The SQL Slammer worm: how two organizations survived the attack.


    The Oakland Raiders offense wasn't the only thing that got slammed on Superbowl weekend. Fans who needed twenties to cover their office pool bets got shut out of their accounts as the "SQL Slammer" worm shut down most of Bank of America's 13,000 ATMs the day before the big game. When the dust settled, this attack once again demonstrated the precarious nature of organizational security measures.

    While antivirus protection and firewalls are an essential part of any organization's resources, they are essentially reactive. Software vendors are quick to release patches or new antivirus definitions as soon as one hits, but they can't necessarily predict what attack someone will come up with next. By the time they discover the problem, work out a fix, and get customers to install it, the damage is done. SQL Slammer was no exception. It took only three minutes to reach a rate of conducting 55 million scans per second as it sought to locate and spread to vulnerable computers. After that, its growth slowed only because it tied up so much bandwidth that it couldn't continue to expand.

    "The successful management of malicious-code threats is a more complex enterprise initiative than simply installing and maintaining antivirus software with signatures issued by antivirus vendors," says Gartner, Inc. research director Arabella Hallawell. "Organizational processes and effective governance decisions are more important than technology 'fixes.'"

    Although the worm attacked servers running Microsoft products, for once the company escaped the scathing attacks usually directed its way whenever such a virus or worm hits. This time it was administrators that took the hit, because Microsoft had issued a security bulletin on the vulnerability and a patch six months earlier. The systems affected simply hadn't had the patch installed. Ironically, some units at Microsoft's Redmond campus hadn't installed the patches and were targeted by the worm.

    "It is tempting to blame enterprise system and security administrators for not addressing this issue, but it is also unfair," says Hallawell. "Microsoft has released so many patches for security vulnerabilities in SQL Server that administrators can't reasonably be expected to keep up with them all."

    Patching SQL itself is one small part of the job. Every other piece of software in the enterprise has its own steady stream of updates and patches. It's a next-to-impossible task to keep up with all of them. Hallawell advocates asset management and network and systems management tools to address the problem.

    Self-Service Survival

    Enterprise management tools, in fact, do more to ensure reliability and security than just making it easier to deploy patches. Take the cases of Computer Associates, Inc. and Brigham Young University-Idaho. Both were hit by SQL Slammer but each organization used network management software to quickly detect the problem, isolate it, repair it and bring systems back online.

    Computer Associates (CA) relied on its own tools. CA Unicenter Network and Systems Management (NMS) initially detected a pattern of abnormal behavior similar to what had occurred with the Code Red II worm. This matched up with alerts being generated by the CA eTrust Intrusion Detection software.

    "It became clear that we were seeing a great deal of activity on a specific port, indicating some sort of SQL worm," says William Taub, security team manager for CA's Global Information Systems (GIS). "The first goal was to identify and contain the worm, free up the network and disable SQL network traffic by closing the appropriate ports."
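    The signal CA's staff describe, a burst of traffic concentrated on one port with a few hosts reaching out to a great many others, is the kind of thing a flow-based monitor can surface automatically. The script below is an added example written for this page, not CA's or Unicenter's code. It parses constructed flow records (the five-column layout is an assumption, not a real export format), counts flows per protocol/port, and flags any source whose fan-out to distinct destinations on a single port crosses a threshold within a time window. The sample uses UDP port 1434, the SQL Server Resolution Service port the worm is known to have used; the addresses and timestamps are made up.

```python
"""Flag scan-like fan-out in flow records (added example; constructed data)."""
from collections import defaultdict

# Constructed sample flow records (not from the article):
# "<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>"
# One host sprays UDP/1434 at many distinct destinations; another does normal
# web browsing and talks to a single database server.
SAMPLE_FLOWS = """\
1043459400 10.0.5.21 203.0.113.10 udp 1434
1043459400 10.0.5.21 203.0.113.77 udp 1434
1043459401 10.0.5.21 198.51.100.3 udp 1434
1043459401 10.0.5.21 192.0.2.200 udp 1434
1043459402 10.0.5.21 203.0.113.42 udp 1434
1043459402 10.0.5.21 198.51.100.91 udp 1434
1043459403 10.0.5.21 192.0.2.15 udp 1434
1043459403 10.0.5.21 203.0.113.250 udp 1434
1043459404 10.0.5.21 198.51.100.128 udp 1434
1043459404 10.0.5.21 192.0.2.99 udp 1434
1043459405 10.0.5.21 203.0.113.5 udp 1434
1043459405 10.0.5.21 198.51.100.64 udp 1434
1043459400 10.0.3.4 198.51.100.20 tcp 443
1043459402 10.0.3.4 203.0.113.30 tcp 443
1043459405 10.0.3.4 192.0.2.40 tcp 443
1043459401 10.0.3.4 10.0.8.10 tcp 1433
1043459404 10.0.3.4 10.0.8.10 tcp 1433
"""


def parse_flows(text):
    """Parse one record per line into (ts, src, dst, proto, dport); skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def port_counts(flows):
    """Flows per (proto, dport): a spike on one service port is the first clue."""
    counts = defaultdict(int)
    for _, _, _, proto, dport in flows:
        counts[(proto, dport)] += 1
    return dict(counts)


def peak_fan_out(flows, window=60):
    """For each (src, proto, dport), the most distinct destinations seen in any one window."""
    buckets = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        buckets[(src, proto, dport, ts // window)].add(dst)
    peak = {}
    for (src, proto, dport, _), dsts in buckets.items():
        key = (src, proto, dport)
        peak[key] = max(peak.get(key, 0), len(dsts))
    return peak


def scan_like_sources(flows, threshold=10, window=60):
    """Sources whose fan-out on a single port reaches the threshold, worst first.

    A legitimate client rarely contacts ten distinct hosts on the same
    service port inside a minute; a worm picking random addresses does.
    """
    hits = [
        (src, proto, dport, n)
        for (src, proto, dport), n in peak_fan_out(flows, window).items()
        if n >= threshold
    ]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (proto, dport), n in sorted(port_counts(flows).items(), key=lambda kv: -kv[1]):
        print(f"{proto}/{dport}: {n} flows")
    for src, proto, dport, n in scan_like_sources(flows):
        print(f"scan-like: {src} reached {n} distinct hosts on {proto}/{dport}")
```

    The fan-out check is deliberately independent of any signature: it would have fired on Code Red II's HTTP scanning just as it does on the UDP burst here, which is what let the pattern match "what had occurred with the Code Red II worm" before anyone knew the new worm's name. Port counts then tell staff which port to close at the perimeter while the infected hosts are tracked down.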

    The reports generated by Unicenter Asset Management showed that the bulk of the production systems had already been patched, but that certain other machines, including ones in the lab, remained vulnerable. GIS stopped the SQL processes on these machines to prevent the spread of the worm. It then used Unicenter Software Delivery to patch the affected machines.

    "When Microsoft made available an updated SQL roll-up patch to address the emergency, we immediately deployed it to the systems that were not yet patched," says Taub.

    Most organizations, though, are not multi-billion dollar operations that have spent the last two decades producing enterprise-class management software. Nevertheless, the same principle of using network management software to mitigate the damage caused by cyber-attacks applies to other entities.

    Brigham Young University-Idaho's IT infrastructure is much simpler than CA's. The school has a 3000-node network with gigabit Ethernet in the backbone core and 10 or 100Mbits going out to the desktops. It also is in the process of rolling out 802.11b wireless nodes. The servers are primarily Windows 2000, with some Linux back end apps and an IBM iSeries server running OS/400. Desktops are mainly Windows 2000/XP with some Linux and Mac machines. The university uses Microsoft Exchange, but the main enterprise apps such as admissions and finances are all homegrown.

    But it wasn't until this year that BYU-I had any type of management software in place. After reviewing various products such as Tivoli and HP OpenView, the university opted to go with a lower-cost, web-based network and systems management package from Somix Technologies, Inc. called WebNM.

    "We looked at various other network management platforms and software packages, but they have long implementation times and can be expensive," says BYU-I network manager Michael Rydalch. "WebNM has most of the functionality we needed."

    BYU-I bought the software in the nick of time. A Somix technician spent four days installing and configuring the management software, finishing the job on January 23, one day before SQL Slammer hit. The technician set up WebNM to monitor CPU and disk utilization on all the servers. On switches and routers, the software monitors CPU utilization and the interface to the ISP. In addition to providing real-time information on hardware or service status and performance, it also generates graphs showing long- and short-term trends for any of the monitored parameters. The university also uses WebNM's hardware and software inventory module, known as OStivity.

    SQL Slammer hit a server in the university's DMZ on January 24 at 11:30 pm, a little more than a day after the Somix technician left. The network operations analyst on call that weekend received an alert from the university's response center about problems coming from an unidentified source. After coming into the office, the BYU-I staff checked the WebNM graphs and narrowed the problem down to excessively high utilization on a perimeter router, probably caused by a virus or worm. After checking the emails and alarms, the server administrator logged onto CNN and found out what was known about the worm at that time: that it was attacking databases. Based on this information, they next used OStivity to rapidly identify all systems running either SQL Server 7.0/2000 or the Microsoft Data Engine (MSDE). They shut down the necessary TCP and UDP ports at the perimeter and cleaned up all infected servers.
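    Both organizations took the same step once they knew what the worm targeted: run the asset inventory, pull out every host with SQL Server 7.0/2000 or MSDE on it, and separate the ones already carrying the patch from the ones that still need the service stopped and the patch deployed. The script below is an added example written for this page; it is not Unicenter Asset Management or OStivity code. It reads a constructed CSV inventory export (the column layout, host names and zones are assumptions), and `REQUIRED_PATCH_PLACEHOLDER` stands in for the vendor's roll-up patch identifier, which the article does not name. The matcher also catches MSDE when it is listed as a component bundled with another product, which is how it usually reached desktops.

```python
"""Find unpatched SQL Server / MSDE hosts in an inventory export (added example; constructed data)."""
import csv
import io
import re

# Constructed inventory export (not from the article). Columns are an assumed layout:
# host, zone, semicolon-separated installed software, semicolon-separated installed patch ids.
SAMPLE_INVENTORY = """\
host,zone,software,patches
db-prod-01,production,Microsoft SQL Server 2000;IIS 5.0,REQUIRED_PATCH_PLACEHOLDER;KB-OTHER
db-prod-02,production,Microsoft SQL Server 7.0,REQUIRED_PATCH_PLACEHOLDER
lab-sql-03,lab,Microsoft SQL Server 2000,
dmz-web-01,dmz,IIS 5.0;Microsoft SQL Server Desktop Engine (MSDE 2000),KB-OTHER
file-srv-02,production,Windows 2000 Server,KB-OTHER
dev-ws-17,lab,Visual Studio;MSDE 2000,
"""

# Placeholder for the vendor roll-up patch id; the article does not name it.
REQUIRED_PATCH = "REQUIRED_PATCH_PLACEHOLDER"

# Products named in the article as affected: SQL Server 7.0 / 2000 and the Microsoft Data
# Engine (MSDE), including the "Desktop Engine" wording it ships under inside other products.
IN_SCOPE = re.compile(r"SQL Server (7\.0|2000)|MSDE|Data Engine|Desktop Engine", re.IGNORECASE)

# Exposed hosts first: the DMZ faces the Internet, production carries the business,
# lab machines matter because they re-infect the rest once the perimeter is reopened.
ZONE_PRIORITY = {"dmz": 0, "production": 1, "lab": 2}


def parse_inventory(text):
    """Turn the CSV export into dicts with software lists and patch-id sets."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"],
            "zone": row["zone"],
            "software": [s.strip() for s in row["software"].split(";") if s.strip()],
            "patches": {p.strip() for p in row["patches"].split(";") if p.strip()},
        })
    return rows


def sql_hosts(inventory):
    """Every host with an in-scope SQL Server or MSDE install, however it is labelled."""
    return [r for r in inventory if any(IN_SCOPE.search(s) for s in r["software"])]


def unpatched_by_zone(inventory, required=REQUIRED_PATCH):
    """Hosts still missing the required patch, grouped by network zone."""
    out = {}
    for r in sql_hosts(inventory):
        if required not in r["patches"]:
            out.setdefault(r["zone"], []).append(r["host"])
    return {zone: sorted(hosts) for zone, hosts in out.items()}


def patch_order(inventory, required=REQUIRED_PATCH):
    """Work list for stop-the-service-then-patch, most exposed zone first."""
    pending = [r for r in sql_hosts(inventory) if required not in r["patches"]]
    pending.sort(key=lambda r: (ZONE_PRIORITY.get(r["zone"], 99), r["host"]))
    return [r["host"] for r in pending]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    print(f"{len(sql_hosts(inv))} hosts run an in-scope SQL engine")
    for zone, hosts in unpatched_by_zone(inv).items():
        print(f"  unpatched in {zone}: {', '.join(hosts)}")
    print("stop SQL and patch in this order:", ", ".join(patch_order(inv)))
```

    On the constructed data the two production database servers come back as already patched, which matches what CA's reports showed for its production estate, while the DMZ web server with an embedded MSDE and the two lab machines are the ones to stop and patch. The embedded case is the one an inventory keyed only on "SQL Server" would miss.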

    Constant Vigilance

    As can be seen, having network and systems management software in place didn't prevent the attack. Despite the billions spent annually on antivirus software, firewalls, intrusion detection systems and packet sniffers, attacks will keep occurring, and people will continue to find methods to exploit the security holes. But management software helps provide another line of defense by alerting personnel to unusual patterns and helping them to repair the damage or contain the threat.

    Drew Robb is the senior writer at Robb Editorial (Los Angeles, CA)
    COPYRIGHT 2003 West World Productions, Inc.
    No portion of this article can be reproduced without the express written permission from the copyright holder.
    Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

    Article Details
    Title Annotation: Backup/Restore
    Author: Robb, Drew
    Publication: Computer Technology Review
    Date: Aug 1, 2003
    Words: 1210