorithm. The worm generates no activity other than this scanning, but the thousands of scan packets it emits across the Internet slow networks and hosts down.

How to identify activity

The way to identify this activity on your network is to search for UDP packets that are 376 bytes in length and targeted at UDP port 1434. These packets will have random destination addresses if they are being generated from your site, and random source addresses if they are coming into your site. Because the attack uses random IP addresses, there will also be many ICMP Unreachable messages transmitted back and forth as routers respond on behalf of non-existent hosts and services. This additional traffic also contributes to network performance degradation.

The impact has been performance issues: network bandwidth is consumed by the scan packets, and infected hosts suffer DoS-like symptoms. This attack may be a prelude to further attacks, as the attacker now knows that the SQL host is vulnerable.
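To put the identification rule above into practice, here is an added example (not part of the original advisory) that parses raw IPv4/UDP datagrams, flags packets matching the described signature, and then picks out local hosts that are spraying such packets at many distinct destinations, which is the outbound pattern the advisory says marks an infected host. It assumes the 376 bytes refers to the UDP payload, and the sample packets are constructed with filler payloads rather than worm code.

```python
import ipaddress
import struct
from collections import defaultdict

SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376  # the advisory's 376 bytes, taken here as the UDP payload size (assumption)

def parse_ipv4_udp(pkt: bytes):
    """Return (src, dst, dport, payload_len) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 17:  # IPv4 carrying UDP only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl + 8 or total_len > len(pkt):  # truncated capture
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    _sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, dport, udp_len - 8

def is_slammer_scan(pkt: bytes) -> bool:
    """Match the advisory's signature: UDP/1434 with a 376-byte payload."""
    hdr = parse_ipv4_udp(pkt)
    return hdr is not None and hdr[2] == SLAMMER_PORT and hdr[3] == SLAMMER_PAYLOAD_LEN

def find_infected(pkts, local_net: str, min_targets: int = 3):
    """Local sources sending matching packets to many distinct destinations
    (random destinations from inside the site point at an infected host)."""
    net = ipaddress.ip_network(local_net)
    targets = defaultdict(set)
    for p in pkts:
        hdr = parse_ipv4_udp(p)
        if is_slammer_scan(p) and ipaddress.ip_address(hdr[0]) in net:
            targets[hdr[0]].add(hdr[1])
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)

def make_udp(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/UDP datagram for testing (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

# Constructed sample traffic: filler payloads, not worm code.
SAMPLE = [make_udp("10.0.0.5", f"198.51.100.{i}", 1434, b"A" * 376) for i in (1, 77, 203)]
SAMPLE.append(make_udp("10.0.0.9", "192.0.2.10", 1434, b"\x02"))   # short resolution query, not worm-sized
SAMPLE.append(make_udp("10.0.0.5", "192.0.2.20", 53, b"A" * 376))  # right size, wrong port
```

A real deployment would feed `find_infected` from a capture of traffic leaving the border router and alert on the hosts it returns.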

Solution

All installations running Microsoft SQL Server 2000 and MSDE 2000 are highly encouraged to review CERT advisories CA-2002-22 and VU#484891 and to see Microsoft's Security Web site for information on patching their affected systems.

http://www.microsoft.com/technet/security/alerts/slammer.mspx

Apply inbound ACLs at the border router to filter out packets destined for UDP 1434. SQL servers should not be directly accessible from the public Internet and thus should not be able to communicate beyond the border router. You may also choose to block the database server from communicating with other systems on UDP port 1434.

Brocade customers can implement additional security features available in their network devices to further limit the performance degradation and protect themselves from DoS attacks.

  • To instruct the router to stop generating ICMP Unreachable messages use the following command:

    Syntax: [no] ip icmp unreachable [network | host | protocol | administration | fragmentation-needed | port | source-route-fail]

  • For customers running JetCore ASICs, you can turn on "Adaptive Rate Limiting" on UDP 1434 to control the number of packets that the host can transmit. If you must continue to use UDP 1434, this can drastically help prevent further infections of this worm from causing network performance issues.

  • To protect specific SQL servers, Layer 2 ACLs blocking UDP 1434 can be applied on the interface the SQL server is connected to.

  • Disable transmission and receipt of IGMP queries on a port (if they are not required) and implement multicast limits. These commands apply only to the IP Multicast Traffic Reduction feature on Layer 2 switches.

    Syntax: [no] ip-multicast-disable
    Syntax: [no] multicast limit <num>


By controlling the volume of broadcasts, SYN requests and IP directed broadcasts, you can proactively protect your networks against other DoS-type attacks. Although these features are not directly related to this particular worm, they add extra protection against future attacks.

Syntax: [no] ip directed-broadcast (stop Smurf type attacks)

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds> (stop ICMP floods)

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds> (stop SYN floods)

Syntax: broadcast limit <num> (limiting broadcasts)

Syntax: [no] rate-limit-arp <num> (limiting ARP requests)

Rate limiting UDP (only if legitimate UDP is not a major part of the bandwidth)

References:

CERT Advisory CA-2003-04 MS-SQL Server Worm
http://www.cert.org/advisories/CA-2003-04.html

Microsoft Knowledge Base Article 323875 - FIX: MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B323875

Microsoft Security Bulletin MS02-039
http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx